Yes, since my last post, I tested it and found that to be true...
I have to say I have a big problem with that, from a security perspective, in that the previous CASPol methods allowed me to declare only specific files as being trusted (as my previous posts indicate), but the new, supposedly better, method is to say, "Oh, yeah, AutoCAD can load whatever the heck it wants!" (I realize this is not an AutoCAD issue but a MS .NET 4+ issue.)
I am going to have to take another look at all this from a security perspective, and inform the powers that be of my findings.
Not two minutes before I loaded my email and saw your reply (I am at home now ~9:30 pm GMT -7:00), I did find a potential solution that MIGHT re-enable the legacy CASPol behavior. But as yet I have not investigated it enough to understand whether this should be applied to my add-ins or to the acad.exe.config. And I can't test it until I get back to work tomorrow.
<configuration>
  <runtime>
    <NetFx40_LegacySecurityPolicy enabled="true"/>
  </runtime>
</configuration>
I can say for sure (I think) that applying it to my add-ins will not solve the problem of AutoCAD being able to load whatever it wants, or nothing at all, from remote sources, so I assume I am supposed to add this to the acad.exe.config file (possibly in place of, or possibly as well as, the LoadFromRemoteSources value?)
Seriously, I just found it right before I saw your reply, so I have not had the time to investigate it further.
And if dgorsman wants to weigh in on this, I'd be happy to hear any input you might have, and perhaps more importantly, future searchers on this issue can learn from it.
P.S. Alfred, I know your native tongue is not English, but I promise you my German is worse than your English. So I hope you understand the nuances of what I posted. I didn't try to change my language for non-English speakers. I'm not really sure how to do that, honestly.
For me, after just a few tries, I didn't get the parameter NetFx40_LegacySecurityPolicy to work; setting it to false or to true makes no difference to the settings I do with CASPOL. So the sandboxing of earlier Frameworks seems not to come back in Framework 4.
I tried to activate and deactivate directories with CASPOL; it makes no difference. It's just the setting in the ACAD.EXE.CONFIG that makes it work or not.
BUT what is interesting: until now I only saw the parameter loadFromRemoteSources as the (only) toggle for having the rights to load assemblies from the network or not. Now with your parameter NetFx40_LegacySecurityPolicy (=true) it seems this is also a toggle for making the assembly loader trust network drives.
But looking at >>>this site about NetFx40_LegacySecurityPolicy<<< we should be careful, as there are some issues for assemblies not installed in the GAC! Of course I haven't had any issues, as I haven't done any performance tests yet.
Sorry, for the moment I haven't found a way (for Framework 4 based assemblies) to create security rights for just specific network-based folders, and so also not for files, but I have never played with file security in this context yet.
- alfred -
Ingenieur Studio HOLLAUS ... www.hollaus.at
Sorry if that came off a bit harsh. I'm working on getting a handle on the finer points of DataSets, DataTables, and DataGrid/TreeView controls while being dragged away every 15 minutes by users with easily solved problems. NOT conducive to getting anything done.
Our IT is pretty locked down, but it's also a different department, with the servers and the supervisors in another city. There is no corporate mandate for local/network storage, so I'm free to do what looks best. We have a couple of local admins, but they have all sorts of IT things to get done. I wrote the update EXE in far less time than it would have taken to submit the proposal, let them bump it to the head office (and promptly forget about it), remind them I *need* this done, and finally get something which sort of (but doesn't really) get the job done, *plus* getting them to force certain files to unlock overnight so they can be replaced, yadda yadda yadda... It's just easier to follow the established routines of other programs and be done with it.
Oh, and the updater EXE isn't a "blind" folder watcher - it reads an XML manifest file so it knows precisely which files to be updating (plus any registry entries to handle demand-loading).
If you are going to fly by the seat of your pants, expect friction burns.
Adopt. Adapt. Overcome. Or be overcome.
Sounds familiar. I am actually working on some code to allow paste operations into a DataGridView control. I was befuddled to find that there is no automatic paste handling when I created my latest form that uses a DGV.
I am in a small to medium sized Commercial Engineering firm, about 70 people here in the office, with an IT staff of 2. It does take me some time to get things done if it requires any equipment or software purchase, but with the file locks, I just shoot her an email, and she sends me one back saying who has the file(s) locked, then I check to see if they are in the office, and if not, I ask her to break the lock.
That said, as my previous couple of posts indicated, I have just discovered that for AutoCAD 2012 (or more precisely the .NET 4.0), setting the LoadFromRemoteSources = True means AutoCAD will load anything it is asked to load from anywhere, regardless of CASPol settings. So I am probably going to want to change the way we do things now, but that will require me convincing the President that it is a problem (shouldn't be too hard, he's no fool).
I was able to get the behavior I am looking for with <NetFx40_LegacySecurityPolicy enabled="true"/>.
The assemblies that had been granted trust loaded fine, but assemblies that had not been granted trust did not load. (There was no error thrown, which is what I would have seen in previous versions of .NET, but at least the assembly did not load)
My guess is that you had both <NetFx40_LegacySecurityPolicy enabled="true"/> and LoadFromRemoteSources = True?
You have to take out LoadFromRemoteSources and replace it with LegacySecurityPolicy. I have currently only tried it on two machines (one Win7 64 bit, ACAD 2012 64bit, and one XP 32 bit, ACAD 2012 32bit), but both machines seem to be doing what they are supposed to now. Glad you pointed that out to me; I thought they were already obeying the CAS policies.
Oh, and I don't think the issue about Native assemblies not loaded in the GAC will be a problem for me. I don't have any Native assemblies, and this setting should only apply to AutoCAD. I'll come back to this post later if I do see any strange behavior related to this setting. (and I'm going to tell Kean about it, so maybe he'll do another post)
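To make the two runtime toggles discussed in this thread concrete, here is a minimal acad.exe.config as an added example (it is not a file from this thread or from Autodesk; a real acad.exe.config carries many other elements, which are left out here). The weak setting is kept only as a comment next to the corrected one, and the element name loadFromRemoteSources is the .NET 4 runtime element that the posts refer to as "LoadFromRemoteSources = True".

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not the thread's own config: only the <runtime> section
     relevant to loading add-in assemblies from a network share is shown. -->
<configuration>
  <runtime>
    <!-- WEAK (removed): with this element .NET 4 loads any assembly from any
         network location as full trust, regardless of CasPol code groups.
         Leaving it in alongside the element below defeats the per-file
         grants, so it must be taken out, not just overridden. -->
    <!-- <loadFromRemoteSources enabled="true"/> -->

    <!-- CORRECTED: re-enable .NET 2.0-style CAS policy so that only
         assemblies granted trust with the Framework 4 CasPol.exe load from
         the network. Note from the thread: an assembly that was not granted
         trust now silently fails to NETLOAD rather than raising an error. -->
    <NetFx40_LegacySecurityPolicy enabled="true"/>
  </runtime>
</configuration>
```

This file lives next to acad.exe, so the setting only changes how AutoCAD's own process applies policy; other .NET 4 applications on the machine are unaffected, which is why the GAC/native-image caveat alfred linked is worth checking per application rather than globally.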
>> My guess is that you had both
No, I didn't have them both in the config file, either the LoadFromExternalSource or the NetFx40_LegacySecurityPolicy.
What I want to ask now is about the following statement:
>> The assemblies that had been granted trust loaded fine
Can you describe to me what you do to get a "granted trusted assembly"? Do you define that with the CASPOL utility, or am I missing something?
If it's CASPOL, then for my testing environment I had removed all groups defined with CASPOL -ag, then I tried each one of the parameters in the config, and in both situations I had success loading the DLLs into AutoCAD (using _NETLOAD). But to be honest, did I really have every situation (CASPOL off/on, LoadFromExternalResource off/on, NetFx40_LegacySecurityPolicy off/on) correctly sorted out? I'm not as sure as I should be (except that I did not have both active within the same config) and will verify it again when I know what your definition of a granted trusted assembly is.
- alfred -
Ingenieur Studio HOLLAUS ... www.hollaus.at
Yes, with CasPol.exe. This is an example of what I use.
Or if it is an XP 32 bit machine, CASpol.exe is in this directory
(yeah, I know, there is probably a system variable to get the path to the Framework directory)
I make a .bat file that has one line for each assembly that a user has access to (I have about 4 different types of users, on 2 different types of machines, resulting in 8 different batch files, plus 2 more for a special assembly that only has about 5 authorized users, some on 32bit, some on 64bit).
I tested one of the standard users' machines, and yesterday, before changing the acad.exe.config, that user was able to load the restricted assembly (sort of; he didn't have a registration code, so he couldn't actually run it, but it did load and prompt him to enter the registration code).
Today after changing the .config file, he is still able to load the assemblies he is supposed to load, but the restricted assembly does not load.
Thank you for your testing, and even if I blame myself now, maybe somebody else has the same troubles, so I'll describe what I did wrong in my first tests (for message 12 from this thread).
My primary problem was that I thought that CASPOL from the "Framework 2.x" folder influences the same security settings as the CASPOL.EXE from the "Framework 4.x" folder does.
And I always played with the older release, did a
CASPOL.EXE -m -reset
to be sure that all is back to default, but it is not. And so my test results with different settings in the ACAD.EXE.CONFIG were different from yours, as I didn't realise that I had some Framework 4 settings allowing things to be used.
I had to start the CASPOL.EXE from the "Framework 4.x" directory to then come to the same result as you have.
Thank you for kicking me in the right direction!
So now I'm also able to use the directory- and file-based security settings.
Thx again, - alfred -
Ingenieur Studio HOLLAUS ... www.hollaus.at
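The batch-file approach described a few posts up (one CasPol line per assembly a user may load) and alfred's correction that the Framework 4 policy store is only reached through the Framework 4 CasPol.exe, as an added example; this is not either poster's batch file. The share name, assembly names and code-group names are placeholders, and the CasPol directory is located via %windir% rather than a hard-coded path.

```batch
@echo off
rem Added example, not the thread's own .bat: grant trust to specific network
rem assemblies with the Framework 4 CasPol.exe, then verify the result.
rem \\server\cadtools and the .dll names below are placeholders.
setlocal

rem Pick the CasPol that matches the AutoCAD bitness. The v4.0 policy store is
rem separate from v2.0.50727, so "-reset" on the v2 CasPol leaves it untouched
rem (the mistake alfred describes above).
if exist "%windir%\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe" (
    set "CASPOL=%windir%\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
) else (
    set "CASPOL=%windir%\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
)

rem  -m          machine policy level
rem  -q          quiet: no "change policy?" prompt, so the file runs unattended
rem  -ag 1.      add a code group under the root (All_Code) group
rem  -url ...    membership condition: exactly this file, no trailing wildcard,
rem              so nothing else on the share is trusted
rem  FullTrust   permission set granted to members of the group
rem  -n / -d     name and description, so -lg output stays readable
"%CASPOL%" -m -q -ag 1. -url "file://\\server\cadtools\DrawingTools.dll" FullTrust -n "CadTools_Drawing" -d "Standard users"
"%CASPOL%" -m -q -ag 1. -url "file://\\server\cadtools\SheetSetTools.dll" FullTrust -n "CadTools_SheetSet" -d "Standard users"

rem Alternative for an assembly that must not be swapped out on the share:
rem a hash condition pins the file contents instead of its location, at the
rem cost of re-running this line after every recompile.
rem "%CASPOL%" -m -q -ag 1. -hash SHA1 -file "\\server\cadtools\Restricted.dll" FullTrust -n "CadTools_Restricted"

rem Verify: which groups the file matches, the permissions it resolves to,
rem and the full group list, all against the v4 store this script changed.
"%CASPOL%" -m -rsg "\\server\cadtools\DrawingTools.dll"
"%CASPOL%" -m -rsp "\\server\cadtools\DrawingTools.dll"
"%CASPOL%" -m -lg

endlocal
```

Run it elevated on each workstation (machine-level policy needs administrator rights), and keep one copy per user type as the post describes; the -rsg/-rsp lines are the quick check that the CasPol you just ran is the one AutoCAD will consult once NetFx40_LegacySecurityPolicy is enabled in acad.exe.config.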
I don't know if this is the best way for deploying a dll from a single network location but this is how I am doing it...
I created a lisp file that loads the dll, which is put into my users' Startup Suite; this lisp file is also network accessible. So if I make a change to the dll, I recompile and copy it to the network location, just increment the number in the filename, and then update the lisp file with the new filename for the dll. The only issue is the users' tools don't get updated until they restart their AutoCAD, so I just send out a mass email to remind them to if it's an important update. This is the easiest solution I came up with.
TJK77, all these methods listed on the forum look very cumbersome, not to mention intimidating. Except yours, TJK77. When I initially asked the question I did not even think about the version of the framework; I am currently running 3.5 and am dreading yet another move towards 4.0.
As I am reminiscing about the good old lisp/vba and the ease of how things used to be, I have to remind myself to keep searching for strength to pass this learning curve, and that somehow it will all pay off after the dust settles.
At the current time I am not seeking any overwhelming solutions; my current goal is to convert thousands of VBA lines of code to vb.net and to be able to load them to several dozens of users. As users start finding bugs I would like to be able to easily update the dll until all or most bugs are gone. Only after I have achieved that can I focus on more elegant ways to deal with the challenges that Mr. Bill has introduced.