Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Impact of granting "full trust" to .NET framework 1.1 for the Internet zone

Posted on 2006-10-30
6
706 Views
Last Modified: 2008-02-01
I'm evaluating some software that requires the client workstation's .NET Framework 1.1 to be set to full trust for the internet zone. Specifically, in the .NET 1.1 configuration tool, if you drill into the following node:

  My Computer>Runtime Security Policy
  >Machine>Code Groups
  >All_Code>Trusted_Zone

The permission set must be changed from the default of Internet to FullTrust. Then, the local IE browser has to be configured to NOT require HTTPS for trusted sites, and a pair of URL must be added to the trusted sites list. The client software then communicates over HTTP using some kind of custom remoting protocol using these URLs.

This does not feel right to me. It seems risky to drop so many defenses. Any site in the Trusted Sites list now has full trust and none require SSL any longer.

Does this configuration sound reasonable? Are there other impacts beyond what I mentioned above that I am not seeing?

-- Craig
0
Comment
Question by:CraigYellick
  • 3
  • 3
6 Comments
 
LVL 96

Expert Comment

by:Bob Learned
ID: 17839215
Hmmm, let me see if I can set up a web page that accesses your machine, because you have trusted my web site completely.  How's that for a scenario?

Bob
0
 
LVL 11

Author Comment

by:CraigYellick
ID: 17842083
The software is a hybrid Windows Forms application that uses IE and client-side components that use HTTP to communicate with a central web server. So from that standpoint, the client workstation does have to trust the web server pretty much totally, as would be the case with most app software that is installed to a workstation.

My big concern is the requirement that the configuration be so open, with full trust and no HTTPS.

Bob, could you elaborate on what it is that your scenario entails? A random web site out there in the world is not going to be in the Trusted list, so unless the workstation user adds the site's URL to the trusted list, it does not get extra privs, right?

(Note: I hate the way this thing is setup, so there's no defense here. Just trying to understand the ramifications of the required configuration.)

-- Craig
0
 
LVL 96

Accepted Solution

by:
Bob Learned earned 500 total points
ID: 17842264
Ok, so you are talking about Trusted Sites, and not setting the Internet Zone to full trust, that is a different story.  If you are using Trusted Sites, then those are specifically defined, and can be reasonably certain that security will not be breached, unless there is an identified vulnerability in the .NET framework.

Bob
0
Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 
LVL 11

Author Comment

by:CraigYellick
ID: 17842338
Thanks for the clarification. Just to be totally accurate about this issue, the following node in the .NET Framework config tool is normally set to "Internet". The app requires that it be set to "FullTrust".

  My Computer>Runtime Security Policy
  >Machine>Code Groups
  >All_Code>Trusted_Zone

To my understanding, this grants full trust status to all of the sites listed in the IE Trusted Sites listing. Does it have other side effects?

-- Craig
0
 
LVL 96

Expert Comment

by:Bob Learned
ID: 17848888
Not that I know of.  There isn't any security hole that could bypass the Trusted Sites settings, so I feel pretty comfortable that you have chosen a good path.  If you are concerned about security, though, you should really think about using https:// addresses with SSL.

Bob
0
 
LVL 11

Author Comment

by:CraigYellick
ID: 17849677
Thanks. It's not my app, I'm evaluating a commercial app for a customer.

Totally agree about HTPPS. That's the next thing to evaluate -- they wrote a custom .NET remoting protocol (why?) that uses HTTP. Sensitive data is involved and if it does not use HTTPS then how are they securing it...going to be a long day. Thanks again for your input.

-- Craig
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Sometimes in DotNetNuke module development you want to swap controls within the same module definition.  In doing this DNN (somewhat annoyingly) swaps the Skin and Container definitions to the default admin selections.  To get around this you need t…
In .NET 2.0, Microsoft introduced the Web Site.  This was the default way to create a web Project in Visual Studio 2005.  In Visual Studio 2008, the Web Application has been restored as the default web Project in Visual Studio/.NET 3.x The Web Si…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

860 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question