Customizing Trust Levels in IIS 7.0

  • Question

  • User-1842880510 posted

    Hi folks;

    We have a problem.  We have a web site with a number of web applications residing under it.  Each of these web applications makes use of a customized configuration file which was called web.config but really does not contain any of the standard elements of a web.config file.  The web site contains one directory called CustomWebConfig with the web.config residing under it and another called "OurWeb".  All of the web applications reside in folders under "OurWeb".

    Our web site has been running on IIS 6.0 for a considerable time.  Now we have to move it to IIS 7.0.  Government Requirements state that the Web server must utilize the Medium Trust Level.  Medium Trust Level specifies that applications have no access to any files outside of their application root.  This causes a problem since the web.config file is not under any application root.  Nor can it go under any specific application root as that would make it inaccessible to the other applications.  It seemed to me that there should be some way to allow an exception.  Sure enough I found that you can Customize a Trust Level.  I found a Word Doc on the web called "ASPNET35_HostingDeploymentGuide[1].doc" which showed the basics on how to customize a Trust Level config file.  Except it really wasn't all that basic.  It provided explicit instructions on how to customize the "Medium Trust Level" to add a new security class and named permission set to allow access to OLEDB database connections.  However, it did not really explain the various elements and attributes, what they were for and how to add permission to open a single specific folder.  (Although I've read that this can be done.)

    So if anyone knows how to add a permission set to do that, or at least a source of detailed documentation on how to customize a Trust Level config file, I would appreciate it very much.

    Thanks in advance for your assistance.

    Monday, May 5, 2014 4:32 PM

Answers

  • User-1842880510 posted

    As a solution, I called MS support.  They reported that code like File.Open() needs to use certain overloads with additional parameters beyond the default.  We were also using

    System.Configuration.ExeConfigurationFileMap file_map = new ExeConfigurationFileMap(); 
    

    We were required to use:

    string sPath = "<actual system path>";
    System.Configuration.ExeConfigurationFileMap file_map = new ExeConfigurationFileMap(sPath); 
    

    We were also instructed to change ALL of the attributes of the FileIOPermission, like this

                              <IPermission
                                        class="FileIOPermission"
                                        version="1"
                                        Read="D:\TopFolder\wwwroot\folderLast;$AppDir$"
                                        Write="D:\TopFolder\wwwroot\folderLast;$AppDir$"
                                        Append="D:\TopFolder\wwwroot\folderLast;$AppDir$"
                                        PathDiscovery="D:\TopFolder\wwwroot\folderLast;$AppDir$"
                                />

    However we found that File.Exists() and Server.MapPath() still did not work.  (In fact, Server.MapPath() would not work even within the $AppDir$).

    So what we ended up doing was removing all calls to Server.MapPath() and File.Exists(), and changing the alteration of the FileIOPermission to

                               <IPermission
                                        class="FileIOPermission"
                                        version="1"
                                        Read="D:\TopFolder\Folder2\wwwroot\FolderLast;$AppDir$"
                                        Write="$AppDir$"
                                        Append="$AppDir$"
                                        PathDiscovery="D:\TopFolder\Folder2\wwwroot\FolderLast;$AppDir$"
                                />

    • Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
    Friday, September 12, 2014 10:19 AM
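Added example, not code from this thread or from Microsoft: a C# diagnostic for ASP.NET on the .NET Framework (where Code Access Security trust levels apply) that reports which of the four FileIOPermission attributes (Read, Write, Append, PathDiscovery) the trust level currently in effect grants for a folder, and opens a configuration file that lives outside the application root by explicit path. It has to run inside one of the partially-trusted web applications (for example from Application_Start or a diagnostic page); under full trust every Demand succeeds and the result tells you nothing. The class and method names are my own, and the folder path is a placeholder standing in for the D:\TopFolder\Folder2\wwwroot\FolderLast folder from the answer above.

```csharp
// Added diagnostic, not code from the thread. Targets ASP.NET on the .NET Framework,
// where Code Access Security (CAS) trust levels apply. Reference System.Configuration.
using System;
using System.Configuration;
using System.Security;
using System.Security.Permissions;
using System.Text;

public static class TrustLevelProbe
{
    // Returns the subset of Read/Write/Append/PathDiscovery that the CAS policy in
    // effect grants on 'path'. Each Demand walks the call stack, so this must be
    // called from inside the web application, not from a full-trust console program.
    public static FileIOPermissionAccess GrantedAccess(string path)
    {
        FileIOPermissionAccess granted = FileIOPermissionAccess.NoAccess;
        FileIOPermissionAccess[] candidates =
        {
            FileIOPermissionAccess.Read,
            FileIOPermissionAccess.Write,
            FileIOPermissionAccess.Append,
            FileIOPermissionAccess.PathDiscovery
        };

        foreach (FileIOPermissionAccess access in candidates)
        {
            try
            {
                // FileIOPermission needs an absolute path. A directory listed in the
                // policy's Read="..." (etc.) attribute covers that directory and below;
                // entries in those attributes are separated by semicolons.
                new FileIOPermission(access, path).Demand();
                granted |= access;
            }
            catch (SecurityException)
            {
                // Not granted: the policy file's FileIOPermission element does not list
                // this path under this attribute, or a different trust level is in effect.
            }
        }
        return granted;
    }

    // Opens a configuration file outside the application root by explicit path.
    // ExeConfigFilename is the documented way to map such a file; under partial trust
    // the policy must grant Read and PathDiscovery on its folder for this to succeed.
    public static Configuration OpenSharedConfig(string configFilePath)
    {
        var map = new ExeConfigurationFileMap { ExeConfigFilename = configFilePath };
        return ConfigurationManager.OpenMappedExeConfiguration(map, ConfigurationUserLevel.None);
    }

    // Builds a short report for a log file or a diagnostic page.
    public static string Report(string sharedDir)
    {
        FileIOPermissionAccess granted = GrantedAccess(sharedDir);
        FileIOPermissionAccess need = FileIOPermissionAccess.Read | FileIOPermissionAccess.PathDiscovery;
        FileIOPermissionAccess missing = need & ~granted;

        var sb = new StringBuilder();
        sb.AppendLine("Shared folder: " + sharedDir);
        sb.AppendLine("Granted: " + granted);
        // A missing flag names the attribute of the custom level's FileIOPermission
        // element (Read, Write, Append or PathDiscovery) that still lacks this folder.
        sb.AppendLine(missing == FileIOPermissionAccess.NoAccess
            ? "Read and PathDiscovery are both granted; the shared web.config should be readable."
            : "Missing: " + missing + " (add this folder to that attribute of FileIOPermission)");
        return sb.ToString();
    }
}
```

Call `TrustLevelProbe.Report(@"D:\TopFolder\Folder2\wwwroot\FolderLast")` from Application_Start and write the result to a log. If no flag at all is granted on the shared folder, check first that the custom level is actually the one in effect (the `<trust level="...">` element and the `<securityPolicy>` registration of the policy file) before editing the FileIOPermission attributes again; if only some flags are missing, the report names the attribute to extend.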

All replies

  • User1030553310 posted

    Hi joeller,

    Please try to use the location to achieve it: 

    <location allowOverride="false">
     <location path="d:\websites\customer1" allowOverride="true">
     <location path="d:\websites\customer2" allowOverride="true">
      <system.web>
        <securityPolicy>
        <!--set your trust leve here!-->      
    </securityPolicy>
        <trust level="Medium" originUrl="" />
      </system.web>
     </location>

    Reference:
    http://forums.iis.net/p/1197427/2048658.aspx?ASP+Trust+level+web+config

    Hope it helps.

    Best Regards,
    Terry Guo

    Tuesday, May 6, 2014 5:05 AM
  • User-1842880510 posted

    Bear in Mind I do NOT want to change the trust level of the entire server or even the application to be of a higher built-in Trust Level.  (i.e. I do NOT want to set the Trust level to High or Full for the application.)  I merely want to modify the Medium Trust Level to make this one little change.

    Someone suggested changing

    	Read=" $AppDir$"
    	To: Read="C:\TopFolder\Folder2\wwwroot\FolderLast;$AppDir$"

    I found this in the web_mediumtrust.config file

                                <IPermission
                                        class="FileIOPermission"
                                        version="1"
                                        Read="$AppDir$"
                                        Write="$AppDir$"
                                        Append="$AppDir$"
                                        PathDiscovery="$AppDir$"
                                />

    So I presume they mean changing the Read attribute of the named permission FileIOPermission to read

                                <IPermission
                                        class="FileIOPermission"
                                        version="1"
                                        Read="C:\TopFolder\Folder2\wwwroot\FolderLast;$AppDir$"
                                        Write="$AppDir$"
                                        Append="$AppDir$"
                                        PathDiscovery="$AppDir$"
                                />

    Would this work in a custom Level file and change the server's web.config to add the custom level like:

    <location allowOverride="false">
      <system.web>
        <securityPolicy>
          <trustLevel name="Full" policyFile="internal" />
          <trustLevel name="High" policyFile="web_hightrust.config" />
          <trustLevel name="Medium" policyFile="web_mediumtrust.config" />
          <trustLevel name="Low" policyFile="web_lowtrust.config" />
          <trustLevel name="Minimal" policyFile="web_minimaltrust.config" />
          <trustLevel name="Custom" policyFile="web_mediumtrustcustom.config"/>
        </securityPolicy>
        <trust level="Custom" originUrl="" />
      </system.web>
    </location>
    

    Also I saw this in an MSDN link

    For machine-wide enforcement, you can selectively assign trust levels using location elements in the root Web.config file

    Are they talking about the root web.config of the

    Tuesday, May 6, 2014 10:54 AM
  • User-1842880510 posted

    Please try to use the location to achieve it: 

    According to the link provided http://forums.iis.net/p/1197427/2048658.aspx?ASP+Trust+level+web+config the code in your code block is incorrect.  According to that link it should be

    <location allowOverride="false">
      <system.web>
        <securityPolicy>
        <!--set your trust leve here!-->      
    </securityPolicy>
        <trust level="Medium" originUrl="" />
      </system.web>
     </location>
     <location path="d:\websites\customer1" allowOverride="true">
     <location path="d:\websites\customer2" allowOverride="true">
    

    Tried both configurations and all the web apps on the site throw a 500 error and do not open.  

    Wednesday, July 30, 2014 12:05 PM
  • User-1842880510 posted

    Verified that according to http://msdn.microsoft.com/en-us/library/ff648344.aspx How To: Use Medium Trust in ASP.NET 2.0, the change made to read attribute of FileI/O IPermission element is what is supposed to be done.

    Problem is it did not work.  Attempted to make the change in custom level configs on both 2.0 and 4.0.30319.  Neither worked for File I/O but oledb permission was able to be granted.

    Update 7/30/2014:

    Inadvertently created two new threads on the same issue a couple of weeks later.  Please go to http://forums.iis.net/t/1214716.aspx?Problem+with+Custom+Trust+Levels+ with any ideas concerning this.

    Wednesday, July 30, 2014 12:13 PM