How to: Grant Permissions to Folders and Assemblies (2003 System)

  • Article

Applies to

The information in this topic applies only to the specified Visual Studio Tools for Office projects and versions of Microsoft Office.

Project type

  • Document-level projects

  • Application-level projects

Microsoft Office version

  • Microsoft Office 2003

For more information, see Features Available by Application and Project Type.

The following procedures grant full trust permissions to an assembly or folder in a Visual Studio Tools for Office solution. Normally, you grant permissions to a specific assembly. If you have several assemblies, and you are certain that the location is secure, you can grant full trust to the folder where the assemblies are located. If you grant trust to the folder, all the assemblies in that folder and its subfolders are also trusted.

There are three ways to grant permissions to folders and assemblies in Office solutions:

  • Using the Trust Assemblies Location property in Visual Studio. (Useful only during development.)

    The Trust Assemblies Location property only works during development; it has no effect on end users. For this reason, you cannot use this method for deployment. For more information, see Properties in Visual Studio Tools for Office Projects.

  • Using the Microsoft .NET Framework 2.0 Configuration tool.

    This tool provides a graphical user interface for working with security policy. It is not included with Visual Studio 2008. You can download the tool as part of the .NET Framework 2.0 SDK from the Microsoft Download Center. For an example, see .NET Framework 2.0 Software Development Kit (SDK) (x86).

  • Using the Code Access Security Policy tool (Caspol.exe).

    This tool is a command-line interface for working with security policy.

Note

These are the basic steps for setting your own security policy, for the purpose of developing and testing assemblies. Do not use these steps to grant trust to assemblies or directories if you are not certain that they are safe and secure. For more information about setting security policy, see Deploying Security Policy and Configuring Code Groups Using the .NET Framework Configuration Tool (Mscorcfg.msc).

Using the Trust Assemblies Location Property

When you create a project, full trust based on location is granted by default. If the Trust Assemblies Location has changed, you can reapply the default settings.

To grant full trust to project assemblies on your development computer

  1. In Visual Studio, select the project node in Solution Explorer.

  2. In the Properties window, select Trust Assemblies Location.

  3. Set the property to true.

  4. On the Build menu, click Build Solution.

Using the .NET Framework 2.0 Configuration Tool

To install this tool, download and install the .NET Framework 2.0 Software Development Kit (SDK) from the Microsoft Download Center.

The procedure to follow depends on where the assembly or folder is located:

  • On your local computer.

  • On another computer on a network (or a mapped drive).

To grant full trust to an assembly or folder on your local computer

  1. In Control Panel, open Administrative Tools.

  2. Run Microsoft .NET Framework 2.0 Configuration.

    Note

    There might be several similar tools with names that start with Microsoft .NET Framework. Ensure that the configuration tool you use matches your version of the runtime.

  3. In the treeview on the left side, expand .NET Framework 2.0 Configuration, expand My Computer, expand Runtime Security Policy, expand User, expand Code Groups, expand All_Code, and then expand VSTOProjects.

    Note

    If you have not compiled a Visual Studio Tools for Office project before, you will not have the VSTOProjects folder. You can add the new code group to the All_Code root node, or you can compile a Visual Studio Tools for Office project to have the VSTOProjects folder created automatically.

    On the right is the VSTOProjects Code Group description, which has a Tasks section at the bottom of the page.

  4. In the Tasks section, click Add a Child Code Group.

    The Create Code Group wizard starts.

  5. Select Create a new code group, and type a name and description that will help you identify the project. Click Next.

  6. In the Choose the condition type for this code group list, click URL.

  7. In the URL box, type the full path to the assembly, or the path to the bin folder of the project followed by an asterisk (for example, c:\path\ExcelApplication1.dll or c:\path\ExcelApplication1\bin\*).

  8. Click Next.

    Note

    If you type the path to the bin folder, all assemblies in that folder and all its subfolders are granted full trust on your computer. Ensure that no unauthorized people have access to folders that are fully trusted, or someone could put a malicious assembly in the folder and the assembly would run with full trust.

