How to create a Windows Installer package that uses the Code Access Security Policy tool in Visual Studio 2005

This article describes how to create a Microsoft Windows Installer package that uses the Code Access Security Policy tool in Microsoft Visual Studio 2005.

You can use the Code Access Security Policy tool to modify the security policy for the following policy levels:

• The Machine policy level
• The User policy level
• The Enterprise policy level

You can use the Microsoft .NET Framework 2.0 Configuration tool to create a Windows Installer package that modifies the security policy. To do this, follow these steps:

1. Click Start, click Run, type Control admintools in the Open box, and then click OK.
2. In Administrative Tools, double-click Microsoft .NET Framework 2.0 Configuration.
3. In the .NET Framework 2.0 Configuration dialog box, expand My Computer, click Runtime Security Policy, and then click Create Deployment Package.

When you follow these steps, the whole policy level is replaced.

To make a specific change to the security policy and to avoid overwriting other policies, follow these steps.

Step 1: Determine the existing policy settings

Before you make any changes, determine the existing policy settings. To do this, follow these steps:

1. Click Start, click Run, type Control admintools in the Open box, and then click OK.
2. In Administrative Tools, double-click Microsoft .NET Framework 2.0 Configuration.
3. In the .NET Framework 2.0 Configuration dialog box, expand My Computer, and then expand Runtime Security Policy.
4. Expand Machine, expand Code Groups, and then expand All_Code.
   
   Note If you did not add any other groups to this computer, the All_Code group contains the following default zones:
   • My_Computer_Zone
   • LocalInternet_Zone
   • Internet_Zone
   • Restricted_Zone
   • Trusted_Zone

Step 2: Use Visual Studio 2005 to create a base Windows Installer package

To create a base Windows Installer package, follow these steps:

1. Start Visual Studio 2005.
2. On the File menu, click New, and then click Project.
3. In the New Project dialog box, expand Other Project Types under Project Types, click Setup and Deployment, and then click Setup Project under Visual Studio installed templates.
4. In the Name box, type Caspol.msi.
5. In the Location box, type the location of the Caspol.msi file, and then click OK.
6. On the View menu, click Editor, and then click Launch Conditions.
7. On the Launch Conditions tab, right-click Search Target Machine under Requirements on Target Machine, and then click Add File Search.
8. For the name of the new node, type Caspol-search.
9. Right-click Caspol-search, and then click Properties Windows.
10. In the Caspol-search Launch Condition Properties dialog box, specify the following values:
    • In the Depth box, type 10.
    • In the FilesName box, type caspol.exe.
    • In the Folder box, click [WindowsFolder].
    • In the MinVersion box, type 2.0.
      
      Note This setting is required so that the destination computer does not use a version of the .NET Framework that is earlier than this setting.

Typically, you have a project in a solution to which you can add the base Windows Installer package that you created. If you do not have a project, you must sign the assembly. To do this, follow these steps:

1. Start Visual Studio 2005.
2. On the File menu, click Add, and then click New Project.
3. In the Add New Project dialog box, expand Visual C#, click Windows, and then click Windows Application under Visual Studio installed templates.
4. In the Name box, type a name.
5. In the Location box, type the location, and then click OK.
6. To sign the assembly by using a new key file, right-click WindowsApplication1 in Solution Explorer, and then click Properties.
7. On the WindowsApplication1 tab, click Signing.
8. Click to select the Sign the assembly check box.
9. To specify a new key file, click <New> in the Choose a strong name key file list.
   
   Note New key files are always created in the .pfx format.
10. In the Create Strong Name Key dialog box, type a name, type a password, and then click OK.
11. On the Debug menu, click Start Debugging.
12. Exit Visual Studio 2005.

Step 3: Use the Orca tool (Orca.exe) to add custom actions

Note This section assumes that the Orca tool is installed. For more information about the Orca tool, see the "References" section.

To use the Orca tool to add custom actions, follow these steps:

1. In Microsoft Windows Explorer, locate the Caspol.msi file, right-click the Caspol.msi file, and then click Edit with Orca.
2. In the Orca tool, click CustomAction under Tables, click the Tables menu, and then click Add Row.
3. In the Add Row dialog box, specify the following values:
   • In the Name column, click Action, and then type CASPOLTURNOFFMESSAGES in the Action box under Column.
   • In the Name column, click Type, and then type 3122 in the Type box under Column.
   • In the Name column, click Source, and then type FILEEXISTS1 in the Source box under Column.
   • In the Name column, click Target, and then type -pp off in the Target box under Column.
4. To close the Add Row dialog box, click OK.
5. In the Orca tool, click CustomAction under Tables, click the Tables menu, and then click Add Row.
6. In the Add Row dialog box, specify the following values:
   • In the Name column, click Action, and then type CASPOLPERFORMACTION in the Action box under Column.
   • In the Name column, click Type, and then type 3122 in the Type box under Column.
   • In the Name column, click Source, and then type FILEEXISTS1 in the Source box under Column.
   • In the Name column, click Target, and then type the following command in the Target box under Column:
     -addgroup 1 -strong -file "[TARGETDIR]MyNewCaspolTest.exe" MyReferenceAssemblyName -noversion Execution -name MyCaspolCodeGroupName -description "This Code group was added by the caspol command line from our test Windows Installer package."
   Note The prefixed [TARGETDIR] property and the .exe file name are enclosed by quotation marks. The prefixed [TARGETDIR] property and the .exe file name do not have a backslash (\). For more information about the options for the Code Access Security Policy tool, visit the following Microsoft Developer Network (MSDN) Web site:
   http://msdn2.microsoft.com/en-us/library/cb6t8dtz(VS.80).aspx (http://msdn2.microsoft.com/en-us/library/cb6t8dtz(VS.80).aspx)
7. To close the Add Row dialog box, click OK.
8. In the Orca tool, click CustomAction under Tables, click the Tables menu, and then click Add Row.
9. In the Add Row dialog box, specify the following values:
   • In the Name column, click Action, and then type CASPOLUNINSTALL in the Action box under Column.
   • In the Name column, click Type, and then type 3122 in the Type box under Column.
   • In the Name column, click Source, and then type FILEEXISTS1 in the Source box under Column.
   • In the Name column, click Target, and then type -remgroup MyCaspolCodeGroupName in the Target box under Column.
   Note The information in this step helps roll back the installation if this action is required.
10. To close the Add Row dialog box, click OK.
11. In the Orca tool, click InstallExecuteSequence under Tables, click the Tables menu, and then click Add Row.
12. In the Add Row dialog box, specify the following values:
    • In the Name column, click Action, and then type CASPOLTURNOFFMESSAGES in the Action box under Column.
    • In the Name column, click Condition, and then type NOT Installed in the Condition box under Column.
    • In the Name column, click Sequence, and then type 6500 in the Sequence box under Column.
13. To close the Add Row dialog box, click OK.
14. In the Orca tool, click InstallExecuteSequence under Tables, click the Tables menu, and then click Add Row.
15. In the Add Row dialog box, specify the following values:
    • In the Name column, click Action, and then type CASPOLPERFORMACTION in the Action box under Column.
    • In the Name column, click Condition, and then type NOT Installed in the Condition box under Column.
    • In the Name column, click Sequence, and then type 6510 in the Sequence box under Column.
16. To close the Add Row dialog box, click OK.
17. In the Orca tool, click InstallExecuteSequence under Tables, click the Tables menu, and then click Add Row.
18. In the Add Row dialog box, specify the following values:
    • In the Name column, click Action, and then type CASPOLUNINSTALL in the Action box under Column.
    • In the Name column, click Condition, and then type Installed in the Condition box under Column.
    • In the Name column, click Sequence, and then type 6520 in the Sequence box under Column.
    Note The information in this step helps roll back the installation if this action is required.
19. To close the Add Row dialog box, click OK.

Step 4: Use the Orca tool to confirm the settings that Visual Studio 2005 made

To confirm the settings that Visual Studio 2005 made, follow these steps:

1. In the Orca tool, click Signature under Tables.
   
   Note The FileName column displays CASPOL.EXE|caspol.exe, and the MinVersion column displays 2.0.
2. In the Orca tool, click DrLocator under Tables.
   
   Note The Path column displays [WindowsFolder].
3. On the File menu, click Save.
4. To exit the Orca tool, click Exit.

Step 5: Install the Caspol.msi file, and then confirm the settings that the Caspol.msi file modified

To install the Caspol.msi file and to confirm the settings, follow these steps:

1. To install the Caspol.msi file, click Start, click Run, type the following command in the Open box, and then click OK:
   "DriveLetter:\<path>\caspol.msi" ALLUSERS=2 /passive
   Note The command options are case sensitive. Use the ALLUSERS=2 option to install the file on an individual computer. The /passive option requires minimal user input.
2. To confirm the settings that the Caspol.msi file modified, follow these steps:
   1. Click Start, click Run, type Control admintools in the Open box, and then click OK.
   2. In Administrative Tools, double-click Microsoft .NET Framework 2.0 Configuration.
   3. In the .NET Framework 2.0 Configuration dialog box, expand My Computer, and then expand Runtime Security Policy.
   4. Expand Machine, expand Code Groups, and then expand All_Code.
   5. Right-click LocalIntranet_Zone, and then click Properties.
   6. In the LocalIntranet_Zone Properties dialog box, click the Permission Set tab. Notice that Nothing is displayed under Permission set.

To uninstall the Caspol.msi file, right-click Caspol.msi, and then click Uninstall. To confirm that the Caspol.msi file is uninstalled, follow these steps:

1. Click Start, click Run, type Control admintools in the Open box, and then click OK.
2. In Administrative Tools, double-click Microsoft .NET Framework 2.0 Configuration.
3. In the .NET Framework 2.0 Configuration dialog box, expand My Computer, and then expand Runtime Security Policy.
4. Expand Machine, expand Code Groups, and then expand All_Code.
5. Right-click LocalIntranet_Zone, and then click Properties.
6. In the LocalIntranet_Zone Properties dialog box, click the Permission Set tab. Notice that LocalIntranet is displayed under Permission set.

The Orca tool is part of the Microsoft Windows Server 2003 Service Pack 1 (SP1) Platform Software Development Kit (SDK). For more information about the Windows Server 2003 SP1 Platform SDK, visit the following Microsoft Web site: For more information about the Code Access Security Policy tool, visit the following MSDN Web site: