Using CasPol to Fully Trust a Share
Since network shares by default only get LocalIntranet permissions, it's relatively common to want to use CasPol to fully trust some shares that you control and know are safe. However, CasPol syntax being what it is, the command to do this isn't immediately obvious. If I wanted to trust everything on the share \\ShawnFa-Srv\Tools, the command:
CasPol.exe -m -ag 1.2 -url file://\\ShawnFa-Srv/Tools/* FullTrust
Would setup the policy to do what I needed. Lets break down this command:
- -m - modify the machine level of the policy. This is needed, since the machine level is where all of the default policy lives. On NT platforms it's also the default level that CasPol works with, however on Win9x, CasPol will default to the user level, so putting -m in the command line explicitly tells CasPol to use the correct level.
- -ag 1.2 - add a code group under group 1.2. In the default policy, group 1.2 is the LocalIntranet group, so the new code group that we're creating will only be checked if the file comes from the intranet.
- -url file://\\ShawnFa-Srv/Tools/ * - The membership condition for the new code group should be a UrlMembershipCondition, and it should match anything with a URL that starts with file://ShawnFa-Srv/Tools, meaning that any file on the \\ShawnFa-Srv\Tools share will match this code group.
- FullTrust - The permission set to grant assemblies that match the code group. In this case, FullTrust.
Once you know the pattern, it's pretty easy to modify this command line to do slightly different things. For instance, if I want to trust only a specific non-strongly named assembly on my share, I might use
CasPol -m -ag 1.2 -hash SHA1 -file \\ShawnFa-Srv\Tools\CodeCSS\CodeCSS.exe FullTrust
Which will create a hash membership condition that matches the SHA1 hash of the CodeCSS.exe file.
When I install a new build of the runtime, my install script actually ends with two lines that do just this:
CasPol.exe -pp off -m -ag 1.2 -url file://\\ShawnFa-Srv/Tools/* FullTrust
copy config\security.config config\security.config.default
Which trusts everything coming off of a share on my computer, and then makes a copy of that policy as the new default, so that all future calls to CasPol -all -reset do not remove this modification.
Comments
Anonymous
May 11, 2005
Shawn,
I've added FullTrust to a share where we launch an application and it takes a heck of a long time. Are there factors (other than the network speed / latency) that would slow down a .NET application starting from a network share?
Thanks! BTW very helpful blog entry.Anonymous
July 26, 2005
Just tried
CasPol.exe -m -ag 1.2 -url file://ShawnFa-Srv/Tools/* FullTrust
and got the message
Are you sure you want to perform this operation? (yes/no)
which I had to confirm with YES, of course.
I thought I can use CasPol.exe to write a custom setup action to perform this update, but I don't want the user to be displayed this message. Any chance to do the same, WITHOUT the message?Anonymous
July 27, 2005
Hi Uwe -- check out: http://blogs.msdn.com/shawnfa/archive/2005/07/27/443975.aspx :-)
-ShawnAnonymous
August 25, 2005
Regarding the -url parameter (e.g.)
CasPol.exe -pp off -m -ag 1.2 -url file://ShawnFa-Srv/Tools/* FullTrust
If EXE's are placed in subfolders under the root of the share are they automatically granted FullTrust? (e.g. //ShawnFa-Srv/Tools/subFolder/someprog.exe )
If yes, then I'm doing something wrong because they're not on my system?Anonymous
November 11, 2005
The comment has been removedAnonymous
February 10, 2006
One of the V1 decisions we made was to not allow partially trusted callers in our policy framework. ...Anonymous
April 24, 2006
The comment has been removedAnonymous
April 25, 2006
You have to trust the share with the name that the managed code sees, so if it's accessable via S:Projects your URL would be file://s:projects
-ShawnAnonymous
July 06, 2006
The comment has been removedAnonymous
July 07, 2006
Are you sure you're using a matching caspol and runtime? Settings applied to v1.1 don't affect apps running against v2.0. Similarly v2.0 32bit and v2.0 64bit are seperate.
