- Introduction
- Security Policy and Assemblies
- Evidence-Based Security Policy
- Determining Security Policy
- Administering Security Policy
- Principle of Least Privilege
Administering Security Policy
Now let's look at a simple example of changing the security policy by using the first example in this article. First we'll create a new named permission set. In the .NET Configuration Tool, select the Permission Set node under the Machine security policy level. Right-click and select New. In the resulting dialog box, fill in the name of the permission set to create: TestPermissionSet (see Figure 3). Click the Next button. In the next dialog, select three permissions to add to this permission set: Security, FileIO, and UserInterface. As you select each one, another dialog box appears in which you can restrict the associated permissions. For each permission, select the radio button at the bottom of the dialog box that grants unrestricted access. Figure 4 shows the resulting dialog for the Security permissions. After adding these three permissions, click the Finish button. (Save your changes, or the security policy won't go into effect. If you need to save your changes, an asterisk appears next to the Machine node in the Configuration Tool.)
NOTE
Some pre-release versions of the .NET Configuration (or Admin) Tool don't require you to save your changes before they become effective.
Figure 3 Create Permission Set dialog box.
Figure 4 Permission Settings dialog box.
Now you need to associate this named permission set with a code group. For simplicity, let's use an existing code group rather than creating a new one. Select My_Computer_Zone on the Machine policy level. Right-click and select Properties; then select the Permission Set tab. In the drop-down list, select the permission set we just created, TestPermissionSet. The associated permissions should appear in the list box. Click OK to close the dialog box. Again, save your changes.
Run the first example again. The demand for the FileIO permission should succeed. Now let's modify the permissions associated with the permission set to remove the FileIO permission. Select the TestPermissionSet and select Change Permissions. In the resulting dialog, remove the FileIO permission. Make sure that your changes are saved. Now try to run the example again. The example will fail.
To get your system back to the way it was before, restore FullTrust as the permission set for your My_Computer_Zone code group. Then delete TestPermissionSet.
When the FileIO permission set was removed, the union of the permissions in the code groups on the machine level no longer had the FileIO permission. Even though the User and Enterprise policy levels granted the FileIO permission, the most restrictive level determines policy.