Deploying Security Policy
Important |
---|
In the .NET Framework version 4, the common language runtime (CLR) is moving away from providing security policy for computers. Microsoft is recommending the use of Windows Software Restriction Policies as a replacement for CLR security policy. The information in this topic applies to the .NET Framework version 3.5 and earlier; it does not apply to version 4.0 and later. For more information about this and other changes, see Security Changes in the .NET Framework 4. |
Security policy can be easily deployed in a Windows Installer (.msi) file. An .msi file is a self-contained installation package that can be deployed, installed, and uninstalled in a number of ways. For example, you can deploy an .msi file in any of the following ways:
Running the .msi file on the computer where you want to deploy the policy, either from the local disk or from a share.
Using Group Policy on Microsoft Windows servers.
Using Microsoft Systems Management Server (SMS).
Creating Windows Installer Files
The Mscorcfg.msc (.NET Framework Configuration Tool) provides a wizard for creating Windows Installer files. The wizard can create an Installer file that corresponds to one of the three configurable policy levels, but not all of them concurrently. If you are administering security policy for all three configurable levels, you must create three different Windows Installer files and deploy them individually.
The wizard creates the Installer file using the current policy settings of the computer where the wizard executes. For example, to create a user policy for deployment to a group of users, you configure the user policy on your current computer, create the Installer file with the wizard, then return the user policy of the current computer to its original state.
To create a Windows Installer file:
Run the .NET Framework Configuration tool (Mscorcfg.msc).
In the .NET Framework versions 1.0 and 1.1, type the following at the command prompt: %Systemroot%\Microsoft.NET\Framework\versionNumber\Mscorcfg.msc.
In the .NET Framework 2.0 and later, start the Visual Studio Command Prompt and type mscorcfg.msc. The SDK Command Prompt, which automatically sets the SDK environment variables that enable you to easily use .NET Framework tools, is included in the .NET Framework version 2.0 Software Development Kit (SDK). Subsequent releases of the .NET Framework are built incrementally on the .NET Framework version 2.0. Consequently, the SDK Command Prompt from the .NET Framework 2.0 SDK is the latest stand-alone SDK Command Prompt available. Alternatively, you may use the Visual Studio command prompts that are provided with Visual Studio 2005 and later versions.
In the left pane, right-click the Runtime Security Policy node.
From the menu, choose Create Deployment Package.
Follow the Deployment Package wizard instructions to create the .msi file.
When you deploy policy by using an installer file that is created by the Mscorcfg.msc (.NET Framework Configuration Tool), the following applies:
Policy installation affects only the version of the runtime that you targeted when you created the installation file. For example, if you use the .NET Framework Configuration tool version 2.0, your installation file changes only .NET Framework version 2.0 policy.
In some cases, the installer does not generate an error if installation of a new policy failed. To verify that policy was installed succesfully, inspect policy by using the .NET Framework Configuration tool, the Caspol.exe (Code Access Security Policy Tool), or by manually inspecting the policy files in a text editor after deployment.
To update the policy displayed by the .NET Framework Configuration tool, you must shut down the tool and restart it.
Custom Deployment
You can deploy Windows Installer files in several ways, including a startup script, e-mail distribution, or distribution from a shared drive. The easiest way to deploy security policy from a Windows Installer file is to run the file from the computer where you want to update the security policy. You can do this by simply double-clicking the .msi file. To roll back the installation, right-click the .msi file and choose Uninstall.
Make sure that the user account under which the policy is installed has adequate privileges to access the configuration files you are modifying. For example, if you are currently logged on using an account that does not have permission to modify the enterprise configuration file, and the .msi file you are deploying must modify the enterprise configuration file, the installation will not succeed. Note that the Windows Installer package does not produce an error if the current account does not have sufficient permission to modify the configuration file.
Group Policy Deployment
If you use a Windows server for policy administration, you can use Group Policy with a Windows Installer file to deploy security policy to the workstations on your network. Simply import the Installer file using the group policy MMC snap-in, or place the Installer file in a pre-existing directory that you use as an installation point. After you have configured Group Policy to publish the Installer file, the security policy will be updated the next time users log on to the network. Note that you must have a domain controller present on your network to deploy security policy using Group Policy. For more information about using Group Policy, see the Microsoft Windows Server Help.
SMS Deployment
You can use Microsoft Systems Management Server (SMS) to publish security policy to computers on a network. SMS is a standalone server product that manages software installation and configuration in large enterprises. SMS is particularly useful in Windows Server-based networks because it provides the Group Policy functionality that Windows Server-based networks have. Use one of the compatible methods to convert the .msi file into an SMS software package, then use SMS to install the package in the same way as any other software package. For more information about creating and deploying SMS software packages, see the SMS documentation.