Caspol.exe (Code Access Security Policy Tool)

The Code Access Security (CAS) Policy tool (Caspol.exe) enables users and administrators to modify security policy for the machine policy level, the user policy level, and the enterprise policy level.

Important

Starting with the .NET Framework 4, Caspol.exe does not affect CAS policy unless the <legacyCasPolicy> element is set to true. Any settings shown or modified by Caspol.exe affect only applications that opt into using CAS policy. For more information, see Security Changes.

Note

64-bit computers include both 64-bit and 32-bit versions of security policy. To ensure that your policy changes apply to both 32-bit and 64-bit applications, run both the 32-bit and 64-bit versions of Caspol.exe.

The Code Access Security Policy tool is installed automatically with the .NET Framework and with Visual Studio. You can find Caspol.exe in %windir%\Microsoft.NET\Framework\version on 32-bit systems or %windir%\Microsoft.NET\Framework64\version on 64-bit systems. (For example, the location is %windir%\Microsoft.NET\Framework64\v4.0.30319\caspol.exe for the .NET Framework 4 on a 64-bit system.) Multiple versions of the tool might be installed if your computer is running multiple versions of the .NET Framework side by side. You can run the tool from the installation directory; however, we recommend using a developer command prompt, which does not require you to navigate to the installation folder.
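Because each side-by-side runtime version and each bitness keeps its own policy copy, an audit has to query every installed Caspol.exe. The following PowerShell function is an added example (not part of this documentation) that locates every caspol.exe under the Framework and Framework64 directories and runs a read-only query against each; the assembly path in the usage line is a placeholder.

```powershell
# Added example: enumerate every installed Caspol.exe (32-bit and 64-bit, every
# side-by-side .NET Framework version) and run the same read-only query on each,
# so that no policy copy is overlooked during an audit.
function Get-CaspolPaths {
    $roots = @("$env:windir\Microsoft.NET\Framework")
    if ([Environment]::Is64BitOperatingSystem) {
        $roots += "$env:windir\Microsoft.NET\Framework64"
    }
    foreach ($root in $roots) {
        if (-not (Test-Path -Path $root)) { continue }
        # Each runtime version lives in a "v*" subdirectory (e.g. v4.0.30319).
        Get-ChildItem -Path $root -Directory -Filter 'v*' |
            ForEach-Object { Join-Path -Path $_.FullName -ChildPath 'caspol.exe' } |
            Where-Object { Test-Path -Path $_ }
    }
}

function Invoke-CaspolAudit {
    param(
        # Read-only Caspol.exe arguments. The default lists the code group
        # hierarchy and permission sets for all three policy levels.
        [string[]]$Arguments = @('-all', '-list')
    )
    foreach ($caspol in Get-CaspolPaths) {
        $bitness = if ($caspol -like '*\Framework64\*') { '64-bit' } else { '32-bit' }
        Write-Host "=== $caspol ($bitness) ==="
        # Splat the argument array onto the native executable; each version
        # reports only the policy that belongs to that version.
        & $caspol @Arguments
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "caspol returned exit code $LASTEXITCODE for $caspol"
        }
    }
}

# Usage: list policy for every runtime, then show the permissions one assembly
# would be granted under each (the assembly path is a placeholder).
Invoke-CaspolAudit
Invoke-CaspolAudit -Arguments @('-all', '-resolveperm', 'C:\path\to\testassembly.dll')
```

On the .NET Framework 4 and later the listing still shows the legacy CAS policy, which applies only to applications that opt in through <legacyCasPolicy>.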

At the command prompt, type the following:

Syntax

caspol [options]

Parameters

-addfulltrust assembly_file (or -af assembly_file)

Adds an assembly that implements a custom security object (such as a custom permission or a custom membership condition) to the full trust assembly list for a specific policy level. The assembly_file argument specifies the assembly to add. This file must be signed with a strong name. You can sign an assembly with a strong name using the Strong Name Tool (Sn.exe).

Whenever a permission set containing a custom permission is added to policy, the assembly implementing the custom permission must be added to the full trust list for that policy level. Assemblies that implement custom security objects (such as custom code groups or membership conditions) used in a security policy (such as the machine policy) should always be added to the full trust assembly list.

Caution: If the assembly implementing the custom security object references other assemblies, you must first add the referenced assemblies to the full trust assembly list. Custom security objects created using Visual Basic, C++, and JScript reference Microsoft.VisualBasic.dll, Microsoft.VisualC.dll, or Microsoft.JScript.dll, respectively. These assemblies are not in the full trust assembly list by default. You must add the appropriate assembly to the full trust list before you add a custom security object. Failure to do so breaks the security system, causing all assemblies to fail to load. In this situation, the Caspol.exe -all -reset option does not repair security. To repair security, you must manually edit the security files to remove the custom security object.

-addgroup {parent_label | parent_name} mship pset_name [flags] (or -ag {parent_label | parent_name} mship pset_name [flags])

Adds a new code group to the code group hierarchy. You can specify either parent_label or parent_name. The parent_label argument specifies the label (such as 1. or 1.1.) of the code group that is the parent of the code group being added. The parent_name argument specifies the name of the code group that is the parent of the code group being added. Because parent_label and parent_name can be used interchangeably, Caspol.exe must be able to distinguish between them; therefore, parent_name cannot begin with a number. Additionally, parent_name can contain only A-Z, 0-9, and the underscore character.

The mship argument specifies the membership condition for the new code group. For more information, see the table of mship arguments later in this section.

The pset_name argument is the name of the permission set that will be associated with the new code group. You can also set one or more flags for the new group. For more information, see the table of flags arguments later in this section.

-addpset {psfile | psfile pset_name} (or -ap {psfile | psfile pset_name})

Adds a new named permission set to policy. The permission set must be authored in XML and stored in an .xml file. If the XML file contains the name of the permission set, only that file (psfile) is specified. If the XML file does not contain the permission set name, you must specify both the XML file name (psfile) and the permission set name (pset_name).

Note that all permissions used in a permission set must be defined in assemblies contained in the global assembly cache.

-a[ll]

Indicates that all options following this one apply to the machine, user, and enterprise policies. The -all option always refers to the policy of the currently logged-on user. See the -customall option to refer to the user policy of a user other than the current user.

-chggroup {label | name} {mship | pset_name | flags} (or -cg {label | name} {mship | pset_name | flags})

Changes a code group's membership condition, permission set, or the settings of the exclusive, levelfinal, name, or description flags. You can specify either label or name. The label argument specifies the label (such as 1. or 1.1.) of the code group. The name argument specifies the name of the code group to change. Because label and name can be used interchangeably, Caspol.exe must be able to distinguish between them; therefore, name cannot begin with a number. Additionally, name can contain only A-Z, 0-9, and the underscore character.

The pset_name argument specifies the name of the permission set to associate with the code group. See the tables later in this section for information on the mship and flags arguments.

-chgpset psfile pset_name (or -cp psfile pset_name)

Changes a named permission set. The psfile argument supplies the new definition for the permission set; it is a serialized permission set file in XML format. The pset_name argument specifies the name of the permission set you want to change.

-customall path (or -ca path)

Indicates that all options following this one apply to the machine, enterprise, and specified custom user policies. You must specify the location of the custom user's security configuration file with the path argument.

-cu[stomuser] path

Allows administration of a custom user policy that does not belong to the user on whose behalf Caspol.exe is currently running. You must specify the location of the custom user's security configuration file with the path argument.

-enterprise (or -en)

Indicates that all options following this one apply to the enterprise level policy. Users who are not enterprise administrators do not have sufficient rights to modify the enterprise policy, although they can view it. In nonenterprise scenarios, this policy by default does not interfere with machine and user policy.

-e[xecution] {on | off}

Turns on or off the mechanism that checks for the permission to run before code starts to execute. Note: This switch is removed in the .NET Framework 4 and later versions. For more information, see Security Changes.

-f[orce]

Suppresses the tool's self-destruct test and changes the policy as specified by the user. Normally, Caspol.exe checks whether a policy change would prevent Caspol.exe itself from running properly; if so, Caspol.exe does not save the policy change and prints an error message. To force Caspol.exe to change policy even if this prevents Caspol.exe itself from running, use the -force option.

-h[elp]

Displays command syntax and options for Caspol.exe.

-l[ist]

Lists the code group hierarchy and the permission sets for the specified machine, user, enterprise, or all policy levels. Caspol.exe displays the code group's label first, followed by the name, if it is not null.

-listdescription (or -ld)

Lists all code group descriptions for the specified policy level.

-listfulltrust (or -lf)

Lists the contents of the full trust assembly list for the specified policy level.

-listgroups (or -lg)

Displays the code groups of the specified policy level or all policy levels. Caspol.exe displays the code group's label first, followed by the name, if it is not null.

-listpset (or -lp)

Displays the permission sets for the specified policy level or all policy levels.

-m[achine]

Indicates that all options following this one apply to the machine level policy. Users who are not administrators do not have sufficient rights to modify the machine policy, although they can view it. For administrators, -machine is the default.

-polchgprompt {on | off} (or -pp {on | off})

Enables or disables the prompt that is displayed whenever Caspol.exe is run with an option that would cause policy changes.

-quiet (or -q)

Temporarily disables the prompt that is normally displayed for an option that causes policy changes. The global change prompt setting does not change. Use this option on a single-command basis only, to avoid disabling the prompt for all Caspol.exe commands.

-r[ecover]

Recovers policy from a backup file. Whenever a policy change is made, Caspol.exe stores the old policy in a backup file.

-remfulltrust assembly_file (or -rf assembly_file)

Removes an assembly from the full trust list of a policy level. This operation should be performed if a permission set that contains a custom permission is no longer used by policy. However, you should remove an assembly that implements a custom permission from the full trust list only if the assembly does not implement any other custom permissions that are still in use. When you remove an assembly from the list, you should also remove any other assemblies that it depends on.

-remgroup {label | name} (or -rg {label | name})

Removes the code group specified by either its label or name. If the specified code group has child code groups, Caspol.exe also removes all the child code groups.

-rempset pset_name (or -rp pset_name)

Removes the specified permission set from policy. The pset_name argument indicates which permission set to remove. Caspol.exe removes the permission set only if it is not associated with any code group. The default (built-in) permission sets cannot be removed.

-reset (or -rs)

Returns policy to its default state and persists it to disk. This is useful whenever a changed policy seems to be beyond repair and you want to start over with the installation defaults. Resetting can also be convenient when you want to use the default policy as a starting point for modifications to specific security configuration files. For more information, see Manually Editing the Security Configuration Files.

-resetlockdown (or -rsld)

Returns policy to a more restrictive version of the default state and persists it to disk; creates a backup of the previous machine policy and persists it to a file called security.config.bac. The locked-down policy is similar to the default policy, except that it grants no permissions to code from the Local Intranet, Trusted Sites, and Internet zones, and the corresponding code groups have no child code groups.

-resolvegroup assembly_file (or -rsg assembly_file)

Shows the code groups that a specific assembly (assembly_file) belongs to. By default, this option displays the machine, user, and enterprise policy levels to which the assembly belongs. To view only one policy level, use this option with the -machine, -user, or -enterprise option.

-resolveperm assembly_file (or -rsp assembly_file)

Displays all permissions that the specified (or default) level of security policy would grant the assembly if the assembly were allowed to run. The assembly_file argument specifies the assembly. If you specify the -all option, Caspol.exe calculates the permissions for the assembly based on user, machine, and enterprise policy; otherwise, the default behavior rules apply.

-s[ecurity] {on | off}

Turns code access security on or off. Specifying the -s off option does not disable role-based security. Note: This switch is removed in the .NET Framework 4 and later versions. For more information, see Security Changes.

Caution: When code access security is disabled, all code access demands succeed. Disabling code access security makes the system vulnerable to attacks by malicious code such as viruses and worms. Turning off security gains some extra performance but should be done only when other security measures have been taken to help ensure that overall system security is not breached. Examples of other security precautions include disconnecting from public networks, physically securing computers, and so on.

-u[ser]

Indicates that all options following this one apply to the user level policy for the user on whose behalf Caspol.exe is running. For nonadministrative users, -user is the default.

-?

Displays command syntax and options for Caspol.exe.

The mship argument, which specifies the membership condition for a code group, can be used with the -addgroup and -chggroup options. Each mship argument is implemented as a .NET Framework class. To specify mship, use one of the following arguments.

-allcode

Specifies all code. For more information about this membership condition, see System.Security.Policy.AllMembershipCondition.

-appdir

Specifies the application directory. If you specify -appdir as the membership condition, the URL evidence of the code is compared with the application directory evidence of that code. If both evidence values are the same, this membership condition is satisfied. For more information about this membership condition, see System.Security.Policy.ApplicationDirectoryMembershipCondition.

-custom xmlfile

Adds a custom membership condition. The mandatory xmlfile argument specifies the .xml file that contains the XML serialization of the custom membership condition.

-hash hashAlg {-hex hashValue | -file assembly_file}

Specifies code that has the given assembly hash. To use a hash as a code group membership condition, you must specify either the hash value or the assembly file. For more information about this membership condition, see System.Security.Policy.HashMembershipCondition.

-pub {-cert cert_file_name | -file signed_file_name | -hex hex_string}

Specifies code that has the given software publisher, as denoted by a certificate file, a signature on a file, or the hexadecimal representation of an X509 certificate. For more information about this membership condition, see System.Security.Policy.PublisherMembershipCondition.

-site website

Specifies code that has the given site of origin. For example:

-site www.proseware.com

For more information about this membership condition, see System.Security.Policy.SiteMembershipCondition.

-strong -file file_name {name | -noname} {version | -noversion}

Specifies code that has a specific strong name, as designated by the file name, the assembly name as a string, and the assembly version in the format major.minor.build.revision. For example:

-strong -file myAssembly.exe myAssembly 1.2.3.4

For more information about this membership condition, see System.Security.Policy.StrongNameMembershipCondition.

-url URL

Specifies code that originates from the given URL. The URL must include a protocol, such as http:// or ftp://. Additionally, a wildcard character (*) can be used to specify multiple assemblies from a particular URL. Note: Because a URL can be identified using multiple names, using a URL as a membership condition is not a safe way to ascertain the identity of code. Where possible, use a strong name membership condition, a publisher membership condition, or the hash membership condition.

For more information about this membership condition, see System.Security.Policy.UrlMembershipCondition.

-zone zonename

Specifies code with the given zone of origin. The zonename argument can be one of the following values: MyComputer, Intranet, Trusted, Internet, or Untrusted. For more information about this membership condition, see System.Security.Policy.ZoneMembershipCondition.

The flags argument, which can be used with the -addgroup and -chggroup options, is specified using one of the following.

-description "description"

If used with the -addgroup option, specifies the description for a code group to add. If used with the -chggroup option, specifies the description for a code group to edit. The description argument must be enclosed in double quotes.

-exclusive {on|off}

When set to on, indicates that only the permission set associated with the code group you are adding or modifying is considered when some code fits the membership condition of the code group. When this option is set to off, Caspol.exe considers the permission sets of all matching code groups in the policy level.

-levelfinal {on|off}

When set to on, indicates that no policy level below the level in which the added or modified code group occurs is considered. This option is typically used at the machine policy level. For example, if you set this flag for a code group at the machine level and some code matches this code group's membership condition, Caspol.exe does not calculate or apply the user level policy for this code.

-name "name"

If used with the -addgroup option, specifies the scripting name for a code group to add. If used with the -chggroup option, specifies the scripting name for a code group to edit. The name argument must be enclosed in double quotes. It cannot begin with a number and can contain only A-Z, 0-9, and the underscore character. Code groups can be referred to by this name instead of by their numeric label, which is also highly useful for scripting.

Remarks

Security policy is expressed using three policy levels: machine policy, user policy, and enterprise policy. The set of permissions that an assembly receives is determined by the intersection of the permission sets allowed by these three policy levels. Each policy level is represented by a hierarchical structure of code groups. Every code group has a membership condition that determines which code is a member of that group. A named permission set is also associated with each code group. This permission set specifies the permissions the runtime allows code that satisfies the membership condition to have. A code group hierarchy, along with its associated named permission sets, defines and maintains each level of security policy. You can use the -user, -customuser, -machine, and -enterprise options to set the level of security policy.

For more information about security policy and how the runtime determines which permissions to grant to code, see Security Policy Management.

Referencing Code Groups and Permission Sets

To facilitate references to code groups in a hierarchy, the -list option displays an indented list of code groups along with their numerical labels (1, 1.1, 1.1.1, and so on). The other command-line operations that target code groups also use the numerical labels to refer to specific code groups.

Named permission sets are referenced by their names. The -list option displays the list of code groups followed by a list of the named permission sets available in that policy.

Caspol.exe Behavior

All options except -s[ecurity] {on | off} use the version of the .NET Framework that Caspol.exe was installed with. If you run the Caspol.exe that was installed with version X of the runtime, the changes apply only to that version. Other side-by-side installations of the runtime, if any, are not affected. If you run Caspol.exe from the command line without being in a directory for a specific runtime version, the tool is executed from the first runtime version directory in the path (usually the most recent runtime version installed).

The -s[ecurity] {on | off} option is a computer-wide operation. Turning off code access security terminates security checks for all managed code and for all users on the computer. If side-by-side versions of the .NET Framework are installed, this command turns off security for every version installed on the computer. Although the -list option shows that security is turned off, nothing else clearly indicates to other users that security has been turned off.

When a user without administrative rights runs Caspol.exe, all options refer to the user level policy unless the -machine option is specified. When an administrator runs Caspol.exe, all options refer to the machine policy unless the -user option is specified.

Caspol.exe must be granted the equivalent of the Everything permission set to function. The tool has a protective mechanism that prevents policy from being modified in ways that would prevent Caspol.exe from being granted the permissions it needs to run. If you try to make such a change, Caspol.exe notifies you that the requested policy change would break the tool, and the policy change is rejected. You can turn this protective mechanism off for a given command by using the -force option.

Manually Editing the Security Configuration Files

Three security configuration files correspond to the three policy levels supported by Caspol.exe: one for the machine policy, one for a given user's policy, and one for the enterprise policy. These files are created on disk only when machine, user, or enterprise policy is changed using Caspol.exe. You can use the -reset option in Caspol.exe to save the default security policy to disk, if needed.

In most cases, manually editing the security configuration files is not recommended. But there might be scenarios in which modifying these files becomes necessary, such as when an administrator wants to edit the security configuration for a particular user.

Examples

-addfulltrust

Assume that a permission set containing a custom permission has been added to machine policy. This custom permission is implemented in MyPerm.exe, and MyPerm.exe references classes in MyOther.exe. Both assemblies must be added to the full trust assembly list. The following command adds the MyPerm.exe assembly to the full trust list for the machine policy.

caspol -machine -addfulltrust MyPerm.exe

The following command adds the MyOther.exe assembly to the full trust list for the machine policy.

caspol -machine -addfulltrust MyOther.exe

-addgroup

The following command adds a child code group to the root of the machine policy code group hierarchy. The new code group is a member of the Internet zone and is associated with the Execution permission set.

caspol -machine -addgroup 1. -zone Internet Execution

The following command adds a child code group that gives the share \\netserver\netshare local intranet permissions.

caspol -machine -addgroup 1. -url \\netserver\netshare\* LocalIntranet

-addpset

The following command adds the Mypset permission set to the user policy.

caspol -user -addpset Mypset.xml Mypset

-chggroup

The following command changes the permission set in the user policy of the code group labeled 1.2. to the Execution permission set.

caspol -user -chggroup 1.2. Execution

The following command changes the membership condition in the default policy of the code group labeled 1.2.1. and changes the setting of the exclusive flag. The membership condition is defined to be code that originates from the Internet zone, and the exclusive flag is switched on.

caspol -chggroup 1.2.1. -zone Internet -exclusive on

-chgpset

The following command changes the permission set named Mypset to the permission set contained in newpset.xml (the arguments follow the -chgpset psfile pset_name order given under Parameters). Note that the current release does not support changing permission sets that are being used by the code group hierarchy.

caspol -chgpset newpset.xml Mypset

-force

The following command causes the user policy's root code group (labeled 1) to be associated with the Nothing named permission set. This prevents Caspol.exe from running.

caspol -force -user -chggroup 1 Nothing

-recover

The following command recovers the most recently saved machine policy.

caspol -machine -recover

-remgroup

The following command removes the code group labeled 1.1. If this code group has any child code groups, those groups are also deleted.

caspol -remgroup 1.1.

-rempset

The following command removes the Execution permission set from the user policy.

caspol -user -rempset Execution

The following command removes Mypset from the user policy level.

caspol -rempset MyPset

-resolvegroup

The following command shows all code groups of the machine policy that myassembly belongs to.

caspol -machine -resolvegroup myassembly

The following command shows all code groups of the machine, enterprise, and specified custom user policy that myassembly belongs to.

caspol -customall "c:\config_test\security.config" -resolvegroup myassembly

-resolveperm

The following command calculates the permissions for testassembly based on the machine and user policy levels.

caspol -all -resolveperm testassembly
