I'm Keyvan Nayyeri, a 28-year-old software engineer working at Match.Com and living in Dallas, Texas.
This issue coming up for us on [ASPnix] pushed me to write this post. The Medium trust issue in ASP.NET 2.0 is one of the most common problems developers face in shared hosting environments. Those of you who haven't deployed an ASP.NET 2.0 application to a shared hosting server probably haven't faced it yet, but you will soon!
ASP.NET 2.0 shipped with a new security feature that sets the trust level for applications, per server or per application. Server administrators can use this feature to tighten security. By default, .NET 2.0 applications run with Full trust, so you don't see this on your development machines. But on most shared hosting servers, administrators set this to Medium. This causes problems for applications that use certain parts of .NET 2.0 in their code. You can override this configuration in your web.config and change it to a higher or lower level, but again, most hosting providers don't allow you to override it. This caused (and causes) many issues for .NET developers with their web applications. Here I write a short story about this to give my own ideas and solutions.
For those who don't know this configuration: Microsoft added it to .NET 2.0 to make it easier for administrators and developers to manage application security. Microsoft has grouped operations in .NET and assigned each group to a security level. For example, file IO, OLEDB connections and several other operations are grouped in the Medium trust level. So once you set your level to Medium, you can't use these operations in your web applications. This isn't fair, because some of these operations are necessary for many applications. Who can live without IO operations?! I think Microsoft didn't make this configuration clear enough. It seems they wanted to make it easier for administrators to configure security, but that doesn't mean administrators have to set the trust level to the lower levels. Having a High trust level doesn't mean having insecure applications (this is my opinion, based on what I got from the Microsoft documentation), but unfortunately most hosters think they should use lower levels to prevent any security issue.
Hosters have to think about security and they have to improve it. Microsoft added this configuration to help them run a more secure server, but there are techniques for setting custom trust levels.
If you don't know how to set the trust level for your server or application, you do it in machine.config or web.config. Add the following line to your configuration file under <system.web>:
<trust level="High" originUrl="" />
You can set the level to Full, High, Medium, Low, Minimal.
You can also go further and, in machine.config, lock this setting so that individual applications cannot override it:
<location allowOverride="false">
  <system.web>
    <trust level="High" originUrl="" />
  </system.web>
</location>
Because hosters have done this, developers can't override this configuration in their applications, and all the problems stem from here!
But what's the solution? How can we find a middle ground between hosters and developers?! This is my own idea based on my experience, but I think it is a good solution:
Hosters can use a custom trust level for their servers. What does this mean? It means they can enable selected operations within a security level. For example, they can enable file IO operations and OLEDB connections for developers and leave the other operations disabled in the Medium trust level.
To do this and create a custom level based on the Medium level, first go to %windir%\Microsoft.NET\Framework\v2.0.50727\CONFIG and find the configuration file named web_mediumtrust.config, then open and modify it. Here I modified my configuration to give write access to my C:\Keyvan\Mydir directory. This file lists all of the restricted operations, and you can change the permissions to suit your needs.
<IPermission
class="FileIOPermission"
version="1"
Read="$AppDir$"
Write="c:\Keyvan\MyDir;$AppDir$"
Append="$AppDir$"
PathDiscovery="$AppDir$"
/>
After making all modifications, rename this file to something meaningful and copy it to the directory where your machine.config is located. I named my file mycustommediumtrust.config.
Now add this line to your machine.config to enable this custom level of trust:
<system.web>
  <securityPolicy>
    <trustLevel name="CustomMedium" policyFile="mycustommediumtrust.config" />
  </securityPolicy>
</system.web>
The policyFile attribute is the name of the modified file (mycustommediumtrust.config in my example).
This will enable some restricted operations on the server.
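Putting the steps above together, as an added example that is not from the original post: the server-level entries once the custom level is registered, selected and locked. It reuses the level name and file name from this post; the `<trust level="CustomMedium" />` line is the step that makes applications actually run under the new policy.

```xml
<!-- Added example, not from the original post.
     Server-level configuration file in the CONFIG directory named above
     (the post edits machine.config). On a stock install the securityPolicy
     and trust elements already exist: add the trustLevel line to the existing
     list and change the existing trust element instead of adding second copies. -->
<configuration>
  <!-- allowOverride="false" stops a site's web.config from choosing its own level -->
  <location allowOverride="false">
    <system.web>
      <securityPolicy>
        <!-- Registers the edited policy file under a new level name.
             A relative policyFile path is resolved next to this config file. -->
        <trustLevel name="CustomMedium" policyFile="mycustommediumtrust.config" />
      </securityPolicy>
      <!-- Selects the level. Registering the name alone changes nothing:
           applications keep running at whatever level is set here. -->
      <trust level="CustomMedium" originUrl="" />
    </system.web>
  </location>
</configuration>
```

Every application that runs at this level receives the same grants from the policy file, including the extra Write path, so on a shared server a common writable directory is writable by all tenants. Keeping each site's writable path inside its own $AppDir$ avoids that.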
It’s good to know this is the most common issue for Community Server 2.0 on .NET 2.0.
For more information about Medium trust in ASP.NET 2.0, read this article. To learn how to write your applications based on the code access security features in ASP.NET, and to get the full list of default trust levels and their restrictions, read this one on MSDN.
I will ask for help on the forums and send an email to Scott Guthrie asking him to give a short description of this topic on his blog, because this is an important issue for me nowadays.
Joggee
May 26, 2008 8:05 AM
#
I tried not using a data reader; use a dataset and you don't need to do anything, your application will work fine.
For more detail, check this out:
http://blog.joggee.com/?p=168
Richard
Sep 29, 2009 8:43 AM
#
We are still not able to run our application on godaddy.
Error on forms authentication and database factory methods, please help.
Thanks
Richard
Sep 29, 2009 8:52 AM
#
any help would be highly appreciated
JT
Dec 03, 2009 1:02 PM
#
I am still not able to run our application on godaddy.
My website is using VS2005, C#, ASP.NET 2.0. It was working on the old GoDaddy server, but after they shifted to a new server with ASP.NET 3.5 and changed the trust level to Medium, my website is down.
I can't even add a "Login" control in a simple aspx page; the error is:
System.Security.SecurityException: Request for the permission of type 'System.Security.Permissions.FileIOPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.
Hmm, this kind of server setting is ridiculous.
Any way to get around this in my web.config file? I can't do anything with the machine.config file since it is shared hosting.
Thanks