locked
Changing SfB IIS .Net Trust Levels RRS feed

  • Question

  • Hi,

    After changing .Net Trust Levels for SfB FE from Full to medium. SfB seems to be not working. Is there any way that I can do it? If so, what are the necessary steps to get it to medium?

    Tuesday, March 20, 2018 3:18 AM

Answers

  • Hi BensonL ,

    Based on my search ,you should set the IIS .Net Trust Levels to full. According to the IIS .Net Trust Levels, I find the following things.

    The official position of the ASP.NET team is that Medium Trust is obsolete. This means a few things:

    •We are automatically resolving all Medium Trust-related bugs reported to us as "won't fix".

    •We have provided guidance to host(s) that they should migrate away from Medium Trust and use proper OS-level isolation instead (http://support.microsoft.com/kb/2698981).

    •We are removing Medium Trust support from the frameworks we develop (MVC, WebAPI, SignalR, and so on). Going forward, applications built on these frameworks will require Full Trust.

    Here, the term "Medium Trust" above to refers to all non-Full Trust configurations in ASP.NET, including use of the built-in trust levels (Minimal, Low, Medium, High) or any custom trust levels.

    Edit 26 May 2015: The .NET Framework as a whole has deprecated partial trust, and customers are advised not to rely on it as a security boundary. From MSDN:

    Code Access Security in .NET Framework should not be used as a security boundary with partially trusted code, especially code of unknown origin. We advise against loading and executing code of unknown origins without putting alternative security measures in place.

    To address security vulnerabilities:

    - There aren't any security vulnerabilities

    - We just do not artificially restrict what the code can do.

    - We have to configure it properly and do things like, not run it as a domain admin and prevent it from calling unmanaged code by setting it to High trust.

    - Now we are saying that if you do not want it to be able to access things make sure you use a proper account context and configure proper security on your resources.”


    Best Regards,
    Leon Lu


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.


    Click here to learn more. Visit the dedicated forum to share, explore and talk to experts about Microsoft Teams.

    • Marked as answer by BensonL Thursday, March 22, 2018 1:58 AM
    Wednesday, March 21, 2018 7:56 AM

All replies

  • Hi Ben,

    I don't believe changing these levels is supported by Microsoft. May I ask why you changed them?

     - Craig
    blog.chiffers.com

    Tuesday, March 20, 2018 5:06 AM
  • Hi Craig,

    Is there any article that I can refer to by Microsoft that I can use it to explain to my client?

    Tuesday, March 20, 2018 7:52 AM
  • Hi BensonL ,

    Based on my search ,you should set the IIS .Net Trust Levels to full. According to the IIS .Net Trust Levels, I find the following things.

    The official position of the ASP.NET team is that Medium Trust is obsolete. This means a few things:

    •We are automatically resolving all Medium Trust-related bugs reported to us as "won't fix".

    •We have provided guidance to host(s) that they should migrate away from Medium Trust and use proper OS-level isolation instead (http://support.microsoft.com/kb/2698981).

    •We are removing Medium Trust support from the frameworks we develop (MVC, WebAPI, SignalR, and so on). Going forward, applications built on these frameworks will require Full Trust.

    Here, the term "Medium Trust" above to refers to all non-Full Trust configurations in ASP.NET, including use of the built-in trust levels (Minimal, Low, Medium, High) or any custom trust levels.

    Edit 26 May 2015: The .NET Framework as a whole has deprecated partial trust, and customers are advised not to rely on it as a security boundary. From MSDN:

    Code Access Security in .NET Framework should not be used as a security boundary with partially trusted code, especially code of unknown origin. We advise against loading and executing code of unknown origins without putting alternative security measures in place.

    To address security vulnerabilities:

    - There aren't any security vulnerabilities

    - We just do not artificially restrict what the code can do.

    - We have to configure it properly and do things like, not run it as a domain admin and prevent it from calling unmanaged code by setting it to High trust.

    - Now we are saying that if you do not want it to be able to access things make sure you use a proper account context and configure proper security on your resources.”


    Best Regards,
    Leon Lu


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.


    Click here to learn more. Visit the dedicated forum to share, explore and talk to experts about Microsoft Teams.

    • Marked as answer by BensonL Thursday, March 22, 2018 1:58 AM
    Wednesday, March 21, 2018 7:56 AM
  • Thank you Leon,

    I will relate that to my client.

    Thursday, March 22, 2018 1:58 AM