INFO: .NET Framework Change in Default Machine Level Security Policy (317399)



The information in this article applies to:

  • Microsoft .NET Framework 1.0 SP1
  • Microsoft .NET Framework Class Libraries 1.0

This article was previously published under Q317399

SUMMARY

When you install Microsoft .NET Framework 1.0 Service Pack 1 (SP1), the installation automatically sets a new default policy that replaces the previous security policy that was in effect. The new default security policy does not permit managed code that was downloaded from the Internet zone (as that zone is configured on the Security tab under Internet Options in Microsoft Internet Explorer) to run. Previously, this code was permitted to run with a limited set of permissions roughly analogous to the permissions that script on a Web page would have within the browser. This is the only change. Use the Microsoft .NET Framework Configuration tool (Mscorcfg.msc) to review security policy to ensure that it is appropriate for your situation.

For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

318836 INFO: How to Obtain the Latest .NET Framework Service Pack

MORE INFORMATION

If you have configured security policy for the machine level, that policy will be saved before any change is made. To restore security policy to the previous configuration, use the following command:

    caspol -machine -recover

Note that you must recover the previous security policy before you make additional changes to security policy, because only the most recent (previous) security policy information is saved.

If you have already configured enterprise-level or user-level security policy, this change may also affect how security policy works, because policy configurations of all levels intersect to compute the resulting allowable permissions.
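The following added example (not part of the original article and not Microsoft code) models the intersection described above, to show why a user-level or enterprise-level grant cannot restore permissions that the machine level no longer gives to the Internet zone. It is a simplified model: permission names are constructed shorthand, the code groups are assumed default-style, and code group attributes such as Exclusive and LevelFinal are ignored.

```python
# Simplified model of CLR 1.x policy resolution (added illustration, not Microsoft code).
# Permission names are constructed shorthand, not real permission classes.
NOTHING = frozenset()
INTERNET = frozenset({"Execution", "SafeUI", "FileDialogOpen", "IsolatedStorage"})
FULL = INTERNET | {"FileIO", "Registry", "UnmanagedCode"}
LEVELS = ("enterprise", "machine", "user")


def level_grant(code_groups, zone):
    """Within one level, union the permission sets of every matching code group."""
    grant = set()
    for membership, pset in code_groups:
        if membership in ("All_Code", zone):
            grant |= pset
    return frozenset(grant)


def resolve(policy, zone):
    """Across levels, the per-level grants intersect."""
    grants = [level_grant(policy[level], zone) for level in LEVELS]
    return frozenset.intersection(*grants)


def build_policy(internet_pset, user_groups=None):
    """Default-style policy: only the machine level distinguishes zones."""
    return {
        "enterprise": [("All_Code", FULL)],
        "machine": [("All_Code", NOTHING), ("MyComputer", FULL),
                    ("Internet", internet_pset)],
        "user": user_groups or [("All_Code", FULL)],
    }


if __name__ == "__main__":
    # Hypothetical user-level customization that tries to fully trust Internet code.
    user = [("All_Code", NOTHING), ("Internet", FULL)]
    for label, pset in (("before SP1", INTERNET), ("after SP1", NOTHING)):
        policy = build_policy(pset, user)
        print(label, "Internet ->", sorted(resolve(policy, "Internet")))
        print(label, "MyComputer (default user level) ->",
              sorted(resolve(build_policy(pset), "MyComputer")))
```
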

If you want to keep your customized machine-level security policy configuration and merge this change for the Internet zone, use the following procedure. Note that if you have already configured the Internet zone, this procedure will override that configuration.

  1. Open the .NET Framework Configuration tool (in Control Panel, double-click Administrative Tools, and then double-click Microsoft .NET Framework Configuration), and then right-click the Runtime Security Policy node.
  2. Select the Adjust Security Wizard.
  3. Accept the Make changes to this computer message, and then click Next.
  4. Select the Internet zone.
  5. Drag the vertical slider to No Trust, and then click Next.
  6. Click Finish to accept the policy change.

To adjust the machine-level common language runtime (CLR) security policy to the previous setting of Internet permission, follow these steps:

  1. Open the .NET Framework Configuration Wizard (in Control Panel, double-click Administrative Tools, and then double-click Microsoft .NET Framework Configuration).
  2. Select Adjust zone security.
  3. Click Make changes to this computer to modify the machine-level policy (you must have administrator rights to do this).
  4. Select the Internet zone (on the upper bar).
  5. Drag the vertical slider to Low Trust.
  6. Review the summary of changes, and then click Finish.

This procedure does both of the following:

  • Sets the policy for code in the Internet zone to match the Internet permission setting.

    -and-

  • Applies the policy that grants permission to connect to the same Web site that the code comes from.

Modification Type: Major
Last Reviewed: 6/28/2004
Keywords:kbMiscTools kbsetup kbSecurity kbConfig kbinfo KB317399 kbAudDeveloper