
Impact of granting "full trust" to .NET framework 1.1 for the Internet zone

Craig Yellick
Last Modified: 2008-02-01
I'm evaluating some software that requires the client workstation's .NET Framework 1.1 to be set to full trust for the internet zone. Specifically, in the .NET 1.1 configuration tool, if you drill into the following node:

  My Computer>Runtime Security Policy
  >Machine>Code Groups
  >All_Code>Trusted_Zone

The permission set must be changed from the default of Internet to FullTrust. Then, the local IE browser has to be configured to NOT require HTTPS for trusted sites, and a pair of URLs must be added to the trusted sites list. The client software then communicates over HTTP using some kind of custom remoting protocol using these URLs.

This does not feel right to me. It seems risky to drop so many defenses. Any site in the Trusted Sites list now has full trust and none require SSL any longer.

Does this configuration sound reasonable? Are there other impacts beyond what I mentioned above that I am not seeing?

-- Craig

CERTIFIED EXPERT
Most Valuable Expert 2012
Top Expert 2008

Commented:
Hmmm, let me see if I can set up a web page that accesses your machine, because you have trusted my web site completely.  How's that for a scenario?

Bob
Craig Yellick, Database Architect

Author

Commented:
The software is a hybrid Windows Forms application that uses IE and client-side components that use HTTP to communicate with a central web server. So from that standpoint, the client workstation does have to trust the web server pretty much totally, as would be the case with most app software that is installed to a workstation.

My big concern is the requirement that the configuration be so open, with full trust and no HTTPS.

Bob, could you elaborate on what it is that your scenario entails? A random web site out there in the world is not going to be in the Trusted list, so unless the workstation user adds the site's URL to the trusted list, it does not get extra privs, right?

(Note: I hate the way this thing is set up, so there's no defense here. Just trying to understand the ramifications of the required configuration.)

-- Craig
Commented:
Ok, so you are talking about Trusted Sites, and not setting the Internet Zone to full trust; that is a different story.  If you are using Trusted Sites, then those are specifically defined, and you can be reasonably certain that security will not be breached, unless there is an identified vulnerability in the .NET framework.

Bob

Craig Yellick, Database Architect

Author

Commented:
Thanks for the clarification. Just to be totally accurate about this issue, the following node in the .NET Framework config tool is normally set to "Internet". The app requires that it be set to "FullTrust".

  My Computer>Runtime Security Policy
  >Machine>Code Groups
  >All_Code>Trusted_Zone

To my understanding, this grants full trust status to all of the sites listed in the IE Trusted Sites listing. Does it have other side effects?

-- Craig

Commented:
Not that I know of.  There isn't any security hole that could bypass the Trusted Sites settings, so I feel pretty comfortable that you have chosen a good path.  If you are concerned about security, though, you should really think about using https:// addresses with SSL.

Bob
Craig Yellick, Database Architect

Author

Commented:
Thanks. It's not my app, I'm evaluating a commercial app for a customer.

Totally agree about HTTPS. That's the next thing to evaluate -- they wrote a custom .NET remoting protocol (why?) that uses HTTP. Sensitive data is involved and if it does not use HTTPS then how are they securing it... going to be a long day. Thanks again for your input.

-- Craig
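
For anyone auditing workstations for the setting discussed in this thread, here is an added example (not part of the original posts or the vendor's software) that parses a machine-level policy file and reports any network-zone code group granting FullTrust. The XML is a constructed sample modelled on security.config; its element and attribute names, and the function name `audit_zone_grants`, are assumptions to verify against a real file.

```python
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the machine-level security.config policy
# file; element and attribute names are assumptions to verify on a real host.
SAMPLE_POLICY = """\
<PolicyLevel version="1">
  <CodeGroup class="UnionCodeGroup" Name="All_Code" PermissionSetName="Nothing">
    <IMembershipCondition class="AllMembershipCondition"/>
    <CodeGroup class="UnionCodeGroup" Name="My_Computer_Zone" PermissionSetName="FullTrust">
      <IMembershipCondition class="ZoneMembershipCondition" Zone="MyComputer"/>
    </CodeGroup>
    <CodeGroup class="UnionCodeGroup" Name="Internet_Zone" PermissionSetName="Internet">
      <IMembershipCondition class="ZoneMembershipCondition" Zone="Internet"/>
    </CodeGroup>
    <CodeGroup class="UnionCodeGroup" Name="Trusted_Zone" PermissionSetName="FullTrust">
      <IMembershipCondition class="ZoneMembershipCondition" Zone="Trusted"/>
    </CodeGroup>
  </CodeGroup>
</PolicyLevel>
"""

# Zones whose code arrives over the network; FullTrust here removes the sandbox.
REMOTE_ZONES = {"Intranet", "Trusted", "Internet", "Untrusted"}


def audit_zone_grants(policy_xml):
    """Return (code group path, zone, permission set) for every remote-zone
    code group that grants FullTrust."""
    findings = []

    def walk(group, path):
        path = path + [group.get("Name", "?")]
        cond = group.find("IMembershipCondition")
        zone = cond.get("Zone") if cond is not None else None
        if zone in REMOTE_ZONES and group.get("PermissionSetName") == "FullTrust":
            findings.append((">".join(path), zone, "FullTrust"))
        for child in group.findall("CodeGroup"):  # nested code groups
            walk(child, path)

    root = ET.fromstring(policy_xml)
    for level in root.iter("PolicyLevel"):  # matches the root element too
        for top in level.findall("CodeGroup"):
            walk(top, [])
    return findings


if __name__ == "__main__":
    for path, zone, pset in audit_zone_grants(SAMPLE_POLICY):
        print(f"WARNING {path}: zone {zone} granted {pset}")
```

This inspects one policy level only; the enterprise and user levels, and the contents of the IE Trusted Sites list, need to be reviewed separately.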