Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
Use regedit to review the Windows registry key HKLM\Software\Microsoft\StrongName\Verification. There should be no assemblies or hash values listed under this registry key. If the StrongName\Verification key does not exist, this is not a finding. If there are assemblies or hash values listed in this key, each value represents a distinct application assembly that does not have the application strong name verified. If any assemblies are listed as omitting strong name verification in a production environment, this is a finding. If any assemblies are listed as omitting strong name verification in a development or test environment and the IAO has not provided documented approvals, this is a finding.
Use regedit to remove the values stored in Windows registry key HKLM\Software\Microsoft\StrongName\Verification. There should be no assemblies or hash values listed under this registry key. All assemblies must require strong name verification in a production environment. Strong name assemblies that do not require verification in a development or test environment must have documented approvals from the IAO.
If the system or application being reviewed is SIPR based, this finding is NA. This check must be performed for each user on the system. Use regedit to locate "HKEY_USER\[UNIQUE USER SID VALUE]\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State". If the State value for any user is not set to the hexadecimal value of 0x23C00, this is a finding.
This fix must be performed for each user on the system. Using regedit, change the hexadecimal value of the "HKEY_USER\[UNIQUE USER SID VALUE]\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State" registry key to 0x23C00.
The infrastructure to enable Code Access Security (CAS) exists only in .NET Framework 2.x-4.x. This requirement is Not Applicable (NA) for .NET Framework greater than 4.x. (Note: The infrastructure is deprecated and is not receiving servicing or security fixes.) Caspol.exe is a Microsoft tool used for working with .Net policy. Use caspol.exe to list the code groups and any publisher membership conditions. The location of the caspol utility is dependent upon the system architecture of the system running .Net. For 32 bit systems, caspol.exe is located at %SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319. For 64 bit systems, caspol.exe is located at %SYSTEMROOT%\Microsoft.NET\Framework64\v4.0.30319. Example: cd %SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319 To check code groups for the machine, run the following command: caspol.exe -m -lg Sample Results: Microsoft (R) .NET Framework CasPol 4.0.30319.1 Copyright (c) Microsoft Corporation. All rights reserved. Policy change prompt is ON Level = Machine Code Groups: 1. All code: Nothing 1.1. Zone - MyComputer: FullTrust (LevelFinal) 1.1.1. StrongName - 002400000480000094000000060200000024000052534131000400000100010007D1FA57C4AED9F0A32E84AA0FAEFD0DE9E8FD6AEC8F87FB03766C834C99921EB23BE79AD9D5DCC1DD9AD236132102900B723CF980957FC4E177108FC607774F29E8320E92EA05ECE4E821C0A5EFE8F1645C4C0C93C1AB99285D622CAA652C1DFAD63D745D6F2DE5F17E5EAF0FC4963D261C8A12436518206DC093344D5AD293: FullTrust 1.1.2. StrongName - 00000000000000000400000000000000: FullTrust 1.2. Zone - Intranet: LocalIntranet 1.2.1. All code: Same site Web 1.2.2. All code: Same directory FileIO - 'Read, PathDiscovery' 1.3. Zone - Internet: Internet 1.3.1. All code: Same site Web 1.4. Zone - Untrusted: Nothing 1.5. (First Match) Zone - Trusted: Internet 1.5.1. All code: Same site Web 1.6. Publisher - 30818902818100E47B359ACC061D70C237B572FA276C9854CFABD469DFB74E77D026630BEE2A0C2F8170A823AE69FDEB65704D7FD446DEFEF1F6BA12B6ACBDB1BFA7B9B595AB9A40636467CFF7C73F198B53A9A7CF177F6E7896EBC591DD3003C5992A266C0AD9FBEE4E2A056BE7F7ED154D806F7965F83B0AED616C192C6416CFCB46FC2F5CFD0203010001: FullTrust Success Section 1.6 above indicates the presence of a publisher's key that meets the Publisher's Membership Condition and is also given full trust. If the Publisher Membership Condition is used on a nondefault Code Group and the use of that publisher's certificate is not documented and approved by the ISSO, this is a finding.