-ShawnAnonymous
July 13, 2006
Every once in a while someone will ask how they can do something similar to these caspol commands from...Anonymous
July 14, 2006
The comment has been removedAnonymous
July 18, 2006
That link lead me to check some other things out. Since I control the code I was able to check what kind of permissions were being requested.
Turned out that the computer with the SDK installed was running the code from the Intranet group. While the computer without the SDK was running it from the Internet group. Both computers are on the domain with the same login credentials and running the code from a network drive, so I'm a bit perplexed as to what's causing the difference, however this provides a fix since none of the end users for the app will have the SDK. Problem worked around until I test it out a bit more ;) Thanks!
-JesseAnonymous
July 21, 2006
Shawn -
I want to use an ActiveX control written in C# 2.0 in an intranet ASP.NET application.
The control downloads fine on my computer, but only after I used the 2.0 Configuration tool to adjust my LocalIntranet zone security to FullTrust. My IE zone security setting for LocalIntranet is at the default, Medium-Low.
End users have the .NET 2.0 Framework installed, but not the 2.0 Configuration applet. Even if they did, we wouldn't want them to manually change their configuration.
What I'm wondering is how best to deploy security policy? Can we run CasPol on end user PC's to grant FullTrust to our intranet application? I have tried various combinations of parameters to CasPol, with no luck.
Thanks, MikeAnonymous
July 26, 2006
Caspol can be run on the users machine, or you can install the configuration wizard and push an MSI out to each of them. Since you're using ActiveX, ClickOnce won't help you out, but that's generally where I'll point people to shipping v2.0 apps off of a share.
-ShawnAnonymous
November 05, 2006
The comment has been removedAnonymous
November 06, 2006
Hi Dave, Normally you would use caspol -pp off to cause caspol to no longer prompt for confirmation. However, it appears that there is a bug where caspol does not respect that setting when adding an assembly to the full trust list. One workaround is that you could pre-populate the workstation's full trust lists with the msosec.dll assembly, since caspol will not prompt if the assembly is already on the list. -ShawnAnonymous
December 29, 2006
Awesome, very straight forward n clear explanation. Kudos to ShawnAnonymous
January 04, 2007
We used caspol.exe on a server functioning as Windows Terminal Services. caspol.exe was run on that server to grant full trust to an application on a second server. This worked fine for a while (and still does for most users). However, when we add new users to the domain and give them access to this machine, they cannot run the application (they get the "...has encountered a problem and needs..." message indicating that the trust does not exist. We have been unsuccessful getting any new users to be able to run the application. If we remove .Net 2.0, reinstall, no users can run the application. If we then run caspol.exe , the original set of users that could run the application can now run it again, but none of the new users can run it. Any ideas? -jeffAnonymous
January 10, 2007
Hi Jeff, One thought is that some users have modified their user-level security policy, and it is not granting the share full trust. If you check the user level policy in caspol: caspol -u -lg It should show that AllCode gets FullTrust and nothing else. You can also try caspol -all -rsg <path to assembly on server>, which will dump out the groups that the CLR is matching when resolving policy for your server. -ShawnAnonymous
January 17, 2007
How would one create a functioning grouppolicy for active directory use? We want to run a program from a share on 20 terminalservers, and i like to make just one setting :-)Anonymous
January 18, 2007
Hi Diederik, You'll need to use the MMC snap-in to export your security policy to an MSI file. (Right click on the security policy and export to MSI should be an option). Then you can deploy this MSI file to your domain. The MSI does not conatin any merge logic however, it will literally overwrite the existing security policy with a copy of the policy from your local machine. -ShawnAnonymous
February 27, 2007
Shawn just to be sure, so If I want to run a windows app over the network, I need to create a machine policy on that computer and then copy it to everyone pc that needs to access that program. Thanks IdrissAnonymous
March 09, 2007
