Windows Tip Sheet
R2W2: .NET Security, v2.0
Week 2 of Don’s Windows Server 2003 R2 Month.
One new feature in Win2003 R2 -- and available for download for every other version of Windows -- is v2.0 of the .NET Framework. I’ve written before on .NET Framework security and how you, as an administrator, can get more control over what .NET code is allowed to run in your environment. V2.0 isn’t a whole new world, thank heavens; its .NET Framework 2.0 Configuration console even looks a lot like the v1.1 variant. But it’s worth reviewing the defaults under 2.0 so that you understand what they mean for you if you don’t take any further configuration action.
By default in most organizations, any .NET code running from the local machine’s
hard drive is granted FullTrust, meaning it can do pretty much anything it wants.
A smart thing is to lock that down, so that only code which has been digitally
signed, using a certificate issued by a trusted CA, will get FullTrust; Microsoft
signs all of their code, so you won’t break any of their stuff by taking
this action. Signed applications are also protected from tampering; changing
the code breaks the signature, so any third-party developers or contractors
you’re working with should be taking the steps to sign their code.
Apps running from a network drive on your intranet -- including any code running from a redirected folder (for example, if you redirect My Documents to a network drive) -- receive less trust. In most cases they effectively can’t run at all: the code is allowed to execute, but it can’t call any COM components or other non-.NET code, nor can it perform a lot of fairly basic tasks. In my experience, most apps will throw an exception when run from a network drive unless you reconfigure permissions appropriately.
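The two recommendations above (grant FullTrust on the local machine only to signed code, and reconfigure what intranet code may do) both come down to editing the machine-level code groups with caspol.exe. The script below is an added example, not code from the column or from Microsoft: it first inventories which managed assemblies under a folder actually carry an Authenticode signature, so you know what would stop getting FullTrust before you change anything, and then prints the caspol commands that implement the lock-down for review. The paths, the sample vendor "Contoso", the signed file used as the publisher reference and the group names are placeholders; the code-group labels (1.1 = My_Computer_Zone with its Microsoft_Strong_Name and ECMA_Strong_Name children, 1.2 = LocalIntranet_Zone) are the .NET 1.1/2.0 defaults.

```powershell
<#
  Added example (not from the column). Inventory signed vs. unsigned .NET
  assemblies, then emit the caspol.exe commands for the recommended policy.
  Paths, 'Contoso' and the group names are constructed placeholders.
#>

# caspol.exe ships with the Framework; v2.0 lives here on x86 (Framework64 on x64).
$Caspol = Join-Path $env:windir 'Microsoft.NET\Framework\v2.0.50727\caspol.exe'

function Get-ManagedAssemblyInventory {
    # Walk the given folders and report every managed assembly with its signature
    # status. Native PE files are skipped because Code Access Security does not
    # apply to them.
    param([Parameter(Mandatory)][string[]]$Path)

    Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        try {
            $asm = [System.Reflection.AssemblyName]::GetAssemblyName($_.FullName)
        } catch {
            return   # BadImageFormatException: not a .NET assembly
        }
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path         = $_.FullName
            Assembly     = $asm.Name
            StrongNamed  = ($asm.GetPublicKeyToken().Length -gt 0)
            Authenticode = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            Signer       = $sig.SignerCertificate.Subject
        }
    }
}

function Get-LockdownCommands {
    # Return the caspol invocations as strings so they can be reviewed before
    # anything runs. $TrustedSignedFile is any file Authenticode-signed by the
    # vendor whose certificate should receive FullTrust (assumed path).
    param(
        [Parameter(Mandatory)][string]$TrustedSignedFile,
        [string]$GroupName = 'Vendor_Publisher'
    )
    @(
        # 1.1 is My_Computer_Zone. Drop it from FullTrust to Execution: local code
        # may still run, but gets nothing more unless a child group grants it.
        # 1.1.1 (Microsoft_Strong_Name) and 1.1.2 (ECMA_Strong_Name) stay FullTrust,
        # which is why Microsoft's own assemblies keep working after this change.
        "& '$Caspol' -m -cg 1.1 Execution",
        # Publisher group under My_Computer_Zone keyed on the vendor's Authenticode
        # certificate, which caspol reads out of the signed file.
        "& '$Caspol' -m -ag 1.1 -pub -file '$TrustedSignedFile' FullTrust -n ${GroupName}_Local",
        # 1.2 is LocalIntranet_Zone. The same publisher condition there lets the
        # vendor's signed code run from a network share with full rights.
        "& '$Caspol' -m -ag 1.2 -pub -file '$TrustedSignedFile' FullTrust -n ${GroupName}_Intranet"
    )
}

# Usage: see what would lose FullTrust, check how one app resolves today, then
# review the generated commands before running them.
Get-ManagedAssemblyInventory -Path 'C:\Program Files' |
    Where-Object { $_.Authenticode -ne 'Valid' } | Format-Table -AutoSize

& $Caspol -m -lg                                 # current machine-level code groups
& $Caspol -m -rsp 'C:\Apps\Contoso\Tool.exe'     # permission set this file resolves to
Get-LockdownCommands -TrustedSignedFile 'C:\Apps\Contoso\Tool.exe' -GroupName 'Contoso'
```

Run the inventory on a representative workstation first: anything it lists as NotSigned (in-house tools, contractor deliverables, old line-of-business apps) will drop to Execution-only once 1.1 changes, which is exactly the list of developers who need to start signing. After applying the commands, repeat the `-rsp` check from both a local path and a UNC path to confirm the vendor's code resolves to FullTrust in both zones; `caspol -m -rs` restores the default policy if something unexpected breaks.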
Take some time to review the .NET 2.0 security settings in your environment.
You don’t necessarily need to lock everything down, but making some smart
choices can protect you against the inevitable spamware, spyware or other malware,
written in .NET, that’s sure to come down the pike someday.
About the Author
Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is Curriculum Director for IT Pro Content for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.