Secure ASP.NET
LANGUAGES: ALL
ASP.NET VERSIONS: 1.1
Permission to Trust
Custom ASP.NET Trust Levels
By Don Kiely
In my last column (Play It Safe) I discussed how ASP.NET implements various trust levels. It uses config files to pre-define various levels, ranging from Minimal to Full Trust. There is nothing magic about these levels; a level is simply a pre-defined set of permissions that define what protected resources your application can access, as well as limitations on access that are specific to each type of resource.
The pre-defined trust levels are probably fine for some kinds of intranet applications for which you don't have to worry too much about protecting valuable resources. But because none of them provide an exactly correct set of restricted and unrestricted permissions, you can't use any of the pre-defined levels without leaving open unnecessary security holes. The critical principle of least privilege mandates that you give an application the minimum set of restricted permissions it needs to run, and no more, for the shortest possible time. As hackers become increasingly clever in their attacks, any production application needs to have a well-defined, custom trust level defined and implemented.
Fortunately, this is relatively easy to do, once you have defined the minimum set of permissions your application requires. With that list, the easiest way to get started is to steal one of the pre-defined config files. For the sake of example, I'll start with web_minimaltrust.config, which defines the Minimal Trust Level. Because this level already has close to the minimum permissions necessary for an ASP.NET application, all you have to do is add the new permissions you need. (By the way, you might notice a security.config file in your framework config files. This is the main file used to define the Machine policy level for .NET code access security. Those settings are relevant to any .NET code that runs on the machine, but they are not directly relevant to defining custom ASP.NET trust levels. For the record, however, creating a custom trust level is implementing the AppDomain policy level for an application.)
Copy web_minimaltrust.config and create a new file with a different name, such as MyCustomTrustLevel.config. Open it in the XML or text editor of your choice and begin hacking. Let's say that the only real resource that my application has to access is the e:\weblog directory to read and write custom log files. Start by adding the FileIOPermission to the SecurityClasses section:
    <SecurityClass Name="FileIOPermission"
        Description="System.Security.Permissions.FileIOPermission,
        mscorlib, Version=1.0.5000.0, Culture=neutral,
        PublicKeyToken=b77a5c561934e089"/>
This tells the policy which .NET Framework type implements FileIOPermission, identifying it through the strong name of the assembly (mscorlib) that contains it.
Next, add a restricted file I/O permission to the ASP.NET named permission set. This is the collection of permissions included with the AppDomain used by the Common Language Runtime to determine the actual permissions your ASP.NET assembly has at run time. In this case, we only want the application to be able to access e:\weblog:
    <IPermission class="FileIOPermission" version="1"
        Read="e:\weblog" Write="e:\weblog" Append="e:\weblog"
        PathDiscovery="e:\weblog"/>
Save the file. By convention, put it in the CONFIG directory with the other config files.
Next, you must insert the custom trust level in machine.config. Add a new <trustLevel> element to the securityPolicy section:
    <system.web>
        <securityPolicy>
            <trustLevel name="Full" policyFile="internal"/>
            <trustLevel name="High" policyFile="web_hightrust.config"/>
            <trustLevel name="Medium" policyFile="web_mediumtrust.config"/>
            <trustLevel name="Low" policyFile="web_lowtrust.config"/>
            <trustLevel name="Minimal" policyFile="web_minimaltrust.config"/>
            <trustLevel name="MyCustom" policyFile="MyCustomTrustLevel.config"/>
        </securityPolicy>
        <!-- level="[Full|High|Medium|Low|Minimal]" -->
        <trust level="Full" originUrl=""/>
    </system.web>
Name the trust level any legal XML name; this is how you'll reference the level in your application's web.config file. You can also change the level attribute of the <trust> element to use your custom level by default. If you aren't going to use any of the built-in levels on this machine, feel free to delete those <trustLevel> elements.
Finally, specify your custom trust level for your application in its web.config file:
    <system.web>
        <trust level="MyCustom" originUrl=""/>
    </system.web>
The most difficult part of defining a custom trust level, besides establishing the permission set your application requires, is deploying the config files. It requires both modifying built-in files (machine.config) and installing new files in the proper location, then hooking your application into the custom level.
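As an added example (not code from the column), here is a small Python audit of a policy file such as MyCustomTrustLevel.config. It checks the ASP.Net named permission set for the two mistakes that undermine the procedure above, an IPermission whose short class name has no SecurityClass entry and a permission granted Unrestricted, and lists the paths a FileIOPermission actually grants. The embedded policy XML is a constructed sample laid out like web_minimaltrust.config; only the FileIOPermission entries are the column's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample laid out like web_minimaltrust.config; RegistryPermission is a deliberate extra.
SAMPLE_POLICY = """<configuration><mscorlib><security><policy>
<PolicyLevel version="1">
  <SecurityClasses>
    <SecurityClass Name="FileIOPermission" Description="System.Security.Permissions.FileIOPermission, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
    <SecurityClass Name="SecurityPermission" Description="System.Security.Permissions.SecurityPermission, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
  </SecurityClasses>
  <NamedPermissionSets>
    <PermissionSet class="NamedPermissionSet" version="1" Name="ASP.Net">
      <IPermission class="FileIOPermission" version="1"
        Read="e:\\weblog" Write="e:\\weblog" Append="e:\\weblog" PathDiscovery="e:\\weblog"/>
      <IPermission class="SecurityPermission" version="1" Flags="Execution"/>
      <IPermission class="RegistryPermission" version="1" Unrestricted="true"/>
    </PermissionSet>
  </NamedPermissionSets>
</PolicyLevel></policy></security></mscorlib></configuration>"""

FILE_IO_ATTRS = ("Read", "Write", "Append", "PathDiscovery")

def aspnet_permissions(xml_text):
    """Yield the IPermission elements of the ASP.Net named permission set."""
    for ps in ET.fromstring(xml_text).iter("PermissionSet"):
        if ps.get("Name") == "ASP.Net":
            yield from ps.findall("IPermission")

def audit_policy(xml_text):
    """Return findings that break policy loading or violate least privilege."""
    declared = {sc.get("Name") for sc in ET.fromstring(xml_text).iter("SecurityClass")}
    findings = []
    for perm in aspnet_permissions(xml_text):
        cls = perm.get("class")
        # A short class name must map to a SecurityClass entry; assembly-qualified
        # names (containing a comma) resolve on their own and are skipped here.
        if "," not in cls and cls not in declared:
            findings.append(f"{cls}: not declared in SecurityClasses")
        if perm.get("Unrestricted", "").lower() == "true":
            findings.append(f"{cls}: Unrestricted=\"true\" grants the whole resource")
    return findings

def file_io_grants(xml_text):
    """Map each FileIOPermission access kind to its semicolon-separated path list."""
    grants = {}
    for perm in aspnet_permissions(xml_text):
        if perm.get("class") == "FileIOPermission":
            for attr in FILE_IO_ATTRS:
                if attr in perm.attrib:
                    grants[attr] = perm.get(attr).split(";")
    return grants
```

Run it against your own copied config before deploying; an empty findings list and a grants map that names only the directories you intended is the goal.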
Voilà! You have now taken a big step toward a secure ASP.NET application by locking it down and removing extraneous permissions. You still have a lot of work to do to have a secure application, though, and I'll talk more about that in coming columns.
In the next installment I'll look at the difference between restricted and unrestricted permissions, as well as how to define them for your applications.
Don Kiely is senior technology consultant for Information Insights, a business and technology consultancy in Fairbanks, AK. E-mail him at donkiely@computer.org.