The way Code Access Security identifies application is by utilizing Evidence. Evidence stores such info as assembly location, hash of the assembly, assembly signature and code group assembly belongs to. Code Group is important to us since it provides such critical information as permission set. Evidence is usually gathered during runtime. Evidence can be of two types. One is host evidence that provides info about directory, URL, host and assembly evidence that programmer can use to store custom information.
|Application directory||The directory with the assembly|
|Hash||Hash of the assembly|
|Publisher||Assembly's digital signature|
|Site||The site for the assembly|
|Strong Name||Strong name of the assembly|
|URL||The URL for the assembly|
|Zone||The zone in which the assembly is running|
Code Access Security has access control entry called permission.
|Directory Services||Grants access to the AD|
|DNS||Manages access to submit DNS req’s|
|Environment Variables||Manages access to environment variables|
|Event Log||Manages access to event logs|
|File Dialog||Manages access for Open dialog box|
|File IO||Manages access to files and folders|
|Isolated Storage File||Manages access to isolated storage|
|Message Queue||Manages access message queues|
|Performance Counter||Manages whether an assembly can read or write performance counters|
|Printing||Manages capability to print|
|Reflection||Manages discovery members and type informations in other assemblies|
|Registry||Manages access to registry keys|
|Security||Manages access to various CAS features|
|Service Controller||Manages services that can browse or control|
|Socket Access||Manages initiate TCP/IP connections|
|SQL Client||Manages access SQL Server|
|User Interface||Manages creation of new windows|
|Web Access||Manages access Web sites|
|X509 Store||Manages access to the X509 certificate store|
Code Access Security has Access Control List which has permission set.
|FullTrust||Exempts from CAS permission checks|
|SkipVerification||Enables to bypass permission checks|
|Execution||Enables to run and grants no other permissions|
|Nothing||Grants no permissions to an assembly|
|LocalIntranet||Grants a generous set of permissions|
|Internet||Grants a restricted set of permissions|
|Everything||Grants assemblies all permissions|
Code Groups as it was mentioned before is another component of Code Access Security and it manages and assigns Assemblies with permission sets. We use .NET Configuration tool mscorcfg.msc to perform this operation.
|Code Group||Evidence||Permission Set|
There is also concept of Security Policy which is nothing more then a grouping of Code Groups. Security Policy is playing a major role at setting CAS at multiple levels. There are several levels that we need to be aware of: Enterprise which configured at AD level, Machine configured at machine level, User, and App. domain.
Code Access Security is different from Windows OS Security and it has to go through Windows Security first before hitting Hard Disk
We can manage Code Access Security using .NET Configuration Tool or Code Access Security Policy Tool which command line tool. For instance if we decide to use CAS Policy Tool we will run this line of code caspol.exe:
Caspol -addfulltrust assemblyname.exe
CAS is useful only for partially trusted assemblies and not in fully trusted assemblies.