Lock down your own .NET Library Assemblies

Because information about this is actually hard to find (there are loads of samples around about how to demand several rights, but hardly any about locking down your own frameworks & assemblies):

I recommend for most cases to start from no rights at all (except execution and some identity permissions) and then whitelist whatever you need.

[assembly: PermissionSet(SecurityAction.RequestOptional, Name="Execution")]

Note that you have to use RequestOptional, not RequestMinimum (that wouldn't have any effect! see here), because the effective permissions are calculated as follows

Effective = (RequestMinimum union RequestOptional) - RequestRefuse

where by default RequestOptional is FullTrust, Hence you'll always get FullTrust if you only use RequestMinimum.

Note also that we rely here upon what the user/administrator specified in the "Execution" Permission Set - by default it's just the SecurityPermission's Execute Permission and nothing else.

After that just request any additional permissions you may need (RequestOptional) or you need in any case to make sense (RequestMinimum), as usual. For example use a FileIOPermission if you need to read some file, or a SocketPermission for network access, with the appropriate SecurityAttribute and parameters:

[assembly: FileIOPermission(SecurityAction.RequestMinimum, ...)]
[assembly: System.Net.SocketPermission(SecurityAction.RequestOptional, ...)]
...

Earlier I simply used to add "[assembly: SecurityPermission(SecurityAction.RequestRefuse)]" to any of my framework assemblies and thought that's it, but that was rubbish and didn't even have any effect. Don't do it. (Unless I'm very mistaken, please correct me if I am!)