.NET Framework security policy, network configuration

Posted on 2005-04-18
Last Modified: 2012-05-05
I've written a login script in, runs fine on local system and off network share when I use the framework wizard to give intranet unrestricted execute permissions (I know this isn't the best solution as it can be signed etc). The problem is that to get it to run on the 300 odd computers we have here I would need to go to every one and run the framework wizard to give intranet full rights, which I don't really have time to do!

I've read there is an adminUI program which will generate a .msi which can be distributed to put this in place, but Google/etc. doesn't seem to know where it can be found?!

Any suggestions?
Question by:x4h
    LVL 96

    Expert Comment

    by:Bob Learned
    Is 300 the maximum for the Enterprise, or is it just a sub-set of a larger organization?

    LVL 3

    Author Comment

    300 computers total, more being added as we go along.
    LVL 96

    Expert Comment

    by:Bob Learned
    You can define a trust at the Enterprise level, rather than the Machine level in the .NET Framework Configuration Wizard.


    LVL 3

    Author Comment

    Can you point me in the right direction to do this?

    The only zones that come up for me through the 'security adjustment wizard' are 'my computer, local intranet, internet, trusted site, untrusted site'.
    LVL 96

    Accepted Solution

    .NET Framework Enterprise Security Policy Administration and Deployment:

    Follow these steps:

    1. Open Control Panel.

    2. Open the Administrative Tools folder.

    3. Double-click Microsoft .NET Framework Configuration.

    4. In the Microsoft .NET Framework Configuration tool, open the Runtime Security Policy node.

    5. Open the Enterprise policy node.

    6. Open the Code Groups folder.

    7. Right-click the All_Code code group and select the New option.

    8. Enter the name and description of your new code group, and click Next.

    9. Select the Strong Name or Publisher membership condition type, and click Import to select the assembly that you want to have a high level of trust across the enterprise. If the assembly is not signed, you can use the Hash membership condition instead. If you want all assemblies by the respective publisher to receive high levels of trust across the enterprise, uncheck the Version and Name properties for Strong Name membership conditions, or simply use the Publisher membership condition.

    10. Click Next, and then select or create the permission set you want the assembly or assemblies to receive. For unhindered access to all resources, select the FullTrust permission set.

    11. Finish the wizard.

    12. Right-click the newly created code group.

    13. Select the Properties option.

    14. On the General tab, select "This policy will only have the permissions from the permission set associated with this code group" to make this code group exclusive with respect to all other code groups of that policy level.

    15. On the General tab, select "Policy levels below this level will not be evaluated" to make this code group a LevelFinal code group, preventing evaluation of the machine and user policy if this code group applies.

    16. Right-click the Runtime Security Policy node.

    17. Select the Create Deployment Package wizard, and use it to create a deployment package of the Enterprise policy level.

    18. Deploy the .msi file using either Group Policy or Systems Management Server (SMS). See Question #3 for more details on deployment.

    Note: Step 15 bypasses the FullTrust permission set grant from the All_Code code group in default policy by making your new code group exclusive. This excludes any permission contribution from other code groups at that policy level. You should never introduce additional exclusive code groups if you know that two or more exclusive code groups will apply simultaneously to an assembly or set of assemblies.

    Note: Step 16 will cause the machine and user policy levels to be skipped if your new code group applies. Do not use this attribute too widely in enterprise policy, because when you do, policy customizations that the machine administrator or user may have done will not be effective.
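
How the exclusive and LevelFinal options described in the answer above change the resulting grant, as an added example that is not part of the original answer: a simplified Python model of CAS policy resolution (union of matching code groups within a level, intersection across the Enterprise, Machine and User levels). The permission names, the contents of each set and the EXAMPLE-KEY strong name are constructed for illustration.

```python
from dataclasses import dataclass, field

FULL_TRUST = frozenset({"Execution", "UI", "FileIO", "Registry", "UnmanagedCode"})
LOCAL_INTRANET = frozenset({"Execution", "UI"})   # constructed, simplified contents

@dataclass
class CodeGroup:
    matches: object                 # membership condition: evidence dict -> bool
    grant: frozenset
    exclusive: bool = False
    level_final: bool = False
    children: list = field(default_factory=list)

def matching(group, ev):
    """Yield matching groups; children are tested only when the parent matches."""
    if group.matches(ev):
        yield group
        for child in group.children:
            yield from matching(child, ev)

def resolve_level(root, ev):
    """One level: union of matching grants, or only the exclusive group's grant."""
    hits = list(matching(root, ev))
    exclusive = [g for g in hits if g.exclusive]
    if len(exclusive) > 1:
        raise ValueError("more than one exclusive code group applies")
    used = exclusive or hits
    return frozenset().union(*(g.grant for g in used)), any(g.level_final for g in used)

def resolve(levels, ev):
    """Intersect Enterprise, Machine, User in order; stop after a LevelFinal match."""
    result = FULL_TRUST
    for root in levels:
        grant, final = resolve_level(root, ev)
        result &= grant
        if final:
            break
    return result

def policy(extra):
    """Default-style policy levels with one extra Enterprise code group."""
    intranet = CodeGroup(lambda ev: ev["zone"] == "Intranet", LOCAL_INTRANET)
    return [CodeGroup(lambda ev: True, FULL_TRUST, children=[extra]),      # Enterprise
            CodeGroup(lambda ev: True, frozenset(), children=[intranet]),  # Machine
            CodeGroup(lambda ev: True, FULL_TRUST)]                        # User

def share_grant(grant, key="EXAMPLE-KEY", **attrs):
    """Final grant for an assembly run from the share (constructed evidence and key)."""
    group = CodeGroup(lambda ev: ev["key"] == "EXAMPLE-KEY", grant, **attrs)
    return resolve(policy(group), {"zone": "Intranet", "key": key})
```

In this model, `share_grant(FULL_TRUST)` without `level_final=True` still returns the LocalIntranet set, because the Machine level is intersected in. Assemblies that do not match the membership condition keep the LocalIntranet grant either way.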

    LVL 3

    Author Comment

    Works perfectly, many thanks :)
