Allowing Full Trust for a specific IIS web site

Last post 01-04-2008 6:33 PM by OWScott. 6 replies.

  • Allowing Full Trust for a specific IIS web site

    01-04-2008, 12:52 PM
    • Participant
      1,585 point Participant
    • WEBPC
    • Member since 12-10-2004, 12:42 PM
    • Bedminster, NJ USA & Sydney, Australia
    • Posts 320

    In our environment we have set the .Net trust level to 'Medium' and set override=False.

    Now we want to allow some specific sites to run at full trust without every site owner being able to override the default medium level.  How can I do this? Would assume it involves some additional entries in the machine web.config file.

    TIA

    Antony 

  • Re: Allowing Full Trust for a specific IIS web site

    01-04-2008, 1:02 PM
    • Member
      674 point Member
    • Tareq
    • Member since 10-12-2006, 8:07 PM
    • Posts 267

    I believe you can do this in IIS. Create a new application pool in IIS and run it under Local System. Warning: this is the highest level of permission you can give a website. Then you can go to your website from IIS and change the application pool to the one you just created. Hope this helps you.

     Good Luck

    Tareq

    Please Visit my Site at: TareqMahmud
  • Re: Allowing Full Trust for a specific IIS web site

    01-04-2008, 1:13 PM
    • Participant
      1,585 point Participant
    • WEBPC
    • Member since 12-10-2004, 12:42 PM
    • Bedminster, NJ USA & Sydney, Australia
    • Posts 320

     Tareq,

    Thanks for the response.  We run each site/app in its own application pool using individual user accounts and don't want to run them with a high level account.

    I believe that we can do what we want by adding entries to the machine web.config, I just don't know the entries.

    Antony 

  • Re: Allowing Full Trust for a specific IIS web site

    01-04-2008, 1:15 PM
    • Participant
      1,758 point Participant
    • OWScott
    • Member since 08-12-2002, 5:25 PM
    • North Carolina
    • Posts 350
    • ASPInsiders
      TrustedFriends-MVPs

    Actually, even running the app pool as Local System won't get around CAS.  This is an ASP.NET code level check that isn't controlled by the process identity.

    To change it, you must change it in the root web.config file.  But there are 2 considerations to be mindful of:

    • Giving some people full trust violates the trust of the whole server, unless you and everyone else on the server trust them.  For example, you can set to full trust for your own admin site, but if you do it just because someone's site doesn't work in partial trust, that person now has access to get around the CAS security check which defeats the purpose of CAS.  So, for CAS to work properly, it needs to apply to everyone, not just some people.
    • Every time you 'touch' web.config, an AppDomain recycle will occur on the entire server, so all InProc session state and caching will be lost and you'll have many slow first-page-loads. So, the change has a large impact on the server.

    But, that said, if you decide to do it, here is how:

    In your root web.config, under the <configuration> level, add something like this:

      <location allowOverride="false" path="Default Web Site">
        <system.web>
          <securityPolicy>
            <trustLevel name="Full" policyFile="internal"/>
            <trustLevel name="High" policyFile="web_hightrust.config"/>
            <trustLevel name="Medium" policyFile="web_mediumtrust.config"/>
            <trustLevel name="Low" policyFile="web_lowtrust.config"/>
            <trustLevel name="Minimal" policyFile="web_minimaltrust.config"/>
          </securityPolicy>
          <trust level="Full" originUrl=""/>
        </system.web>
      </location>

    This will apply to just the site set in the path attribute and can be set to any of the security policies defined, or Full, as in this example.

    Thanks,

    Scott

    Scott Forsyth
    Director of IT
    ORCS Web, Inc
    www.orcsweb.com
  • Re: Allowing Full Trust for a specific IIS web site

    01-04-2008, 1:28 PM
    • Member
      674 point Member
    • Tareq
    • Member since 10-12-2006, 8:07 PM
    • Posts 267

    Cool. Learned something new today.

    Please Visit my Site at: TareqMahmud
  • Re: Allowing Full Trust for a specific IIS web site

    01-04-2008, 3:05 PM
    • Participant
      1,585 point Participant
    • WEBPC
    • Member since 12-10-2004, 12:42 PM
    • Bedminster, NJ USA & Sydney, Australia
    • Posts 320

    Scott

    thanks for the info. Just to make sure I am on the right path.  Am I right in thinking that "Default Web Site" in the

     

    OWScott:
    <location allowOverride="false" path="Default Web Site">

     

    line refers to the site description in IIS and would work for any of the other site descriptions?

    I am aware of the security implications but thanks for clarifying them.

    Antony 

  • Re: Allowing Full Trust for a specific IIS web site

    01-04-2008, 6:33 PM
    • Participant
      1,758 point Participant
    • OWScott
    • Member since 08-12-2002, 5:25 PM
    • North Carolina
    • Posts 350
    • ASPInsiders
      TrustedFriends-MVPs

    Hi Antony,

    Yes, you're correct.  That is just the website name in IIS.  In theory it could be confused since IIS6 doesn't enforce site name uniqueness, (in fact, the metabase property is called ServerComment which doesn't even sound like a name of a site) but most people don't have duplicate site names for their own sake.

    You can set it up for a subfolder too if you want, for example path="Site.com/subfolder".

    Thanks,

    Scott

    Scott Forsyth
    Director of IT
    ORCS Web, Inc
    www.orcsweb.com
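
An added example, not part of the thread: a Python audit of the per-site `<location>` trust overrides described in Scott's two posts (site name or `Site.com/subfolder` in `path`), listing which paths are raised above the server default and which are left overridable. The sample config, the function names and the `Medium` baseline are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample root web.config (not from the thread): a locked Medium
# default plus two per-site exceptions in the style of the posted snippet.
SAMPLE_ROOT_CONFIG = """<configuration>
  <location allowOverride="false">
    <system.web><trust level="Medium" originUrl=""/></system.web>
  </location>
  <location allowOverride="false" path="Default Web Site">
    <system.web><trust level="Full" originUrl=""/></system.web>
  </location>
  <location path="Site.com/subfolder">
    <system.web><trust level="High" originUrl=""/></system.web>
  </location>
</configuration>"""

# Trust level names from the posted <securityPolicy>, least to most privileged.
LEVELS = ["Minimal", "Low", "Medium", "High", "Full"]


def audit_trust(config_xml, baseline="Medium"):
    """Return one finding per <location> element that sets a trust level."""
    root = ET.fromstring(config_xml)
    findings = []
    for loc in root.iter("location"):
        trust = loc.find("system.web/trust")
        if trust is None:
            continue
        level = trust.get("level", "")
        # allowOverride defaults to true when the attribute is absent.
        locked = loc.get("allowOverride", "true").lower() == "false"
        findings.append({
            "path": loc.get("path", "(server default)"),
            "level": level,
            "locked": locked,
            "above_baseline": level in LEVELS
            and LEVELS.index(level) > LEVELS.index(baseline),
        })
    return findings


def exceptions(findings):
    """Paths to review: raised above the baseline, or left overridable."""
    return [f["path"] for f in findings if f["above_baseline"] or not f["locked"]]


if __name__ == "__main__":
    for finding in audit_trust(SAMPLE_ROOT_CONFIG):
        print(finding)
```

Because the `path` value is only the IIS site description, each reported path still has to be matched against the sites that actually carry that name.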