Microsoft KB Archive/317399

= INFO: .NET Framework Change in Default Machine Level Security Policy =

Article ID: 317399

Article Last Modified on 6/28/2004

-

APPLIES TO


 * Microsoft .NET Framework 1.0 Service Pack 1
 * Microsoft .NET Framework Class Libraries 1.0

-



This article was previously published under Q317399



SUMMARY
When you install Microsoft .NET Framework 1.0 Service Pack 1 (SP1), the installation automatically sets a new defult policy that replaces the previous security policy that was in effect. The change in default security policy does not permit managed code that was downloaded from the Internet zone to run (as configured on the Security tab under Internet Options in Microsoft Internet Explorer). Previously, this code was permitted to run with a limited set of permissions roughly analogous to the permissions that script on a Web page would have within the browser. This is the only change. Use the Microsoft .NET Framework Configuration tool (Mscorcfg.msc) to review security policy to ensure that it is appropriate for your situation.

For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

318836 INFO: How to Obtain the Latest .NET Framework Service Pack



MORE INFORMATION
If you have configured security policy for the machine level, that policy will be saved before any change is made. To restore security policy to the previous configuration, use the following command: caspol -machine -recover Note that you must recover the previous security policy before you make additional changes to security policy, because only the most recent (previous) security policy information is saved.

If you have already configured enterprise-level or user-level security policy, this change may also affect how security policy works, because policy configurations of all levels intersect to compute the resulting allowable permissions.

If you want to keep your customized machine-level security policy configuration and merge this change for the Internet zone, use the following procedure. Note that if you have already configured the Internet zone, this procedure will override that configuration.


 * 1) Open the .Net Framework Configuration tool (in Control Panel, double-click Administrative Tools, and then double-click Microsoft .Net Framework Configuration), and then right-click the Runtime Security Policy node.
 * 2) Select the Adjust Security Wizard.
 * 3) Accept the Make changes to this computer message, and then click Next.
 * 4) Select the Internet zone.
 * 5) Drag the vertical slider to No Trust, and then click Next.
 * 6) Click Finish to accept the policy change.

To adjust the machine-level common language runtime (CLR) security policy to the previous setting of Internet permission, follow these steps:
 * 1) Open the .NET Framework Configuration Wizard (in Control panel, double-click Administrative Tools, and then double-click Microsoft .NET Framework Configuration).
 * 2) Select Adjust zone security.
 * 3) Click Make changes to this computer to modify the machine-level policy (you must have administrator rights to do this).
 * 4) Select the Internet zone (on the upper bar).
 * 5) Drag the vertical slider to Low Trust.
 * 6) Review the summary of changes, and then click Finish.

This procedure does both of the following:
 * Sets the policy for code in the Internet zone to match the Internet permission setting.

-and-


 * Applies the policy that grants permission to connect to the same Web site that the code comes from.

Additional query words: kbnetsearch kbsecurity kbcaspol kbNETFrame100sp1fix

Keywords: kbinfo kbmisctools kbsecurity kbsetup kbconfig KB317399

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.