ASP.NET VERSIONS: 1.1
Permission to Trust
Custom ASP.NET Trust Levels
By Don Kiely
In my last column (Play It Safe) I discussed how ASP.NET implements various trust levels. It uses config files to pre-define various levels, ranging from Minimal to Full Trust. There is nothing magic about these levels; a level is simply a pre-defined set of permissions that define what protected resources your application can access, as well as limitations on access that are specific to each type of resource.
The pre-defined trust levels are probably fine for some kinds of intranet applications for which you don t have to worry too much about protecting valuable resources. But because none of them provide an exactly correct set of restricted and unrestricted permissions, you can t use any of the pre-defined levels without leaving open unnecessary security holes. The critical principal of least privilege mandates that you give an application the minimum set of restricted permissions it needs to run, and no more, for the shortest possible time. As hackers become increasingly clever in their attacks, any production application needs to have a well-defined, custom trust level defined and implemented.
Fortunately, this is relatively easy to do, once you have defined the minimum set of permissions your application requires. With that list, the easiest way to get started is to steal one of the pre-defined config files. For the sake of example, I ll start with web_minimaltrust.config, which defines the Minimal Trust Level. Because this level already has close to the minimum permissions necessary for an ASP.NET application, all you have to do is add the new permissions you need. (By the way, you might notice a security.config file in your framework config files. This is the main file used to define the Machine security for .NET code access security. Those settings are relevant to any .NET code that runs on the machine, but is not directly relevant to defining custom ASP.NET trust levels. For the record, however, creating a custom trust level is implementing the AppDomain policy level for an application.)
Copy web_minimaltrust.config and create a new file with a different name, such as MyCustomTrustLevel.config. Open it in the XML or text editor of your choice and begin hacking. Let s say that the only real resource that my application has to access is the e:\weblog directory to read and write custom log files. Start by adding the FileIOPermission to the SecurityClass section:
mscorlib, Version=1.0.5000.0, Culture=neutral,
This defines the .NET Framework class that contains the FileIOPermission class, identifying it through its strong name.
Next, add a restricted file I/O permission to the ASP.NET named permission set. This is the collection of permissions included with the AppDomain used by the Common Language Runtime to determine the actual permissions your ASP.NET assembly has at run time. In this case, we only want the application to be able to access e:\Weblog:
<IPermission class="FileIOPermission" version="1"
Read="e:\weblog" Write="e:\weblog" Append="e:\weblog"
Save the file. By convention, put it in the CONFIG directory with the other config files.
Next, you must insert the custom trust level in machine.config. Add a new <trustLevel> element to the securityPolicy section:
<trustLevel name="Full" policyFile="internal"/>
<trustLevel name="High" policyFile="web_hightrust.config"/>
<trustLevel name="Medium" policyFile="web_mediumtrust.config"/>
<trustLevel name="Low" policyFile="web_lowtrust.config"/>
<trustLevel name="Minimal" policyFile="web_minimaltrust.config"/>
<trustLevel name="MyCustom" policyFile="MyCustomTrustLevel.config"/>
<!-- level="[Full|High|Medium|Low|Minimal]" -->
<trust level="Full" originUrl=""/>
Name the trust level any legal XML name; this is how you ll reference the name in your application s web.config file. You can also change the level attribute of the <trust> element to use your custom level by default. If you aren t going to use any of the built-in levels on this machine, feel free to delete those <trustLevel> elements.
Finally, specify your custom trust level for your application in its web.config file:
<trust level="MyCustom" originUrl=""/>
The most difficult part of defining a custom trust level, besides establishing the permission set your application requires, is deploying the config files. It requires both modifying built-in files (machine.config) and installing new files in the proper location, then hooking your application into the custom level.
Voil ! You have now have taken a big step toward a secure ASP.NET application by locking it down and removing extraneous permissions. You still have a lot of work to do to have a secure application, though, and I ll talk more about that in coming columns.
In the next installment I ll look at the difference between restricted and unrestricted permissions, as well as how to define them for your applications.
Don Kiely is senior technology consultant for Information Insights, a business and technology consultancy in Fairbanks, AK. E-mail him at mailto:[email protected].