Trust must be established when utilizing Publishers Membership Condition. All publisher's certificates must have documented approvals from the ISSO.
If the application is a COTS product, this requirement is Not Applicable (NA). The infrastructure to enable Code Access Security (CAS) exists only in .NET Framework 2.x-4.x. The requirement is Not Applicable (NA) for .NET Framework greater than 4.x. (Note: The infrastructure is deprecated and is not receiving servicing or security fixes.) Caspol.exe is a Microsoft tool used for working with .Net policy. Use caspol.exe to list the code groups and any publisher membership conditions. The location of the caspol utility is dependent upon the system architecture of the system running .Net. For 32 bit systems, caspol.exe is located at %SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319. For 64 bit systems, caspol.exe is located at %SYSTEMROOT%\Microsoft.NET\Framework64\v4.0.30319. Example: cd %SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319 To check code groups, run the following command: caspol.exe -all -lg Sample response: Microsoft (R) .NET Framework CasPol 4.0.30319.1 Security is ON Execution checking is ON Policy change prompt is ON Level = Machine Code Groups: 1. All code: Nothing 1.1. Zone - MyComputer: FullTrust (LevelFinal) 1.1.1. StrongName - 002400000480000094000000060200000024000052534131000400000100010007D1FA57C4AED9F0A32E84AA0FAEFD0DE9E8FD6AEC8F87FB03766C834C99921EB23BE79AD9D5DCC1DD9AD236132102900B723CF980957FC4E177108FC607774F29E8320E92EA05ECE4E821C0A5EFE8F1645C4C0C93C1AB99285D622CAA652C1DFAD63D745D6F2DE5F17E5EAF0FC4963D261C8A12436518206DC093344D5AD293: FullTrust 1.1.2. StrongName - 00000000000000000400000000000000: FullTrust 1.2. Zone - Intranet: LocalIntranet 1.2.1. All code: Same site Web 1.2.2. All code: Same directory FileIO - 'Read, PathDiscovery' 1.3. Zone - Internet: Internet 1.3.1. All code: Same site Web 1.4. Zone - Untrusted: Nothing 1.5. (First Match) Zone - Trusted: Internet 1.5.1. All code: Same site Web 1.6. Publisher - 30818902818100E47B359ACC061D70C237B572FA276C9854CFABD469DFB74E77D026630BEE2A0C2F8170A823AE69FDEB65704D7FD446DEFEF1F6BA12B6ACBDB1BFA7B9B595AB9A40636467CFF7C73F198B53A9A7CF177F6E7896EBC591DD3003C5992A266C0AD9FBEE4E2A056BE7F7ED154D806F7965F83B0AED616C192C6416CFCB46FC2F5CFD0203010001: FullTrust Success An assembly will satisfy the StrongNameMembershipCondition if its metadata contains the strongly identifying data associated with the specified strong name. At the least, this means it has been digitally signed with the private key associated with the public key recorded in the policy. The presence of the encryption key values in the StrongName field indicates the use of StrongNameMembershipCondition. If a Strong Name Membership Condition is assigned to a non-default Code Group the private key must be adequately protected by the software developer or the entity responsible for signing the assemblies. Ask the Systems Programmer how the private keys are protected. Private keys are simply values stored as strings of data. Keys can be stored in files on the file system or in a centralized data repository. Adequate protection methods include, but are not limited to: - utilizing centralized key management; - using strict file permissions to limit access; and - tying strong pass phrases to the key. If the private key used to sign the assembly is not adequately protected, this is a finding.
Ask the Systems Programmer how the private keys used to sign the assembly are protected. Private keys are simply values stored as strings of data. Keys can be stored in files on the file system or in a centralized data repository. Adequate protection methods include, but are not limited to: - utilizing centralized key management; - using strict file permissions to limit access; and - tying strong pass phrases to the key. The private key(s) used to sign the assembly must be protected. Utilize centralized key management or strict file permissions along with strong pass phrases and/or other well-established industry practices for managing and controlling access to private keys.
