locked
Customizing a Trust Level in IIS 7.0 RRS feed

  • Question

  • User-1842880510 posted

    Hi folks;

    We have a problem.  We have a web site with a number of web applications residing under it.  Each of these web applications make use of a customize configuration file which was called web.config but really does not contain any of the standard elements of a web.config file.  The web site contains one directly called CustomWebConfig with the web.config residing under it and another called "OurWeb".  All of the web applications reside in folders under "OurWeb". 

    Our web site has been running on IIS 6.0 for a considerable time.  Now we have to move it to IIS 7.0.  Government Requirements state that the Web server must utilize the Medium Trust Level.  Medium Trust Level specifies that application have no access to any files outside of their application root.  This causes a problem since the web.config file is not under any application root.  Nor can it go under any specific application root as that would make in inaccessible to the other applications.  It seemed to me that there should be some way to allow an exception.  Sure enough I found that you can Customize a Trust Level.  I found a Word Doc on the web called "ASPNET35_HostingDeploymentGuide[1].doc"  which should the basics on how to customize a Trust Level config file.  Except it really wasn't all that basic.  It provided explicit instructions on how to customize the "Medium Trust Level" to add a new security class and named permission set to allow access to OLEDB database connections.  However, it did not really explain the various elements and attributes, what they were for and how to add permission to open a single specific folder.  (Although I've read that this can be done.)

    So I would appreciate it if anyone knowing how to add a permission set to do that or at least a source of detailed documentation on how to customize Trust Level config file I would appreciate it very much.

    Thanks in advance for your assistance.

    Monday, May 5, 2014 4:30 PM

Answers

  • User-1842880510 posted

    As a solution.  I called MS support.  They reported that code like File.Open() needs to use certain overloads with additional parameters beyond the default.  We were also using

    System.Configuration.ExeConfigurationFileMap file_map = new ExeConfigurationFileMap(); 
    

    We were required to use:

    sPath = "<actual system path>"
    System.Configuration.ExeConfigurationFileMap file_map = new ExeConfigurationFileMap(sPath); 
    

    We were also instructed to change ALL of the attributes of the FileIOPermission, Like this

                              <IPermission
                                        class="FileIOPermission"
                                        version="1"
                                        Read="D:\Inetpub\wwwroot\NewWebConfig;$AppDir$"
                                        Write="D:\Inetpub\wwwroot\NewWebConfig;$AppDir$"
                                        Append="D:\Inetpub\wwwroot\NewWebConfig;$AppDir$"
                                        PathDiscovery="D:\Inetpub\\wwwroot\NewWebConfig;$AppDir$"
                                />

    However we found that File.Exists() and Server.MapPath() still did not work.

    So what we did was make the change to we ended up removing all calls to Server.MapPath(), and File.Exists(), and changing the alteration of the FileIOPermission to

                               <IPermission
                                        class="FileIOPermission"
                                        version="1"
                                        Read="D:\Inetpub\CadPad\wwwroot\VFSWebConfig;$AppDir$"
                                        Write="$AppDir$"
                                        Append="$AppDir$"
                                        PathDiscovery="D:\Inetpub\CadPad\wwwroot\VFSWebConfig;$AppDir$"
                                />

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Friday, September 12, 2014 11:00 AM

All replies

  • User-734925760 posted

    Hi,

    According to your description, you want to create a custom Trust Level. So far as I know, if we want to create a custom Trust Level, we need to  create a security policy file and then specify this file in the security policy section of the application web.config.

    The code below shows the securityPolicy section of a configuration file that maps the full trust level to a policy file:

    <system.web>
      <securityPolicy>
        <trustLevel name="Full" policyFile="internal"/>
      </securityPolicy>
    </system.web>

    For more information about Trust Levels and Policy Files, please refer to the link below:

    http://msdn.microsoft.com/en-us/library/wyts434y.aspx

    There is an same thread, please refer to the link below:

    http://forums.iis.net/t/1210864.aspx

    Hope it's useful for you.

