 Wednesday, November 09, 2005

In my tutorial yesterday here at DevConnections I tossed the slides for the last half (those are for your reference) and basically spent the time demonstrating various aspects of ClickOnce: deployment, versioning, security, download on demand, globalization and offline data deployment. Whew, even without slides that was a lot to cover, and we opened many a can of worms that just leads to additional questions on the entire lifecycle of a smart client app deployed with ClickOnce.

One thing that really hit home is the “rights” users have to install applications. There are a variety of answers to that question, some of which were only vaguely answered in our discussion, and one item I wanted to follow up on...which I did with my colleague Brian Noyes.

Q. Who can install a ClickOnce application?

Any user can click a link to a ClickOnce application and install the application. If the application requires greater trust than the zone it is installed from will grant (Intranet, Internet, My Computer), the user will be prompted to approve the installation.

HA! That's the part I wasn't expecting (thanks Brian)...because I thought that ClickOnce was secure by default, meaning...users can't just click “ok” to accept the download and elevation of application privileges...apparently I'm wrong...and I could swear I remembered speaking to someone “who knew” about this in the past...but my memory may fail me...too much stuff in there I guess.

Q. What's the prompt for?

The download prompt is for one thing only: do you want to elevate security of this application you are downloading, beyond the security settings for its zone?

Are you sure? Are you REALLY sure?

And away we go, the app gets all the security it needs to run...that is, if there are sufficient permissions to complete the installation...

Q. Are users ALWAYS prompted to elevate security?

They are prompted every time the application is updated if it requires additional permissions beyond what the zone allowed.

UNLESS...the certificate is installed in the trusted publishers section of the certificate store, and if the issuer of the certificate is installed in the trusted roots section. Administrators can push the certs out to machines within the domain so that users are not prompted to elevate security for trusted publishers.

For non-trusted publishers, users will continue to be asked...WHAT??!? Yep, users by default have the right to “decide” if they want to trust an application...and yes, it could be an application that when run deletes that special project they have been slaving over...or some other malicious behavior... and all because they were asked a question to which they responded...

duh...ok!

Q. Can administrators protect users from downloading untrusted applications?

Yes. If the prompting behavior is turned off, only applications that are trusted (cert has been installed) will be allowed to elevate security. Other apps can only run within the confines of the zone they belong to. So, if you install the application with an MSI, you get My Computer zone, and that grants full trust by default. Internet or Intranet downloads are granted less.

To turn off prompting behavior, set up the registry key:

HKLM\Software\Microsoft\.NETFramework\Security\TrustManager\PromptingLevel

From Brian Noyes MSDN article:

The registry key \HKLM\Software\Microsoft\.NETFramework\Security\TrustManager\PromptingLevel is the one that allows you to customize the prompting behavior. This key is not present by default after a .NET Framework 2.0 installation, so you will have to create it manually if you want to customize these settings.

Under that registry key, you can add any of 5 string values, named MyComputer, LocalIntranet, Internet, TrustedSites, and UntrustedSites. These correspond to their respective zones. As a value for these, you can set one of three strings: Enabled, Disabled, or AuthenticodeRequired. Enabled is the default for the MyComputer, LocalIntranet and TrustedSites zones. The Internet default is AuthenticodeRequired, and the UntrustedSites default is Disabled. Table 2 shows the values that you can set for each zone and their effects. Figure 4 shows the registry key values set to their default behavior, but keep in mind this key does not exist by default so you will typically only create it if you are going to set them to different values than the defaults.

My take on this, the key should have been enabled by default. Why?

To make life difficult for users? no

To make life difficult for Mort? no

To make it difficult to accidentally trust a malicious third party and give them full access to the machine? yes, absolutely

So, administrators get your SMS push ready and get that registry setting up and running...pronto! Unless you don't concern yourself with the users' ability to install apps to the corporate domain.
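
One way to script the registry change described above, as an added PowerShell example (not from the original post or from Brian Noyes' article): it reports each zone's effective PromptingLevel, falling back to the defaults quoted above when the key is absent, and writes a new policy. The function names `Get-ClickOncePromptingLevel` and `Set-ClickOncePromptingLevel` and the sample policy are hypothetical; writing under HKLM requires an elevated session.

```powershell
# Added example; function names and the sample policy are hypothetical.
$KeyPath = 'HKLM:\Software\Microsoft\.NETFramework\Security\TrustManager\PromptingLevel'

# Defaults that apply when a value (or the whole key) is absent, per the quoted article.
$Defaults = [ordered]@{
    MyComputer     = 'Enabled'
    LocalIntranet  = 'Enabled'
    TrustedSites   = 'Enabled'
    Internet       = 'AuthenticodeRequired'
    UntrustedSites = 'Disabled'
}
$Allowed = 'Enabled', 'Disabled', 'AuthenticodeRequired'

function Get-ClickOncePromptingLevel {
    # Read-only audit: one row per zone with its effective setting and where it came from.
    $props = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    foreach ($zone in $Defaults.Keys) {
        $explicit = if ($props) { $props.$zone } else { $null }
        [pscustomobject]@{
            Zone      = $zone
            Effective = if ($explicit) { $explicit } else { $Defaults[$zone] }
            Source    = if ($explicit) { 'Registry' } else { 'Default' }
            Valid     = (-not $explicit) -or ($explicit -in $Allowed)
        }
    }
}

function Set-ClickOncePromptingLevel {
    param([Parameter(Mandatory)][hashtable]$Policy)
    # Validate everything before touching the registry, so a typo never leaves a half-applied policy.
    foreach ($zone in $Policy.Keys) {
        if ($zone -notin $Defaults.Keys) { throw "Unknown zone: $zone" }
        if ($Policy[$zone] -notin $Allowed) { throw "Invalid value for ${zone}: $($Policy[$zone])" }
    }
    # The key does not exist after a default .NET Framework 2.0 install, so create it if needed.
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    foreach ($zone in $Policy.Keys) {
        New-ItemProperty -Path $KeyPath -Name $zone -Value $Policy[$zone] `
            -PropertyType String -Force | Out-Null
    }
}

# Sample policy (constructed): turn prompting off for network zones so only
# applications from trusted publishers can elevate beyond their zone.
$Apply = $false   # set to $true in an elevated session to write the values
if ($Apply) {
    Set-ClickOncePromptingLevel -Policy @{ LocalIntranet = 'Disabled'; Internet = 'Disabled'; TrustedSites = 'Disabled' }
}
Get-ClickOncePromptingLevel | Format-Table -AutoSize
```

A row with `Valid` set to `False` means the registry holds a string other than the three values the article lists, which is worth flagging during an audit.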

Conclusions:

  • by default anyone can install an application and elevate trust unless admins turn off the prompting features
  • applications that have publisher certificates installed are trusted to elevate security
  • application installations over the Web or via MSI may still need administrative rights if the bootstrapper calls for adding components to the GAC, or downloading SQL Server Express which requires an admin as well...so ClickOnce is not necessarily removing the pain of installing complex applications...but it sure makes it easy for apps that don't require admin installation privileges
  • in any case, once installed updates that don't bootstrap additional functionality that requires admin installation rights...can be easily handled by any user

Hope this is helpful to those that were new to ClickOnce...since we really couldn't get through all the nit picky details in my talk.

Please visit my colleague Brian's talk tomorrow for more:

Wed 2:00-3:15pm - VSM351: Secure Smart Client ClickOnce Deployments

Unless you want to come to my talk on Indigo/WCF security:

Wed 2:00-3:15pm - VID304: Indigo and Security: Experience the Magic

See you around!