The infrastructure to enable Code Access Security (CAS) exists only in .NET Framework 2.x-4.x. The requirement is Not Applicable (NA) for .NET Framework greater than 4.x. (Note: The infrastructure is deprecated and is not receiving servicing or security fixes.) Ask the System Administrator if all CAS policy and policy configuration files are included in the system backup. If they are not, this is a finding. Ask the System Administrator if the policy and configuration files are backed up prior to migration, deployment, and reconfiguration. If they are not, this is a finding. Ask the System Administrator for documentation that shows CAS Policy configuration files are backed up as part of a disaster recovery plan. If they have no documentation proving the files are backed up, this is a finding.
All CAS policy and policy configuration files must be included in the system backup. All CAS policy and policy configuration files must be backed up prior to migration, deployment, and reconfiguration. CAS policy configuration files must be included in disaster recovery plan documentation.
If .NET remoting with HTTP channel is not used, this check is Not Applicable. Review the machine.config file and the [application name].exe.config file. For 32-bit systems, the "machine.config" file is contained in the following folder: %SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319\Config For 64-bit systems, the "machine.config" file is contained in the following folder: %SYSTEMROOT%\Microsoft.NET\Framework64\v4.0.30319\Config. Microsoft specifies locating the [application].config file in the same folder as the application executable (.exe) file. However, the developer does have the capability to specify a different location when the application is compiled. Therefore, if the file is not found in the application home folder, a search of the system is required. If the [application name].exe.config file is not found on the system, then only a check of the machine.config file is required. Sample machine/application config file: <application name=“remoteserver”> <service> <activated type=“sample.my.object, myobjects”/> </service> <channels> <channel ref=“http server” port=“80”/> </channels> </application> <serverProviders> <provider ref="wsdl" /> <formatter ref="soap" typeFilterLevel="Low" /> <formatter ref="binary" typeFilterLevel="Low" /> </serverProviders> Microsoft provides three "channels" that are used for remoting connectivity. They are the HTTP, TCP, and IPC channels. The channel that is used is specified via the <channels> element in the config file. HTTP channel example: <channel ref=“http server” port=“80”/> The HTTP channel only supports encryption and message integrity when the remote object is hosted in Internet Information Services (IIS) using TLS. The above example shows the well-known TLS port of 443 is not being used. If the HTTP remoting channel is not configured to protect the channel by using TLS encryption, this is a finding.
If .NET remoting with HTTP channel is not used, this fix is Not Applicable. Ensure encryption and message integrity are used for HTTP remoting channels. The HTTP channel only supports encryption and message integrity when the remote object is hosted in Internet Information Services (IIS) using TLS. HTTP channels are protected via TLS (HTTPS). <channels> <channel ref=“http server” port=“443”/> </channels> Change the channel ref parameter to utilize a TLS port and leverage TLS on the remote IIS server.
Determine which versions of the .NET Framework are installed by opening the directory %systemroot%\Microsoft.NET. The folder named "%systemroot%\Microsoft.NET\Framework" contains .NET files for 32 bit systems. The folder named "%systemroot%\Microsoft.NET\Framework64" contains .NET files for 64 bit systems. 64 bit systems will have both the 32 bit and the 64 bit folders while 32 bit systems do not have a Framework64 folder. Within each of the aforementioned folders are the individual folder names that contain the corresponding versions of the .NET Framework: v4.0.30319 v3.5 v3.0 v2.0.50727 v1.1.4322 v1.0.3705 Search for all the Mscorlib.dll files in the %systemroot%\Microsoft.NET\Framework folder and the %systemroot%\Microsoft.NET\Framework64 folder if the folder exists. Click on each of the files, view properties, and click version tab to determine the version installed. If there is no Mscorlib.dll, there is no installed version of .Net Framework in that directory. More specific information on determining versions of .Net Framework installed can be found at the following link. http://support.microsoft.com/kb/318785 Verify extended support is available for the installed versions of .Net Framework. Verify the .Net Framework support dates with Microsoft Product Lifecycle Search link. http://support.microsoft.com/lifecycle/search/?sort=PN&alpha=.NET+Framework Beginning with .NET 3.5 SP1, the .NET Framework is considered a Component of the Windows OS. Components follow the Support Lifecycle policy of their parent product or platform. If any versions of the .Net Framework are installed and support is no longer available, this is a finding.