    Best Regards,

    Michelle Ge

    Tuesday, May 6, 2014 5:29 AM
  • User-1842880510 posted

    The IIS forum entry is mine describing this same situation and which I entered a few minutes before putting in this one.

    I am reading the msdn link but in order to understand it you have to go to another link and in order to understand that you have to go to another link and in order to understand that you have to go to a fouurth link.

    Before I comment on you solution I need to read all of these links.  However, understand I do not want to give these apps a "High" trust level, I merely want to add 1 additional directory to those to which the apps have permission.

    Someone suggested changing

    	Read=" $AppDir$"
    	To: Read="C:\Inetpub\CadPad\wwwroot\VFSWebConfig;$AppDir$"

    I found this in the web_mediumtrust.config file

                                <IPermission
                                        class="FileIOPermission"
                                        version="1"
                                        Read="$AppDir$"
                                        Write="$AppDir$"
                                        Append="$AppDir$"
                                        PathDiscovery="$AppDir$"
                                />

    So I presume they mean changing the Read attribute of the named permission FileIOPermission to read

                                <IPermission
                                        class="FileIOPermission"
                                        version="1"
                                        Read="C:\Inetpub\CadPad\wwwroot\VFSWebConfig;$AppDir$"
                                        Write="$AppDir$"
                                        Append="$AppDir$"
                                        PathDiscovery="$AppDir$"
                                />

    Would this work in a custom Level file and change the server's web.config to add the custom level like:

    <location allowOverride="false">
      <system.web>
        <securityPolicy>
          <trustLevel name="Full" policyFile="internal" />
          <trustLevel name="High" policyFile="web_hightrust.config" />
          <trustLevel name="Medium" policyFile="web_mediumtrust.config" />
          <trustLevel name="Low" policyFile="web_lowtrust.config" />
          <trustLevel name="Minimal" policyFile="web_minimaltrust.config" />
          <trustLevel name="Custom" policyFile="web_mediumtrustcustom.config"/>
        </securityPolicy>
        <trust level="Custom" originUrl="" />
      </system.web>
    </location>
    

    Also I saw this in one of the links

    For machine-wide enforcement, you can selectively assign trust levels using location elements in the root Web.config file

    Which would seem to indicate this. 

    Tuesday, May 6, 2014 9:52 AM
  • User-1842880510 posted

    As a solution.  I called MS support.  They reported that code like File.Open() needs to use certain overloads with additional parameters beyond the default.  We were also using

    System.Configuration.ExeConfigurationFileMap file_map = new ExeConfigurationFileMap(); 
    

    We were required to use:

    sPath = "<actual system path>"
    System.Configuration.ExeConfigurationFileMap file_map = new ExeConfigurationFileMap(sPath); 
    

    We were also instructed to change ALL of the attributes of the FileIOPermission, Like this

                              <IPermission
                                        class="FileIOPermission"
                                        version="1"
                                        Read="D:\Inetpub\wwwroot\NewWebConfig;$AppDir$"
                                        Write="D:\Inetpub\wwwroot\NewWebConfig;$AppDir$"
                                        Append="D:\Inetpub\wwwroot\NewWebConfig;$AppDir$"
                                        PathDiscovery="D:\Inetpub\\wwwroot\NewWebConfig;$AppDir$"
                                />

    However we found that File.Exists() and Server.MapPath() still did not work.

    So what we did was make the change to we ended up removing all calls to Server.MapPath(), and File.Exists(), and changing the alteration of the FileIOPermission to

                               <IPermission
                                        class="FileIOPermission"
                                        version="1"
                                        Read="D:\Inetpub\CadPad\wwwroot\VFSWebConfig;$AppDir$"
                                        Write="$AppDir$"
                                        Append="$AppDir$"
                                        PathDiscovery="D:\Inetpub\CadPad\wwwroot\VFSWebConfig;$AppDir$"
                                />

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Friday, September 12, 2014 11:00 AM