ASP.NET trust levels demystified – level 300

The good news is that most of the web applications I write work just
fine in medium trust, so it’s very easy to run your ASP.NET app in
partial trust.  All it takes is a change to your web.config.
    <system.web>
        <trust level=”Full”/>
       . . ..
    </system.web>

ASP.NET runs at Full trust by default (trust levels didn’t exist in
v1.0).  Change the level attribute above to a different setting to
change the permissions of your ASP.NET code.  You can change your
trust level, and here’s the rundown of what each one means:

  • Full trust – your code can do anything that the account running it can do.
  • High trust – same as above except your code cannot call into unmanaged code. i.e. Win32 APIs, COM interop.
  • Medium trust – same as above except your code cannot see any part of the file system except its application directory.
  • Low trust – same as above except your code cannot make any out-of-process calls. i.e. calls to a database, network, etc.
  • Minimal trust – code is restricted from anything but the most trival processing (calculating algorithms).

The above lines are the most significant differences that would lead
you to choose a particular trust level.  Read more about trust leves and code-access security from MSDN.

This entry was posted in Uncategorized. Bookmark the permalink. Follow any comments here with the RSS feed for this post.

2 Responses to ASP.NET trust levels demystified – level 300

  1. Thank you very much. Your information above regarding trust solved a problem very quickly for me. The default trust on a hosted site was more restricted than I had expected. Modifying within the web.config was a quick solution. The problem was associated with an ole.db connection to an excel document.
    The 2nd associated problem was very strange. I was having a problem after the users clicked a button on a page (that would show/hid a div section). I dont quite understand why security would have been related to this solution. However… Thanks again.

  2. Joshua Flanagan says:

    I can see how this would be useful in a hosting scenario, where you want to be able to limit what applications can do on your server, without having to do full code reviews. You could set the trust level in machine.config with allowOverride=false.

Leave a Reply