
Using CASPOL to Fully Trust a Network Share

<note warning>The .NET 4.0 Framework does not apply CAS policy by default. Any settings modified by CasPol will only affect applications that opt into using CAS policy. Please see for more information.</note>

Network shares get “LocalIntranet” permission by default. If you use the IP address of the server or the FQDN of the server, that share will get “Internet” permissions instead. I find this common when I use domain-based DFS (\\domain.local\dfs\share). Since I trust these share locations, I find myself constantly updating the code access security policy so that I can run .NET applications from network share locations.

If I wanted to trust everything on the share \\server\share, the command is:

CasPol.exe -m -pp off -ag 1.2 -url file://///server/share/* FullTrust
  • -m - modify the machine level of the policy. This is needed, since the machine level is where all of the default policy lives.
  • -pp off - Turns the confirmation prompt off
  • -ag 1.2 - add a code group under group 1.2. In the default policy, group 1.2 is the “LocalIntranet” group, so the new code group that we're creating will only be checked if the file comes from the intranet.
  • -url file://///server/share/* - The membership condition for the new code group should be a UrlMembershipCondition
  • FullTrust - The permission set to grant assemblies that match the code group.

Sometimes I map that share to a drive letter on the local system. When you do that, you have to slightly modify the above -url pattern to file:///F:/*

<note important>If you are running a 64-bit system, make sure to run caspol.exe on both the 32-bit version and the 64-bit version of the framework…</note>
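
The following PowerShell script is an added example, not part of the original post: it runs the command above with both the 32-bit and the 64-bit framework's caspol.exe and skips the add when the URL is already listed, so repeated runs do not pile up duplicate code groups. The framework version v2.0.50727, the placeholder share and the parameter names are assumptions; run it from an elevated prompt.

```powershell
# Added example, not from the original post. Assumptions: CLR 2.0 framework
# directories (v2.0.50727) and the placeholder share \\server\share.
param(
    [string]$Url = 'file://///server/share/*',
    [string]$ParentGroup = '1.2',            # LocalIntranet in the default policy
    [string]$FrameworkVersion = 'v2.0.50727'
)

# The 32-bit and 64-bit frameworks keep separate machine policy files,
# so each one has its own caspol.exe that must be run.
$candidates = @(
    Join-Path $env:windir "Microsoft.NET\Framework\$FrameworkVersion\caspol.exe"
    Join-Path $env:windir "Microsoft.NET\Framework64\$FrameworkVersion\caspol.exe"
)

foreach ($caspol in $candidates) {
    if (-not (Test-Path -LiteralPath $caspol)) {
        Write-Warning "Not installed, skipping: $caspol"
        continue
    }

    # -lg lists the machine-level code groups. Skip if the URL is already
    # present, because -ag adds another group on every run.
    # Assumption: the listing prints the URL exactly as it was entered.
    $existing = & $caspol -m -lg
    if ($existing | Select-String -Pattern $Url -SimpleMatch -Quiet) {
        Write-Output "Already trusted: $Url ($caspol)"
        continue
    }

    & $caspol -m -pp off -ag $ParentGroup -url $Url FullTrust
    if ($LASTEXITCODE -ne 0) {
        Write-Error "caspol failed with exit code ${LASTEXITCODE}: $caspol"
        continue
    }

    # Print every FullTrust group so the resulting policy can be reviewed.
    & $caspol -m -lg | Select-String -Pattern 'FullTrust' -SimpleMatch
}
```

Keep the -url pattern as narrow as the share you actually trust; the final listing shows every FullTrust grant in the machine policy, which makes stale or overly broad entries easy to spot.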

I also run my development tools inside a VM on my laptop and so I map drives back to the host system. These are the commands that I use to allow me to use those drives as if they were local drives:

caspol.exe -m -pp off -ag 1 -url "file:///D:/*" FullTrust
caspol.exe -m -pp off -ag 1 -url "file:///L:/*" FullTrust

The difference here is that I'm adding the code group to the “LocalComputer” instead of the “LocalIntranet”.

Copyright © 2022 by Julian Easterling. SOME RIGHTS RESERVED.