Improving Web Application Security: Threats and - CGISecurity
830 Improving Web Application Security: Threats and Countermeasures

9. Select This policy level will only have the permissions from the permission set associated with this code group and Policy levels below this level will not be evaluated.

By selecting these attributes for the code group, you ensure that no other code group, either at the current machine level or from the ASP.NET application domain level, affects the permission set that is granted to the FileIO assembly. This ensures that the assembly is only granted the permissions defined by the RestrictedFileIO permission set that you created earlier.

Note If you do not select these options, default machine policy grants the assembly full trust because the assembly is installed on the local computer and falls within the My_Computer_Zone setting.

10. Click OK to close the Properties dialog box.

Step 5. Test File I/O With Code Access Security Constraints

In this procedure, you install the FileIO assembly in the global assembly cache (GAC). You then run the Web application and try to access files inside and outside of C:\Temp. The code access security policy that you configured in Step 4 constrains the code so that it is only allowed to access files from beneath C:\Temp.

The assembly should be installed in the GAC because ASP.NET loads strong named assemblies as domain-neutral assemblies. All strong named assemblies that ASP.NET Web applications call should be installed in the GAC. For more information about this issue, see "Strong Names" in Chapter 7, "Building Secure Assemblies."

Note Normally, default machine policy and ASP.NET policy grant full trust to assemblies that are installed in the GAC. The This policy level will only have the permissions from the permission set associated with this code group and Policy levels below this level will not be evaluated attributes that you assigned to the code group created in Step 4 ensure that the assembly is not granted full trust, and is only granted the permissions defined by the RestrictedFileIO permission set that you created earlier.

To test file I/O with code access security constraints

1. Install the FileIO assembly into the GAC using the Gacutil.exe utility.

You can call Gacutil.exe as a post-build step to ensure that it is placed in the GAC when it has been successfully built inside Microsoft Visual Studio .NET.

a. Display the FileIO project's Properties dialog box in Visual Studio .NET.
b. In Common Properties, select Build Events.
c. Type "C:\Program Files\Microsoft Visual Studio .NET 2003\SDK\v1.1\Bin\gacutil" -i $(TargetPath) in the Post-build Event Command Line field.
d. Click OK to close the project Properties dialog box.
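The same code group attributes and GAC installation expressed as caspol.exe and gacutil.exe commands instead of the .NET Framework Configuration tool, as an added example that is not from the book. It assumes .NET Framework 1.1 (the v1.1.4322 directory), that the RestrictedFileIO permission set from the earlier step already exists at machine level, that the code group's membership condition is the assembly's strong name, that FileIO.dll is in the current directory, and that the group name FileIO_Group is arbitrary; the -exclusive and -levelfinal switches set the two check-box attributes described in step 9.

```batch
@echo off
REM Added example (not from the book): create the FileIO code group with
REM caspol.exe and install the assembly in the GAC. Assumes .NET Framework 1.1
REM and that the RestrictedFileIO permission set already exists (earlier step).
setlocal
set FX=%WINDIR%\Microsoft.NET\Framework\v1.1.4322
set SDK=C:\Program Files\Microsoft Visual Studio .NET 2003\SDK\v1.1\Bin

REM 1. Before the policy change: default machine policy resolves FileIO.dll to
REM    FullTrust because it lives on the local computer (My_Computer_Zone).
"%FX%\caspol.exe" -machine -resolveperm FileIO.dll

REM 2. Add a child code group under My_Computer_Zone (default label 1.1).
REM    Membership is the assembly's strong name (key only: any name/version).
REM    -exclusive on  = "This policy level will only have the permissions from
REM                     the permission set associated with this code group"
REM    -levelfinal on = "Policy levels below this level will not be evaluated"
"%FX%\caspol.exe" -quiet -machine -addgroup 1.1 ^
    -strong -file FileIO.dll -noname -noversion ^
    RestrictedFileIO -exclusive on -levelfinal on ^
    -name FileIO_Group -description "Restricts FileIO to C:\Temp"

REM 3. Confirm the group exists and shows both attributes.
"%FX%\caspol.exe" -machine -listgroups

REM 4. Install the strong-named assembly in the GAC (ASP.NET loads strong-named
REM    assemblies domain neutral, so it must be resolved from the GAC).
"%SDK%\gacutil.exe" -i FileIO.dll

REM 5. After the change: the resolved grant should be the RestrictedFileIO set
REM    (FileIOPermission limited to C:\Temp), not FullTrust.
"%FX%\caspol.exe" -machine -resolveperm FileIO.dll
endlocal
```

Comparing the two -resolveperm listings is the quickest way to confirm that the exclusive and level-final attributes, not just the new group, are what removed the FullTrust grant.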