If you want to execute .NET assemblies from a network share (as an example), you need to increase the permissions for the file. By default you are only allowed to execute local .NET assemblies.
You uniquely identify a .NET assembly by adding a "Strong Name". A "Strong Name" consists of the public key token, culture, version and PE file name. To sign a .NET assembly with a "Strong Name" you need the sn.exe utility from an MS SDK (for example the MSI SDK) and the caspol.exe utility from .NET v2.
Step-by-step guide to sign a .NET assembly with a strong name:
1. Generate a new key pair:
> sn.exe -k keypair.snk
2. Extract the public key:
> sn.exe -p keypair.snk pkey.pub
3. Disassemble the .NET assembly:
> ildasm.exe YourFile.exe /out:YourFile.il
4. Re-assemble the .NET assembly and sign it with a "Strong Name":
> ilasm.exe YourFile.il /KEY:keypair.snk
5. Verify that the file is now signed:
> sn.exe -vf YourFile.exe
You may now add the public key of our strong name to the local machine. But first we need to know the public key (as a hex value):
> sn.exe -tp pkey.pub
Now we add the strong name to our workstation:
> caspol.exe -machine -addgroup 1 -strong -hex 002400000… -noname -noversion FullTrust -n "GROUP-NAME" -description "DESCRIPTION"
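The following Python example is added here and is not part of the original guide: it parses the file written by `sn.exe -p` (pkey.pub), checks its layout and derives the public key token, so the hex value passed to `caspol.exe -strong -hex` can be compared against the key you generated before it is granted FullTrust. The sample blob is constructed with a filler modulus, not a real key, and the function and field names are assumptions of this example.

```python
import hashlib
import struct

HEADER = struct.Struct("<III")           # SigAlgID, HashAlgID, cbPublicKey
RSA_HEADER = struct.Struct("<BBHI4sII")  # BLOBHEADER fields + RSAPUBKEY fields


def parse_public_key_blob(blob: bytes) -> dict:
    """Validate a strong-name public key blob and derive its token."""
    if len(blob) < HEADER.size + RSA_HEADER.size:
        raise ValueError("blob too short")
    sig_alg, hash_alg, cb_key = HEADER.unpack_from(blob, 0)
    if cb_key != len(blob) - HEADER.size:
        raise ValueError("declared key length does not match blob size")
    b_type, _ver, _rsvd, _key_alg, magic, bits, exponent = RSA_HEADER.unpack_from(
        blob, HEADER.size)
    if b_type != 0x06 or magic != b"RSA1":
        raise ValueError("not an RSA public key blob")
    modulus = blob[HEADER.size + RSA_HEADER.size:]
    if len(modulus) * 8 != bits:
        raise ValueError("modulus length does not match declared bit length")
    # Token = last 8 bytes of SHA-1 over the whole blob, in reverse order.
    token = hashlib.sha1(blob).digest()[-8:][::-1].hex()
    return {"sig_alg": sig_alg, "hash_alg": hash_alg, "bits": bits,
            "exponent": exponent, "token": token, "hex": blob.hex().upper()}


def build_sample_blob() -> bytes:
    """Constructed sample: 1024-bit layout with a filler modulus (not a real key)."""
    modulus = bytes(range(128))
    rsa = RSA_HEADER.pack(0x06, 0x02, 0, 0x2400, b"RSA1", 1024, 65537) + modulus
    return HEADER.pack(0x2400, 0x8004, len(rsa)) + rsa


if __name__ == "__main__":
    info = parse_public_key_blob(build_sample_blob())
    print(info["bits"], info["exponent"], info["token"])
    print(info["hex"][:32] + "...")
```

For a real key, pass the bytes of pkey.pub (read in binary mode) to `parse_public_key_blob` and compare the returned `hex` and `token` with the output of `sn.exe -tp pkey.pub`.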
The default "caspol.exe" directory is C:\Windows\Microsoft.NET\Framework\v2.0.50727. To verify the .NET permissions, use these two commands:
> caspol.exe -ld (list description)
> caspol.exe -lg (list groups)
The advantage of using a strong-named .NET assembly is that you are certain that the assembly is NOT modified, and you can increase the permissions for this assembly (so it may run directly from a share).
Another approach (but less secure) to increase .NET permissions is to add a URL as the identifier:
> caspol.exe -machine -addgroup 1 -url \\server\share\path\* FullTrust -n "GROUP-NAME" -description "DESCRIPTION"
Group 1 (-addgroup 1) is the root code group.
