3.10 Ensure global .NET trust level is configured

Information

This only applies to .Net 2.0. Future versions have stopped supporting this feature.

An application's trust level determines the permissions that are granted by the ASP.NET code access security (CAS) policy. CAS defines two trust categories: full trust and partial trust. An application that has full trust permissions may access all resource types on a server and perform privileged operations, while applications that run with partial trust have varying levels of operating permissions and access to resources.

The possible values for the Level property of the TrustSection class are:
o Full: Specifies unrestricted permissions and grants the ASP.NET application permissions to access any resource that is subject to operating system security; all privileged operations are supported
o High: specifies a high level of code access security which limits the application from doing the following:
-- Call unmanaged code
-- Call serviced components
-- Write to the event log
-- Access Microsoft Windows Message Queuing queues
-- Access ODBC, OLD DB, or Oracle data sources
o Medium: specifies a medium level of code access security, which means that in addition to the restrictions for High, the ASP.NET application cannot do any of the following things:
-- Access files outside the application directory
-- Access the registry
o Low: specifies a low level of code access security, which means that in addition to the restrictions for Medium, the application is prevented from performing any of the following actions:
-- Write to the file system
-- Call the System.Security.CodeAccessPermission.Assert method to expand permissions to resources
-- Minimal: specifies a minimal level of code access security, which means that the application has only execute permission

It is recommended that the global .NET Trust Level be set to Medium or lower.

The CAS determines the permissions that are granted to the application on the server. Setting a minimal level of trust that is compatible with the applications will limit the potential harm that a compromised application could cause to a system.

NOTE: This section requires ASP.NET, but ASPNET45 and .Net Extensibility have not been found.

See Also

https://workbench.cisecurity.org/files/166