Configuring App. domains in .NET Framework with C#

We are provided with default configuration of app. domain. However, we can always configure it ourselves. This is important to know if we need to enhance security of our code. We can limit the damage which can be done if assembly has been compromised. For example, if Assembly has read permission then a hacker can potentially install software once Assembly is broken. On the other side if we set up Assembly in a different manner by restricting Read permission hacker will not have a chance to install malicious software via this Assembly even if Assembly was jeopardized.

Assembly has so called Evidence which contain information about code groups Assembly belongs. Code groups in this content are a folder on the drive or website. By controlling Evidence we can assign security permission to Assemblies.  In order to do so we need to create System.Security.Policy.Evidence object and pass it as a parameter to method called ExecuteAssembly.
object [] hostEvidence = {new Zone(SecurityZone.Internet)};
Evidence internetEvidence = new Evidence(hostEvidence, null);
AppDomain myAppDomain = AppDomain.CreateDomain("MyOwnDomain");
myAppDomain.ExecuteAssembly("SecondAssemblyFile.exe", internetEvidence);

If we examine above code we’ll see that assembly will run in app. domain with the permission granter to Internet_Zone which is our code_group in this case. We know that Internet_Zone is very restrictive with Internet permission set.

If we want to configure app. domain we should create App. domains with AppDomainSetup class with the following properties.


ActivationArguments Gets or sets the activation data of an app. domain
ApplicationBase Gets or sets the name of the root directory
ApplicationName Gets or sets the name of the app
ApplicationTrust Gets or sets an object containing security info
ConfigurationFile Gets or sets the name of the config. file for an app. domain
DisallowApplicationBaseProbing Checks if application base path and private binary path are probed when searching for assemblies to load
DisallowBindingRedirects Gets or sets a value indicating whether an app. domain allows assembly binding redirection
DisallowCodeDownload Gets or sets a value indicating whether HTTP download is allowed for an app. domain
DisallowPublisherPolicy Gets or sets an indicator that the publisher policy section of the configuration file is applied to an app. domain
DynamicBase Gets or sets the base directory
LicenseFile Gets or sets the location of the license file
LoaderOptimization Specifies the optimization policy
PrivateBinPath Gets or sets the list of directories

// Construct AppDomain.
AppDomainSetup myAppDomainSetup = new AppDomainSetup();
myAppDomainSetup.ApplicationBase = "file://" + System.Environment.CurrentDirectory;
myAppDomainSetup.DisallowBindingRedirects = false;
myAppDomainSetup.DisallowCodeDownload = true;
myAppDomainSetup.ConfigurationFile = AppDomain.CurrentDomain.SetupInformation.ConfigurationFile;
// Create AppDomain
AppDomain d = AppDomain.CreateDomain("New Domain", null, myAppDomainSetup);

AppDomain.CurrentDomain.SetupInformation is used to examine properties of the App. domain.