Although they present a simplified development model, ASP.NET applications are fully fledged .NET applications that run on the CLR. ASP.NET pages and associated code-behind modules are compiled into .NET assemblies prior to execution. As such, ASP.NET applications are subject to the runtime's code-access security controls, which we discussed in Chapter 5 through Chapter 9. However, ASP.NET applications represent a different application model from the one we focused on in those chapters.
With ASP.NET applications, you are not facing the problem of protecting your machines from highly mobile code downloaded from a variety of untrusted and potentially questionable sources. Usually, you are dealing with a smaller number of ASP.NET applications from known sources that are being uploaded to a shared hosting server. Your primary concerns are ensuring that the ASP.NET application code cannot tamper with the operation of the operating system, affect other hosted applications, or gain undesired levels of access to internal network-based resources.
Under the default code-access security policy (which we discussed in Chapter 9), all ASP.NET applications execute with full and unrestricted access, because they run from the local machine. Given the concerns we have just outlined, this is clearly not acceptable. ASP.NET implements code-access security in a way that allows the capabilities of each ASP.NET application to be constrained to a safe and secure level.
To configure ...