Yep Idriss -- that's correct, you need to deploy that policy to every client machine that will run your application. Alternatively you could look at ClickOnce deployment, which does not rely on machine security policy. -ShawnAnonymous
March 15, 2007
The comment has been removedAnonymous
March 15, 2007
The comment has been removedAnonymous
March 16, 2007
Hi Shawn You solved my problem. Now I understand that copy and paste does not work sometimes in cmd. Learnt a lesson here. You are the man. Thanks SaiAnonymous
March 27, 2007
The comment has been removedAnonymous
March 29, 2007
Hi James, That will work, however caspol also has built-in functionality for that. If you do: caspol -pp off It will suppress the prompt as well. -ShawnAnonymous
April 02, 2007
Hello I need to run a VB.NET 2005 app as a logon script. Would it still be appropriate to grant "FullTrust" to the "\servernetlogon" share? OR is there a better way? Regards JohnAnonymous
April 09, 2007
Hi John, You could certainly do that if you trust your internal network. Another option would be to sign your scripts and trust the signature. -ShawnAnonymous
April 16, 2007
I am trying to do my first .net install. The program is to be used via a citrix environment. I have run the caspol settings on the .exe's computer however I get the security message still. How can I check to see where the security is being pulled from and can I check/run caspol when my program starts to set the appropriate security? Thanks!Anonymous
April 18, 2007
Hi David, Security policy must be updated on the machines that run the application, not the machine that hosts the application. Otherwise malware would just say "trust me, Evil.exe is trusted!". For the same reason, partial trust code cannot say "Hey, I'm trusted -- let me just elevate my permissions." Your best bet is to use ClickOnce to deploy your application. -ShawnAnonymous
April 20, 2007
Hi, we use Windows Vista 32bit EE or BE and tried caspool for our (web-)development shares. Even though the command itself works fine and the share is correctly in the list of trusted locations, whysoever VS2005 is still believing that the share isn't trusted?! Do you have an idea what else we can try? Thanks in advance, Ingo PS: We thought that somehow the domain policies might interfere and tried the same thing with a machine outside the domain but with proper access rights to the share - the result is the same.Anonymous
April 21, 2007
Recently I visited Toronto for Beta release of software I designed. As always with Beta versions, weAnonymous
April 30, 2007
The comment has been removedAnonymous
May 01, 2007
Hi there, We have recently installed .NET 2.0 to our web servers (3 in a cluster talking to a Network Share). We previously had to set each web server to have full trust permissions to the share for .NET 1.1 to work. However, it seems this has not helped for .NET 2.0 If i run: CasPol.exe -m -ag 1.2 -url file://ShawnFa-Srv/Tools/* FullTrust will this resolve the problem for .NET 2.0 or do I need to add more parameters to the CasPol.exe? What is interesting is that .NET 2.0 applications work if they are created as Web Sites in VS 2005 and not Web Projects (compiling to a BIN).Anonymous
May 07, 2007
Hi Shawn, I have a c# 2.0 exe which has some file IO commands where it checks whether a file is there (File.Exists). When I copy this exe on a network share and run it, I get this error Request for the permission of type 'System.Security.Permissions.FileIOPermission , mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' f ailed. I have given Full Trust like what you have specified and the command works great, why do I get this error messageAnonymous
May 07, 2007
Hi Srini, You get the error because by default Intranet applications do not have rights to check for files on the local machine. Once you elevate the permissions using caspol, it has permission and the code succeeds. -ShawnAnonymous
May 07, 2007
Hi Matt, You'll of course need to substitute \shawnfa-srvtools* with your own server and share :-) Since each CLR version has its own policy you'll need to make the changes to every version of the CLR (1.1, 2.0 32 bit, 2.0 64 bit) that you intend to run ASP.NET applications against. -ShawnAnonymous
May 07, 2007
The comment has been removedAnonymous
May 07, 2007
Hi Ingo, I've noticed that behavior too :-) Unfortunately VS isn't smart enough to do a policy resolution against your assembly (and it really can't since it doesn't know the full set of evidnece for the assembly until it is loaded). Because of that it will give you the warning whenever you load any code from a network share. If you've setup policy properly, it should be safe to ignore. -ShawnAnonymous
