The Code Access Security Policy tool enables users and administrators to modify security policy for the machine policy level, the user policy level, and the enterprise policy level.
The caspol.exe tool is a managed application. To execute managed applications you must use the clix application launcher.
clix caspol [options]
The following options can be specified using either a dash (-) or a slash (/).
| Option | Description |
|---|---|
| -addfulltrust assembly_file
or -af assembly_file |
Adds an assembly that implements a custom security object (such as a custom permission or a custom membership condition) to the full trust assembly list for a specific policy level. The assembly_file argument specifies the assembly to add. This file must be signed with a strong name. You can sign an assembly with a strong name using the Strong Name Tool (Sn.exe).
When a permission set containing a custom permission is added to policy, the assembly implementing the custom permission must be added to the full trust list for that policy level. In general, assemblies implementing custom security objects (such as custom code groups or membership conditions) used in a security policy (such as the machine policy) should be added to the full trust assembly list. If the assembly implementing the custom security object references other assemblies, those assemblies must also be added to the list, and so on. |
| -addgroup{parent_label | parent_name} mship pset_name [flags]
or -ag {parent_label | parent_name} mship pset_name [flags] |
Adds a new code group to the code group hierarchy. You can specify either the parent_label or parent_name. The parent_label argument specifies the label (such as 1. or 1.1.) of the code group that is the parent of the code group being added. The parent_name argument specifies the name of the code group that is the parent of the code group being added. Because parent_label and parent_name can be used interchangeably,
caspol.exe must be able to distinguish between them. Therefore, parent_name cannot begin with a number. Additionally, parent_name can only contain A-Z, 0-9 and the underscore character.
The mship argument specifies the membership condition for the new code group. For more information, see the table of mship arguments later in this section. The pset_name argument is the name of the permission set that will be associated with the new code group. You can also set one or more flags for the new group. For more information, see the table of flags arguments later in this section. |
| -addpset{psfile | psfile pset_name}
or -ap {named_psfile | psfile pset_name} |
Adds a new named permission set to policy. The permission set must be authored in XML and stored in an .xml file. If the .xml file contains the name of the permission set, only that file (psfile) is specified. If the .xml file does not contain the permission set name, you must specify both the .xml file name (psfile) and the permission set name (pset_name). |
| -a[ll] | Indicates that all options following this one apply to the computer, user, and enterprise policies. The -all option always refers to the policy of the currently logged-on user. See the -customall option to refer to the user policy of a user other than the current user. |
| -chggroup{label |name} {mship | pset_name |
flags or -cg{label |name} {mship | pset_name | flags |
Changes a code group's membership condition, permission set, or the settings of the
exclusive, levelfinal, name, or description flags.
You can specify either the label or name. The label argument specifies the label (such as 1. or 1.1.) of the code group.
The name argument specifies the name of the code group to change. Because label and name can be used interchangeably,
caspol.exe must be able to distinguish between them. Therefore, name cannot begin with a number. Additionally, name can only
contain A-Z, 0-9 and the underscore character.
The pset_name argument specifies the name of the permission set to associate with the code group. See the tables later in this section for information on the mship and flagsarguments. |
| -chgpset psfile pset_name
or -cp psfile pset_name |
Changes a named permission set. The psfile argument supplies the new definition for the permission set; it is a serialized permission set file in XML format. The pset_name argument specifies the name of the permission set you want to change. |
| -customall path
or -ca path |
Indicates that all options following this one apply to the computer, enterprise, and the specified custom user policies. You must specify the location of the custom user's security configuration file with the path argument. |
| -cu[stomuser]path | Allows the administration of a custom user policy that does not belong to the user on whose behalf caspol.exe is currently running. You must specify the location of the custom user's security configuration file with the path argument. |
| -enterprise
or -en |
Indicates that all options following this one apply to the enterprise level policy. Users who are not enterprise administrators do not have sufficient rights to modify the enterprise policy, although they can view it. In nonenterprise scenarios, this policy, by default, does not interfere with machine and user policy. |
| -e[xecution] {on | off} | Turns on or turns off the mechanism that checks for the permission to run before code starts to execute. |
| -f[orce] | Suppresses the tool's self-destruct test and changes the policy as specified by the user. Typically, caspol.exe determines whether any policy changes would prevent caspol.exe itself from running properly; if so, caspol.exe does not save the policy change and prints an error message. To force caspol.exe to change policy even if this prevents caspol.exe itself from running, use the -force option. |
| -h[elp] | Displays command syntax and options for caspol.exe. |
| -l[ist] | Lists the code group hierarchy and the permission sets for the specified machine, user, enterprise, or all policy levels. caspol.exe displays the code group's label first, followed by the name, if it is not null. |
| -listdescription | Lists all code group descriptions for the specified policy level. |
| -listfulltrust
or -lf |
Lists the contents of the full trust assembly list for the specified policy level. |
| -listgroups
or -lg |
Displays the code groups of the specified policy level or all policy levels. caspol.exe displays the code group's label first, followed by the name, if the name is not null. |
| -listpset or -lp | Displays the permission sets for the specified policy level or all policy levels. |
| -m[achine] | Indicates that all options following this one apply to the machine level policy. Users who are not administrators do not have sufficient rights to modify the machine policy, although they can view it. For administrators, -machine is the default. |
| -polchgprompt {on | off}
or -pp {on | off} |
Enables or disables the prompt that is displayed whenever caspol.exe is run using an option that would cause policy changes. |
| -quiet or -q |
Allows caspol.exe to be run from scripts with a single command. |
| -r[ecover] | Recovers policy from a backup file. Whenever a policy change is made, caspol.exe stores the old policy in a backup file. |
