Windows Tip Sheet

R2W2: .NET Security, v2.0

Week 2 of Don’s Windows Server 2003 R2 Month.

One new feature in Win2003 R2 -- and available for download for every other version of Windows -- is v2.0 of the .NET Framework. I’ve written before on .NET Framework security and how you, as an administrator, can get more control over what .NET stuff is allowed to run in your environment. V2.0 isn’t a whole new world, thank heavens; it’s .NET Framework 2.0 Configuration console even looks a lot like the v1.1 variant. But it’s worth reviewing the defaults under 2.0 so that you understand what they mean for you if you don’t take any further configuration action.

By default in most organizations, any .NET code running from the local machine’s hard drive is granted FullTrust, meaning it can do pretty much anything it wants. A smart thing is to lock that down, so that only code which has been digitally signed, using a certificate issued by a trusted CA, will get FullTrust; Microsoft signs all of their code, so you won’t break any of their stuff by taking this action. Signed applications are also protected from tampering; changing the code breaks the signature, so any third-party developers or contractors you’re working with should be taking the steps to sign their code.

Apps running from a network drive on your intranet -- including any code running from a redirected folder (like if you redirect My Documents to a network drive) -- receive less trust. In most cases, they can’t execute at all, in fact. Code is allowed to execute, but it can’t call any COM components or other non-.NET code, nor can it perform a lot of fairly basic tasks. In my experience, most apps will throw an exception when run from a network drive unless you reconfigure permissions appropriately.

Take some time to review the .NET 2.0 security settings in your environment. You don’t necessarily need to lock everything down, but making some smart choices can protect you against the inevitable spamware, spyware or other malware, written in .NET, that’s sure to come down the pike someday.

Additional Resources:

About the Author

Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is an Author/Evangelist for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.

comments powered by Disqus
Most   Popular

SharePoint Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.