Privileged winforms deployment via IE
Author |
Message |
Michel Gallan #1 / 10
|
 Privileged winforms deployment via IE
Does dotnet support privileged (digitally signed?) browser-based .net applications which are fully privileged (like signed Java applets?) If so, are there any live examples on the Internet out there now? Thanks, - Mitch Gallant
|
Sun, 14 Nov 2004 06:27:50 GMT |
|
 |
Marius [MS #2 / 10
|
 Privileged winforms deployment via IE
Yes, you can download a WinForm application through the browser, e.g.:
<a href="MyApp.exe">Try me</a>
The Code Evidence security will grant this app certain permissions depending on where this app came from (intranet, extranet, etc.). If people download your app from the internet, you (or they) would need to add a new code group through the MMC to the Runtime Security Policy, e.g. a FriendlySite group, and amend the default policy setting for that zone to give special privileges to an assembly signed with a particular public key. I don't know of a public sample showing all that.
--
Regards,
Marius Rochon
NOTE: This posting is provided "AS IS" with no warranties, and confers no rights.
|
Sun, 14 Nov 2004 12:38:15 GMT |
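The code-group arrangement described in the reply above, as an added example that is not part of the original thread: a strong-name "FriendlySite" group nested under the Internet zone group, resolved against constructed evidence. It assumes the legacy CAS policy API of .NET Framework 1.1/2.0 (obsolete from .NET Framework 4); the key blobs, the sandbox permission set and the class and method names are constructed placeholders.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

class FriendlySitePolicyDemo
{
    // Constructed placeholder key blobs; a real blob is read from the signed assembly.
    static readonly byte[] FriendlyKey = { 1, 2, 3, 4, 5, 6, 7, 8 };
    static readonly byte[] OtherKey = { 9, 9, 9, 9, 9, 9, 9, 9 };

    static PolicyLevel BuildLevel()
    {
        // Small sandbox grant standing in for the default Internet permission set.
        PermissionSet sandbox = new PermissionSet(PermissionState.None);
        sandbox.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
        sandbox.AddPermission(new UIPermission(UIPermissionWindow.SafeTopLevelWindows));
        // Build the tree bottom-up before attaching it to the policy level.
        CodeGroup friendly = new UnionCodeGroup(
            new StrongNameMembershipCondition(new StrongNamePublicKeyBlob(FriendlyKey), null, null),
            new PolicyStatement(new PermissionSet(PermissionState.Unrestricted)));
        friendly.Name = "FriendlySite";
        CodeGroup internet = new UnionCodeGroup(
            new ZoneMembershipCondition(SecurityZone.Internet), new PolicyStatement(sandbox));
        internet.AddChild(friendly);   // child is evaluated only if the zone condition matches
        CodeGroup root = new UnionCodeGroup(
            new AllMembershipCondition(), new PolicyStatement(new PermissionSet(PermissionState.None)));
        root.AddChild(internet);
        PolicyLevel level = PolicyLevel.CreateAppDomainLevel();
        level.RootCodeGroup = root;
        return level;
    }

    // Resolves constructed evidence against the level and reports whether the grant is unrestricted.
    static bool IsFullyTrusted(PolicyLevel level, SecurityZone zone, byte[] key)
    {
        Evidence ev = new Evidence();
        ev.AddHost(new Zone(zone));
        if (key != null)   // an unsigned assembly carries no StrongName evidence
            ev.AddHost(new StrongName(new StrongNamePublicKeyBlob(key), "MyApp", new Version(1, 0, 0, 0)));
        return level.Resolve(ev).PermissionSet.IsUnrestricted();
    }

    static void Main()
    {
        PolicyLevel level = BuildLevel();
        Console.WriteLine("Internet, FriendlySite key: " + IsFullyTrusted(level, SecurityZone.Internet, FriendlyKey));
        Console.WriteLine("Internet, other key:        " + IsFullyTrusted(level, SecurityZone.Internet, OtherKey));
        Console.WriteLine("Internet, unsigned:         " + IsFullyTrusted(level, SecurityZone.Internet, null));
        Console.WriteLine("Intranet, FriendlySite key: " + IsFullyTrusted(level, SecurityZone.Intranet, FriendlyKey));
    }
}
```

Only the Internet-zone evidence carrying the FriendlySite key resolves to an unrestricted grant; because the strong-name group is nested under the zone group, the same key arriving from another zone is not elevated by it.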
|
 |
Michel Gallan #3 / 10
|
 Privileged winforms deployment via IE
Thanks. I have some experience with downloading privileged standalone .net applications with modified Code group settings. In fact, there appears to be a bug with the "Certificate evidence" stuff (but not for URL based evidence) as discussed here:
Subject: Re: Microsoft .NET Framework Service Pack
Newsgroups: microsoft.public.dotnet.faqs, microsoft.public.dotnet.framework, microsoft.public.dotnet.framework.adonet, microsoft.public.dotnet.framework.aspnet, microsoft.public.dotnet.general, microsoft.public.dotnet.languages.vb
Date: 2002-03-29 07:15:51 PST
Having to have an end user configure such a custom code-group is too difficult for most end users! What I was looking for was something more like the user having to make a simple decision on the fly (like signed applet, signed by official cert from trusted CA) without the user having to make ANY other reconfigurations. The bug I note in the 03/29/2002 posting above makes this all but impossible (with the .net SP1 security settings).
Also, I was interested in a trusted .net application embedded (and possibly scriptable from VBScript etc.) within a web-page (like a Java applet). As a concrete example, how would you do something like this signed-applet win32 RAM usage monitor, conveniently embedded in a web-page:
http://home.istar.ca/~neutron/memorywin32/
Thanks,
- Mitch Gallant
|
Sun, 14 Nov 2004 21:44:01 GMT |
|
 |
Ryan Farle #4 / 10
|
 Privileged winforms deployment via IE
Take a look at this article in June 2002 MSDN Magazine. It talks about embedding .NET WinForms in a browser. http://msdn.microsoft.com/msdnmag/issues/02/06/rich/rich.asp -- -Ryan
|
Mon, 15 Nov 2004 00:35:46 GMT |
|
 |
Michel Gallan #5 / 10
|
 Privileged winforms deployment via IE
Thanks Ryan. This is what I was looking for!
- Mitch
|
Mon, 15 Nov 2004 01:47:29 GMT |
|
 |
Michel Gallan #6 / 10
|
 Privileged winforms deployment via IE
I read this excellent article carefully yesterday, and it is a great starting point for building "Rich Client" apps with .net. Particularly useful is the dotted checklist in the section "Windows Forms".
The article focuses on building such Rich Clients using the *partially* trusted code default security settings, which the author emphasises is powerful enough in itself. Having a *more* privileged Rich Client run requires end-user configuration (typically by an administrator) of the security policy, say using the .net Framework Admin. Tool.
Hopefully, the same author will have a forthcoming article showing how to do this for:
Certificate (signed-code) evidence
URL code-origin evidence
Questions about deployment testing:
(1) The author mentions that browser-based embedded controls can ONLY be tested from a web-server (and not locally from the file system). Is there any workaround for this?
(2) Also, can the browser-embedded control apps be deployed from ANY web server (the author emphasises IIS virtual root deployment)?
Thanks,
- Mitch
|
Mon, 15 Nov 2004 23:09:41 GMT |
|
 |
Michel Gallan #7 / 10
|
 Privileged winforms deployment via IE
However ... I can't get the simplest example working (the Controls.dll) when deployed from an IIS local server (on custom port). With IE6 and Win2000, the page simply displays blank blocks with no ListBoxes displayed. Any ideas why this is happening? I had used the "IIS lockdown tool" so I gather it affects the ability to download a dll file from this server? (Also, installed the URLScan security tool.)
Thnx,
- Mitch
|
Tue, 16 Nov 2004 08:15:20 GMT |
|
 |
Ryan Farle #8 / 10
|
 Privileged winforms deployment via IE
It worked fine for me. I have not run the lockdown tool (and no URLScan) on the server I tried it on so maybe it is because of that??? -- -Ryan
|
Wed, 17 Nov 2004 01:47:25 GMT |
|
 |
Michel Gallan #9 / 10
|
 Privileged winforms deployment via IE
OK thanks for verifying that. I also configured some settings via the Baseline Security Analyzer that appear to have hosed the password settings on several IIS related accounts :-(
Another point, can that simple ListBox example be deployed from any server, or does the rich-client capability, for controls embedded in a web page, depend in some way on it being served from an IIS server??
Thanks,
- Mitch
|
Wed, 17 Nov 2004 02:56:04 GMT |
|
 |
Michel Gallan #10 / 10
|
 Privileged winforms deployment via IE
I recovered the functionality of my IIS5 / Win2000 Pro and can now get the rich client to work. For those interested, one can apply IIS Lockdown (with built-in URLScan) and still run asp/asp.net applications. Here is the summary thread:
Subject: Re: How to get IIS5 functional again
Date: Sun, 02 Jun 2002 19:55:45 -0400
Newsgroups: microsoft.public.security
Final question: For rich dotnet clients, why do you need to deploy them from an IIS server? They don't *appear* to use aspnet functionality, but deploying from any server other than IIS does not seem to work.
- Mitch
|
Fri, 19 Nov 2004 23:15:06 GMT |
|
|
|