More on medium trust: what permission are you missing?

Yesterday, I asked some questions about your usage of medium trust. Thank you all for the great answers and comments (but don’t read too much into that, I’m just playing with stuff). If you haven’t answered yet, feel free to do so.

Now I have an additional question:

What missing permission is preventing you from running in medium trust?

Please answer in comments. And thanks again for the great feedback.


  • Binary Serialization / Reflection
    System.Diagnostics (Tracing)
    Custom Configuration (workarounds are available, tho)

  • Custom Configuration
    ASP.NET Charting (although 4.0 fixes this)
    Reflection Permission
    Web Permission

  • MySql.Data is not working in medium trust...

    i think it requires some web permission.

  • OleDbPermission

  • I agree about ReflectionPermission (with the RestrictedMemberAccess flag) and WebPermission. Those will be very useful.

  • We require full trust because we use the BinaryFormatter.

  • It might be easier to just ask what needs to be tightened in full trust to make it a reasonably secure default.

    The answer is --Not much.

    Full trust is reasonably secure already. Shops that REALLY care to tighten security will likely use a custom policy anyway.

    The big things full trust can do to make it more secure without breaking too much stuff is:

    Take away EventLog
    Restict IO to the virtual directory
    Take away registry access

    There just seems to be little point in pre-defining more than one "default" policy. Make a single default that is as secure as possible without breaking "normal" or "common" things web apps are likely to need.

    For anything else, just make it easier for admins and developers to create and manage custom policies and do away with the other pre-defined levels.

  • UnmanagedCode permission. Exports to pdf from every single reporting product requires this ..

  • At Kooboo, we have to ask user to add the reflection permission and ability to create and manipulate an appdomain.

    And due to a MS bug, we have to add "UnmanagedCode" flag to SecurityPermission.

    See trust level section at:

  • Encryption and Decryption are not allowed

  • Steve said:
    UnmanagedCode permission. Exports to pdf from every single reporting product requires this ..

    I'm using SSRS to generate a PDF and I don't need UnmanagedCode permission.

  • ReflectionPermission

    My commercial web controls have optional features that use reflection. It impacts about 1% of my customers.

Comments have been disabled for this content.