Tales from the Evil Empire

Bertrand Le Roy's blog

News


Bertrand Le Roy

BoudinFatal's Gamercard

Tales from the Evil Empire - Blogged

Blogs I read

My other stuff

Archives

How important is medium trust to you?

(c) 2009 Bertrand Le roy I would be very grateful if you could drop me a note in comments answering the following questions:

  1. Do you run all, some or none of your web sites in medium trust?
  2. Why do you choose to run in that trust level?
  3. Are your sites externally hosted and if so does your hoster constrain the trust level?

Don’t read anything into this, I’d just like to see some different opinions on medium trust.

Comments

Daniel said:

It's important to me because it's important to my customers. Also, several cloud services require medium trust. You have to think around certain problems, but ultimately, it's a good exercise in "liberating constraints" to run all of your web sites in medium trust, and compile all of them on .NET and Mono.

# December 4, 2009 12:22 AM

donkiely said:

It is critical, for a variety of reasons. Most important, Web sites are more secure when running in medium trust (or a custom trust level with medium trust as a starting point). For this reason, many hosting companies wisely only allow medium trust, and some of my Web sites have to run in those environments.

# December 4, 2009 1:39 AM

PNasser said:

1. All of our sites (internal only) are run on medium

2. Need File and Environment Permissions

3. Internally hosted / servers can't get past the firewall in either direction

# December 4, 2009 2:11 AM

HeartattacK said:

1. Mostly full trust.

2. Mostly don't have a compelling reason to do meium trust.

3. The sites that are on shared hosting are hosted with different hosts. A few clients' hosts don't allow full trust. We're forced to do medium trust then. If the hosts allow it or if we're hosting on dedicated servers, we use full trust almost all the time.

# December 4, 2009 2:40 AM

Joannes Vermorel said:

I have been asking about the purpose of Medium Trust in the Windows Azure forums too just a few days ago.

Actually, since very basic .NET parts such as BinaryFormatter requires higher trust, we end-up using virtually everything running in full trust.

Although, I do understand the technical constraints of Medium Trust, I have never really seen the benefits for the app itself (I do understand the benefits for the shared hoster, but cheap VMs, this point is becoming moot).

For example, I think "User vs. Admin" under WinXP, I can see many benefits of not running as Admin for the end-user. Yet, for an ASP.NET app, I am not to see any clear actual benefits of medium trust for the app itself.

# December 4, 2009 2:46 AM

Andrei Rinea said:

I used to regard it with respect but now, since I develop larger and larger sites that run on VPSes or dedicated servers it is no more important to me.

However for very small businesses or personal sites it could be a thing to take into account.

# December 4, 2009 3:01 AM

David James said:

1. None

2. It's the default; all code is either trusted third party libraries, or developed in-house; hosting is customised with dedicated Windows accounts per-application and use Windows access controls.

3. Hosted on colo/dedicated servers we manage ourselves, so no.

# December 4, 2009 3:33 AM

Stephen M. Redd said:

Microsoft has done a poor job really explaining the concepts around code access security in general. The information is out there of course, but the entire system is simply too complex and convoluted to really grasp unless code access security is a prime focus of your job.

I'm sure at large shops this isn't much of a problem, but for smaller shops and independent developers, developing for medium trust can be difficult. Also, a LOT of third party code and components break at restricted trust, and the vendors (not understanding code access any better than the rest of us) don't document which exceptional permissions you need to setup.

So you can either muck about for hours on end trying to identify specifically which custom policy you need to setup to get the thing to work, or you can flip the trust level to full. After getting our backsides handed to us a the first few times trying to do the right thing with medium trust, we just stop bothering to try it anymore.

While code access security and all of the associated complexity is nice to have for the few shops that REALLY need it, I see little to no evidence that the majority of developers care about the topic at all. The defaults of full trust are expected to be reasonably secure (and they are in my opinion) so only those organizations with the resources on staff to care about code access will bother to use it.

Also, to date I have not seen a server or app hacked because the app ran in full trust. In every case I’ve heard of or seen myself, the application exposed the vulnerability through a necessary feature or function. In those cases, had the application been in a restricted trust level, the vulnerable component would have still necessitated an exception rule to the trust policy in order to function normally; and thus the exploit vulnerability would still have been present.

Most of the dangerous things a compromised application can do (send emails and read files and such) are things that it can also do in medium trust anyway... so targeting medium trust doesn't even seem to reduce the potential impact of a compromised application very much.  

Security conscious shops will put more effort into just making sure the web server isn’t too dangerous should it get compromised by restricting the server at the OS and network level. That’s far simpler than trying to understand CAS, and in the end probably a much more effective use of time and money.

Trust levels below medium aren't practical at all for any but the most trivial of applications.

The 4 different hosting providers I've used have all provided full trust. Most do tighten a few screws internally (like restricting IO to the hosted apps virtual directories only) but otherwise they let you have at it and just pray you don't host something stupid.

