Trust Levels in ASP.net

Trust levels let you define security rules. They define what types of operations an application can perform, such as reading from disk or accessing the registry. Each trust level has an associated policy file, except for Full trust. When an application runs with Full trust, code access security places no restrictions on the resources and operations that the application is allowed to access. Access to resources is based on operating system security and Microsoft Windows® access control lists (ACLs). Full trust is mapped to an internal handler, so it is not possible to edit the user rights to perform operations for an application. Full trust is effectively the absence of an application domain policy, and therefore it never has an associated policy file.

To protect ASP.NET applications, you can restrict access to resources and the operations that they can perform. You do this by setting the <trust> element to a predefined trust level in either the machine-level Web.config file or the application’s Web.config file.

The following list describes the predefined trust levels:

Full 

Applications that run at Full trust level can execute arbitrary native code in the process context in which they run. Because of the inherent risks that come with running in Full trust mode, this mode is not recommended in a shared environment except when every Web site uses its own application pool and application pool identity.

Important   The default trust level is Full trust. You should evaluate the security requirements for your environment and set the trust level appropriately.

High 

Code in High trust applications can use most .NET Framework permissions that support partial trust. This mode is often appropriate for trusted applications that you want to run with fewer user rights in order to mitigate risks. For example, this level provides the same access as Full trust, but restricts access to unmanaged code and COM interop.

Medium

Code in Medium trust applications can read and write in its own application directories and can interact with Microsoft SQL Server™ databases. However, by default, the user rights that are needed to access OLE DB and ODBC are not granted to Medium trust applications. Medium trust is the recommended setting for a shared server, because it allows connections to SQL Server databases and restricts most other user rights to the application root structure.

Low 

Code in Low trust applications can read its own application resources but cannot make any out-of-process calls, such as calls to a database, to the network, and so on. By using Low trust, you effectively lock applications down to their application directory and remove all access to system resources.

Minimal

Code in Minimal trust applications can execute but cannot interact with any protected resources. Minimal trust may be appropriate for mass hosting sites that want to support dynamic generation of Hypertext Markup Language (HTML) and isolated business logic.

The definition of the trust levels is essentially the same from ASP.NET version 1.1 through version 4. However, some of the user rights or operations that can be granted at each trust level vary slightly. For example, in ASP.NET 2.0 and later, Medium trust code can enable access to OLE DB APIs.

For information about how to run ASP.NET applications in a hosted environment, including trust levels and code access security, download the Microsoft Solution for Windows-based Hosting version 3.5 tool kit from the Microsoft download center. For information about hosting environments and architecture, see the Hosting Guidance for the Microsoft Web Platform on the IIS.net Web site.

Download Visual Studio 2010 and .NET Framework 4 Training Kit – February Release

The Visual Studio 2010 and .NET Framework 4 Training Kit includes presentations, hands-on labs, and demos. This content is designed to help you learn how to utilize the Visual Studio 2010 features and a variety of framework technologies including:

  • C# 4.0
  • Visual Basic 10
  • F#
  • Parallel Extensions
  • Windows Communication Foundation
  • Windows Workflow
  • Windows Presentation Foundation
  • ASP.NET 4
  • Windows 7
  • Entity Framework
  • ADO.NET Data Services
  • Managed Extensibility Framework
  • Visual Studio Team System

This version of the Training Kit works with Visual Studio 2010 RC and .NET Framework 4 RC.

  • Supported Operating Systems: Windows 7; Windows Server 2008; Windows Vista

Visual Studio 2010 RC .NET Framework 4 RC.

Instructions

Download and launch the self-extracting package. The Training Kit will uncompress to the selected folder and launch a HTML browser for the content.

Download Visual Studio 2010 and .NET Framework 4 Training Kit – February Release