# Additional Security Considerations in Windows Forms

The following sections discuss how to work with the Clipboard, perform window manipulation, and call the Windows API from applications that are running in a partial trust environment.

## Clipboard Access

The UIPermission class controls access to the Clipboard, and the associated UIPermissionClipboard enumeration value indicates the level of access. The following table shows the possible permission levels.

UIPermissionClipboard value Description
AllClipboard The Clipboard can be used without restriction.
OwnClipboard The Clipboard can be used with some restrictions. The ability to put data on the Clipboard (Copy or Cut command operations) is unrestricted. Intrinsic controls that accept paste, such as a text box, can accept Clipboard data, but user controls cannot programmatically read from the Clipboard.
NoClipboard The Clipboard cannot be used.

By default, the Local Intranet zone receives AllClipboard access and the Internet zone receives OwnClipboard access. This means that the application can copy data to the Clipboard, but the application cannot programmatically paste to or read from the Clipboard. These restrictions prevent programs without full trust from reading content copied to the Clipboard by another application. If your application requires full Clipboard access but you do not have the permissions, you will have to elevate the permissions for your application. For more information about elevating permissions, see General Security Policy Administration.

## Window Manipulation

The UIPermission class also controls permission to perform window manipulation and other UI-related actions, and the associated UIPermissionWindow enumeration value indicates the level of access. The following table shows the possible permission levels.

By default, the Local Intranet zone receives AllWindows access and the Internet zone receives SafeTopLevelWindows access. This means that in the Internet zone, the application can perform most windowing and UI actions, but the window's appearance will be modified. The modified window displays a balloon notification when first run, contains modified title bar text, and requires a close button on the title bar. The balloon notification and the title bar identify to the user of the application that the application is running under partial trust.

UIPermissionWindow value Description
AllWindows Users can use all windows and user input events without restriction.
SafeTopLevelWindows Users can use only safer top-level windows and safer subwindows for drawing, and can use only user input events for the user interface within those top-level windows and subwindows. These safer windows are clearly labeled and have minimum and maximum size restrictions. The restrictions prevent potentially harmful spoofing attacks, such as imitating system logon screens or the system desktop, and restricts programmatic access to parent windows, focus-related APIs, and use of the ToolTip control,
SafeSubWindows Users can use only safer subwindows for drawing, and can use only user input events for the user interface within that subwindow. A control displayed within a browser is an example of a safer subwindow.
NoWindows Users cannot use any windows or user interface events. No user interface can be used.

Each permission level identified by the UIPermissionWindow enumeration allows fewer actions than the level above it. The following tables indicate the actions that are restricted by the SafeTopLevelWindows and SafeSubWindows values. For exact permissions that are required for each member, see the reference for that member in the .NET Framework class library documentation.

SafeTopLevelWindows permission restricts the actions listed in the following table.

Component Restricted actions
Application - Setting the SafeTopLevelCaptionFormat property.
Control - Getting the Parent property.
- Setting the Region property.
- Calling the FindForm , Focus, FromChildHandle and FromHandle, PreProcessMessage, ReflectMessage, or SetTopLevel method.
- Calling the GetChildAtPoint method if the control returned is not a child of the calling control.
- Modify control focus inside a container control.
Cursor - Setting the Clip property.
- Calling the Hide method.
DataGrid - Calling the ProcessTabKey method.
Form - Getting the ActiveForm or MdiParent property.
- Setting the ControlBox, ShowInTaskbar, or TopMost property.
- Setting the Opacity property below 50%.
- Setting the WindowState property to Minimized programmatically.
- Calling the Activate method.
- Using the None, FixedToolWindow, and SizableToolWindowFormBorderStyle enumeration values.
NotifyIcon - Using the NotifyIcon component is completely restricted.

The SafeSubWindows value restricts the actions listed in the following table, in addition to the restrictions placed by the SafeTopLevelWindows value.

Component Restricted actions
CommonDialog - Showing a dialog box derived from the CommonDialog class.
Control - Calling the CreateGraphics method.
- Setting the Cursor property.
Cursor - Setting the Current property.
MessageBox - Calling the Show method.

### Hosting Third-Party Controls

Another kind of window manipulation can occur if your forms host third-party controls. A third-party control is any custom UserControl that you have not developed and compiled yourself. Although the hosting scenario is hard to exploit, it is theoretically possible for a third-party control to expand its rendering surface to cover the entire area of your form. This control could then mimic a critical dialog box, and request information such as username/password combinations or bank account numbers from your users.

To limit this potential risk, use third-party controls only from vendors you can trust. If you use third-party controls you have downloaded from an unverifiable source, we recommend that you review the source code for potential exploits. After you've verified that the source is non-malicious, you should compile the assembly yourself to ensure that the source matches the assembly.

## Windows API Calls

If your application design requires calling a function from the Windows API, you are accessing unmanaged code. In this case the code's actions to the window or operating system cannot be determined when you are working with Windows API calls or values. The SecurityPermission class and the UnmanagedCode value of the SecurityPermissionFlag enumeration control access to unmanaged code. An application can access unmanaged code only when it is granted the UnmanagedCode permission. By default, only applications that are running locally can call unmanaged code.

Some Windows Forms members provide unmanaged access that requires the UnmanagedCode permission. The following table lists the members in the System.Windows.Forms namespace that require the permission. For more information about the permissions that are required for a member, see the .NET Framework class library documentation.

Component Member
Application - AddMessageFilter method
- CurrentInputLanguage property
- Exit method
CommonDialog - HookProc method
- OwnerWndProc\ method
- Reset method
- RunDialog method
Control - CreateParams method
- DefWndProc method
- DestroyHandle method
- WndProc method
Help - ShowHelp methods
- ShowHelpIndex method
NativeWindow - NativeWindow class
Screen - FromHandle method
SendKeys - Send method
- SendWait method

If your application does not have permission to call unmanaged code, your application must request UnmanagedCode permission, or you must consider alternative ways of implementing features; in many cases, Windows Forms provides a managed alternative to Windows API functions. If no alternative means exist and the application must access unmanaged code, you will have to elevate the permissions for the application.

Permission to call unmanaged code allows an application to perform most anything. Therefore, permission to call unmanaged code should only be granted for applications that come from a trusted source. Alternatively, depending on the application, the piece of application functionality that makes the call to unmanaged code could be optional, or enabled in the full trust environment only. For more information about dangerous permissions, see Dangerous Permissions and Policy Administration. For more information about elevating permissions, see General Security Policy Administration.