This is a follow-up to an earlier post.
I found a much easier way to lock down trust levels for individual applications. The scenario is still the same: you have multiple web applications on one server, some of which should run in partial trust and some in full trust (possibly at different levels of partial trust as well).
The rule of thumb is that you have to lock down the configuration at least one level higher in the hierarchy than the application you want to lock down. In our scenario that is the site-level or machine-level config. The following web.config in your site root does the trick (it works for relative paths under the root as well as for virtual directories):
<configuration>
  <location path="App1" allowOverride="false">
    <system.web>
      <trust level="High"/>
    </system.web>
  </location>
  <location path="App2" allowOverride="false">
    <system.web>
      <trust level="Medium" />
    </system.web>
  </location>
</configuration>
This sets the trust level for each individual application, and allowOverride="false" prevents those applications from changing the setting in their own web.config. With the new configuration granularity in 2.0 it is even possible to lock down settings partially; for example, the next sample locks the trust level but still allows the individual applications to set the originUrl attribute.
<location path="AppWebService" allowOverride="true">
  <system.web>
    <trust level="Medium" lockAllAttributesExcept="originUrl"/>
  </system.web>
</location>
It is even possible to set this in the global web.config by including the site name in the path (I don't know whether this is a new feature in 2.0, but it was new to me). This allows some interesting scenarios…
<location path="Default Web Site/AppDomainFun" allowOverride="false">
  <system.web>
    <trust level="Medium"/>
  </system.web>
</location>
This makes for a much smoother story than the single policy file approach I described in my previous entry.
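As an added example (not code from the original post), here is a small Python audit that parses a site-level or machine-level web.config like the ones above and reports which application paths set a trust level without actually locking it, whether via allowOverride="false" on the location or via the attribute-level locks on the trust element. It goes slightly beyond the post by also recognising lockAttributes and lockAllAttributes, the other ASP.NET 2.0 attribute-locking options; the sample config it inspects is constructed here.

```python
import xml.etree.ElementTree as ET

# Constructed sample site-root web.config (not from the post): App1 is fully locked,
# AppWebService is partially locked, App3 sets a level but forgets allowOverride="false".
SAMPLE_WEB_CONFIG = """<configuration>
  <location path="App1" allowOverride="false">
    <system.web><trust level="High"/></system.web>
  </location>
  <location path="AppWebService" allowOverride="true">
    <system.web><trust level="Medium" lockAllAttributesExcept="originUrl"/></system.web>
  </location>
  <location path="Default Web Site/App3">
    <system.web><trust level="Medium"/></system.web>
  </location>
</configuration>"""

def _csv(value):
    """Split a comma-separated attribute value into a list of names."""
    return [name.strip() for name in value.split(",") if name.strip()]

def audit_trust_locks(config_xml):
    """Map each <location> path that sets <trust> to (level, level_is_locked).
    The level is locked when a child web.config cannot change it: allowOverride="false"
    on the <location>, or lockAllAttributes / lockAttributes / lockAllAttributesExcept
    on <trust> covering the 'level' attribute."""
    results = {}
    for loc in ET.fromstring(config_xml).iter("location"):
        trust = loc.find("./system.web/trust")
        if trust is None:
            continue
        # allowOverride defaults to true when the attribute is absent
        allow_override = loc.get("allowOverride", "true").lower() == "true"
        lock_all = trust.get("lockAllAttributes", "false").lower() == "true"
        in_lock_list = "level" in _csv(trust.get("lockAttributes", ""))
        except_list = trust.get("lockAllAttributesExcept")
        locked_by_except = except_list is not None and "level" not in _csv(except_list)
        level_locked = (not allow_override) or lock_all or in_lock_list or locked_by_except
        results[loc.get("path", "")] = (trust.get("level"), level_locked)
    return results

def overridable_apps(config_xml):
    """Paths whose trust level a child web.config could still raise: the audit finding."""
    return sorted(p for p, (_, locked) in audit_trust_locks(config_xml).items() if not locked)

if __name__ == "__main__":
    for path, (level, locked) in audit_trust_locks(SAMPLE_WEB_CONFIG).items():
        print(f"{path:28} level={level:7} locked={locked}")
    print("overridable:", overridable_apps(SAMPLE_WEB_CONFIG))
```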