Default Security Policy
.gif "Important note") Important |
|---|
In the .NET Framework version 4, the common language runtime (CLR) is moving away from providing security policy for computers. Microsoft is recommending the use of Windows Software Restriction Policies as a replacement for CLR security policy. The information in this topic applies to the .NET Framework version 3.5 and earlier; it does not apply to version 4.0 and later. For more information about this and other changes, see Security Changes in the .NET Framework 4. |
Machine policy is set by default to the values shown in the following tables. Because the policy levels are intersected when determining the allowed permission set, the machine policy settings actually determine the default security policy. Note that these tables represent the named permission sets and permissions used by the default policy settings and not all the named permission sets and permissions available to customize security policy.
The following table shows the default code groups for machine policy and the named permissions sets they receive by default. For example, code that originates from the local computer is assigned to the My Computer Zone and receives full trust by default.
Code group |
Named permission set received by default |
|---|---|
|
Full Trust |
|
Local Intranet |
|
Internet |
|
Nothing |
Note
In the .NET Framework 1.0 Service Pack 1 and Service Pack 2, the Internet Zone Code Group receives the Nothing named permission set. In all other releases of the .NET Framework, the Internet Zone code group receives the Internet named permissions set, as described in the preceding table.
Although the All Code group receives the Nothing permission set by default, this does not mean that none of the code has permissions, because matching code groups are combined (called a union) to calculate the allowed permission set.
The following table shows the individual permissions that constitute the default permission sets. The column on the left lists individual permission objects, while the columns on the right represent the configuration of those objects in the permission sets. For example, code that originates from the Local Intranet Zone receives the Local Intranet Permission Set. This table shows that the Local Intranet Permission Set consists of unrestricted DNSPermission, unrestricted FileDialogPermission, and so on. Note that code from the Internet Zone does not receive the Internet Permission Set by default; instead it receives the Nothing Permission Set.
Permission |
Full Trust Permission Set (Unrestricted access to all permissions including those not listed) |
Nothing Permission Set (No permissions, no right to execute) |
Local Intranet Permission Set |
Internet Permission Set |
|---|---|---|---|---|
Unrestricted |
No Access |
No Access |
||
Unrestricted |
No Access |
Read Username (environmental variable) |
No Access |
|
Unrestricted |
No Access |
No Access |
||
Unrestricted |
No Access |
|||
Unrestricted |
No Access |
Disk Quota of 9223372036854775807 |
Disk Quota of 512000 |
|
Unrestricted |
No Access |
|||
Unrestricted |
No Access |
No Access |
||
Unrestricted |
No Access |
|||
Unrestricted |
No Access |
Although the default security policy is suitable for many situations, administrators can modify or customize security policy to tailor it to the specific needs of their organizations. For details, see Administering Security Policy.
Note that code is subject to the additional restrictions associated with the inherent LinkDemand for full trust automatically performed by assemblies placed in the global assembly cache. Unless the AllowPartiallyTrustedCallersAttribute is applied to an assembly in the global assembly cache, all code that does not receive the Full Trust permission set will generate a SecurityException when it attempts to link to the assembly. For more information and a list of assemblies that have the AllowPartiallyTrustedCallersAttribute, see Using Libraries from Partially Trusted Code.
See Also
Concepts
Using Libraries from Partially Trusted Code