Caspol.exe (Code Access Security Policy Tool)

The Code Access Security (CAS) Policy tool (Caspol.exe) enables users and administrators to modify security policy for the machine policy level, the user policy level, and the enterprise policy level.

Important

Starting with the .NET Framework 4, Caspol.exe does not affect CAS policy unless the <legacyCasPolicy> element is set to true. Any settings shown or modified by Caspol.exe affect only applications that opt into using CAS policy. For more information, see Security Changes.

Note

64-bit computers include both 64-bit and 32-bit versions of security policy. To ensure that your policy changes apply to both 32-bit and 64-bit applications, run both the 32-bit and 64-bit versions of Caspol.exe.

The Code Access Security Policy tool is installed automatically with the .NET Framework and with Visual Studio. You can find Caspol.exe in %windir%\Microsoft.NET\Framework\version on 32-bit systems or %windir%\Microsoft.NET\Framework64\version on 64-bit systems. (For example, the location for the .NET Framework 4 on a 64-bit system is %windir%\Microsoft.NET\Framework64\v4.0.30319\caspol.exe.) Multiple versions of the tool might be installed if your computer runs multiple versions of the .NET Framework side by side. You can run the tool from its installation directory. However, we recommend that you use the developer command prompt, which has the tool on its path and so does not require you to navigate to the installation folder.

At the command prompt, type the following:

Syntax

caspol [options]

Parameters

Option  Description

-addfulltrust assembly_file or -af assembly_file
Adds an assembly that implements a custom security object (such as a custom permission or a custom membership condition) to the full trust assembly list for a specific policy level. The assembly_file argument specifies the assembly to add. This file must be signed with a strong name. You can sign an assembly with a strong name using the Strong Name Tool (Sn.exe).

Whenever a permission set containing a custom permission is added to policy, the assembly that implements the custom permission must be added to the full trust list for that policy level. Assemblies that implement custom security objects (such as custom code groups or membership conditions) used in a security policy (such as the machine policy) should always be added to the full trust assembly list. Caution: If the assembly that implements the custom security object references other assemblies, you must first add the referenced assemblies to the full trust assembly list. Custom security objects created using Visual Basic, C++, and JScript reference Microsoft.VisualBasic.dll, Microsoft.VisualC.dll, or Microsoft.JScript.dll, respectively. These assemblies are not in the full trust assembly list by default. You must add the appropriate assembly to the full trust list before you add a custom security object. Failure to do so breaks the security system, causing all assemblies to fail to load. In this situation, the Caspol.exe -all -reset option does not repair security. To repair security, you must manually edit the security configuration files to remove the custom security object.
-addgroup {parent_label | parent_name} mship pset_name [flags] or -ag {parent_label | parent_name} mship pset_name [flags]
Adds a new code group to the code group hierarchy. You can specify either parent_label or parent_name. The parent_label argument specifies the label (such as 1. or 1.1.) of the code group that is the parent of the code group being added. The parent_name argument specifies the name of the code group that is the parent of the code group being added. Because parent_label and parent_name can be used interchangeably, Caspol.exe must be able to distinguish between them; therefore, parent_name cannot begin with a number. Additionally, parent_name can contain only A-Z, 0-9, and the underscore character.

The mship argument specifies the membership condition for the new code group. For more information, see the table of mship arguments later in this section.

The pset_name argument is the name of the permission set that will be associated with the new code group. You can also set one or more flags for the new group. For more information, see the table of flags arguments later in this section.
-addpset {psfile | psfile pset_name} or -ap {psfile | psfile pset_name}
Adds a new named permission set to policy. The permission set must be authored in XML and stored in an .xml file. If the XML file contains the name of the permission set, only that file (psfile) is specified. If the XML file does not contain the permission set name, you must specify both the XML file name (psfile) and the permission set name (pset_name).

Note that all permissions used in a permission set must be defined in assemblies contained in the global assembly cache.

-a[ll]
Indicates that all options following this one apply to the machine, user, and enterprise policies. The -all option always refers to the policy of the currently logged-on user. See the -customall option to refer to the user policy of a user other than the current user.
-chggroup {label | name} {mship | pset_name | flags} or -cg {label | name} {mship | pset_name | flags}
Changes a code group's membership condition, permission set, or the settings of the exclusive, levelfinal, name, or description flags. You can specify either the label or the name. The label argument specifies the label (such as 1. or 1.1.) of the code group. The name argument specifies the name of the code group to change. Because label and name can be used interchangeably, Caspol.exe must be able to distinguish between them; therefore, name cannot begin with a number. Additionally, name can contain only A-Z, 0-9, and the underscore character.

The pset_name argument specifies the name of the permission set to associate with the code group. See the tables later in this section for information on the mship and flags arguments.
-chgpset psfile pset_name or -cp psfile pset_name
Changes a named permission set. The psfile argument supplies the new definition for the permission set; it is a serialized permission set file in XML format. The pset_name argument specifies the name of the permission set you want to change.

-customall path or -ca path
Indicates that all options following this one apply to the machine, enterprise, and the specified custom user policies. You must specify the location of the custom user's security configuration file with the path argument.

-cu[stomuser] path
Allows the administration of a custom user policy that does not belong to the user on whose behalf Caspol.exe is currently running. You must specify the location of the custom user's security configuration file with the path argument.
-enterprise or -en
Indicates that all options following this one apply to the enterprise level policy. Users who are not enterprise administrators do not have sufficient rights to modify the enterprise policy, although they can view it. In non-enterprise scenarios, this policy by default does not interfere with machine and user policy.

-e[xecution] {on | off}
Turns on or off the mechanism that checks for the permission to run before code starts to execute. Note: This switch is removed in the .NET Framework 4 and later versions. For more information, see Security Changes.

-f[orce]
Suppresses the tool's self-destruct test and changes the policy as specified by the user. Normally, Caspol.exe checks whether any policy change would prevent Caspol.exe itself from running properly; if so, Caspol.exe does not save the policy change and prints an error message. To force Caspol.exe to change policy even if this prevents Caspol.exe itself from running, use the -force option.

-h[elp]
Displays command syntax and options for Caspol.exe.

-l[ist]
Lists the code group hierarchy and the permission sets for the specified machine, user, enterprise, or all policy levels. Caspol.exe displays the code group's label first, followed by the name if it is not null.
-listdescription or -ld
Lists all code group descriptions for the specified policy level.

-listfulltrust or -lf
Lists the contents of the full trust assembly list for the specified policy level.

-listgroups or -lg
Displays the code groups of the specified policy level or all policy levels. Caspol.exe displays the code group's label first, followed by the name if it is not null.

-listpset or -lp
Displays the permission sets for the specified policy level or all policy levels.

-m[achine]
Indicates that all options following this one apply to the machine level policy. Users who are not administrators do not have sufficient rights to modify the machine policy, although they can view it. For administrators, -machine is the default.
-polchgprompt {on | off} or -pp {on | off}
Enables or disables the prompt that is displayed whenever Caspol.exe is run with an option that would cause policy changes.

-quiet or -q
Temporarily disables the prompt that is normally displayed for an option that causes policy changes. The global change-prompt setting does not change. Use this option only on a single-command basis to avoid disabling the prompt for all Caspol.exe commands.

-r[ecover]
Recovers policy from a backup file. Whenever a policy change is made, Caspol.exe stores the old policy in a backup file.
-remfulltrust assembly_file or -rf assembly_file
Removes an assembly from the full trust list of a policy level. This operation should be performed if a permission set that contains a custom permission is no longer used by policy. However, you should remove an assembly that implements a custom permission from the full trust list only if the assembly does not implement any other custom permissions that are still being used. When you remove an assembly from the list, you should also remove any other assemblies that it depends on.

-remgroup {label | name} or -rg {label | name}
Removes the code group specified by either its label or its name. If the specified code group has child code groups, Caspol.exe also removes all the child code groups.

-rempset pset_name or -rp pset_name
Removes the specified permission set from policy. The pset_name argument indicates which permission set to remove. Caspol.exe removes the permission set only if it is not associated with any code group. The default (built-in) permission sets cannot be removed.
-reset or -rs
Returns policy to its default state and persists it to disk. This is useful whenever a changed policy seems to be beyond repair and you want to start over with the installation defaults. Resetting can also be convenient when you want to use the default policy as a starting point for modifications to specific security configuration files. For more information, see Manually Editing the Security Configuration Files.

-resetlockdown or -rsld
Returns policy to a more restrictive version of the default state and persists it to disk; creates a backup of the previous machine policy and persists it to a file called security.config.bac. The locked-down policy is similar to the default policy, except that it grants no permissions to code from the Local Intranet, Trusted Sites, and Internet zones, and the corresponding code groups have no child code groups.
-resolvegroup assembly_file or -rsg assembly_file
Shows the code groups that a specific assembly (assembly_file) belongs to. By default, this option displays the machine, user, and enterprise policy levels to which the assembly belongs. To view only one policy level, use this option with the -machine, -user, or -enterprise option.

-resolveperm assembly_file or -rsp assembly_file
Displays all permissions that the specified (or default) level of security policy would grant the assembly if the assembly were allowed to run. The assembly_file argument specifies the assembly. If you specify the -all option, Caspol.exe calculates the permissions for the assembly based on user, machine, and enterprise policy; otherwise, the default-level rules apply.

-s[ecurity] {on | off}
Turns code access security on or off. Specifying the -s off option does not disable role-based security. Note: This switch is removed in the .NET Framework 4 and later versions. For more information, see Security Changes. Caution: When code access security is disabled, all code access demands succeed. Disabling code access security makes the system vulnerable to attacks by malicious code such as viruses and worms. Turning off security gains some extra performance but should be done only when other security measures have been taken to help ensure that overall system security is not breached. Examples of other security precautions include disconnecting from public networks and physically securing computers.

-u[ser]
Indicates that all options following this one apply to the user level policy for the user on whose behalf Caspol.exe is running. For non-administrative users, -user is the default.

-?
Displays command syntax and options for Caspol.exe.

The mship argument, which specifies the membership condition for a code group, can be used with the -addgroup and -chggroup options. Each mship argument is implemented as a .NET Framework class. To specify mship, use one of the following.

Argument  Description

-allcode
Specifies all code. For more information about this membership condition, see System.Security.Policy.AllMembershipCondition.

-appdir
Specifies the application directory. If you specify -appdir as the membership condition, the URL evidence of code is compared with the application directory evidence of that code. If both evidence values are the same, this membership condition is satisfied. For more information about this membership condition, see System.Security.Policy.ApplicationDirectoryMembershipCondition.

-custom xmlfile
Adds a custom membership condition. The mandatory xmlfile argument specifies the .xml file that contains the XML serialization of the custom membership condition.

-hash hashAlg {-hex hashValue | -file assembly_file}
Specifies code that has the given assembly hash. To use a hash as a code group membership condition, you must specify either the hash value or the assembly file. For more information about this membership condition, see System.Security.Policy.HashMembershipCondition.

-pub {-cert cert_file_name | -file signed_file_name | -hex hex_string}
Specifies code that has the given software publisher, as denoted by a certificate file, a signature on a file, or the hexadecimal representation of an X509 certificate. For more information about this membership condition, see System.Security.Policy.PublisherMembershipCondition.

-site website
Specifies code that has the given site of origin. For example:

-site www.proseware.com

For more information about this membership condition, see System.Security.Policy.SiteMembershipCondition.

-strong -file file_name {name | -noname} {version | -noversion}
Specifies code that has a specific strong name, as designated by the file name, the assembly name as a string, and the assembly version in the format major.minor.build.revision. For example:

-strong -file myAssembly.exe myAssembly 1.2.3.4

For more information about this membership condition, see System.Security.Policy.StrongNameMembershipCondition.

-url URL
Specifies code that originates from the given URL. The URL must include a protocol, such as http:// or ftp://. Additionally, a wildcard character (*) can be used to specify multiple assemblies from a particular URL. Note: Because a URL can be identified using multiple names, using a URL as a membership condition is not a safe way to ascertain the identity of code. Where possible, use a strong name membership condition, a publisher membership condition, or the hash membership condition.

For more information about this membership condition, see System.Security.Policy.UrlMembershipCondition.

-zone zonename
Specifies code with the given zone of origin. The zonename argument can be one of the following values: MyComputer, Intranet, Trusted, Internet, or Untrusted. For more information about this membership condition, see System.Security.Policy.ZoneMembershipCondition.

The flags argument, which can be used with the -addgroup and -chggroup options, is specified using one of the following.

Argument  Description

-description "description"
If used with the -addgroup option, specifies the description for the code group to add. If used with the -chggroup option, specifies the description for the code group to edit. The description argument must be enclosed in double quotes.

-exclusive {on|off}
When set to on, indicates that only the permission set associated with the code group you are adding or modifying is considered when some code fits the membership condition of the code group. When this option is set to off, Caspol.exe considers the permission sets of all matching code groups in the policy level.

-levelfinal {on|off}
When set to on, indicates that no policy level below the level in which the added or modified code group occurs is considered. This option is typically used at the machine policy level. For example, if you set this flag for a code group at the machine level and some code matches this code group's membership condition, Caspol.exe does not calculate or apply the user level policy for this code.

-name "name"
If used with the -addgroup option, specifies the scripting name for the code group to add. If used with the -chggroup option, specifies the scripting name for the code group to edit. The name argument must be enclosed in double quotes. The name argument cannot begin with a number and can contain only A-Z, 0-9, and the underscore character. Code groups can be referred to by this name instead of by their numeric label, which is also useful for scripting.

Remarks

Security policy is expressed using three policy levels: machine policy, user policy, and enterprise policy. The set of permissions that an assembly receives is determined by the intersection of the permission sets allowed by these three policy levels. Each policy level is represented by a hierarchical structure of code groups. Every code group has a membership condition that determines which code is a member of that group. A named permission set is also associated with each code group. This permission set specifies the permissions the runtime allows code that satisfies the membership condition to have. A code group hierarchy, along with its associated named permission sets, defines and maintains each level of security policy. You can use the -user, -customuser, -machine, and -enterprise options to set the level of security policy.

For more information about security policy and how the runtime determines which permissions to grant to code, see Security Policy Management.

Referencing Code Groups and Permission Sets

To facilitate references to code groups in a hierarchy, the -list option displays an indented list of code groups along with their numerical labels (1, 1.1, 1.1.1, and so on). The other command-line operations that target code groups also use the numerical labels to refer to specific code groups.

Named permission sets are referenced by their names. The -list option displays the list of code groups followed by a list of the named permission sets available in that policy.

Caspol.exe Behavior

All options except -s[ecurity] {on | off} use the version of the .NET Framework that Caspol.exe was installed with. If you run the Caspol.exe that was installed with version X of the runtime, the changes apply only to that version. Other side-by-side installations of the runtime, if any, are not affected. If you run Caspol.exe from the command line without being in the directory of a specific runtime version, the tool is executed from the first runtime version directory on the path (usually the most recent runtime version installed).

The -s[ecurity] {on | off} option is a computer-wide operation. Turning off code access security terminates security checks for all managed code and for all users on the computer. If side-by-side versions of the .NET Framework are installed, this command turns off security for every version installed on the computer. Although the -list option shows that security is turned off, nothing else clearly indicates to other users that security has been turned off.

When a user without administrative rights runs Caspol.exe, all options refer to the user level policy unless the -machine option is specified. When an administrator runs Caspol.exe, all options refer to the machine policy unless the -user option is specified.

Caspol.exe must be granted the equivalent of the Everything permission set to function. The tool has a protective mechanism that prevents policy from being modified in ways that would prevent Caspol.exe from being granted the permissions it needs to run. If you try to make such a change, Caspol.exe notifies you that the requested policy change would break the tool, and the policy change is rejected. You can turn this protective mechanism off for a given command by using the -force option.
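Because each Caspol.exe changes only the policy of the runtime version (and bitness) it shipped with, a change meant for "the machine" has to be repeated for every installed Framework and Framework64 directory. The following PowerShell script is an added example, not part of the Caspol.exe documentation: it enumerates every caspol.exe under %windir%\Microsoft.NET and runs the same argument list against each. It assumes the standard %windir%\Microsoft.NET\Framework and Framework64 layout described on this page; the default argument list (-machine -listgroups) is read-only, and -Apply must be given before a policy-changing option is run.

```powershell
# Added example; not part of the Caspol.exe documentation. Runs one caspol
# command against every installed runtime version in both the Framework
# (32-bit) and Framework64 (64-bit) directories, because each caspol.exe only
# affects the version it shipped with. Assumption: standard %windir%\Microsoft.NET
# layout. Read-only unless -Apply is passed.
param(
    [string[]] $CaspolArgs = @('-machine', '-listgroups'),
    [switch]   $Apply
)

$roots = @(
    (Join-Path $env:windir 'Microsoft.NET\Framework'),
    (Join-Path $env:windir 'Microsoft.NET\Framework64')   # absent on 32-bit Windows
) | Where-Object { Test-Path $_ }

# Version directories are named v1.0.3705, v2.0.50727, v4.0.30319, ...; only some
# contain caspol.exe (v3.0 and v3.5 reuse the v2.0 runtime), so filter on the file.
$tools = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Directory -Filter 'v*' |
        ForEach-Object { Join-Path $_.FullName 'caspol.exe' } |
        Where-Object { Test-Path $_ }
}

if (-not $tools) { throw 'No caspol.exe found under %windir%\Microsoft.NET.' }

# On 64-bit Windows, a change applied to one bitness silently leaves the other
# untouched; refuse to apply unless both directories are present.
if ($Apply -and [Environment]::Is64BitOperatingSystem -and (@($roots).Count -lt 2)) {
    throw 'Framework64 missing on a 64-bit OS; the change would reach only one bitness.'
}

foreach ($caspol in $tools) {
    Write-Host "==> $caspol $($CaspolArgs -join ' ')"
    # -quiet suppresses the policy-change prompt for this invocation only; the
    # global -polchgprompt setting is left as it is.
    $argv = if ($Apply) { @('-quiet') + $CaspolArgs } else { $CaspolArgs }
    & $caspol @argv
    if ($LASTEXITCODE -ne 0) { Write-Warning "$caspol exited with code $LASTEXITCODE" }
}
```

Run it once with the defaults to see which runtime versions and bitnesses carry a policy at all, then again with -Apply and the real change (for example -CaspolArgs @('-machine', '-addgroup', '1.', '-zone', 'Internet', 'Execution')). Running from a 32-bit PowerShell host does not change what the script finds, since it walks both directories explicitly rather than relying on the path.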

Manually Editing the Security Configuration Files

Three security configuration files correspond to the three policy levels supported by Caspol.exe: one for the machine policy, one for a given user's policy, and one for the enterprise policy. These files are created on disk only when machine, user, or enterprise policy is changed using Caspol.exe. You can use the -reset option in Caspol.exe to save the default security policy to disk, if needed.

In most cases, manually editing the security configuration files is not recommended. But there might be scenarios in which modifying these files becomes necessary, such as when an administrator wants to edit the security configuration for a particular user.

Examples

-addfulltrust

Assume that a permission set containing a custom permission has been added to machine policy. This custom permission is implemented in MyPerm.exe, and MyPerm.exe references classes in MyOther.exe. Both assemblies must be added to the full trust assembly list, and MyOther.exe must be added first. The following command adds the MyOther.exe assembly to the full trust list for the machine policy.

caspol -machine -addfulltrust MyOther.exe

The following command then adds the MyPerm.exe assembly to the full trust list for the machine policy.

caspol -machine -addfulltrust MyPerm.exe
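Adding a custom security object whose references are not yet fully trusted leaves policy unloadable, and -reset does not recover from it, so the order above matters. The following PowerShell script is an added example, not part of the Caspol.exe documentation: it checks that the target assembly is strong-named, resolves its non-framework references, and emits (or runs) the -addfulltrust commands dependency-first. It assumes Windows PowerShell 5.1 on the .NET Framework, uses the page's placeholder names MyPerm.exe and MyOther.exe, and takes caspol.exe from the runtime directory of the PowerShell process, so it covers one bitness only.

```powershell
# Added example; not part of the Caspol.exe documentation. Pre-flight check for
# -addfulltrust: confirms the assembly is strong-named and adds its non-framework
# references before the assembly itself. Assumptions: Windows PowerShell 5.1 on
# the .NET Framework; caspol.exe is taken from the current process's runtime
# directory (one bitness); MyPerm.exe / MyOther.exe are the page's placeholders.
param(
    [Parameter(Mandatory = $true)][string] $AssemblyPath,   # e.g. .\MyPerm.exe
    [string] $Level = '-machine',                            # -machine, -user, or -enterprise
    [switch] $Execute                                        # print the commands only unless set
)

$target     = (Resolve-Path $AssemblyPath).Path
$runtimeDir = [System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory()
$caspol     = Join-Path $runtimeDir 'caspol.exe'

# Reflection-only load reads metadata without running any module initializer.
$asm = [System.Reflection.Assembly]::ReflectionOnlyLoadFrom($target)

# An unsigned assembly has an empty public key token; caspol requires a strong name.
$token = $asm.GetName().GetPublicKeyToken()
if (-not $token -or $token.Length -eq 0) {
    throw "$target is not strong-named. Sign it with sn.exe before using -addfulltrust."
}

# Every reference outside the core framework assemblies must already be on the
# full trust list (e.g. Microsoft.VisualBasic.dll, or MyOther.exe next to MyPerm.exe).
$core  = @('mscorlib', 'System', 'System.Core')
$queue = New-Object System.Collections.Generic.List[string]
foreach ($ref in $asm.GetReferencedAssemblies()) {
    if ($core -contains $ref.Name) { continue }
    $candidates = @(
        (Join-Path (Split-Path $target) "$($ref.Name).dll"),
        (Join-Path (Split-Path $target) "$($ref.Name).exe"),
        (Join-Path $runtimeDir "$($ref.Name).dll")
    )
    $found = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $found) {
        throw "Referenced assembly $($ref.FullName) not found; it must be fully trusted before $target."
    }
    $queue.Add((Resolve-Path $found).Path)
}
$queue.Add($target)   # the custom security object itself goes last

foreach ($path in $queue) {
    Write-Host "$caspol $Level -addfulltrust `"$path`""
    if ($Execute) {
        & $caspol $Level '-addfulltrust' $path
        # Stop at the first failure so a later entry is never added ahead of a missing dependency.
        if ($LASTEXITCODE -ne 0) { throw "caspol failed on $path (exit code $LASTEXITCODE)." }
    }
}
```

Without -Execute the script only prints the commands in the required order, which is the safer default on a machine where a mistake cannot be undone with -reset. Referenced assemblies are looked up next to the target and in the runtime directory; an assembly that lives only in the GAC is reported rather than guessed.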

-addgroup

The following command adds a child code group to the root of the machine policy code group hierarchy. The new code group is a member of the Internet zone and is associated with the Execution permission set.

caspol -machine -addgroup 1. -zone Internet Execution

The following command adds a child code group that gives the share \\netserver\netshare local intranet permissions.

caspol -machine -addgroup 1. -url \\netserver\netshare\* LocalIntranet

-addpset

The following command adds the Mypset permission set, defined in Mypset.xml, to the user policy.

caspol -user -addpset Mypset.xml Mypset
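The psfile has to be the XML serialization of a permission set, and a hand-written file is easy to get wrong (or to make more permissive than intended). The following PowerShell script is an added example, not part of the Caspol.exe documentation: it builds the named permission set with the .NET Framework permission classes and writes their own XML serialization to Mypset.xml, so that the file matches what caspol reads. It assumes Windows PowerShell 5.1 on the .NET Framework; the set name Mypset comes from the page, while the granted permissions and the path C:\data are placeholders chosen for the example.

```powershell
# Added example; not part of the Caspol.exe documentation. Builds the named
# permission set "Mypset" from the .NET Framework permission classes and writes
# its XML serialization, the format -addpset reads. Assumptions: Windows
# PowerShell 5.1 on the .NET Framework; C:\data and the chosen permissions are
# placeholders for this example.
$state = [System.Security.Permissions.PermissionState]::None

# Start from an empty set: PermissionState.Unrestricted would grant everything.
$pset = [System.Security.NamedPermissionSet]::new('Mypset', $state)
$pset.Description = 'Execution plus read-only access to C:\data (example)'

# Execution only: no UnmanagedCode, ControlPolicy, or SkipVerification flags.
$exec = [System.Security.Permissions.SecurityPermission]::new(
    [System.Security.Permissions.SecurityPermissionFlag]::Execution)
[void] $pset.AddPermission($exec)

# Read and PathDiscovery under a single directory; no Write or Append anywhere.
$read     = [System.Security.Permissions.FileIOPermissionAccess]::Read
$discover = [System.Security.Permissions.FileIOPermissionAccess]::PathDiscovery
$fileIo   = [System.Security.Permissions.FileIOPermission]::new(($read -bor $discover), 'C:\data')
[void] $pset.AddPermission($fileIo)

# Guard against shipping an all-powerful set to policy by mistake.
if ($pset.IsUnrestricted()) { throw 'Refusing to write an Unrestricted permission set.' }

# ToXml() yields the <PermissionSet ... Name="Mypset"> element tree; because the
# name is embedded, "caspol -user -addpset Mypset.xml" needs no pset_name argument.
$xml = $pset.ToXml().ToString()
Set-Content -Path .\Mypset.xml -Value $xml -Encoding ASCII
$xml
```

Review the printed XML before running -addpset: every IPermission element names the permission class and the exact state granted, which is what a reviewer should be able to verify against the intended least-privilege grant. Any custom permission referenced in the file must come from an assembly in the global assembly cache that has already been added with -addfulltrust.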

-chggroup

The following command changes the permission set of the code group labeled 1.2. in the user policy to the Execution permission set.

caspol -user -chggroup 1.2. Execution

The following command changes the membership condition of the code group labeled 1.2.1. in the default policy level and changes the setting of the exclusive flag. The membership condition is defined as code that originates from the Internet zone, and the exclusive flag is switched on.

caspol -chggroup 1.2.1. -zone Internet -exclusive on

-chgpset

The following command replaces the definition of the permission set named Mypset with the permission set contained in newpset.xml (the psfile argument comes before pset_name, as in the syntax above). Note that the current release does not support changing permission sets that are in use by the code group hierarchy.

caspol -chgpset newpset.xml Mypset

-force

The following command associates the user policy's root code group (labeled 1) with the Nothing named permission set. This prevents Caspol.exe from running, so the change is rejected unless -force is given.

caspol -force -user -chggroup 1 Nothing

-recover

The following command recovers the most recently saved machine policy from its backup file.

caspol -machine -recover

-remgroup

The following command removes the code group labeled 1.1. If this code group has any child code groups, those groups are also deleted.

caspol -remgroup 1.1.

-rempset

The following command removes the Execution permission set from the user policy.

caspol -user -rempset Execution

The following command removes Mypset from the user policy level when run by a non-administrative user, for whom -user is the default; an administrator must specify -user explicitly, otherwise the command targets the machine policy.

caspol -rempset Mypset

-resolvegroup

The following command shows all code groups of the machine policy that myassembly belongs to.

caspol -machine -resolvegroup myassembly

The following command shows all code groups of the machine, enterprise, and specified custom user policies that myassembly belongs to.

caspol -customall "c:\config_test\security.config" -resolvegroup myassembly

-resolveperm

The following command calculates the permissions for testassembly based on the machine, user, and enterprise policy levels, which is what -all selects.

caspol -all -resolveperm testassembly

See also