ASP.NET VERSIONS: 1.1
Play It Safe
Partially Trusted ASP.NET Apps
By Don Kiely
By default, all ASP.NET applications run with full trust. But full trust essentially tells the Common Language Runtime (CLR), "Trust this code. Don't check for permissions. Even if the code tells you to turn off security features that you normally use to maintain tight protection against the bad guys, do it without question. Circumvent every protection you natively use to protect this server; turn it off." The only thing limiting any malicious intent your code might have is whatever the system admins have set in the operating system, since the CLR doesn't and can't circumvent operating system restrictions.
Hmm. This doesn't sound like the best security environment for your .NET applications, or any applications for that matter. But by default, ASP.NET applications run with full trust. In version 1.0 you had no option to run with anything but full trust, which opened your Web applications to all kinds of evil code. In version 1.1 the default is still full trust, but you can change it. And you most certainly should for production applications!
Understanding how the trust system works in ASP.NET 1.1 requires that you spelunk the configuration files installed with a default ASP.NET 1.1 installation. You can find the files in C:\WINDOWS\Microsoft.NET\Framework\[version]\CONFIG, where for version 1.1 [version] is v1.1.4322. Starting with machine.config, you'll find this section, which provides the default trust levels for all ASP.NET applications on the server:
    <location allowOverride="true">
        <system.web>
            <securityPolicy>
                <trustLevel name="Full" policyFile="internal"/>
                <trustLevel name="High" policyFile="web_hightrust.config"/>
                <trustLevel name="Medium" policyFile="web_mediumtrust.config"/>
                <trustLevel name="Low" policyFile="web_lowtrust.config"/>
                <trustLevel name="Minimal" policyFile="web_minimaltrust.config"/>
            </securityPolicy>
            <!-- level="[Full|High|Medium|Low|Minimal]" -->
            <trust level="Full" originUrl=""/>
        </system.web>
    </location>
The <securityPolicy> element defines the trust levels available by default. The <trust> element then specifies the default trust level for all applications. But notice that the <location> element has the allowOverride attribute set to true. This means that you can specify a different trust level for individual ASP.NET applications installed on this server.
Each successive trust level in the list dramatically reduces the permissions available to Web applications. Full trust has the policyFile attribute set to internal. This is because full trust essentially shuts off code access security for the application, meaning that the code can do anything that any .NET code can do. Anything at all! So no additional policy information is required.
The other trust levels each specify a config file that holds the details of the permissions available to apps with that trust level. For example, navigate to C:\WINDOWS\Microsoft.NET\Framework\[version]\CONFIG and open web_mediumtrust.config in your favorite XML or text editor. Ready? You'll see a <SecurityClasses> element that looks like this:
    <SecurityClasses>
        <SecurityClass Name="AllMembershipCondition" Description="System.Security.Policy.AllMembershipCondition, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
        <SecurityClass Name="AspNetHostingPermission" Description="System.Web.AspNetHostingPermission, System, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
        <SecurityClass Name="DnsPermission" Description="System.Net.DnsPermission, System, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
        <SecurityClass Name="EnvironmentPermission" Description="System.Security.Permissions.EnvironmentPermission, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
        <SecurityClass Name="FileIOPermission" Description="System.Security.Permissions.FileIOPermission, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
    </SecurityClasses>
This section lists the permissions that medium trust ASP.NET applications have. If you look through the rest of the web_mediumtrust.config file, you'll see that it specifies for each permission whether it is restricted or unrestricted. (I'll cover restricted and unrestricted permissions in a future column. For now, you should know that an application can have an unrestricted permission to do something, such as read or write files anywhere on the local hard drives, or a restricted permission, such as to only read files from a specific directory.) Each of the trust levels specifies a unique set of permissions, spanning the range from unlimited permissions (full trust) to almost no permissions (minimal trust).
So what should you glean from all this?
1) these are text files;
2) text files are easily editable; and
3) you can therefore create your own trust levels.
By the decades-old principle of least privilege, in which a user or application should have exactly the permissions it requires to run or do its job and absolutely no more, NONE OF THE PRE-DEFINED TRUST LEVELS ARE SUITABLE FOR ANY APP!!! This means that for any production application you should, and MUST, define a custom trust level. I'll explore how to do that next time.
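As an added example that is not from the column, here is how the pieces described above fit together: a custom policy file, its registration in machine.config, and an application's web.config that selects a level. The file name web_customtrust.config, the level name Custom, and the specific permission values are my assumptions; the $AppDir$ token and the ASP.Net named permission set are what the shipped policy files use.

```xml
<!-- 1. CONFIG\web_customtrust.config: start from a copy of web_mediumtrust.config
        and tighten the ASP.Net named permission set. Only the permissions that
        differ from the copy are shown; everything else stays as copied. -->
<PermissionSet class="NamedPermissionSet" version="1" Name="ASP.Net">
    <!-- Restricted: read-only access to the application's own directory.
         ASP.NET replaces $AppDir$ with the application root when the policy loads.
         Medium trust also grants Write and Append here; this level does not. -->
    <IPermission class="FileIOPermission" version="1"
                 Read="$AppDir$" PathDiscovery="$AppDir$"/>
    <!-- Restricted: only the environment variables the application reads (assumed set) -->
    <IPermission class="EnvironmentPermission" version="1" Read="TEMP;TMP"/>
    <!-- Unrestricted: the application must resolve host names, so DNS stays open -->
    <IPermission class="DnsPermission" version="1" Unrestricted="true"/>
    <!-- Tells ASP.NET itself which hosting level this policy corresponds to -->
    <IPermission class="AspNetHostingPermission" version="1" Level="Medium"/>
</PermissionSet>

<!-- 2. machine.config: register the new level beside the built-in ones and make it
        the server-wide default. Change allowOverride to "false" once every
        application on the box runs at this level; an application's web.config
        can then no longer raise its own trust. -->
<location allowOverride="true">
    <system.web>
        <securityPolicy>
            <trustLevel name="Full" policyFile="internal"/>
            <trustLevel name="High" policyFile="web_hightrust.config"/>
            <trustLevel name="Medium" policyFile="web_mediumtrust.config"/>
            <trustLevel name="Low" policyFile="web_lowtrust.config"/>
            <trustLevel name="Minimal" policyFile="web_minimaltrust.config"/>
            <trustLevel name="Custom" policyFile="web_customtrust.config"/>
        </securityPolicy>
        <trust level="Custom" originUrl=""/>
    </system.web>
</location>

<!-- 3. web.config of one application that needs the stock Medium level instead
        (for example, because it writes uploads into its own directory).
        This only takes effect while allowOverride above is "true". -->
<configuration>
    <system.web>
        <trust level="Medium" originUrl=""/>
    </system.web>
</configuration>
```

Any assembly the application calls that demands a permission the custom set omits fails with a SecurityException at that call, which is the point: the failure is visible and local rather than silently permitted.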
In the meantime, practice safe apps!
Don Kiely is senior technology consultant for Information Insights, a business and technology consultancy in Fairbanks, AK. E-mail him at mailto:[email protected].