Using Caspol.exe to grant .NET applications rights to a remote network share


When you host a .NET application on a remote network share, you may receive a System.SecurityException error or a security warning message.

The Code Access Security Policy tool (CASPOL) enables administrators to modify security policy for the machine policy level, the user policy level, and the enterprise policy level.

Caspol is used here to fully trust a remote share, because by default code on network shares only gets LocalIntranet permissions.

The solution for the System.SecurityException error is to use caspol to grant FullTrust to the .NET application on the network share. To do this:

1. Launch a command prompt with administrative credentials.

2. Change to the C:\Windows\Microsoft.NET\Framework\v2.0.50727 directory.

3. Run the following command:

caspol -m -ag 1 -url "file://\\server\share\*" FullTrust -exclusive on

Replace \\server\share\ with the path to your .NET application located on the remote network share.

Running the above command allowed me to resolve the following IIS 7.0 error:

SecurityException: Request for the permission of type 'System.Web.AspNetHostingPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed

By the way, .NET Framework 3.5 SP1 allows managed code to be launched from a network share.
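
The procedure above as a repeatable PowerShell script, added here as an example and not part of the original post. It runs the same command with both the 32-bit and 64-bit v2.0.50727 copies of caspol.exe (each runtime directory keeps its own policy file), names the code group so it can be found and removed later, and then checks how a sample assembly resolves. The MyApp folder, the group name and the assembly path are assumed placeholders.

```powershell
# Assumed placeholder values (not from the original post); adjust to your environment.
$AppUrl    = 'file://\\server\share\MyApp\*'        # grant only the application folder, not the whole share
$GroupName = 'MyApp_Share_FullTrust'                # hypothetical code group name
$Assembly  = '\\server\share\MyApp\bin\MyApp.dll'   # hypothetical assembly used for verification

# CAS policy is stored per runtime version and per bitness, so a change made with
# the 32-bit caspol.exe is not seen by a 64-bit worker process (and vice versa).
$caspolPaths = @(
    "$env:windir\Microsoft.NET\Framework\v2.0.50727\caspol.exe",
    "$env:windir\Microsoft.NET\Framework64\v2.0.50727\caspol.exe"
) | Where-Object { Test-Path $_ }

if (-not $caspolPaths) { throw 'caspol.exe for v2.0.50727 was not found.' }

foreach ($caspol in $caspolPaths) {
    Write-Host "== $caspol"

    # Same command as in the post, with two additions:
    #   -q  suppresses the interactive "are you sure" prompt
    #   -n  names the code group so it is easy to audit and remove
    & $caspol -q -m -ag 1 -url $AppUrl FullTrust -n $GroupName -exclusive on
    if ($LASTEXITCODE -ne 0) {
        throw "caspol -ag failed with exit code $LASTEXITCODE"
    }

    # List the machine-level code groups so the new entry can be reviewed.
    & $caspol -m -lg

    # Show which machine-level code groups the sample assembly now belongs to.
    & $caspol -m -rsg $Assembly
}

# To undo the change later, run this with each caspol.exe used above:
#   caspol -q -m -rg MyApp_Share_FullTrust
```

Run it from an elevated PowerShell session; running it twice adds the code group twice, so remove the group by name before reapplying.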


3 Responses to “Using Caspol.exe to grant .NET applications rights to a remote network share”

  1. Getting IIS 7.5 (in VirtualBox) to Serve Sites from an OSX Share Says:

    […] This post from backroom security tech and also this from .NET security blog helped here. […]

    • pd Says:

      Any security issues with this? I feel like giving the .NET application full trust rights could be potentially dangerous. Thoughts?

  2. Sanit Says:

    Hi,

    For the above example, the quotation marks shouldn’t be there. I get a syntax error when I put the quotes. It should be:

    caspol -m -ag 1 -url file://\\server\share\* FullTrust -exclusive on

