Customizable CAS Defaults

  • Article

One of the nicer new Whidbey features, at least from an admin standpoint, is the ability to customize the default CAS settings.  On v1.0 and 1.1 of the framework running caspol -all -reset resulted in the security policy being reset to hardcoded defaults.  Whidbey will allow users to change what caspol -all -reset means.

This is achieved through the use of a security.config.default file, located in your %WINDIR%\Microsoft.NET\Framework\v2.0.xxxx\config directory.  The security.config.default file is actually just an XML snapshot of the security policy you'd like applied as the default policy.

Since this is the same format as the standard security.config file, there's a very easy way to create your security.config.default file.  First, customize your security policy to your liking.  This can be done either with the MMC snapin or through caspol itself.  Then copy the security.config file to security.config.default.  That's all there is to it!   No matter what you do to your policy, you can always get your settings back by running a caspol -all -reset.

I find this feature especially useful, since I have a ton of managed utilities on a network share.  Since I install new builds of the CLR almost daily, I modified my install script to run a:

CasPol.exe -pp off -m -ag 1.2 -url * FullTrust

after every install.  This works out nicely, except that as a member of the security team I'm often mucking with policy or running tests that change the way the policy is laid out.  To fix that problem, the next line of my install script after I add my custom group through caspol is just a copy of security.config to security.config.default.

It's not the sexiest feature in the world, but I find that it is a rather nice feature to have the option of using.