    Warning

    Do not grant permissions to an entire hard disk (such as C:\*) or to general folders such as My Documents, because you might grant permissions to cached assemblies from the Internet or from e-mail messages. Only grant permissions to specific project folders that contain assemblies you know are safe to run.

  9. Select Use existing permission set, and then select FullTrust from the list.

  10. Click Next.

  11. Click Finish.

To grant full trust to an assembly or folder on a network computer or mapped drive

  1. In Control Panel, open Administrative Tools.

  2. Run Microsoft .NET Framework 2.0 Configuration.

    Note

    There might be several similar tools with names that start with Microsoft .NET Framework. Ensure that the configuration tool you use matches your version of the runtime.

  3. In the treeview on the left side, expand .NET Framework 2.0 Configuration, expand My Computer, expand Runtime Security Policy, expand Machine, expand Code Groups, and then expand All_Code.

    Note

    You must be an administrator to grant full trust to an assembly or folder on a network computer, and trust must be granted at the Machine level instead of the User level.

  4. Right-click LocalIntranet_Zone under All_Code, and then click New.

    This assumes that the server you are using is in the Local Intranet zone. If it has been added to the Trusted Sites zone in Internet Explorer, right-click Trusted_Zone instead. If the assembly is on a mapped drive, you must use LocalIntranet_Zone.

  5. Type a name and description that will help you identify the project. Click Next.

  6. In the Choose the condition type for this code group list, click URL.

  7. In the URL box, type the full path to the assembly, or the path to the bin folder of the project followed by an asterisk (for example, \\ServerName\FolderName\ExcelApplication1.dll or https://ServerName/FolderName/ExcelApplication1/bin/*).

  8. Click Next.

    Note

    If you type the path to the bin folder, all assemblies in that folder and all its subfolders will be granted full trust on your computer. If you are not sure that these folders are secure, such broad permissions can be a security risk.

  9. Select Use existing permission set, and then select FullTrust from the list.

  10. Click Next.

  11. Click Finish.

Using the Code Access Security Policy Tool (Caspol.exe)

You can also grant full trust to a folder from a command prompt by using the Code Access Security Policy tool (Caspol.exe). For more information about Caspol.exe, see Code Access Security Policy Tool (Caspol.exe).

You can grant trust to a folder on your local computer at the User level with normal user permissions. To grant trust to a network location, you must have administrator privileges and change the security policy at the Machine level. The Machine policy level acts independently of the User policy level, and the Machine policy level does not grant full trust to the Intranet zone even if the User policy does. The policy levels must agree.

Tip

Type the commands manually. Copying and pasting the commands into the command prompt might result in Unknown Option errors.

To grant full trust to a local folder

  • Type the following command at the Visual Studio Command Prompt.

    caspol -u -ag All_Code -url 
C:\<FolderName>\<FolderName>\* FullTrust -n "<Name>" -d
"<Description>"

To grant full trust to a network folder

  • Type the following command at the Visual Studio Command Prompt.

    caspol -m -ag LocalIntranet_Zone -url 
\\<ServerName>\<FolderName>\* FullTrust -n "<Name>" -d 
"<Description>"

For more information, see How to: Add Code Groups Using Caspol.exe.

Note

After policy is deployed, everyone that is affected by the policy change must quit and then restart all Office applications used in the solution before the policy changes are enforced. If Microsoft Office Word is part of the solution, users must also quit and restart Microsoft Office Outlook. Also, if a user has opened a document or workbook in Internet Explorer, the process could still be running. Check Windows Task Manager to ensure there are no instances of the Office application. Other applications that host Office applications can also prevent the new permissions from being enforced. Users should quit all applications that use Office, hosted or stand-alone, when security policies are changed.

See Also

Tasks

How to: Remove Permissions from Folders and Assemblies (2003 System)

Concepts

Security Requirements to Run Office Solutions (2003 System)

Best Practices for Security in Office Solutions (2003 System)

Specific Security Considerations for Office Solutions

Code Groups

Securing Applications

Other Resources

Security in Office Solutions (2003 System)