Mostly this works for them and holds down their tech support costs. The few hosts I've heard of running at medium trust get hammered with customers having problems getting their hosted apps to actually run. So in the end they either have to Swiss cheese their configurations on a customer-by-customer basis (expensive overhead on their part) or they lose a lot of customers to less restrictive hosting providers that don't limit the trust level so much.      

# December 4, 2009 3:34 AM

mjm2 said:

1) We run all our apps in medium trust.

2) Bcoz shared hosting server we use allow medium trust

3) Yes

# December 4, 2009 4:10 AM

Vasudeva. S said:

Medium Trust with a few modifications should be good enough for any site.  The File I/O is not supported in medium trust, so if you are creating a Captcha image then the application without File I/O permission will fail.  I guess it would be same to any file creation on the server as it requires I/O operation.  

# December 4, 2009 5:08 AM

Igor Latyshev said:

I run 50% of my sites in medium trust, hosted using external providers. All of my host providers constrain .NET environment to be in medium trust. It's quite important for me that existing libraries and frameworks run in medium trust unaffected.

Regards,

Igor Latyshev

# December 4, 2009 5:15 AM

Frederic Hallot said:

1. yes

2. external hosters

3. yes , yes

# December 4, 2009 5:25 AM

alexandershapovalov said:

My project at work are all in Full trust, because it's anyway intranet, so there is a small risk. And it's no problem with some popular frameworks such as NHibernate.

My personal websites are in medium trust because GoDaddy provides medium trust hosting. I can change hosting but for me there are no problem with medium trust. The only problem is Lazy load in NHibernate (I have to switch it off).

# December 4, 2009 7:26 AM

Frederico B. Emídio said:

1.I never use medium trust, only full trust.

2.I choose to use full trust ‘cause I normally use some reflection, Activator or CodeDom and other things like this.

3.The hoster I use nowadays uses full trust, but I had some problems in the past with other hosters

# December 4, 2009 7:37 AM

Garry said:

Internally I do not.

My hosted accounts are all a slightly customised version of medium trust(My ISP will not move on this). This gives me issues with the DNN framework and around relection.

I understand the reasons behind it, and it would be good if Visual Studio allowed for targeted deployments in a similar way it does for the version of the framework.

# December 4, 2009 8:08 AM

labilbe said:

As a user of NHibernate I need a fulltrust configuration.

# December 4, 2009 8:19 AM

alessandro said:

1) All in medium trust

2&3) Yup, externally hosted. This is the comfort zone trust level almost every webhoster out there has chosen to take apparently.

You simply end up giving up quite a bit to satisfy this trust level. Reflection for one is a big no no.

It's quite common or rather clever, to develop with the trust level set to medium trust explicitly in web.config ( just to ensure that your final product wont break when you up it to your webhost).

# December 4, 2009 8:20 AM

Mike said:

We design, code AND host sites for our clients. Some features of our CMS can't work in medium trust. But even then, we decide not to change the trust, but not to use those features. Precompilation allows us to do things in the dev-cycle that are not possible on the server in medium trust.

I guess the question becomes more urgent in .NET 4 when we could possible see a CMS offer dynamically compiled templates/plugins using script languages that run on the DLR. I have no idea how that would be impact by trust.

But the short story is that we don't change trust level. Seems like the right thing to do, because should we ever move the site to a different host, there might be a problem if we relied on a different than normal trust level.

Thanks!

# December 4, 2009 8:31 AM

joelvarty said:

Personally, I think medium trust is a waste of time and effort.  I've had external hosting providers turn it on without notifying us, or change the actual setting of what is enabled in medium trust, such as binary formatter for serialization.

It's my hope that better virtualization implementations on cloud platforms like Azure will make the notion that medium trust is more secure just go away.

# December 4, 2009 8:42 AM

Sébastien Ros said:

1. I run all my web sites in full trust

2. I deploy only my own web sites on them, so I don't want to bother with unconfidency

3. I think a CMS should be able to work in medium trust, because it targets a different user base, if that's what you mean

# December 4, 2009 8:50 AM

Craig said:

For internal development for my company, everything is done with full trust, simply because we're the only ones with access (hosted internally), and anything we do is easily traceable to who did it.  Medium trust would just cause complications that we would have to resolve on a case by case basis.

Obviously, it's invaluable to a hosted environment, though.  You never know who you're going to share a server with...  If I had anything important on a hosted site, I would want it protected.  The trust level just depends on what it is that needs protecting.

# December 4, 2009 9:13 AM

Joe Audette said:

On a dedicated server with only apps I have installed myself I never use medium trust. Most shared hosting environments do enforce medium trust or some custom variation. Presumably this protects the server and protects your site from mischief that other rogue apps on the server may try to do. I will say in those cases where I have had sites hosted under full trust in shared hosting I've never known of any problems (not that this means there never are any).

