Which Package are the Security Tools In?

When installing the v2.0 .NET redist package, you'll find that the .Net Configuration MMC snap-in is missing.  As of v2.0, we've moved this tool to the SDK package, which you can download here: [x86] [x64] [IA64].

The split of security tools between the redist and SDK is:


  • Caspol


  • .NET Configuration Snapin
  • CertMgr
  • MakeCert
  • PermCalc
  • PEVerify
  • SN
  • SecUtil
  • SignTool

Incidentally, the CLR team doesn't own CertMgr, MakeCert, or SignTool even though they ship in the SDK.

Comments (13)

  1. Richard says:

    GacUtil has also moved from the Redist to the SDK. As a result, there is no way to manage the GAC on a machine without the SDK installed.

  2. Right.  GAC administration is not an end-user scenario.  Applications should be using an installer such as MSI to install their assemblies to the GAC.


  3. CoqBlog says:

    Vous savez, le snap-in MMC de configuration du Framework (mscorcfg.msc pour les intimes) que vous trouviez…

  4. Tyrven says:

    Is there a simple way of installing these on a server without downloading/installing the SDK?

  5. Hi Tyrven,

    The SDK license does not allow for you to distribute the tools outside of the SDK, so you will have to download the entire package.


  6. Sarath says:

    Why the security config tool moved from redist to SDK? i have client machines having framework only. now they have to install entire SDK(which comes enormous 350 mb) just for configuring security to access the server.

  7. Every client machine will have the caspol tool, so you can push out a script which automates the process.  You can also create an MSI file with the SDK tool on your machine and push that out to each client machine.


  8. Marc says:

    Well i’ve been spending the last hour to find a solution to run an application from a network drive using the Framework 2.0

    I would like to give the application full rights, which i can manage in the SDK but users i want the application to use simply cannot.

    How can i work around this without having to install the entire SDK?

  9. Well, the easiest way in v2.0 is to use ClickOnce.  If you’re on v1.x or ClickOnce isn’t an option, then you can use the SDK MMC snap-in to generate an MSI package out of your security policy, and ship that to end users.  Finally, you could provide them a script that utilizes caspol, which is in the redist, to update your policy settings.


  10. VasekB says:

    how to leave Users to set Admin config task:

    \serversharerunas.exe /user:axa-assistanceadmin-username "\serversharecaspol -cg 1.2 FullTrust" | \serversharesanur.exe admin-password

  11. The .NET Framework SDK ships with a MMC Snap-In which enables you to, among other things, avoid using

  12. Kevin Dente says:

    I too think removing the security configuration applet from the redist was  a big mistake.

  13. Steve Harding says:

    We already install using a caspol script.  However, we have many hundreds of customers, and when our support team needs to troubleshoot the .NET security config, they cannot!

    Once again, thanks MS for making my life harder than it should be!

Skip to main content