| -remfulltrust assembly_file
or -rf assembly_file |
Removes an assembly from the full trust list of a policy level. This operation should be performed if a permission set that contains a custom permission is no longer used by policy. However, you should remove an assembly that implements a custom permission from the full trust list only if the assembly does not implement any other custom permissions that are still being used. When you remove an assembly from the list, you should also remove any other assemblies that it depends on. |
| -remgroup {label |name}
or -rg{label | name} |
Removes the code group specified by either its label or name. If the specified code group has child code groups, caspol.exe also removes all the child code groups. |
| -rempset pset_name
or -rp pset_name |
Removes the specified permission set from policy. The pset_name argument indicates which permission set to remove. caspol.exe removes the permission set only if it is not associated with any code group. The default (built-in) permission sets cannot be removed. |
| -reset
or -rs |
Returns policy to its default state and persists it to disk. This is useful whenever a changed policy seems to be beyond repair and you want to start over with the installation defaults. Resetting can also be convenient when you want to use the default policy as a starting point for modifications to specific security configuration files. For more information, see Manually Editing the Security Configuration Files. |
| -resolvegroup assembly_file
or -rsg assembly_file |
Shows the code groups that a specific assembly (assembly_file) belongs to. By default, this option displays the machine, user, and enterprise policy levels to which the assembly belongs. To view only one policy level, use this option with either the -machine, -user, or -enterprise option. |
| -resolveperm assembly_file
or -rsp assembly_file |
Displays all permissions that the specified (or default) level of security policy would grant the assembly if the assembly were allowed to run. The assembly_file argument specifies the assembly. If you specify the -all option, caspol.exe calculates the permissions for the assembly based on user, machine, and enterprise policy; otherwise, default behavior rules apply. |
| -s[ecurity] {on | off} | Turns code access security on or off. This option should be used only with extreme caution. |
| -u[ser] | Indicates that all options following this one apply to the user level policy for the user on whose behalf caspol.exe is running. For nonadministrative users, -user is the default. |
| -? | Displays command syntax and options for caspol.exe. |
The mship argument, which specifies the membership condition for a code group, can be used with the -addgroup and -chggroup options. To specify mship, use one of the following.
| Argument | Description |
|---|---|
| -all | Specifies all code. |
| -appdir | Specifies the application directory. If you specify -appdir as the membership condition, the URL evidence of the code is compared with the application directory evidence of that code. If both evidence values are the same, this membership condition is satisfied. |
| -custom xmlfile | Adds a custom membership condition. The mandatory xmlfile argument specifies the .xml file that contains XML serialization of the custom membership condition. |
| -hash hashAlg {-hex hashValue | -file assembly_file } | Specifies code that has the given assembly hash. To use a hash as a code group membership condition, you must specify either the hash value or the assembly file. |
| -pub { -cert cert_file_name | -file signed_file_name | -hex hex_string } |
Specifies code that has the given software publisher, as denoted by a certificate file, a signature on a file, or the hexadecimal representation of an X509 certificate. |
| -site website | Specifies code that has the given site of origin. For example:
-site www.proseware.com |
| -strong -file file_name {name | -noname} {version | -noversion} | Specifies code that has a specific strong name, as designated by the file name, the assembly name as a string, and the assembly version in the format major.minor.build.revision. For example:
-strong -file myAssembly.exe myAssembly 1.2.3.4 |
| -urlURL | Specifies code that originates from the given URL. |
| -zone zonename | Specifies code with the given zone of origin. The zonename argument can be one of the following values: MyComputer, Intranet, Trusted, Internet, or Untrusted. |
The flags argument, which can be used with the -addgroup and -chggroup options, is specified using one of the following.
| Argument | Description |
|---|---|
| -description "description" | If used with the -addgroup option, specifies the description for a code group to add. If used with the -chggroup option, specifies the description for a code group to edit. The description argument must be enclosed in double quotes. |
| -exclusive {on|off} | When set to on, indicates that only the permission set associated with the code group you are adding or modifying is considered when some code fits the membership condition of the code group. When this option is set to off, caspol.exe considers the permission sets of all matching code groups in the policy level. |
| -levelfinal {on|off} | When set to on, indicates that no policy level below the level in which the added or modified code group occurs is considered. This option is typically used at the machine policy level. For example, if you set this flag for a code group at the machine level and some code matches this code group's membership condition, caspol.exe does not calculate or apply the user level policy for this code. |
| -name "name" | If used with the -addgroup option, specifies the scripting name for a code group to add. If used with the -chggroup option, specifies the scripting name for a code group to edit. The name argument must be enclosed in double quotes. The name argument cannot begin with a number, and can only contain A-Z, 0-9, and the underscore character. On every change or addition of a scripting name, caspol.exe checks whether the added or changed name is unique in the code group hierarchy in which it is added or changed. Code groups can be referred to by this name instead of by their numeric label. The name is also highly useful for scripting purposes. |
Security policy is expressed using three policy levels: machine policy, user policy, and enterprise policy. The set of permissions that an assembly receives is determined by the intersection of the permission sets allowed by these three policy levels. Each policy level is represented by a hierarchical structure of code groups. Every code group has a membership condition that determines which code is a member of that group. A named permission set is also associated with each code group. This permission set specifies the permissions the CLI allows code to have if the code meets the membership condition. A code group hierarchy, together with its associated named permission sets, defines and maintains each level of security policy. You can use the-user, -customuser, -machine and -enterprise options to set the level of security policy.
