Security in Visual Studio Templates and Policy
When using Visual Studio Templates and Policy wizards, there are security considerations of which you need to be aware. This topic describes some of the security issues when using these wizards.
Installing and Running Visual Studio Templates and Policy Wizards
Like all Visual Studio wizards, Visual Studio Templates and Policy wizards run code under full trust when launched. Additionally, if a Visual Studio Templates and Policy wizard is distributed via an .msi file, code also runs under full trust when the wizard is installed.
Installing and running untrusted wizards can put your system at risk for a variety of malicious attacks, including but not limited to:
Alteration of the registry.
Deletion of files.
Installation of unwanted or malicious components or programs.
Alteration of security policies.
Installing and running untrusted Visual Studio Templates and Policy wizards poses a grave security risk to your system and data. You should never install a Visual Studio Templates and Policy wizard from an untrusted source.
Policy files can also contain property constraints and other settings that are malicious or a nuisance. While untrusted policy files do not pose the same grave risk to your system as untrusted wizards, using an untrusted policy file can still pose risks, including but not limited to:
Nuisance policy constraints that overload the Task List and obscure genuine policy reminders.
Malicious property constraints that alter UI color schemes or set properties to inappropriate values.
After policy is applied to a project or a solution folder, any property values changed inappropriately by the policy file must be changed again by hand.
Untrusted policy files pose a risk for nuisance or malicious attacks on your project. You should never apply an untrusted policy file to your project. You can determine if a policy file is safe before applying it by opening it in a text editor and examining the file for malicious content.
Security When Distributing Policy Files
Policy files can contain information about a particular system or network that could be used to exploit other security flaws. Examples of the kind of information that might exist in policy files include but are not limited to:
Database connection strings.
Before distributing a policy file to a public source, you should remove any database strings, path names, and other sensitive information.
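The check described above can be partly automated before a policy file is shared. The following is an added example, not part of the original topic or of Visual Studio: a Python script that reports and redacts database connection-string pairs and Windows path names found in a policy file's text. The regular expressions and the sample fragment, including its element names and values, are assumptions constructed for illustration.

```python
import re

# Patterns for the two kinds of data the topic names: database connection
# strings and path names. These regexes are assumptions, not a complete list.
PATTERNS = {
    "connection-string": re.compile(
        r"(?i)\b(?:Data Source|Server|Initial Catalog|Database|User ID|Uid|"
        r"Password|Pwd)\s*=\s*[^;\"'<>\r\n]+"),
    "unc-path": re.compile(r"\\\\[A-Za-z0-9._$-]+\\[^\s\"'<>|]+"),
    "drive-path": re.compile(r"\b[A-Za-z]:\\[^\s\"'<>|]+"),
}

# Constructed sample: element names and values are illustrative only and
# do not reproduce the real policy file schema.
SAMPLE = r'''<CONSTRAINT name="ConnectionString">
  <DEFAULT>Data Source=SQLPROD01;Initial Catalog=Orders;User ID=app;Password=hunter2</DEFAULT>
</CONSTRAINT>
<CONSTRAINT name="OutputPath">
  <DEFAULT>\\buildsrv\drops\team</DEFAULT>
</CONSTRAINT>
<CONSTRAINT name="HelpFile">
  <DEFAULT>C:\Corp\Policy\help.chm</DEFAULT>
</CONSTRAINT>
'''


def find_sensitive(text):
    """Return (line_number, kind, matched_text) for every hit in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                hits.append((lineno, kind, match.group(0)))
    return hits


def redact(text):
    """Replace every hit with a placeholder naming what was removed."""
    for kind, pattern in PATTERNS.items():
        text = pattern.sub("[REMOVED %s]" % kind, text)
    return text


if __name__ == "__main__":
    for lineno, kind, value in find_sensitive(SAMPLE):
        print("line %d: %s: %s" % (lineno, kind, value))
    print(redact(SAMPLE))
```

A clean report does not prove the file is safe to publish; values in formats the patterns do not cover still need a manual read of the file.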