Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Impact of granting "full trust" to .NET framework 1.1 for the Internet zone

Posted on 2006-10-30
6
Medium Priority
?
714 Views
Last Modified: 2008-02-01
I'm evaluating some software that requires the client workstation's .NET Framework 1.1 to be set to full trust for the internet zone. Specifically, in the .NET 1.1 configuration tool, if you drill into the following node:

  My Computer>Runtime Security Policy
  >Machine>Code Groups
  >All_Code>Trusted_Zone

The permission set must be changed from the default of Internet to FullTrust. Then, the local IE browser has to be configured to NOT require HTTPS for trusted sites, and a pair of URL must be added to the trusted sites list. The client software then communicates over HTTP using some kind of custom remoting protocol using these URLs.

This does not feel right to me. It seems risky to drop so many defenses. Any site in the Trusted Sites list now has full trust and none require SSL any longer.

Does this configuration sound reasonable? Are there other impacts beyond what I mentioned above that I am not seeing?

-- Craig
0
Comment
Question by:Craig Yellick
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 96

Expert Comment

by:Bob Learned
ID: 17839215
Hmmm, let me see if I can set up a web page that accesses your machine, because you have trusted my web site completely.  How's that for a scenario?

Bob
0
 
LVL 11

Author Comment

by:Craig Yellick
ID: 17842083
The software is a hybrid Windows Forms application that uses IE and client-side components that use HTTP to communicate with a central web server. So from that standpoint, the client workstation does have to trust the web server pretty much totally, as would be the case with most app software that is installed to a workstation.

My big concern is the requirement that the configuration be so open, with full trust and no HTTPS.

Bob, could you elaborate on what it is that your scenario entails? A random web site out there in the world is not going to be in the Trusted list, so unless the workstation user adds the site's URL to the trusted list, it does not get extra privs, right?

(Note: I hate the way this thing is setup, so there's no defense here. Just trying to understand the ramifications of the required configuration.)

-- Craig
0
 
LVL 96

Accepted Solution

by:
Bob Learned earned 2000 total points
ID: 17842264
Ok, so you are talking about Trusted Sites, and not setting the Internet Zone to full trust, that is a different story.  If you are using Trusted Sites, then those are specifically defined, and can be reasonably certain that security will not be breached, unless there is an identified vulnerability in the .NET framework.

Bob
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
LVL 11

Author Comment

by:Craig Yellick
ID: 17842338
Thanks for the clarification. Just to be totally accurate about this issue, the following node in the .NET Framework config tool is normally set to "Internet". The app requires that it be set to "FullTrust".

  My Computer>Runtime Security Policy
  >Machine>Code Groups
  >All_Code>Trusted_Zone

To my understanding, this grants full trust status to all of the sites listed in the IE Trusted Sites listing. Does it have other side effects?

-- Craig
0
 
LVL 96

Expert Comment

by:Bob Learned
ID: 17848888
Not that I know of.  There isn't any security hole that could bypass the Trusted Sites settings, so I feel pretty comfortable that you have chosen a good path.  If you are concerned about security, though, you should really think about using https:// addresses with SSL.

Bob
0
 
LVL 11

Author Comment

by:Craig Yellick
ID: 17849677
Thanks. It's not my app, I'm evaluating a commercial app for a customer.

Totally agree about HTPPS. That's the next thing to evaluate -- they wrote a custom .NET remoting protocol (why?) that uses HTTP. Sensitive data is involved and if it does not use HTTPS then how are they securing it...going to be a long day. Thanks again for your input.

-- Craig
0

Featured Post

Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this Article, I will provide a few tips in problem and solution manner. Opening an ASPX page in Visual studio 2003 is very slow. To make it fast, please do follow below steps:   Open the Solution/Project. Right click the ASPX file to b…
I recently went through the process of creating a Calendar Control of events with the basis of using a database to keep track of the dates that are selectable, one requirement was to have the selected date pop-up in a simple lightbox.  At first this…
In this video you will find out how to export Office 365 mailboxes using the built in eDiscovery tool. Bear in mind that although this method might be useful in some cases, using PST files as Office 365 backup is troublesome in a long run (more on t…
In response to a need for security and privacy, and to continue fostering an environment members can turn to for support, solutions, and education, Experts Exchange has created anonymous question capabilities. This new feature is available to our Pr…

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question