To me as a web developer Medium Trust has always been a hassle that I have had to deal with so that my apps can run in environments where it is enforced. So many things I've implemented only to find it doesn't work in Medium Trust and then have had to change the implementation or put in a workaround to support medium trust. Very glad that VirtualPathProviders will work in medium trust in ASP.NET 4 for one example. Other challenges under medium trust are Serialization where there are challenges with Binary or Soap Formatters and only Xml Serialization works easily, use of Reflection is very limited, supporting alternate databases is challenging unless the host installs the ado drivers in the GAC, etc, etc.

# December 4, 2009 9:56 AM

Erick Stubbs said:

1. no

2. we dont

3. externally hosted, not constrained.

# December 4, 2009 11:11 AM

Michael Johnson said:

My team currently is in the process of deploying our first ASP.NET website. We are deploying to Rackspace Cloud, which requires we run in medium trust.

This has caused problems for us. It means we have custom builds of NHibernate and Castle Windsor, which I personally would prefer not to have. But medium trust makes things different. My personal preference would be for the different trust levels to go away and just have everything work. But my guess is that will be easier said than done.

# December 4, 2009 11:54 AM

Milan said:

My hoster chooses to have medium trust enabled for all sites, and it is a little bit annoying. I usually do not hit wall, but when I do, I'm doomed or I have to do some havy workarounds.

# December 4, 2009 12:25 PM

Joe Enos said:

My personal sites are in medium trust, because I go through GoDaddy's standard hosting, which doesn't allow full trust.  I really don't like having to use medium trust, because it stops me from doing a lot of things, like ASP.NET chart controls or other similar charts, Anti-XSS, or several other things that should be straightforward in a web application, but are simply denied in medium trust.

After my contracts are up with GoDaddy, I may switch over somewhere else because of this.

# December 4, 2009 2:57 PM

Joannes Vermorel said:

+1 Stephen M. Redd

+1 joelvarty

# December 4, 2009 3:16 PM

Lenny Reed said:

1. All sites are required to be run in medium trust or a custom level derived from medium.  

2. Frankly, I dont wish to grant 100% control over my server and file system to some wannabe hacker.  Think of the damage that could be done just exploiting the System.IO namespace alone.  That in iteslf was enough of a case for me.

3. We dont usually have any externally hosted sites.

# December 4, 2009 4:15 PM

dc said:

I prefer full trust.  I do not like medium trust for these reasons:

- Medium trust seems to break seemingly 'normal' things you can do with asp.net.  There is no warning saying that something won't work in medium trust.  In other words I don't really know all the things medium trust does not allow so it's difficult for me to develop against it.

- A lot of 3rd party library do not work in Medium trust and that is out of my control.

I understand the benefits of medium trust as far as it is supposed to make a host safer and more secure, but I still do not like developing under medium trust.

# December 4, 2009 4:16 PM

Roger Martin said:

Medium trust does not allow progress indicators of file uploads in an ASP.NET app. This seems to be an unnecessary restriction that is not appreciated by users of my open source gallery web app Gallery Server Pro.

# December 4, 2009 10:55 PM

jeremyh said:

It would be good if all the starter kits from the asp.net site ran in medium trust or had clear steps on how to get around the issues. As this would help alot of people just starting out with asp.net.

# December 5, 2009 4:50 AM

Dave said:

I've had one major hang-up with medium-trust. I have never been able to get NHibernate to work under medium trust. From my own "research", it seems that most common 3rd party ORM packages do not support medium trust.  

# December 5, 2009 11:36 PM

mariner said:

I'm trying to use medium trust with a custom role provider but it is not that easy. Don't want to deploy anything to GAC so trying to use application's /bin folder. Have enabled allow partial trusted callers and strongnamed the assembly but still getting security errors in IIS7.

I think Microsoft need to make this easier to run with limited trust.

# December 7, 2009 11:32 AM

Jim H said:

I think medium trust is stupid.  It doesn't provide any better security in a shared hosting environment, unless all applications a forced use .Net and can't use any other language.  PHP, Classic ASP, etc.  don't run under medium trust, and therefore you can get around all of the trust issues if you wanted to by using another language.

# July 25, 2010 12:35 PM

Bertrand Le Roy said:

@Jim: PHP and ASP also run in a sandbox of sorts and what you can or cannot do can be restricted in similar ways. Plus, your hoster won't necessarily allow for classic ASP and PHP.

I'm not a big fan of medium trust myself but for the reasons you gave.

# July 25, 2010 11:23 PM

John said:

I've had only a couple of minor issues with developing sites for us in medium trust.  I can only think of one instance (PDF generation with Telerik reporting component) that required full trust.  I've used the DevExpress ORM and most of the controls in the Telerik ASP.Net suite with no problems in medium trust or Rackspace cloud hosting.

I agree with Stephen that MS has done a poor job explaining the differences in code access security.

# August 4, 2010 5:57 PM