Administering Security Policy


In the .NET Framework version 4, the common language runtime (CLR) is moving away from providing security policy for computers. Microsoft is recommending the use of Windows Software Restriction Policies as a replacement for CLR security policy. The information in this topic applies to the .NET Framework version 3.5 and earlier; it does not apply to version 4.0 and later. For more information about this and other changes, see Security Changes in the .NET Framework 4.

Administrators can configure security policy so that individual sites and publishers have more or fewer permissions than default policy allows. For example, an administrator can specify that all code downloaded from the Web site of a trusted business partner has the set of all permissions. The same administrator might specify that all other code from the Internet be given a more restricted set of permissions, such as limited access to isolated storage and to the use of safer user interface functionality.

To view or modify security policy, you must be granted the administrative access SecurityPermission. Understanding the common language runtime's security policy model will help you administer security policy effectively.

You can use the .NET Framework Configuration tool or the Code Access Security Policy tool to administer security policy for the enterprise, machine, or user levels. These tools support the following tasks:

  • Viewing policy, code groups, or permission sets.

  • Creating, modifying, and removing named permission sets.

  • Adding, modifying, and deleting code groups.

  • Assigning permissions and attributes to code groups.

  • Analyzing security settings on assemblies.

  • Undoing policy changes.

See Also


Caspol.exe (Code Access Security Policy Tool)

Mscorcfg.msc (.NET Framework Configuration Tool)


Security Policy Model

Other Resources

Security Policy Best Practices

Security Policy Management