I'm setting a .NET Framework security policy to run a smart document using location evidence. The smart document resides on a network share. If I set the policy under Machine in the .NET Runtime Security Policy, the smart document runs fine; however, if I set the policy under User, it doesn't run. Furthermore, if the document is local it runs fine with the policy set under User; it only fails when the smart document is on a network share.

So, my question is: how can I set up a .NET policy under User to run a smart document that is on a network share using location evidence?

The policy needs to be under User because the users running the install don't have administrator rights on their workstations, so they don't have privileges to set a policy under Machine. I'm using VS 2003 and VSTO 2003.

Thanks a lot!
Ram

Hi

The following command adds a child code group that gives the share \\netserver\netshare local intranet permissions.

    caspol -machine -addgroup 1. -url \\netserver\netshare\* LocalIntranet

Code Access Security Policy Tool (Caspol.exe)
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cptools/html/cpgrfcodeaccesssecuritypolicyutilitycaspolexe.asp

892465 How to run a managed assembly from a local intranet share and how to make security changes if the assembly requires more permissions in the .NET Framework
http://support.microsoft.com/default.aspx?scid=kb;EN-US;892465

NET Framework Configuration Tool (Mscorcfg.msc)
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cptools/html/cpconnetframeworkadministrationtoolmscorcfgmsc.asp

Best regards,

Peter Huang
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.

Peter:

Thank you for your response. The problem I'm having is that the users running my setup are not admins, so they don't have rights to add a child code group under Machine. They only can add groups under User. However, when adding the new policy under User the application is failing to run due to permissions. I need a way to run my smart document from a network share with a policy added under the User group.

Thanks a lot for your help, and if you need any more info please let me know.
Ram

""Peter Huang" [MSFT]" wrote:

> Hi
>
> The following command adds a child code group that gives the share
> \\netserver\netshare local intranet permissions.
> caspol -machine -addgroup 1. -url \\netserver\netshare\* LocalIntranet
>
> Code Access Security Policy Tool (Caspol.exe)
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cptools/html/cpgrfcodeaccesssecuritypolicyutilitycaspolexe.asp
>
> 892465 How to run a managed assembly from a local intranet share and how to
> make security changes if the assembly requires more permissions in the .NET
> Framework
> http://support.microsoft.com/default.aspx?scid=kb;EN-US;892465
>
> NET Framework Configuration Tool (Mscorcfg.msc)
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cptools/html/cpconnetframeworkadministrationtoolmscorcfgmsc.asp
>
> Best regards,
>
> Peter Huang
> Microsoft Online Partner Support
>
> Get Secure! - www.microsoft.com/security
> This posting is provided "AS IS" with no warranties, and confers no rights.

Hi Ram,

I think you need to ask the admin to set the .NET security setting for the user to trust the shared folder. And then the user can have the rights. This is how we manage a computer: the admin should have the most power to adjust the computer and to restrict the users to their correct rights. Otherwise, a user who can set security to full trust will make the security policy vulnerable.

And that is why we commonly use the admin account to install software onto the machine, and the end user just uses the software. It is the administrator's job to make sure the software is running in a well-configured environment.

Best regards,

Peter Huang
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.

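An added diagnostic example, not part of Peter's reply or of Microsoft's documentation: the .NET Framework grants an assembly the intersection of what the Enterprise, Machine and User policy levels each allow, so a User-level code group cannot raise the grant above what Machine gives the share. The commands below show which level is the limiting one; the assembly name MySmartDoc.dll is a placeholder, and the share path is the one used in the thread.

```bat
@echo off
rem Added example (not from the thread). Run as the affected non-admin user
rem from a command prompt where caspol.exe is on the PATH.
rem ASSEMBLY is a placeholder: substitute the smart document's own assembly.
set "ASSEMBLY=\\netserver\netshare\MySmartDoc.dll"

rem 1. Which code groups does the assembly match at each level?
rem    A UNC share normally matches only the intranet zone group at Machine
rem    level unless an administrator has added a -url group for it.
caspol -machine -resolvegroup "%ASSEMBLY%"
caspol -user -resolvegroup "%ASSEMBLY%"

rem 2. What would each level grant on its own?
caspol -machine -resolveperm "%ASSEMBLY%"
caspol -user -resolveperm "%ASSEMBLY%"

rem 3. What is granted when Enterprise, Machine and User are resolved together?
rem    This is the grant the assembly actually runs with.
caspol -all -resolveperm "%ASSEMBLY%"
```

If step 2 shows a restricted grant at Machine level and a broader one at User level, the Machine level is the limit, and changing it requires the administrator rights discussed in the reply above.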
Peter:

Thank you for your response and follow-up to my problem. In my case an automated setup is setting the security policy; the user doesn't even realize he/she is changing the .NET security configuration. As I said, when the application is installed locally it runs fine; the only problem is when the user installs to a network share. My client insists on having a regular user run the setup to execute the application from a network share.

Could you confirm if there is a way to do this or if it is just not possible?

Thanks a lot!
Ram

""Peter Huang" [MSFT]" wrote:

> Hi Ram,
>
> I think you need to ask the admin to set the .NET security setting for the
> user to trust the shared folder. And then the user can have the rights.
> This is how we manage a computer: the admin should have the most power to
> adjust the computer and to restrict the users to their correct rights.
> Otherwise, a user who can set security to full trust will make the
> security policy vulnerable.
>
> And that is why we commonly use the admin account to install software onto
> the machine, and the end user just uses the software. It is the
> administrator's job to make sure the software is running in a
> well-configured environment.
>
> Best regards,
>
> Peter Huang
> Microsoft Online Partner Support
>
> Get Secure! - www.microsoft.com/security
> This posting is provided "AS IS" with no warranties, and confers no rights.

Hi Ram,

It seems that you have posted a new thread in this newsgroup with the title "Setting CAS policy for a network share". I have replied in that thread; you can go and take a look.

If you still have any concerns, please feel free to post here.

Best regards,

Peter Huang
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.