What to do when CasPol throws SecurityExceptions

CasPol is written in managed code, and as such is subject to the CLR’s security policy system just like any other piece of managed code.  Generally this is not a problem for it, since it is granted FullTrust by two separate code groups in the default policy, the MyComputer code group and the Microsoft strong name code group.

C:\WINDOWS\Microsoft.NET\Framework\v2.0.40607>caspol -rsg caspol.exe
Microsoft (R) .NET Framework CasPol 2.0.40607.16
Copyright (C) Microsoft Corporation. All rights reserved.

Level = Enterprise

Code Groups:

1. All code: FullTrust

Level = Machine

Code Groups:

1. All code: Nothing
   1.1. Zone – MyComputer: FullTrust
      1.1.1. StrongName – 00240000048000009400000006020000002400005253413100040
      A12436518206DC093344D5AD293: FullTrust

Level = User

Code Groups:

1. All code: FullTrust


Even if a local administrator has decided not to blindly grant FullTrust to all code living on the local machine, CasPol will still be given FullTrust via code group 1.1.1.  But what if that code group were to also stop granting FullTrust?  At that point, your managed apps would be in a world of hurt, including CasPol.  In fact, depending on the final grant set, CasPol would be likely unable to work itself.  Because of this issue, CasPol will actually resist any attempts to put the policy in this state:

C:\WINDOWS\Microsoft.NET\Framework\v2.0.40607>caspol -cg 1.1 Internet -cg 1.1.1 Internet
Microsoft (R) .NET Framework CasPol 2.0.40607.16
Copyright (C) Microsoft Corporation. All rights reserved.

The operation you are performing will alter security policy.
Are you sure you want to perform this operation? (yes/no)
Changed code group permission set to “Internet” in the Machine level.
This operation will make some or all caspol functionality cease to work. If you are sure you want to do this operation, use the ‘-force’ option before the option you just executed. For example:
    caspol -force -machine -remgroup 1.6

Policy save aborted.

However, if you do pass the -force switch to CasPol, or through your own code, or any other mechanism get the policy to a state where CasPol cannot recover it, don’t worry … there’s still a way to get your machine into a valid state without reinstalling the framework.

All you need to do is delete the security policy from your disk.  As an Administrator delete %WINDIR%\Microsoft.NET\Framework\<version directory>\config\Security.config and Security.config.cch.  This will remove the machine level policy.  Then, run caspol -all -reset in order to put back the default policy …. otherwise you’ll be in a state where you grant FullTrust to all code (assuming you have no code groups on other policy levels).

Comments (5)

  1. Peter Torr says:

    Another way to do this is to install a 3rd party membership condition, add a rule to policy that uses it, and then delete the assembly from the GAC. Things start to break at that point, for obvious reasons 😉

  2. David Molnar says:

    "[if the configuration files are missing] you’ll be in a state where you grant FullTrust to all code (assuming you have no code groups on other policy levels)"

    This seems like a potentially dangerous behavior. What if I can trick the user into deleting Security.config and Security.config.cch before running some mobile code? It seems like then the code would then have FullTrust permissions, regardless of what the user thought the security policy should be or what the default policy should be.

    Why not refuse to execute in this condition and emit an error message asking the user to run caspol -all -reset ?

  3. Shawn says:

    Hi David,

    The ACLs on the enterprise and machine policy levels (where all of the default policy is stored on NT based machines), are such that non-administrators do not have permission to edit or delete them.

    If the user has administrative privileges on the machine, and you can trick them into deleting their security configuration files before running your code, then you’ve esentially already won. There are probably many other things that you could trick the user into doing at that point as well.


  4. Shawn says:

    Good point Peter — I’ve been planning on doing a piece on what the FullTrust list is and why its necessary … this will be a good starting point for that.