This documentation is archived and is not being maintained.

Enterprise Policy Administration

Important noteImportant

In the .NET Framework version 4, the common language runtime (CLR) is moving away from providing security policy for computers. Microsoft is recommending the use of Windows Software Restriction Policies as a replacement for CLR security policy. The information in this topic applies to the .NET Framework version 3.5 and earlier; it does not apply to version 4.0 and later. For more information about this and other changes, see Security Changes in the .NET Framework 4.

The enterprise policy level contains policy for every computer and user on the network and can be administered by domain or machine administrators. See the section on Deploying Security Policy for information on deployment strategies.

Because the runtime evaluates enterprise policy first, you can apply the LevelFinal attribute to a code group on this level to exclude the lower levels from making policy changes. Without the LevelFinal attribute, lower policy levels can remove permissions from the final grant set, potentially causing application instability. However, even if you do not apply the LevelFinal attribute, lower levels are not able to increase the final grant set because all policy levels are intersected during policy resolution.

You might consider administering policy on this level when every person in your enterprise uses an application and you want to make sure that it always receives sufficient permission to run.