Solved

Impact of granting "full trust" to .NET framework 1.1 for the Internet zone

Posted on 2006-10-30
6
705 Views
Last Modified: 2008-02-01
I'm evaluating some software that requires the client workstation's .NET Framework 1.1 to be set to full trust for the internet zone. Specifically, in the .NET 1.1 configuration tool, if you drill into the following node:

  My Computer>Runtime Security Policy
  >Machine>Code Groups
  >All_Code>Trusted_Zone

The permission set must be changed from the default of Internet to FullTrust. Then, the local IE browser has to be configured to NOT require HTTPS for trusted sites, and a pair of URL must be added to the trusted sites list. The client software then communicates over HTTP using some kind of custom remoting protocol using these URLs.

This does not feel right to me. It seems risky to drop so many defenses. Any site in the Trusted Sites list now has full trust and none require SSL any longer.

Does this configuration sound reasonable? Are there other impacts beyond what I mentioned above that I am not seeing?

-- Craig
0
Comment
Question by:CraigYellick
  • 3
  • 3
6 Comments
 
LVL 96

Expert Comment

by:Bob Learned
ID: 17839215
Hmmm, let me see if I can set up a web page that accesses your machine, because you have trusted my web site completely.  How's that for a scenario?

Bob
0
 
LVL 11

Author Comment

by:CraigYellick
ID: 17842083
The software is a hybrid Windows Forms application that uses IE and client-side components that use HTTP to communicate with a central web server. So from that standpoint, the client workstation does have to trust the web server pretty much totally, as would be the case with most app software that is installed to a workstation.

My big concern is the requirement that the configuration be so open, with full trust and no HTTPS.

Bob, could you elaborate on what it is that your scenario entails? A random web site out there in the world is not going to be in the Trusted list, so unless the workstation user adds the site's URL to the trusted list, it does not get extra privs, right?

(Note: I hate the way this thing is setup, so there's no defense here. Just trying to understand the ramifications of the required configuration.)

-- Craig
0
 
LVL 96

Accepted Solution

by:
Bob Learned earned 500 total points
ID: 17842264
Ok, so you are talking about Trusted Sites, and not setting the Internet Zone to full trust, that is a different story.  If you are using Trusted Sites, then those are specifically defined, and can be reasonably certain that security will not be breached, unless there is an identified vulnerability in the .NET framework.

Bob
0
The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

 
LVL 11

Author Comment

by:CraigYellick
ID: 17842338
Thanks for the clarification. Just to be totally accurate about this issue, the following node in the .NET Framework config tool is normally set to "Internet". The app requires that it be set to "FullTrust".

  My Computer>Runtime Security Policy
  >Machine>Code Groups
  >All_Code>Trusted_Zone

To my understanding, this grants full trust status to all of the sites listed in the IE Trusted Sites listing. Does it have other side effects?

-- Craig
0
 
LVL 96

Expert Comment

by:Bob Learned
ID: 17848888
Not that I know of.  There isn't any security hole that could bypass the Trusted Sites settings, so I feel pretty comfortable that you have chosen a good path.  If you are concerned about security, though, you should really think about using https:// addresses with SSL.

Bob
0
 
LVL 11

Author Comment

by:CraigYellick
ID: 17849677
Thanks. It's not my app, I'm evaluating a commercial app for a customer.

Totally agree about HTPPS. That's the next thing to evaluate -- they wrote a custom .NET remoting protocol (why?) that uses HTTP. Sensitive data is involved and if it does not use HTTPS then how are they securing it...going to be a long day. Thanks again for your input.

-- Craig
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

ASP.Net to Oracle Connectivity Recently I had to develop an ASP.NET application connecting to an Oracle database.As I am doing it first time ,I had to solve several problems. This article will help to such developers  to develop an ASP.NET client…
It was really hard time for me to get the understanding of Delegates in C#. I went through many websites and articles but I found them very clumsy. After going through those sites, I noted down the points in a easy way so here I am sharing that unde…
Although Jacob Bernoulli (1654-1705) has been credited as the creator of "Binomial Distribution Table", Gottfried Leibniz (1646-1716) did his dissertation on the subject in 1666; Leibniz you may recall is the co-inventor of "Calculus" and beat Isaac…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question