Robert Hurlbut Blog

Thoughts on Software Security, Software Architecture, Software Development, and Agility

ClickOnce security issues

Sunday, February 19, 2006

In a post titled "Beware (=be aware) of ClickOnce default Settings", Dominick Baier has published some startling results from research he completed with the .NET 2.0 RTM version of ClickOnce (going beyond the excellent article he and Keith Brown co-wrote here, based on the Beta 2 version). He points out that the default settings of ClickOnce changed in a significant way from Beta 2 to the RTM version:

Up to Beta 2 Microsoft chose the following default settings:

Intranet Zone & Trusted Sites: Permission Elevation allowed
Internet Zone: Elevation only allowed for applications signed by a trusted certificate with the “Code Signing” intended purpose.
Untrusted Sites: Permission elevation not allowed

and now:

Microsoft changed this default behaviour in 2.0 RTM – it is now:

Intranet Zone & Trusted Sites: Permission Elevation allowed
Internet Zone: Permission Elevation allowed
Untrusted Sites: Permission elevation not allowed

The significance of this is that an unsuspecting user could run malicious .NET 2.0 code from the Internet through a ClickOnce application, simply because an Internet-zone application can elevate its permissions after asking the user through the standard ClickOnce "let me have permission" dialog!

Dominick summarizes the post with these warnings:

So what to do next?
Make sure you understand the implications of the ClickOnce default settings. You can configure this behavior in the registry. I provide some .reg files to lock down the prompting behavior that you can import. I also wrote an administrative template that can be used to centrally distribute these settings via Active Directory Group Policy objects. Furthermore, educate your users that they should never run executables directly from the internet if they are not 100% sure about what they are doing.

In particular, Dominick (in related posts) points to this article by Brian Noyes which indicates the following:

The registry key \HKLM\Software\Microsoft\.NETFramework\Security\TrustManager\PromptingLevel is the one that allows you to customize the prompting behavior. This key is not present by default after a .NET Framework 2.0 installation, so you will have to create it manually if you want to customize these settings.

Dominick has provided these changes in the lockdown registry script. If you are writing ClickOnce applications, be sure to read this post, understand the issues, and use his suggestions for locking down your own deployment.
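
To check what a given machine will actually do, here is an added PowerShell example (not from the original post, and not Dominick's lockdown script) that reports the effective prompting level per zone and falls back to the RTM defaults described above when the key is absent. The value names (MyComputer, LocalIntranet, TrustedSites, Internet, UntrustedSites) and levels (Enabled, AuthenticodeRequired, Disabled) are assumed from Microsoft's ClickOnce trust prompt documentation, since the page names only the key; Get-ClickOncePromptPolicy is a hypothetical helper name.

```powershell
# Added example: audit the ClickOnce trust-prompt policy on the local machine.
# Value names and levels are assumed from Microsoft's ClickOnce documentation;
# the page itself names only the PromptingLevel key.
$key = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\Security\TrustManager\PromptingLevel'

# Levels in effect when the key or a value is missing (the 2.0 RTM defaults).
$defaults = [ordered]@{
    MyComputer     = 'Enabled'
    LocalIntranet  = 'Enabled'
    TrustedSites   = 'Enabled'
    Internet       = 'Enabled'
    UntrustedSites = 'Disabled'
}

# Zones where a plain user-approved elevation prompt should be flagged.
$restricted = 'Internet', 'UntrustedSites'

function Get-ClickOncePromptPolicy {
    param([string]$Path = $key)

    # The key is not created by a .NET 2.0 install, so absence is the normal case.
    $props = if (Test-Path $Path) { Get-ItemProperty -Path $Path } else { $null }

    foreach ($zone in $defaults.Keys) {
        $configured = if ($props) { $props.$zone } else { $null }
        $level      = if ($configured) { $configured } else { $defaults[$zone] }

        [pscustomobject]@{
            Zone    = $zone
            Level   = $level
            Source  = if ($configured) { 'Registry' } else { 'Default' }
            Finding = if ($zone -in $restricted -and $level -eq 'Enabled') {
                          'User can approve elevation without a trusted publisher'
                      } else { 'OK' }
        }
    }
}

Get-ClickOncePromptPolicy | Format-Table -AutoSize
```

On a machine with no PromptingLevel key, the Internet row reports Source "Default" and is flagged, which is the RTM behavior the post warns about.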