May 09, 2007
Hi, i'm getting error System.Security.SecurityException: Request for the permission of type 'System.Web.AspNetHostingPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed. can anybody help help me out by setting up security trust using caspol, i'm using asp.net 2.0 files resides on UNC network. Thanks in advance, A K SAnonymous
May 09, 2007
ASP.NET grants AspNetHostingPermission within AppDomains that it controls. That error indicates that you're attempting to access an API that is only meant to be accessed from within an ASP.NET application from outside ASP.NET. If you are in an ASP.NET application, another possibility is that the ASP.NET trust levels got corrupted and the hosting permission is no longer being granted there -- in that case you'll have to check the ASP.NET forums to find an ASP.NET expert that can help you reset your settings. -ShawnAnonymous
June 05, 2007
The comment has been removedAnonymous
February 25, 2009
I had alot of trouble getting this working, but it finally did when I used this command: caspol -q -machine -addgroup 1 -url file://z:/* FullTrust -name "Z Drive" caspol.exe is located at C:WINDOWSMicrosoft.NETFrameworkv2.0.50727 also you need to restart devenv.exe after doing this.Anonymous
March 21, 2009
Thank you "Full trust"! I've spent several hours on this, being in need of running .net assemblies from my development-server share. caspol -q -machine -addgroup 1 -url file://z:/* FullTrust -name "Z Drive" worked like a charm. Thank you again!Anonymous
April 27, 2009
hmm, what I miss and haven't been able to find anywhere on the net yet is a list of all possible trust levels. as for me, I'm trying to develop a script that automatically sets the trust level, problem is that I've managed to set it to full trust once and now my program on the net always works. I have not managed to set a smaller level that makes my program crash any more. But I need this to test my script. Can anybody help?Anonymous
May 10, 2009
Thank you very much it really worked i struggled around a day to fix thisAnonymous
May 14, 2009
The comment has been removedAnonymous
May 21, 2009
You shouldn't be using the full trust list to do this - as caspol is warning you, that list is no longer used as of v2.0 of the .NET Framework. Instead, you'll want to use one of the other options such as the URL membership condition that I show in the example. -ShawnAnonymous
May 21, 2009
The comment has been removedAnonymous
May 31, 2009
I'm running the Visual Studio 2008 in a VMWARE instance of Vista Ultimate and I have a mapped drive Projects (B:) that I'm trying to use caspol on to allow fulltrust for all projects I create. I've used: caspol -m -ag 1.2 -url file://B:* FullTrust I get the success and prompted for yes or no. Like normal not in that order. But when I fire up VS2008 again I still get the same issue when I create a new project. I've proceeded to restart the VMWARE instance same issue. I've also tried individually allow applications. caspol -m -ag 1.2 -url file://B:WebApplication99* FullTrust still same results..... Could you please advise? Thanks for any help you have.Anonymous
June 08, 2009
The comment has been removedAnonymous
June 16, 2009
I was wondering if it is possible to use Caspol to enable full trust for a folder for running a Access 2007 runtime app from. What I have done is created a click-once console app to extract an updated version of the access app to a local folder (c:hcprect) if IsFirstRun is true, otherwise it just uses System.Diagnostics.Process.Start to run the app using the runtime. However, on client machines that don't have full version of Access 2003/2007, i want to be able to set Full Trust via batch file maybe so they don't have to answer the dialog and click Open button. Is this possible? If I am in the wrong place let me know too! Thanks,Anonymous
June 28, 2009
Great blog entry ;) I miss the information how to remove this Full Trust entries. Is there a way doing that with CasPol? Please both ways (Full Trust to share and file). Thank you :)Anonymous
July 07, 2009
Hi Shawn- I'm running into an issue with CASPOL where if I run it as a user without administrator permissions it fails. My command is such: %SystemRoot%Microsoft.NETFrameworkv2.0.50727caspol -q -machine -addgroup 1. -url http://SERVERNAME/* FullTrust -name "APPName" What do I need to do to allow any user to run this command? Thanks -CipAnonymous
July 09, 2009
The comment has been removedAnonymous
July 15, 2009
The comment has been removedAnonymous
