I was studying for .Net Certification today using Microsoft’s Self Study Kit for the 70-536 exam. In the chapter on Application Security, the book offers the following advice concerning Code Access Security (CAS) and the .Net Framework Configuration tool.: “As a developer, one of the first things you should do is adjust the permission set assigned to the My_Computer_Zone code group. By default, it’s set to Full Trust, which means any CAS statements in your applications will be completely ignored. Change this to the Everything permission set, which grants similar permissions but respects CAS statements in assemblies.”
Wow, that’s weird. By default (in XP SP2), the .Net-specific security settings are turned off for applications launched from your own PC? Sure enough, when I checked the .Net Framework Configuration tool’s setting for the “My Computer” zone, the default was Full Trust. Admittedly, I had never come across CAS issues in my own .Net development to date, but since I wanted to experiment with having my apps run in more secure configurations I thought the book’s suggestion was a good one. I changed the setting to “Everything”, effectively activating CAS for all local applications. For some reason, it didn’t occur to me that this might impact one of the commercial .Net applications installed on my PC. Surely in this age of increased security awareness among programmers, widely used applications would have learned to get by with less than full permissions on the PC.
The next time I rebooted my PC, the ATI Catalyst Control Centre failed to start, displaying a “Command line interface has encountered a problem” error message.
Having done various tweaks to my OS settings recently, I didn’t connect this error with the change to the .Net Framework Configuration until I Googled the problem and found that the most common solution was to reinstall the .Net runtime. I tried changing the .Net permissions for the “My Computer” zone back to the default, and the ATI Catalyst Centre was happy again.
The .Net Framework Configuration tool allows you to assign specific permissions to specific applications, so rather than leaving CAS disabled by default I gave ATI’s CLI.exe assembly Full Trust. The average user, though, isn’t going to bother with such a measured response — if they somehow managed to find a way to turn on CAS, they’ll promptly turn it off again.
Given that such a widely used consumer application as ATI Catalyst Control Centre doesn’t play nice with CAS, and given that few users are going to figure out how to enable CAS in the first place, I wonder if there’s much point in learning how to make my applications work with CAS settings (other than to pass the certification exam, of course). Is this a case of Microsoft not doing enough to make developers aware of this technology, or is the technology so flawed that Microsoft is happy to let it be neglected?
