Impact of granting "full trust" to .NET framework 1.1 for the Internet zone

I'm evaluating some software that requires the client workstation's .NET Framework 1.1 to be set to full trust for the internet zone. Specifically, in the .NET 1.1 configuration tool, if you drill into the following node:

  My Computer>Runtime Security Policy
  >Machine>Code Groups
  >All_Code>Trusted_Zone

The permission set must be changed from the default of Internet to FullTrust. Then, the local IE browser has to be configured to NOT require HTTPS for trusted sites, and a pair of URLs must be added to the trusted sites list. The client software then communicates over HTTP using some kind of custom remoting protocol using these URLs.

This does not feel right to me. It seems risky to drop so many defenses. Any site in the Trusted Sites list now has full trust and none require SSL any longer.

Does this configuration sound reasonable? Are there other impacts beyond what I mentioned above that I am not seeing?

-- Craig
Asked by: Craig Yellick, Database Architect
 
Bob Learned commented:
Ok, so you are talking about Trusted Sites, and not setting the Internet Zone to full trust; that is a different story.  If you are using Trusted Sites, then those are specifically defined, and you can be reasonably certain that security will not be breached, unless there is an identified vulnerability in the .NET framework.

Bob
0
 
Bob Learned commented:
Hmmm, let me see if I can set up a web page that accesses your machine, because you have trusted my web site completely.  How's that for a scenario?

Bob
0
 
Craig Yellick (Database Architect, author) commented:
The software is a hybrid Windows Forms application that uses IE and client-side components that use HTTP to communicate with a central web server. So from that standpoint, the client workstation does have to trust the web server pretty much totally, as would be the case with most app software that is installed to a workstation.

My big concern is the requirement that the configuration be so open, with full trust and no HTTPS.

Bob, could you elaborate on what it is that your scenario entails? A random web site out there in the world is not going to be in the Trusted list, so unless the workstation user adds the site's URL to the trusted list, it does not get extra privs, right?

(Note: I hate the way this thing is set up, so there's no defense here. Just trying to understand the ramifications of the required configuration.)

-- Craig
0
 
Craig Yellick (Database Architect, author) commented:
Thanks for the clarification. Just to be totally accurate about this issue, the following node in the .NET Framework config tool is normally set to "Internet". The app requires that it be set to "FullTrust".

  My Computer>Runtime Security Policy
  >Machine>Code Groups
  >All_Code>Trusted_Zone

To my understanding, this grants full trust status to all of the sites listed in the IE Trusted Sites listing. Does it have other side effects?

-- Craig
0
 
Bob Learned commented:
Not that I know of.  There isn't any security hole that could bypass the Trusted Sites settings, so I feel pretty comfortable that you have chosen a good path.  If you are concerned about security, though, you should really think about using https:// addresses with SSL.

Bob
0
 
Craig Yellick (Database Architect, author) commented:
Thanks. It's not my app, I'm evaluating a commercial app for a customer.

Totally agree about HTTPS. That's the next thing to evaluate -- they wrote a custom .NET remoting protocol (why?) that uses HTTP. Sensitive data is involved and if it does not use HTTPS then how are they securing it...going to be a long day. Thanks again for your input.

-- Craig
0
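
A check an evaluator could run for the policy change discussed in this thread, as an added example that is not part of the original posts: it parses a machine-level code-group listing of the kind `caspol -m -lg` prints and flags any zone whose permission set departs from the .NET 1.1 defaults. The listing line format, the sample listing, the non-Trusted baseline values and all function names are assumptions made for the illustration.

```python
import re

# Default machine-level zone grants for .NET Framework 1.1. The Trusted -> Internet
# default is the one stated in the thread; the other entries are assumed baselines.
BASELINE = {
    "MyComputer": "FullTrust",
    "Intranet": "LocalIntranet",
    "Internet": "Internet",
    "Untrusted": "Nothing",
    "Trusted": "Internet",
}

# Assumed listing line shape: "   1.5.  Zone - Trusted: Internet"
ZONE_LINE = re.compile(
    r"^\s*(?P<label>\d+(?:\.\d+)*)\.\s+Zone - (?P<zone>\w+):\s*(?P<pset>\S+)\s*$"
)

# Constructed sample listing (not captured from a real machine).
SAMPLE_LISTING = """\
Level = Machine

Code Groups:

1.  All code: Nothing
   1.1.  Zone - MyComputer: FullTrust
   1.2.  Zone - Intranet: LocalIntranet
      1.2.1.  All code: Same site Web.
   1.3.  Zone - Internet: Internet
   1.4.  Zone - Untrusted: Nothing
   1.5.  Zone - Trusted: FullTrust
"""

def zone_grants(listing):
    """Return {zone: (label, permission set)} for every zone code group listed."""
    grants = {}
    for line in listing.splitlines():
        m = ZONE_LINE.match(line)
        if m:
            grants[m.group("zone")] = (m.group("label"), m.group("pset"))
    return grants

def audit(listing):
    """List zone groups that differ from BASELINE; remote zones at FullTrust are HIGH."""
    findings = []
    for zone, (label, pset) in sorted(zone_grants(listing).items()):
        expected = BASELINE.get(zone)
        if pset != expected:
            high = pset == "FullTrust" and zone != "MyComputer"
            findings.append(("HIGH" if high else "REVIEW", label, zone, expected, pset))
    return findings

if __name__ == "__main__":
    for sev, label, zone, expected, pset in audit(SAMPLE_LISTING):
        print(f"[{sev}] group {label} Zone - {zone}: {pset} (default {expected})")
```

This covers only the code-access-security half of the configuration; the IE setting that stops requiring HTTPS for Trusted Sites has to be checked separately.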