Tags: reporting-services, web-config, .net-4.5, code-access-security, full-trust

Risks of "Full" trust mode


We are facing a slow performance issue on SSRS 11 and .NET 4.5.

A solution is to set trust mode to full in web.config. What are the risks of such modification?


Solution

  • First of all, you can grant the Full Trust level to only the assemblies you need via the FullTrustAssembliesSection in web.config, and this can be done only for signed assemblies:

    <system.web>
      <securityPolicy>
        <fullTrustAssemblies>
          <add assemblyName="MyCustomAssembly"
            version="1.0.0.0"
            publicKey="a 320 hex character representation
            of the public key blob used with a
            signed assembly"
          />
        </fullTrustAssemblies>
      </securityPolicy>
    </system.web>
    

    Note that

    The default policy for evaluating permissions grants full trust to the Global Assembly Cache (GAC) assemblies and partial trust to the other assemblies.

    And also note that you can configure the trust level for an application in IIS.

    So these options let you determine exactly which assembly should run under the FullTrust policy and leave the other ones at the defaults. If, however, you are still concerned about the trust level for your application or some library, I suggest you investigate the Trust Level table and answer these questions:

    • Does our application work with third-party components?
    • Are we running their code at the minimum possible trust level?
    • What exactly should custom code in our application be able to do?
    • Could we manage this permission via the application's identity?
    • Could we manage this permission via CAS rules?
    • Could we move the third-party code to a separate sandbox ApplicationDomain?

    After that you can manage your application security as you would like. Hope this helps.

    See also:
    • ASP.NET Application Security in Hosted Environments
    • Security Practices: ASP.NET Security Practices at a Glance
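The last of the questions above, moving third-party code into a separate sandboxed AppDomain, as an added example that is not part of the original answer: a .NET Framework 4.x console program (the names `UntrustedWorker`, `MinimalGrantSet` and `CreateSandbox` are hypothetical, chosen for this example) that creates an AppDomain whose grant set contains only SecurityPermissionFlag.Execution, loads a worker into it, and shows that a file write from inside the sandbox fails with a SecurityException while pure computation still runs. The temp-file path is constructed for the demo.

```csharp
// Added example, not from the original answer or from SSRS itself.
// Assumes .NET Framework 4.x: AppDomain sandboxing and CAS grant sets
// do not exist in .NET Core / .NET 5+.
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

namespace SandboxDemo
{
    // Runs inside the sandbox domain. MarshalByRefObject so the host calls it
    // across the AppDomain boundary instead of copying it into the host domain
    // (where it would run with the host's full trust).
    public class UntrustedWorker : MarshalByRefObject
    {
        // Pure computation: needs only SecurityPermissionFlag.Execution.
        public long SumTo(int n)
        {
            long total = 0;
            for (int i = 1; i <= n; i++) total += i;
            return total;
        }

        // File.WriteAllText demands FileIOPermission, which the sandbox
        // grant set does not contain, so this throws SecurityException.
        public void WriteFile(string path)
        {
            File.WriteAllText(path, "written from the sandbox");
        }
    }

    public static class Program
    {
        // Grant set containing nothing but the right to execute managed code.
        // This is the in-process equivalent of a restrictive <trust level="..."/>.
        public static PermissionSet MinimalGrantSet()
        {
            var grant = new PermissionSet(PermissionState.None);
            grant.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
            return grant;
        }

        public static AppDomain CreateSandbox()
        {
            // ApplicationBase is where the sandbox resolves assemblies. For this
            // single-executable demo it is the host's own directory; for real
            // third-party code point it at that code's own directory instead.
            var setup = new AppDomainSetup
            {
                ApplicationBase = AppDomain.CurrentDomain.BaseDirectory
            };
            // No fullTrustAssemblies are passed, so everything loaded into this
            // domain, this executable included, runs with MinimalGrantSet().
            return AppDomain.CreateDomain("Sandbox", null, setup, MinimalGrantSet());
        }

        public static void Main()
        {
            AppDomain sandbox = CreateSandbox();
            var worker = (UntrustedWorker)sandbox.CreateInstanceAndUnwrap(
                typeof(UntrustedWorker).Assembly.FullName,
                typeof(UntrustedWorker).FullName);

            // Allowed: only Execution is needed.
            Console.WriteLine("SumTo(100) = {0}", worker.SumTo(100));

            // Constructed target path for the demo.
            string target = Path.Combine(Path.GetTempPath(), "sandbox-probe.txt");
            try
            {
                worker.WriteFile(target);
                Console.WriteLine("File written: the grant set is wider than intended");
            }
            catch (SecurityException ex)
            {
                // Expected: FileIOPermission was demanded and the sandbox lacks it.
                Console.WriteLine("Blocked by CAS: {0}", ex.Message);
            }
            finally
            {
                AppDomain.Unload(sandbox);
            }
        }
    }
}
```

Compile this as a .NET Framework console application and run it; the write attempt is the check that the grant set really is as narrow as you think. Two caveats a practitioner should keep in mind: Microsoft documents that CAS and partial-trust sandboxing in the .NET Framework are not supported as a security boundary against hostile code, so this limits accidents rather than stopping a determined attacker in the same process; and if you pass your own signed assembly in the fullTrustAssemblies parameter of AppDomain.CreateDomain (the programmatic counterpart of the web.config fullTrustAssemblies element above), that assembly regains full trust inside the sandbox, so keep that list to the minimum you actually need.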