.NET Security and the Framework Configuration Tool
Although Internet Explorer allows you to configure some of the security settings for .NET applications, it does not provide a comprehensive list of things that you can allow or deny to .NET applications.
To get access to the full range of security options available to .NET applications, you need to use the .NET Framework Configuration Tool. This tool is part of the .NET Framework (not VS.NET), which means that every user with the .NET Framework installed has the Configuration Tool installed as well. To launch it, go to the Windows Control Panel, select Administrative Tools, then choose Microsoft .NET Framework Configuration.
Using this tool, you can configure .NET Security Policies and decide what locations you want to trust and the degree of privileges that a location will receive.
Figure 8: Using the .NET Framework Configuration Tool to configure Code Groups and Permission Sets
A complete explanation of .NET Security Policies and the tools to configure them is beyond the scope of this article. But let's take a brief tour of how to use the .NET Framework Configuration Tool to configure Code Groups and Permission Sets (Figure 8).
In Code Groups, you categorize which code is to be trusted and which code is to be denied access. You can probably recognize that the predefined code groups in Figure 8 correspond to the Zones that you saw in the Internet Explorer Security Setting.
Permission Sets are a means to assemble various permissions under a single name. For example, Figure 9 shows the permissions assigned by default to the LocalIntranet and Internet Permission Sets.
Figure 9: Default permission sets
Figure 10: Defining custom Code Groups and Permission Sets
You can define custom Code Groups and Permission Sets by right-clicking in the appropriate node. For example, follow these steps to give full trust to code coming from URL http://127.0.0.1 so that the previous example does not raise any security errors:
- Open the Code Groups branch, right-click on the All_Code branch and select New (see Figure 10).
- Enter a name for the new Code Group, perhaps MyCodeGroupFor127, and then click Next.
- Select URL as the condition type for the code group and enter http://127.0.0.1/* as the URL to trust (see Figure 11), and then click Next.
- Finally, select Full Trust (see Figure 12), and click Next and then Finish.
Figure 11: Choosing a URL condition type for a code group
Figure 12: Assigning a permission set to a code group
Now, if you go back to Internet Explorer and launch the loader.exe program with the URL http://127.0.0.1/CodeDownloadDemo/Loader.exe, the application will run without security problems. You can even go to the File menu, and then launch the Employee Form and load Employee data with no problems.
In the previous example, you gave Full Trust to a URL. This is not a problem for a demo, but in production environments you need to be more selective and give locations the minimal permissions required in order for them to work properly. Your network administrator will probably not let you grant permissions otherwise.
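As an added example (not code from the original article), the following C# program does in code what the wizard steps above do, but attaches a narrow custom Permission Set to a URL condition limited to the application folder instead of granting Full Trust to the whole host. The group name, the permission set name, the folder-level URL scope and the three permissions chosen are assumptions; replace them with what your application actually demands.

```csharp
using System;
using System.Collections;
using System.Net;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;
using System.Text.RegularExpressions;
// Added example: a scoped alternative to the Full Trust code group.
// GroupName, SetName, the URL scope and the chosen permissions are assumptions.
class ScopedCodeGroup
{
    const string GroupName = "MyScopedGroupFor127";
    const string SetName = "CodeDownloadDemoMinimal";
    static void Main()
    {
        // Locate the Machine policy level, the one that holds All_Code.
        PolicyLevel machine = null;
        IEnumerator levels = SecurityManager.PolicyHierarchy();
        while (levels.MoveNext())
        {
            PolicyLevel level = (PolicyLevel)levels.Current;
            if (level.Label == "Machine") machine = level;
        }
        if (machine == null) throw new InvalidOperationException("Machine level not found");
        // Permission set: execute, show UI, connect back to the origin only.
        NamedPermissionSet set = new NamedPermissionSet(SetName, PermissionState.None);
        set.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
        set.AddPermission(new UIPermission(PermissionState.Unrestricted));
        set.AddPermission(new WebPermission(NetworkAccess.Connect,
            new Regex(@"http://127\.0\.0\.1/CodeDownloadDemo/.*")));
        if (machine.GetNamedPermissionSet(SetName) == null)
            machine.AddNamedPermissionSet(set);
        else
            machine.ChangeNamedPermissionSet(SetName, set);
        // Code group: URL condition narrowed to the application folder.
        CodeGroup root = machine.RootCodeGroup;
        CodeGroup existing = null;
        foreach (CodeGroup child in root.Children)
            if (child.Name == GroupName) existing = child;
        if (existing != null) root.RemoveChild(existing);   // keep re-runs idempotent
        CodeGroup group = new UnionCodeGroup(
            new UrlMembershipCondition("http://127.0.0.1/CodeDownloadDemo/*"),
            new PolicyStatement(set));
        group.Name = GroupName;
        root.AddChild(group);
        machine.RootCodeGroup = root;
        SecurityManager.SavePolicyLevel(machine);           // persists the policy file
    }
}
```

Saving the Machine policy level requires administrative rights. The new group and permission set then appear in the Configuration Tool under Code Groups and Permission Sets, where you can inspect or remove them.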
I highly encourage you to play with this configuration tool and learn how to create groups and permission sets that will match your particular security requirements.