August 13, 2009
I have a .Net 2.0 app that a vendor has given me to deploy in our organization. They created an app that goes along with it that takes care of the caspol part, however, it needs to be run with admin permissions against a network drive. I've created an installer myself that will map a drive as a local admin, then apply the permissions but it's buggy and doesn't always work. I'd rather just run their application but all of our users have "power user" rights so they can't do it themselves. The command is: caspol -pp off -m -ag All_Code -url "file:// R:Programsimswincleardecisions* " FullTrust -n Network_Apps We're a novell shop that uses zenworks for deployments. Any help, like possibly using group policy instead, would be greatly appreciated. I'm not a .net programmer so my knowledge is limited.Anonymous
August 13, 2009
I did find this: http://www.codeproject.com/KB/dotnet/Using_MSI_or_a_strong_nam.aspx Seems to be what I need, but not sure. If it'll work I can just distribute that as an msi, but not sure since the "admin" account that will run it won't have an R drive mapped.Anonymous
September 04, 2009
I am trying to solve the trusted location issue when opening visual studio 2008 projects. When using CasPol.exe -m -ag 1.2 -url file://O:/* FullTrust I get the following: ERROR: Runtime error: Access denied. You might now have administrative credentials to perform this tast. Contact your system administrator for assistance. This is on a new Windows 7 installation, not sure if that has anything to do with it or not.Anonymous
October 09, 2009
The comment has been removedAnonymous
November 05, 2009
In order to diagnose a security exception, having the full exception text and call stack is useful - this way we can figure out who was demanding what. -ShawnAnonymous
November 05, 2009
Dylan - CAS sits on top of NT security, so if you are getting an access denied trying to perform an operation, that cannot be fixed with Caspol. Instead, you'll need to ensure that your user account has permission to write to the machine wide CAS settings file. Make sure you're attempting this operaiton from an elevated command prompt, otherwise it won't succeed. -ShawnAnonymous
November 05, 2009
Suyambu - Check out ClickOnce deployment for applications. In a ClickOnce application, the application declares what permissions it needs (for instance FullTrust), and will be guaranteed to either run with those permissions or not run at all. -ShawnAnonymous
November 05, 2009
The comment has been removedAnonymous
November 05, 2009
Cip - that requires admin privilege because that command modifies the security settings for the entire machine. Modification to machine wide security state is not allowed by unprivileged users. -ShawnAnonymous
January 22, 2010
Thank you, thank you, thank you. We had an oddball problem I still can't explain...We are migrating from one build server to another. We have a shared libraries directory on a DFS share where common pre-compiles assemblies come from. When we checkout from old server and compile, it works perfectly. Copy that code to new server and it compiles perfectly, too. Checkout from the second server and we get the permissions error. Took 3 tries, but Cspol fixed it C:WINDOWSMicrosoft.NETFrameworkv2.0.50727>caspol -q -machine -addgroup 1 -ur l file://\mysharesubdiranothersubdirsharedlibs/* FullTrust -name "Sharedlib" .Anonymous
February 24, 2010
Hi Jeff, My guess is that Windows was mapping the Zone to something unexpected. You can figure out what groups the file is matching by running caspol -rsg \mysharesubdiranothersibdirsharedlibsassembly.dll Which may shed some light for you. -ShawnAnonymous
March 05, 2010
YAY!! Solved it! Okay, so if you are using Microsoft practices/application blocks for logging, make sure the assemblies have been correctly installed using the installutil.exe. I have a rather lengthy scripted setup for creating the dev environment for this web 1.1 application and it seems I left out the full path to the installutil.exe. I discovered the issue by putting Process Monitor to work and seeing that a reg key for the distributed logging was missing. Made me think something was up with the installation of the app block. Checked the batch file for this and realized the full path was missing off the installutil.exe. Anyhow, guess I really should properly log the install so that I can check the results for failure. Thanks! ~ Adam (http://adamcox.net)Anonymous
December 02, 2010
Thanks a lot Shawn, it resolved my issue after I run the caspol command.Anonymous
April 01, 2013
The comment has been removed