dasBlonde - ClickOnce Deployments - Who's allowed to install that app? How can they be stopped?

Wednesday, November 09, 2005

« BlogJetting for DevConnections | Main | ACTION ITEMS - Post Dev Connections »

ClickOnce Deployments - Who's allowed to install that app? How can they be stopped?

In my tutorial yesterday here at DevConnections I tossed the slides for the last half (those are for your reference) and basically spent the time demonstrating varioius aspects of ClickOnce: deployment, versioning, security, download on demand, globalization and offline data deployment. Whew, even without slides that was a lot to cover, and we opened many a can of worms that just leads to additional questions on the entire lifecycle of a smart client app deployed with ClickOnce.

One thing that really hit home is the “rights” users have to install applications. There are a variety of answers to that question, some of which were only vaguely answered in our discussion, and one item I wanted to follow up on...which I did with my colleague Brian Noyes.

Q. Who can install a click once application?

Any user can click a link to a ClickOnce application and install the application. If the appilcation requires greater trust than the zone they are installed from will grant (Intranet, Internet, My Computer) they will be prompted to approve the installation.

HA! That's that part I wasn't expecting (thanks Brian)...because I thought that ClickOnce was secure by default, meaning...users can't just click “ok“ to accept the download and elevation of application privileges...apparently I'm wrong...and I could swear I remembered speaking to someone “who knew“ about this in the past...but my memory may fail me...too much stuff in there I guess.

Q. What's the prompt for?

The download prompt is for one thing only: do you want to elevate security of this application you are downloading, beyond the security settings for its zone?

Are you sure? Are you REALLY sure?

And away we go, the app gets all the security it needs to run...that is, if there is sufficient permissions to complete the installation...

Q. Are users ALWAYS prompted to elevate security?

They are prompted every time the application is updated if it requires additional permissions beyond what the zone allowed.

UNLESS...the certificate is installed in the trusted publishers section of the certificate store, and if the issuer of the certificate is installed in the trusted roots section. Administrators can push the certs out to machines within the domain so that users are not prompted to elevate security for trusted publishers.

For non-trusted publishers, users will continue to be asked...WHAT??!? Yep, users by default have the right to “decide“ if they want to trust an application...and yes, it could be an application that when run deletes that special project they have been slaving over...or some other malicious behavior... and all because they were asked a question to which they responded...

duh...ok!

Q. Can administrators protect users from downloading untrusted applications?

Yes. If the prompting behavior is turned off, only applications that are trusted (cert has been installed) will be allowed to elevate security. Other apps can only run within the confines of the zone they belong to. So, if you install the application with an MSI, you get My Computer zone, and that grants full trust by default. Internet or Intranet downloads are granted less.

To turn off prompting behavior, set up the registry key:

KLM\Software\Microsoft\.NETFramework\Security\TrustManager\PromptingLevel

From Brian Noyes MSDN article:

The registry key \HKLM\Software\Microsoft\.NETFramework\Security\TrustManager\PromptingLevel is the one that allows you to customize the prompting behavior. This key is not present by default after a .NET Framework 2.0 installation, so you will have to create it manually if you want to customize these settings.

Under that registry key, you can add any of 5 string values, named MyComputer, LocalIntranet, Internet, TrustedSites, and UntrustedSites. These correspond to their respective zones. As a value for these, you can set one of three strings: Enabled, Disabled, or AuthenticodeRequired. Enabled is the default for the MyComputer, LocalIntranet and TrustedSites zones. The Internet default is AuthenticodeRequired, and the UntrustedSites default is Disabled. Table 2 shows the values that you can set for each zone and their effects. Figure 4 shows the registry key values set to their default behavior, but keep in mind this key does not exist by default so you will typically only create it if you are going to set them to different values than the defaults.

My take on this, the key should have been enabled by default. Why?

To make life difficult for users? no

To make life difficult for Mort? no

To make it difficult to accidentally trust a malicious third party and give them full access to the machine? yes, absolutely

So, administrators get your SMS push ready and get that registry setting up and running...pronto! Unless you don't concern yourself with the users ability to install apps to the corporate domain.

Conclusions:

by default anyone can install an application and elevate trust unless admins turn off the prompting features
applications that have publisher certificates installed are trusted to elevate security
application installations over the Web or via MSI still may need administrative if the bootstrapper calls for adding components to the GAC, or downloading SQL Server Express which requires an admin as well...so ClickOnce is not necessarily removing the pain of installing complex applications...but it sure makes it easy for apps that don't require admin installation privileges
in any case, once installed updates that don't bootstrap additional functionality that requires admin installation rights...can be easily handled by any user

Hope this is helpful to those that were new to ClickOnce...since we really couldn't get through all the nit picky details in my talk.

Please visit my collegue Brian's talk tomorrow for more:

Wed 2:00-3:15pm - VSM351: Secure Smart Client ClickOnce Deployments

Unless you want to come to my talk on Indigo/WCF security:

Wed 2:00-3:15pm - VID304: Indigo and Security: Experience the Magic

See you around!

Thursday, November 10, 2005 7:10:08 PM (GMT Standard Time, UTC+00:00)

Great job at DevConnections, Michele! Thank you for your insights and well prepared presentations! Of all sessions I attended, I feel that I received the most useful information from yours. Hope you found some time to enjoy Vegas!

Joe Ammendolia

Thursday, November 10, 2005 11:16:25 PM (GMT Standard Time, UTC+00:00)

Loved your talks. I didn't even go to the Click Once one and now I am interested. My favorite was your performance optimization for ASP.NET. The conference as a whole was too detailed for a non-hands on envirnoment - but you did a great job of hitting the Developer, Architect and Manager in me. Yes, I like the pretty pictures at the end. Soon my hair will go pointy and my IT staff will give me an etch-a-sketch in place of a laptop.

Mark Schwartz

Sunday, November 13, 2005 2:09:38 AM (GMT Standard Time, UTC+00:00)

Hi..
First of all thanks for this gr8 detailed post..

I am planning to comeup with FAQ related to ClickOnce on my blog and i found very good info on this post..

Can i have permission to re-post the contain of this post on my blog?

thanks and regards,
gaurang

Gaurang

Saturday, December 31, 2005 5:04:39 AM (GMT Standard Time, UTC+00:00)

These days sleep there is rapid increase in sleep disorder cases, sleep disorder collectively known as insomania, Improper sleep can lead to high BP, irritation & Depression, so its better to take proper rest and do proper exercise to avoid the dread full situation like insomania and anxiety.Although medication like without doctor consultation.http://www.ambien-xanax-zoloft.com.