Privileged winforms deployment via IE 
 Privileged winforms deployment via IE

Does dotnet support privileged (digitally signed?) browser-based .net
applications which are fully privileged (like signed Java applets?)

If so, are there any live examples on the Internet out there now?

Thanks,
 - Mitch Gallant



Sun, 14 Nov 2004 06:27:50 GMT  
 Privileged winforms deployment via IE
Yes, you can download a WinForm application through the browser, e.g.:

<a href="MyApp.exe">Try me</a>

The Code Evidence security will grant this app certain permissions depending
on where this app came from (intranet, extranet, etc.). If people download
your app from internet, you (or they) would need to add a new code group
through the MMC to the Runtime Security Policy, e.g. FriendlySite group and
amend the default policy setting for that zone to give special privileges
to an assembly signed with a particular public key. I don't know of a public
sample showing all that.

--
Regards,
Marius Rochon
NOTE: This posting is provided "AS IS" with no warranties, and confers no
rights.




Sun, 14 Nov 2004 12:38:15 GMT  
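
The code group described in the reply above can also be created from the command line with caspol rather than through the MMC snap-in. This is an added example, not part of the original posts; it assumes caspol.exe from the .NET Framework directory is on PATH in an administrator command prompt, and the description string is constructed.

```batch
@echo off
rem Added example, not from the thread. MyApp.exe and the FriendlySite group
rem name are taken from the post; the description text is constructed.

rem 1. Record the machine-level code groups before changing anything.
caspol -machine -listgroups

rem 2. Add a child group under Internet_Zone. Its membership condition is the
rem    strong-name public key read from MyApp.exe. -noname -noversion match
rem    every assembly signed with that key, not only this one file, so the
rem    grant is only as safe as the private key is well protected.
rem    caspol asks for confirmation before writing the policy change.
caspol -machine -addgroup Internet_Zone -strong -file MyApp.exe -noname -noversion FullTrust -name FriendlySite -description "Assemblies signed with the FriendlySite key"

rem 3. Confirm the new group is listed under Internet_Zone with FullTrust.
rem    Other Internet-zone code still gets only the zone's default set.
caspol -machine -listgroups

rem 4. To withdraw the grant later, remove the group by name:
rem    caspol -machine -remgroup FriendlySite
```

Because the group is a child of Internet_Zone, it applies only to code that both arrives from that zone and carries the matching key; the zone's own permission set is left unchanged.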
 Privileged winforms deployment via IE
Thanks. I have some experience with downloading privileged standalone
.net applications with modified Code group settings. In fact, there appears
to be a bug with the "Certificate evidence" stuff (but not for URL based
evidence) as discussed here:


 Subject: Re: Microsoft .NET Framework Service Pack
 Newsgroups: microsoft.public.dotnet.faqs, microsoft.public.dotnet.framework,
 microsoft.public.dotnet.framework.adonet, microsoft.public.dotnet.framework.aspnet,
 microsoft.public.dotnet.general, microsoft.public.dotnet.languages.vb
 Date: 2002-03-29 07:15:51 PST

Having to have an end user configure such a custom code-group is too difficult
for most end users! What I was looking for was something more like the user
having to make a simple decision on the fly (like signed applet, signed by official
cert from trusted CA) without the user having to make ANY other reconfigurations.
The bug I note in the 03/29/2002 posting above makes this all but impossible (with
the .net SP1 security settings).

Also, I was interested in a trusted .net application embedded (and possibly scriptable
from VBScript etc.) within a web-page (like a Java applet).

As a concrete example, how would you do something like this signed-applet win32
RAM usage monitor, conveniently embedded in a web-page:
   http://home.istar.ca/~neutron/memorywin32/

Thanks,
 - Mitch Gallant




Sun, 14 Nov 2004 21:44:01 GMT  
 Privileged winforms deployment via IE
Take a look at this article in June 2002 MSDN Magazine. It talks about
embedding .NET WinForms in a browser.

http://msdn.microsoft.com/msdnmag/issues/02/06/rich/rich.asp
--

-Ryan





Mon, 15 Nov 2004 00:35:46 GMT  
 Privileged winforms deployment via IE
Thanks Ryan. This is what I was looking for!
 - Mitch



Mon, 15 Nov 2004 01:47:29 GMT  
 Privileged winforms deployment via IE
I read this excellent article carefully yesterday, and it is a great
starting point for building "Rich Client" apps. with .net. Particularly
useful is the dotted checklist in the section "Windows Forms".

The article focuses on building such Rich Clients using the *partially*
trusted code default security settings, which the author emphasises is
powerful enough in itself. Having a *more* privileged Rich Client run
requires end-user configuration (typically by an administrator) of the
security policy, say using the .net Framework Admin. Tool.
Hopefully, the same author will have a forthcoming article
showing how to do this for:
  Certificate (signed-code) evidence
  URL code-origin evidence

Questions about deployment testing:
(1) The author mentions that browser-based
embedded controls can ONLY be tested from a web-server (and not locally
from the file system). Is there any workaround for this?
(2) Also, can the browser-embedded control apps be deployed from ANY web
server (author emphasises IIS virtual root deployment)?

 Thanks,
 - Mitch




Mon, 15 Nov 2004 23:09:41 GMT  
 Privileged winforms deployment via IE
However .... I can't get the simplest example working (the Controls.dll)
when deployed from an IIS local server (on custom port). With IE6, and
Win2000, the page simply displays blank blocks with no ListBoxes displayed.
Any ideas why this is happening?  I had used the "IIS lockdown tool" so I
gather it affects the ability to download a dll file from this server? (also, installed
URL scan security tool).
Thnx,
 - Mitch



Tue, 16 Nov 2004 08:15:20 GMT  
 Privileged winforms deployment via IE
It worked fine for me.

I have not run the lockdown tool (and no URLScan) on the server I tried it
on so maybe it is because of that???
--

-Ryan





Wed, 17 Nov 2004 01:47:25 GMT  
 Privileged winforms deployment via IE
OK thanks for verifying that. I also configured some settings via the Baseline
Security Analyzer that appear to have hosed the password settings on several
IIS related accounts :-(

Another point, can that simple ListBox example be deployed from any server,
or does the rich-client capability, for controls embedded in a web page, depend
in some way on it being served from an IIS server??

Thanks,
 - Mitch




Wed, 17 Nov 2004 02:56:04 GMT  
 Privileged winforms deployment via IE
I recovered the functionality of my IIS5 / Win2000 Pro and can now get the
rich client to work. For those interested, one can apply IIS Lockdown (with
built-in URLScan) and still run asp/asp.net applications. Here is the summary
thread:

Subject:  Re: How to get IIS5 functional again
       Date: Sun, 02 Jun 2002 19:55:45 -0400

       Newsgroups: microsoft.public.security

Final question:  For rich dotnet clients, why do you need to deploy them
from an IIS server? They don't *appear* to use aspnet functionality, but
deploying from any server other than IIS does not seem to work.

 - Mitch




Fri, 19 Nov 2004 23:15:06 GMT  
 