Remove unsupported versions of the .NET Framework and upgrade legacy applications that utilize unsupported versions of the .NET framework.
Examine the .NET CLR configuration files from the vulnerability discussion to find the runtime element and then the "enforceFIPSPolicy" element. Example: <configuration> <runtime> <enforceFIPSPolicy enabled="true|false" /> </runtime> </configuration> By default, the .NET "enforceFIPSPolicy" element is set to "true". If the "enforceFIPSPolicy" element does not exist within the "runtime" element of the CLR configuration, this is not a finding. If the "enforceFIPSPolicy" element exists and is set to "false", and the IAO has not accepted the risk and documented the risk acceptance, this is a finding.
Examine the .NET CLR configuration files to find the runtime element and then the "enforceFIPSPolicy" element. Example: <configuration> <runtime> <enforceFIPSPolicy enabled="true|false" /> </runtime> </configuration> Delete the "enforceFIPSPolicy" runtime element, change the setting to "true" or there must be documented IAO approvals for the FIPS setting.
If there is documented ISSO risk acceptance for development systems, this is not a finding. For 32 bit production systems: Use regedit to examine the “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework” key. On 64-bit production systems: Use regedit to examine both the “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework” and “HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework” keys. If the "AllowStrongNameBypass" value does not exist, or if the “DWORD” value is set to “1”, this is a finding. Documentation must include a complete list of installed .Net applications, application versions, and acknowledgement that ISSO trusts each installed application. If application versions installed on the system do not match approval documentation, this is a finding.
For 32 bit production systems: Set “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AllowStrongNameBypass" to a “DWORD” value of “0”. On 64-bit production systems: Set “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\ AllowStrongNameBypass” and “HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\ AllowStrongNameBypass” to a “DWORD” value of “0”. Or, obtain documented ISSO risk acceptance for each .Net application installed on the system. Approval documentation will include complete list of all installed .Net applications, application versions, and acknowledgement of ISSO trust of each installed application.
Open Windows explorer and search for all *.exe.config files. This requirement does not apply to the caspol.exe assembly or other assemblies provided with the Windows OS or the Windows Secure Host Baseline (SHB). To find relevant files, you can run the FINDSTR command from an elevated (admin) command prompt: FINDSTR /i /s "NetFx40_LegacySecurityPolicy" c:\*.exe.config This command will search all ."exe.config" files on the c: drive partition for the "LegacySecurityPolicy" setting. Repeat the command for each drive partition on the system. If the .NET application configuration file utilizes the legacy policy element and .NET STIG guidance that covers these legacy versions has not been applied, this is a finding.
Apply the .NET Framework Security Checklist for .Net versions 1 through 3.5 when utilizing the NetFx40_LegacySecurityPolicy setting.
Open Windows explorer and search for *.exe.config. Search each config file found for the "loadFromRemoteSources" element. If the loadFromRemoteSources element is enabled ("loadFromRemoteSources enabled = true"), and the remotely loaded application is not run in a sandboxed environment, or if OS based software controls, such as AppLocker or Software Security Policies, are not utilized, this is a finding.
.Net application code loaded from a remote source must be run in a controlled environment. A controlled environment consists of a sandbox, such as running in an Internet Explorer host environment or employing OS based software access controls, such as AppLocker or Software Security Policies, when application design permits. Obtain documented IAO approvals for all remotely loaded code.
Open Windows explorer and search for all "*.exe.config" and "machine.config" files. Search each file for the "defaultProxy" element. <defaultProxy enabled="true|false" useDefaultCredentials="true|false" <bypasslist> … </bypasslist> <proxy> … </proxy> <module> … </module> /> If the "defaultProxy" setting "enabled=false" or if the "bypasslist", "module", or "proxy" child elements have configuration entries and there are no documented approvals from the IAO, this is a finding. If the "defaultProxy" element is empty or if "useSystemDefault =True” then the framework is using default browser settings, this is not a finding.
