If you want to execute .NET assemblies from a network share (as an example), you need to increase the permissions for that file. By default you are only allowed to execute local .NET assemblies.
You uniquely identify a .NET assembly by adding a “Strong Name”. A “Strong Name” consists of the public key token, culture, version and PE file name. To sign a .NET assembly with a “Strong Name” you need the sn.exe utility from an MS SDK (for example the MSI SDK) and the caspol.exe utility from .NET v2.
Step-by-step guide to sign a .NET assembly with a strong name:
1. Generate a new key pair:
> sn.exe -k keypair.snk
2. Extract the public key:
> sn.exe -p keypair.snk pkey.pub
3. Disassemble the .NET assembly:
> ildasm.exe YourFile.exe /out:YourFile.il
4. Reassemble the .NET assembly and sign it with a “Strong Name”:
> ilasm.exe YourFile.il /KEY:keypair.snk
5. Check whether the file is signed now:
> sn.exe -vf YourFile.exe
Now you can add the public key of the strong name to the local machine. But first you need to know the public key (as a hex value):
> sn.exe -tp pkey.pub
Now add the strong name to the workstation:
> caspol.exe -machine -addgroup 1 -strong -hex 002400000... -noname -noversion FullTrust -n "GROUP-NAME" -description "DESCRIPTION"
The default “caspol.exe” directory is C:\Windows\Microsoft.NET\Framework\v2.0.50727. To verify the .NET permissions, use these two commands:
> caspol.exe -ld (list description)
> caspol.exe -lg (list groups)
The advantage of a strong-named .NET assembly is that you can be certain the assembly has NOT been modified, and you can increase the permissions for this assembly (so that it may run directly from a share).
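An added example (not from the original post): a Python check of the public key blob that `sn.exe -p` writes and whose hex form goes after `-hex`. It recomputes the public key token and rejects a truncated value or a private `keypair.snk` passed by mistake. The sample blob is constructed with filler bytes, and the function names are this example's own.

```python
import hashlib
import struct

# The 16-byte ECMA standard key, used here only as a known-answer check.
ECMA_KEY = bytes.fromhex("00000000000000000400000000000000")

def public_key_token(blob: bytes) -> str:
    """Token = last 8 bytes of SHA-1 over the whole public key blob, reversed."""
    return hashlib.sha1(blob).digest()[-8:][::-1].hex()

def parse_public_key_blob(blob: bytes) -> dict:
    """Check the layout of a strong-name public key blob before trusting it."""
    if blob[:1] == b"\x07" and blob[8:12] == b"RSA2":
        raise ValueError("this is a private key pair (.snk), not the public key")
    if len(blob) < 12:
        raise ValueError("shorter than the 12-byte header")
    sig_alg, hash_alg, cb_key = struct.unpack_from("<III", blob, 0)
    if len(blob) != 12 + cb_key:
        raise ValueError("header announces %d key bytes, found %d" % (cb_key, len(blob) - 12))
    info = {"sig_alg": sig_alg, "hash_alg": hash_alg, "bits": 0,
            "token": public_key_token(blob)}
    if blob == ECMA_KEY:  # pseudo-key, carries no RSA material
        return info
    if cb_key < 20:
        raise ValueError("key too short for an RSA public key header")
    # PUBLICKEYSTRUC (type, version, reserved, alg) then RSAPUBKEY (magic, bitlen, exponent)
    b_type, _ver, _res, _alg, magic, bits, exponent = struct.unpack_from("<BBHI4sII", blob, 12)
    if b_type != 0x06 or magic != b"RSA1":
        raise ValueError("not an RSA public key blob")
    if cb_key != 20 + bits // 8:
        raise ValueError("modulus length does not match the declared bit length")
    info.update(bits=bits, exponent=exponent)
    return info

def constructed_blob(bits: int = 1024) -> bytes:
    """Constructed sample with filler bytes as the modulus; not a real key."""
    modulus = bytes((i * 7 + 1) & 0xFF for i in range(bits // 8))
    key = struct.pack("<BBHI4sII", 0x06, 0x02, 0, 0x2400, b"RSA1", bits, 65537) + modulus
    return struct.pack("<III", 0x2400, 0x8004, len(key)) + key

if __name__ == "__main__":
    # In practice: bytes.fromhex(<value given after -hex>) or open("pkey.pub", "rb").read()
    sample = constructed_blob()
    print(sample.hex()[:24], parse_public_key_blob(sample))
    print("ECMA token:", public_key_token(ECMA_KEY))
```

The code group created with `-strong -hex` matches on the full public key, so it is the whole blob, not only the 8-byte token, that should be compared against the key you generated.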
Another (but less secure) approach to increasing .NET permissions is to add a URL as the identifier:
> caspol.exe -machine -addgroup 1 -url \\server\share\path\* FullTrust -n "GROUP-NAME" -description "DESCRIPTION"
Group 1 (-addgroup 1) is the root code group.