How to use CASPOL Tool using VB.NET

In this article I will explain you about the CASPOL Tool in VB.NET.
  • 2542

Suppose a developer creates an assembly that requires access to a resource or action that is typically available to users or clients requesting that assembly. Sometimes, for maintenance or other purposes, the administrator may need to restrict the action or resource required by the developer's assembly. This restriction could cause the assembly to function improperly or fail altogether when security exceptions are thrown. Viewing the requirements of the assembly could help you identify the problem and determine whether security issues are involved.

CASPOL (Caspol.exe), a command-line tool included with the .NET runtime SDK, is used to administer policy changes as well as to view existing permissions and the code group hierarchy. Let's look at a few examples of viewing code groups and permissions with CASPOL.

Your default view in CASPOL is determined by your current access permissions (enterprise, machine, or user). If you do not currently have administrative permissions, your default view is the Users view. The examples below explicitly specify either the machine or the user policy level. When code groups from both levels should be displayed together, as in the first example, the -all option is used.

Running the following command from the command line shows the code groups to which a specific assembly file belongs.

CASPol -all -resolvegroup hello.dll

Although this example uses a library called hello.dll, the library could be replaced with any assembly-even caspol.exe itself. Assuming that the hello.dll assembly has no custom or added restrictions, the command output from the example is as shown in Listing A.

Listing A : Output from CASPOL Command to View Code Groups

Microsoft (R) .NET Framework CasPol 1.0.2204.21
Copyright (c) Microsoft Corp 1999-2000. All rights reserved.
Level = Machine
Code Groups:
1. All code: Nothing
1.1. Zone - MyComputer: FullTrust
Level = User
Code Groups:
1. All code: FullTrust

While brief and simple, this output is sufficient to demonstrate what you can expect to see when viewing code groups. The first item is one of the policy levels, the machine policy, followed by a list of the code groups that the code belongs to. At the machine level, the code belongs to the All Code group, which uses the built-in permission set called Nothing. (Other no modifiable built-in permission sets include Execution and FullTrust). The Nothing permission set prohibits all resources, including the right to execute code. However, the All Code group has a subgroup called Zone. The Zone subgroup requires that any code within that subgroup meet the My Computer membership condition. For any code that meets that condition, the FullTrust permission set is used to allow full access to all resources. At the next policy level listed, the user level, we have FullTrust permissions to run all code. In the final line of output, the program displays that it has run successfully.

If you plan to view an assembly's permission sets for diagnostic reasons, you may want to use the - all option so that you can be sure you're seeing all the relevant information. After all, when the assembly is run, it's being spawned by a user account, in which case the machine, user policies, and the application domain's policy if it exists) are combined to produce the total permissions granted to that assembly. Using the -all option lets you see both the user and machine permission sets at the same time. Note that the -all option can also be abbreviated to just -a in the command.

The following command shows the permission sets to which a specific assembly file belongs.

CASPol -all -resolveperm hello.dll

Again, the hello.dll library could be replaced with any assembly. An example of the command's output appears in Listing B.

Listing B: Output from CASPOL Command to View Permission Sets

Microsoft (R) .NET Framework CasPol 1.0.2204.21
Copyright (c) Microsoft Corp 1999-2000. All rights reserved.
Resolving permissions for level = Machine
Resolving permissions for level = User
Grant =
<PermissionSet class="System.Security.PermissionSet" version="1">

mscorlib, Ver=1.0.2204.21, Loc='', SN=03689116d3a4ae33" version="1"><PublicKeyBlob>
<Permission class="System.Security.Permissions.URLIdentityPermission,
Ver=1.0.2204.21, Loc='', SN=03689116d3a4ae33" version="1">
<Permission class="System.Security.Permissions.ZoneIdentityPermission,
Ver=1.0.2204.21, Loc='', SN=03689116d3a4ae33" version="1">

The first item in the example output is the policy levels. The output combines both the machine and user policies to display what permissions have been granted to the code.

The PermissionSet itself is set to unrestricted, allowing all permissions to be available. Next, three specific sets of permissions are being demanded:

  • StrongNameIdentityPermission -indicates that the hello.dll library contains a strong name (a shared assembly using public-key cryptography). This permission contains the public key that must be matched for other code to make valid calls to this assembly. The cryptographic number has been shortened in this example for display.

  • URLIdentityPermission -lists the URL where the code originated. If you are viewing one of your own assemblies, you will most likely see the path that you compiled to.

  • ZoneIdentityPermission -determines if the calling code is from a specific zone (a specific caller region, such as Intranet_Zone or Internet_Zone). Only exact zone matches can be defined for this permission, and a URL can only belong to a single zone.

Another option that can be used with the CASPOL utility is the -list option. The -list option shows the list of code groups followed by a list of named permission sets available in the most recently displayed policy. The following command enlists the -list option to provide you with an overall look at your permissions:

CASPol -list

The output from this command is for your entire current configuration, not just for a single assembly. If the output is too long for your shell window, then try using the following command, which saves the output to text file called output.txt:

CASPol -list > output.txt

To shorten the output further, you could use the following command to list just the code groups for your current configuration:

CASPol -listgroups

This command produces output similar to that in Listing C.

Listing C: Output from CASPOL Command to List Code Groups Only

Security is ON
Execution checking is OFF
Policy change prompt is ON
Level = Machine
Code Groups:
1. All code: Nothing
1.1. Zone - MyComputer: FullTrust
1.1.1. Honor SkipVerification requests: SkipVerification
1.2. Zone - Intranet: LocalIntranet
1.2.1. All code: Same site Socket and Web.
1.3. Zone - Internet: Internet
1.4. Zone - Untrusted: Nothing
1.5. Zone - Trusted: Internet
1.6. StrongName - 0024000004800000940000000: Everything

As you might expect, the following command functions in much the same way, except that it displays only the permission sets for your current configuration.

CASPol -listpset

Although this hello.dll example had very few restricted permissions, you can see how using the CASPOL utility to view restrictions for a specific assembly allows you to discover which permissions your assembly needs to run. Similarly, using the CASPol -list command reveals the permissions available to you as a user or administrator.


Hope this article would have helped you in understanding the CASPOL Tool in VB.NET.


More Articles

© 2020 DotNetHeaven. All rights reserved.