Open Windows explorer and search for all "*.exe.config" and "machine.config" files. Search each file for the "defaultProxy" element. Clear the values contained in the "defaultProxy" element, and the "bypasslist", "module", and "proxy" child elements. The IAO must provide documented approvals of any non-default proxy servers.
Open Windows explorer and search for all .NET config files including application config files (*.exe.config) NOTE: Beginning with Windows Vista and Windows Server 2008, ETW Tracing is enabled by default and the "etwEnable" setting is not required in order for Event Tracing to be enabled. An etwEnable setting of "true" IS required in earlier versions of Windows as ETW is disabled by default. Examine the configuration settings for <etwEnable enabled="false" />. If the "etwEnable" element is set to "true", this is not a finding. If the "etwEnable" element is set to "false" and documented approvals by the IAO are not provided, this is a finding.
Open Windows explorer and search for all .NET config files including application config files (*.exe.config). Examine the configuration settings for <etwEnable enabled="false" />. Enable ETW Tracing by setting the etwEnable flag to "true" or obtain documented IAO approvals.
This requirement does not apply to the "caspol.exe" assembly or other assemblies provided with the Windows OS or the Windows Secure Host Baseline (SHB). Ask the system administrator to provide documentation that identifies: - Each .Net 4.0 application they run on the system. - The .Net runtime host that invokes the application. - The security measures employed to control application access to system resources or user access to application. If all .Net applications, runtime hosts and security protections have been documented or if there are no .Net 4.0 applications existing on the system, this is not a finding. If there is no documentation that identifies the existence of .NET 4.0 applications or the lack thereof, this is a finding. If the runtime hosts have not been identified, this is a finding. If the security protections have not been identified, this is a finding.
Document the existence of all .Net 4.0 applications that are not provided by the host Windows OS or the Windows Secure Host Baseline (SHB). Document the corresponding runtime hosts that are used to invoke the applications. Document the applications security control requirements (restricting application access to resources or user access to the application).
If .NET remoting with TCP channel is not used, this check is Not Applicable. Check the machine.config and the [application executable name].exe.config configuration files. For 32-bit systems, the "machine.config" file is contained in the following folder. %SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319\Config For 64-bit systems, the "machine.config" file is contained in the following folder. %SYSTEMROOT%\Microsoft.NET\Framework64\v4.0.30319\Config. Microsoft specifies locating the application config file in the same folder as the application executable (.exe) file. However, the developer does have the capability to specify a different location when the application is compiled. Therefore, if the config file is not found in the application home folder, a search of the system is required. If the [application name].exe.config file is not found on the system, then only a check of the machine.config file is required. Sample machine/application config file: <application name=“remoteserver”> <service> <activated type=“sample.my.object, myobjects”/> </service> <channels> <channel ref=“tcp server” port=“6134”/> </channels> </application> <serverProviders> <provider ref="wsdl" /> <formatter ref="soap" typeFilterLevel="Full" /> <formatter ref="binary" typeFilterLevel="Full" /> </serverProviders> Microsoft provides three "channels" that are used for remoting connectivity. They are the HTTP, TCP, and IPC channels. The channel that is used is specified via the <channels> element in the config file. TCP channel example: <channel ref=“tcp” port=“6134” secure="true"/> The TCP channel provides encryption and message integrity when the "secure" flag is set to "true" as shown in the above example. If the "secure" flag is not set to "true" for the TCP channel, this is a finding.
If .NET remoting with TCP channel is not used, this fix is Not Applicable. Ensure encryption and message integrity are used for TCP remoting channels. TCP remoting connections are protected via the secure=true configuration parameter. <channels> <channel ref="tcp" secure="true" /> </channels> Include the secure="true" flag in the channel ref parameter of the machine.config and [application name].exe.config file if the [application name].exe.config file exists on the system.
Use regedit to review the following Windows registry keys: For 32-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\ For 64 bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\ HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\ If the “SchUseStrongCrypto” value name does not exist, or is not a REG_DWORD type set to “1”, this is a finding.
Use regedit to access the following registry key. For 32-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\ For 64-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\ HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\ Modify or create the following Windows registry value: SchUseStrongCrypto Set SchUseStrongCrypto to a REG_DWORD value of “1”.