
Caspol.exe (Code Access Security Policy tool)

Published by damcuvelier

The Code Access Security (CAS) Policy tool (Caspol.exe) lets users and administrators modify security policy at the machine, user and enterprise levels.

 

- Q: What is it for?

- A: Very useful for putting a policy in place on individual machines without having to change the domain policy.

 

Lots of information here:

http://msdn.microsoft.com/fr-fr/library/cb6t8dtz.aspx (translated page)

(Personally I prefer the version directly in English: http://msdn.microsoft.com/en-us/library/cb6t8dtz.aspx)

 

In case the executable disappears, it is available in my space: caspol.exe.7z

 

In case the page disappears, here are the executable's commands:

Caspol.exe (Code Access Security Policy Tool)


caspol [options]

Parameters (each option is followed by its description):

-addfulltrust assembly_file or -af assembly_file

Adds an assembly that implements a custom security object (such as a custom permission or a custom membership condition) to the full trust assembly list for a specific policy level. The assembly_file argument specifies the assembly to add. This file must be signed with a strong name. You can sign an assembly with a strong name using the Strong Name Tool (Sn.exe).

Whenever a permission set containing a custom permission is added to policy, the assembly implementing the custom permission must be added to the full trust list for that policy level. Assemblies that implement custom security objects (such as custom code groups or membership conditions) used in a security policy (such as the machine policy) should always be added to the full trust assembly list.

Caution:

If the assembly implementing the custom security object references other assemblies, you must first add the referenced assemblies to the full trust assembly list. Custom security objects created using Visual Basic, C++, and JScript reference either Microsoft.VisualBasic.dll, Microsoft.VisualC.dll, or Microsoft.JScript.dll, respectively. These assemblies are not in the full trust assembly list by default. You must add the appropriate assembly to the full trust list before you add a custom security object. Failure to do so will break the security system, causing all assemblies to fail to load. In this situation, the Caspol.exe -all -reset option will not repair security. To repair security, you must manually edit the security files to remove the custom security object.

-addgroup {parent_label | parent_name} mship pset_name [flags] or -ag {parent_label | parent_name} mship pset_name [flags]

Adds a new code group to the code group hierarchy. You can specify either the parent_label or parent_name. The parent_label argument specifies the label (such as 1. or 1.1.) of the code group that is the parent of the code group being added. The parent_name argument specifies the name of the code group that is the parent of the code group being added. Because parent_label and parent_name can be used interchangeably, Caspol.exe must be able to distinguish between them. Therefore, parent_name cannot begin with a number. Additionally, parent_name can only contain A-Z, 0-9 and the underscore character.

The mship argument specifies the membership condition for the new code group. For more information, see the table of mship arguments later in this section.

The pset_name argument is the name of the permission set that will be associated with the new code group. You can also set one or more flags for the new group. For more information, see the table of flags arguments later in this section.

-addpset {psfile | psfile pset_name} or -ap {named_psfile | psfile pset_name}

Adds a new named permission set to policy. The permission set must be authored in XML and stored in an .xml file. If the XML file contains the name of the permission set, only that file (psfile) is specified. If the XML file does not contain the permission set name, you must specify both the XML file name (psfile) and the permission set name (pset_name).

Note that all permissions used in a permission set must be defined in assemblies contained in the global assembly cache.

-a[ll]

Indicates that all options following this one apply to the machine, user, and enterprise policies. The -all option always refers to the policy of the currently logged-on user. See the -customall option to refer to the user policy of a user other than the current user.

-chggroup {label | name} {mship | pset_name | flags} or -cg {label | name} {mship | pset_name | flags}

Changes a code group's membership condition, permission set, or the settings of the exclusive, levelfinal, name, or description flags. You can specify either the label or name. The label argument specifies the label (such as 1. or 1.1.) of the code group. The name argument specifies the name of the code group to change. Because label and name can be used interchangeably, Caspol.exe must be able to distinguish between them. Therefore, name cannot begin with a number. Additionally, name can only contain A-Z, 0-9 and the underscore character.

The pset_name argument specifies the name of the permission set to associate with the code group. See the tables later in this section for information on the mship and flags arguments.

-chgpset psfile pset_name or -cp psfile pset_name

Changes a named permission set. The psfile argument supplies the new definition for the permission set; it is a serialized permission set file in XML format. The pset_name argument specifies the name of the permission set you want to change.

-customall path or -ca path

Indicates that all options following this one apply to the machine, enterprise, and the specified custom user policies. You must specify the location of the custom user's security configuration file with the path argument.

-cu[stomuser] path

Allows the administration of a custom user policy that does not belong to the user on whose behalf Caspol.exe is currently running. You must specify the location of the custom user's security configuration file with the path argument.

-enterprise or -en

Indicates that all options following this one apply to the enterprise level policy. Users who are not enterprise administrators do not have sufficient rights to modify the enterprise policy, although they can view it. In nonenterprise scenarios, this policy, by default, does not interfere with machine and user policy.

-e[xecution] {on | off}

Turns on or off the mechanism that checks for the permission to run before code starts to execute.

Note:

This switch is removed in the .NET Framework 4 and later versions. For more information, see Security Changes in the .NET Framework.

-f[orce]

Suppresses the tool's self-destruct test and changes the policy as specified by the user. Normally, Caspol.exe checks whether any policy changes would prevent Caspol.exe itself from running properly; if so, Caspol.exe does not save the policy change and prints an error message. To force Caspol.exe to change policy even if this prevents Caspol.exe itself from running, use the -force option.

-h[elp]

Displays command syntax and options for Caspol.exe.

-l[ist]

Lists the code group hierarchy and the permission sets for the specified machine, user, enterprise, or all policy levels. Caspol.exe displays the code group's label first, followed by the name, if it is not null.

-listdescription or -ld

Lists all code group descriptions for the specified policy level.

-listfulltrust or -lf

Lists the contents of the full trust assembly list for the specified policy level.

-listgroups or -lg

Displays the code groups of the specified policy level or all policy levels. Caspol.exe displays the code group's label first, followed by the name, if it is not null.

-listpset or -lp

Displays the permission sets for the specified policy level or all policy levels.

-m[achine]

Indicates that all options following this one apply to the machine level policy. Users who are not administrators do not have sufficient rights to modify the machine policy, although they can view it. For administrators, -machine is the default.

-polchgprompt {on | off} or -pp {on | off}

Enables or disables the prompt that is displayed whenever Caspol.exe is run using an option that would cause policy changes.

-quiet or -q

Temporarily disables the prompt that is normally displayed for an option that causes policy changes. The global change prompt setting does not change. Use the option only on a single command basis to avoid disabling the prompt for all Caspol.exe commands.

-r[ecover]

Recovers policy from a backup file. Whenever a policy change is made, Caspol.exe stores the old policy in a backup file.

-remfulltrust assembly_file or -rf assembly_file

Removes an assembly from the full trust list of a policy level. This operation should be performed if a permission set that contains a custom permission is no longer used by policy. However, you should remove an assembly that implements a custom permission from the full trust list only if the assembly does not implement any other custom permissions that are still being used. When you remove an assembly from the list, you should also remove any other assemblies that it depends on.

-remgroup {label | name} or -rg {label | name}

Removes the code group specified by either its label or name. If the specified code group has child code groups, Caspol.exe also removes all the child code groups.

-rempset pset_name or -rp pset_name

Removes the specified permission set from policy. The pset_name argument indicates which permission set to remove. Caspol.exe removes the permission set only if it is not associated with any code group. The default (built-in) permission sets cannot be removed.

-reset or -rs

Returns policy to its default state and persists it to disk. This is useful whenever a changed policy seems to be beyond repair and you want to start over with the installation defaults. Resetting can also be convenient when you want to use the default policy as a starting point for modifications to specific security configuration files. For more information, see Manually Editing the Security Configuration Files.

-resetlockdown or -rsld

Returns policy to a more restrictive version of the default state and persists it to disk; creates a backup of the previous machine policy and persists it to a file called security.config.bac. The locked down policy is similar to the default policy, except that the policy grants no permission to code from the Local Intranet, Trusted Sites, and Internet zones and the corresponding code groups have no child code groups.

-resolvegroup assembly_file or -rsg assembly_file

Shows the code groups that a specific assembly (assembly_file) belongs to. By default, this option displays the machine, user, and enterprise policy levels to which the assembly belongs. To view only one policy level, use this option with either the -machine, -user, or -enterprise option.

-resolveperm assembly_file or -rsp assembly_file

Displays all permissions that the specified (or default) level of security policy would grant the assembly if the assembly were allowed to run. The assembly_file argument specifies the assembly. If you specify the -all option, Caspol.exe calculates the permissions for the assembly based on user, machine, and enterprise policy; otherwise, default behavior rules apply.

-s[ecurity] {on | off}

Turns code access security on or off. Specifying the -s off option does not disable role-based security.

Note:

This switch is removed in the .NET Framework 4 and later versions. For more information, see Security Changes in the .NET Framework.

Caution:

When code access security is disabled, all code access demands succeed. Disabling code access security makes the system vulnerable to attacks by malicious code such as viruses and worms. Turning off security gains some extra performance but should only be done when other security measures have been taken to help make sure overall system security is not breached. Examples of other security precautions include disconnecting from public networks, physically securing computers, and so on.

-u[ser]

Indicates that all options following this one apply to the user level policy for the user on whose behalf Caspol.exe is running. For nonadministrative users, -user is the default.

-?

Displays command syntax and options for Caspol.exe.

The mship argument, which specifies the membership condition for a code group, can be used with the -addgroup and -chggroup options. Each mship argument is implemented as a .NET Framework class. To specify mship, use one of the following.

Argument (each argument is followed by its description):

-allcode

Specifies all code. For more information about this membership condition, see the AllMembershipCondition Class.

-appdir

Specifies the application directory. If you specify -appdir as the membership condition, the URL evidence of code is compared with the application directory evidence of that code. If both evidence values are the same, this membership condition is satisfied. For more information about this membership condition, see the ApplicationDirectoryMembershipCondition Class.

-custom xmlfile

Adds a custom membership condition. The mandatory xmlfile argument specifies the .xml file that contains XML serialization of the custom membership condition.

-hash hashAlg {-hex hashValue | -file assembly_file}

Specifies code that has the given assembly hash. To use a hash as a code group membership condition, you must specify either the hash value or the assembly file. For more information about this membership condition, see the HashMembershipCondition Class.

-pub {-cert cert_file_name | -file signed_file_name | -hex hex_string}

Specifies code that has the given software publisher, as denoted by a certificate file, a signature on a file, or the hexadecimal representation of an X509 certificate. For more information about this membership condition, see the PublisherMembershipCondition Class.

-site website

Specifies code that has the given site of origin. For example:

-site www.proseware.com

For more information about this membership condition, see the SiteMembershipCondition Class.

-strong -file file_name {name | -noname} {version | -noversion}

Specifies code that has a specific strong name, as designated by the file name, the assembly name as a string, and the assembly version in the format major.minor.build.revision. For example:

-strong -file myAssembly.exe myAssembly 1.2.3.4

For more information about this membership condition, see the StrongNameMembershipCondition Class.

-url URL

Specifies code that originates from the given URL. The URL must include a protocol, such as http:// or ftp://. Additionally, a wildcard character (*) can be used to specify multiple assemblies from a particular URL.

Note:

Because a URL can be identified using multiple names, using a URL as a membership condition is not a safe way to ascertain the identity of code. Where possible, use a strong name membership condition, a publisher membership condition, or the hash membership condition.

For more information about this membership condition, see the UrlMembershipCondition Class.

-zone zonename

Specifies code with the given zone of origin. The zonename argument can be one of the following values: MyComputer, Intranet, Trusted, Internet, or Untrusted. For more information about this membership condition, see the ZoneMembershipCondition Class.

The flags argument, which can be used with the -addgroup and -chggroup options, is specified using one of the following.

Argument (each argument is followed by its description):

-description "description"

If used with the -addgroup option, specifies the description for a code group to add. If used with the -chggroup option, specifies the description for a code group to edit. The description argument must be enclosed in double quotes.

-exclusive {on|off}

When set to on, indicates that only the permission set associated with the code group you are adding or modifying is considered when some code fits the membership condition of the code group. When this option is set to off, Caspol.exe considers the permission sets of all matching code groups in the policy level.

-levelfinal {on|off}

When set to on, indicates that no policy level below the level in which the added or modified code group occurs is considered. This option is typically used at the machine policy level. For example, if you set this flag for a code group at the machine level and some code matches this code group's membership condition, Caspol.exe does not calculate or apply the user level policy for this code.

-name "name"

If used with the -addgroup option, specifies the scripting name for a code group to add. If used with the -chggroup option, specifies the scripting name for a code group to edit. The name argument must be enclosed in double quotes. The name argument cannot begin with a number, and can only contain A-Z, 0-9, and the underscore character. Code groups can be referred to by this name instead of by their numeric label. The name is also highly useful for scripting purposes.
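The following is an added worked example (not part of the original post or of the MSDN reference above) that ties together the -addpset, -addgroup, mship and flags sections: it writes a named permission set as XML, registers it at the machine level, binds it to a strong-name code group with the -exclusive and -levelfinal flags, then verifies the effective grant with -resolvegroup and -resolveperm. The caspol path (.NET Framework 2.0), the assembly path C:\Apps\Proseware.Reader.exe, the data folder C:\Data and every permission set or group name are placeholders chosen for this example; the mscorlib Version in the XML must match the runtime whose policy you are editing.

```powershell
# Added example: restrict a signed assembly to execute-only plus read access
# to one folder, using caspol at the machine policy level.
# Assumptions (placeholders): caspol path, assembly path, folder and names.
$caspol   = "$env:windir\Microsoft.NET\Framework\v2.0.50727\caspol.exe"
$psFile   = "$env:TEMP\ProsewareReadOnly.xml"
$assembly = "C:\Apps\Proseware.Reader.exe"   # must be signed with a strong name

# NamedPermissionSet serialized as XML. Because the Name attribute is inside the
# file, -addpset needs only the file name. Execution must be granted explicitly,
# otherwise the assembly cannot start under pre-.NET 4 runtimes.
$psXml = @"
<PermissionSet class="System.Security.PermissionSet" version="1"
               Name="ProsewareReadOnly"
               Description="Execute and read C:\Data only (example)">
  <IPermission class="System.Security.Permissions.SecurityPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
               version="1" Flags="Execution" />
  <IPermission class="System.Security.Permissions.FileIOPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
               version="1" Read="C:\Data" PathDiscovery="C:\Data" />
</PermissionSet>
"@
Set-Content -Path $psFile -Value $psXml -Encoding UTF8

# 1. Register the permission set. -q suppresses the change prompt for this one
#    command only; the global -polchgprompt setting is left as it is.
& $caspol -q -machine -addpset $psFile

# 2. Add a child of the root group (label 1.). The membership condition is the
#    strong name of the signed file; -noname -noversion match every assembly
#    signed with that key. Without -exclusive on, the grant would be the UNION
#    of all matching groups (a local file also matches the MyComputer zone group,
#    which grants FullTrust), so the restriction would be a no-op. -levelfinal on
#    stops user-level policy from being evaluated for this code.
& $caspol -q -machine -addgroup "1." -strong -file $assembly -noname -noversion ProsewareReadOnly -name "Proseware_ReadOnly" -description "Proseware signed code: execute and read C:\Data" -exclusive on -levelfinal on

# 3. Verify which groups match and what the effective grant across all levels is.
& $caspol -machine -listgroups
& $caspol -machine -resolvegroup $assembly
& $caspol -all -resolveperm $assembly

# 4. Roll back if the result is not what was expected: caspol keeps a backup of
#    the previous policy at every change, and -recover restores it.
# & $caspol -q -machine -recover
```

Run it from an administrator prompt, since only administrators can modify the machine level. If the assembly is not strong-name signed, a -hash SHA1 -file condition (see the mship table) gives a comparably strong identity; a -url or -site condition does not, for the reason given in the note on -url.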