To facilitate references to code groups in a hierarchy, the -list option displays an indented list of code groups along with their numerical labels (1, 1.1, 1.1.1, and so on). The other command-line operations that target code groups also use the numerical labels to refer to specific code groups.
Named permission sets are referenced by their names. The -list option displays the list of code groups followed by a list of named permission sets available in that policy.
All options use the runtime version that caspol.exe was installed with. If you run the Code Access Security Policy tool that was installed with version X of the runtime, the changes apply only to that version of the runtime. Other side-by-side installations of the runtime, if any, are not affected. If you run caspol.exe from the command line without being in a versioned runtime directory, the tool is executed from the first runtime directory in the path (usually the most recent runtime version installed).
When a user without administrative rights runs caspol.exe, all options refer to the user level policy unless the -machine option is specified. When an administrator runs caspol.exe, all options refer to the machine policy unless the -user option is specified.
The Code Access Security Policy tool must be granted the equivalent of the Everything permission set to function. The tool has a protective mechanism that prevents policy from being modified in ways that would prevent caspol.exe from being granted the permissions it needs to run. If you try to make such changes, caspol.exe notifies you that the requested policy change will break the tool, and the policy change is rejected. You can turn this protective mechanism off for a given command by using the -force option.
Three security configuration files correspond to the three policy levels supported by Code Access Security Policy tool: one for the machine policy, one for a given user's policy, and one for the enterprise policy. These files are created on disk only when machine, user, or enterprise policy is changed using caspol.exe. You can use the -reset option in caspol.exe to save the default security policy to disk, if needed.
In most cases, it is recommended that you do not manually edit the security configuration files. However, might be necessary to modify these files, such as when an administrator wants to edit the security configuration for a particular user.
-addfulltrust
Assume that a permission set containing a custom permission has been added to machine policy. This custom permission is implemented in MyPerm.exe, and MyPerm.exe references classes in MyOther.exe. Both assemblies must be added to the full trust assembly list. The following command adds the MyPerm.exe assembly to the full trust list for the machine policy.
caspol -machine -addfulltrust MyPerm.exe
The following command adds the MyOther.exe assembly to the full trust list for the machine policy.
caspol -machine -addfulltrust MyOther.exe
-addgroup
The following command adds a child code group to the root of the machine policy code group hierarchy. The new code group is a member of the Internet zone and is associated with the Execution permission set.
caspol -machine -addgroup 1. -zone Internet Execution
-addpset
The following command adds the Mypset permission set to the user policy.
caspol -user -addpset Mypset.xml Mypset
-chggroup
The following command changes the permission set in the user policy of the code group labeled 1.2. to the Execution permission set.
caspol -user -chggroup 1.2. Execution
The following command changes the membership condition in the default policy of the code group labeled 1.2.1. and changes the setting of the exclusive flag. The membership condition is defined to be code that originates from the Internet zone and the exclusive flag is switched on.
caspol -chggroup 1.2.1. -zone Internet -exclusive on
-chgpset
The following command changes the permission set with name Mypset to the permission set contained in newpset.xml. Note that the current release does not support changing permission sets that are being used by the code group hierarchy.
caspol -chgpset Mypset newpset.xml
-force
The following command causes the user policy's root code group (labeled 1) to be associated with the Nothing named permission set. This prevents caspol.exe from running.
caspol -force -user -chggroup 1 Nothing
-recover
The following command recovers the most recently saved machine policy.
caspol -machine -recover
-remgroup
The following command removes the code group labeled 1.1. If this code group has any child code groups, those groups are also deleted.
caspol -remgroup 1.1.
-rempset
The following command removes the Execution permission set from the user policy.
caspol -user -rempset Execution
The following command removes Mypset from the user policy level.
caspol -rempset MyPset
-resolvegroup
The following command shows all code groups of the machine policy that myassembly belongs to.
caspol -machine -resolvegroup myassembly
The following command shows all code groups of the machine, enterprise, and specified custom user policy that myassembly belongs to.
caspol -customall "c:\config_test\security.config" -resolvegroup myassembly
-resolveperm
The following command calculates the permissions for testassembly based on the machine and user policy levels.
caspol -all resolveperm testassembly
Copyright (c) 2006 Microsoft Corporation. All rights reserved.