Microsoft DotNet Framework 4.0 Security Technical Implementation Guide

Description

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: [email protected]

Details

Version / Release: V2R1

Published: 2020-12-11

Updated At: 2021-02-04 18:22:50

Compare/View Releases

Select any two versions of this STIG to compare the individual requirements

Select any old version/release of this STIG to view the previous requirements

Actions

Download

Filter

Findings
Severity Open Not Reviewed Not Applicable Not a Finding
Overall 0 0 0 0
Low 0 0 0 0
Medium 0 0 0 0
High 0 0 0 0
Drop CKL or SCAP (XCCDF) results here.

    Vuln Rule Version CCI Severity Title Description Status Finding Details Comments
    SV-225223r615940_rule APPNET0031 CCI-000185 MEDIUM Digital signatures assigned to strongly named assemblies must be verified. A strong name consists of the assembly's identity, simple text name, version number, and culture information (if provided)—plus a public key and a digital signature. Strong names serve to identify the author of the code. If digital signatures used to
    SV-225224r615940_rule APPNET0046 CCI-000185 MEDIUM The Trust Providers Software Publishing State must be set to 0x23C00. Microsoft Windows operating systems provide a feature called Authenticode. Authenticode technology and its underlying code signing mechanisms serve to provide a structure to identify software publishers and ensure that software applications have not been
    SV-225225r615940_rule APPNET0048 CCI-000185 MEDIUM Developer certificates used with the .NET Publisher Membership Condition must be approved by the IAO. A .Net assembly will satisfy the Publisher Membership Condition if it is signed with a software publisher’s Authenticode X.509v3 digital certificate that can be verified by the Windows operating system as having a chain of trust that leads to a trusted
    SV-225226r615940_rule APPNET0052 CCI-000186 MEDIUM Encryption keys used for the .NET Strong Name Membership Condition must be protected. The Strong Name Membership condition requires that member assemblies be defined with Strong Names. A strong name consists of the assembly's identity, simple text name, version number, and culture information (if provided) — plus a public key and a digi
    SV-225227r615940_rule APPNET0055 CCI-000164 MEDIUM CAS and policy configuration files must be backed up. A successful disaster recovery plan requires that CAS policy and CAS policy configuration files are identified and included in systems disaster backup and recovery events. Documentation regarding the location of system and application specific CAS policy
    SV-225228r615940_rule APPNET0060 CCI-001184 MEDIUM Remoting Services HTTP channels must utilize authentication and encryption. Note: Microsoft recommends using the Windows Communication Framework (WCF) rather than using .Net remoting. New development projects should refrain from using .Net remoting capabilities whenever possible. .NET remoting provides the capability to build wi
    SV-225229r615940_rule APPNET0061 CCI-000366 MEDIUM .Net Framework versions installed on the system must be supported. Unsupported software introduces risks and violates DoD policy. Applications utilizing unsupported versions of .NET introduce substantial risk to the host, network, and the enclave by virtue of the fact they leverage an architecture that is no longer upda
    SV-225230r615940_rule APPNET0062 CCI-002450 MEDIUM The .NET CLR must be configured to use FIPS approved encryption modules. FIPS encryption is configured via .NET configuration files. There are numerous configuration files that affect different aspects of .Net behavior. The .NET config files are described below. Machine Configuration Files: The machine configuration file,
    SV-225231r615940_rule APPNET0063 CCI-000185 MEDIUM .NET must be configured to validate strong names on full-trust assemblies. The "bypassTrustedAppStrongNames" setting specifies whether the bypass feature that avoids validating strong names for full-trust assemblies is enabled. By default the bypass feature is enabled in .Net 4, therefore strong names are not validated for corre
    SV-225232r615940_rule APPNET0064 CCI-000366 LOW .Net applications that invoke NetFx40_LegacySecurityPolicy must apply previous versions of .NET STIG guidance. CAS policy is .NET runtime version-specific. In .NET Framework version 4, CAS policy is disabled by default however; it can be re-enabled by using the NetFx40_LegacySecurityPolicy setting on a per application basis. Caspol.exe is provided by Microsoft to
    SV-225233r615940_rule APPNET0065 CCI-002530 MEDIUM Trust must be established prior to enabling the loading of remote code in .Net 4. In the .NET Framework version 3.5 and earlier versions, if an application assembly loaded code/objects from a remote location, that assembly would run partially trusted with a permissions grant set that depended on the zone in which it was loaded. For exa
    SV-225234r615940_rule APPNET0066 CCI-000366 LOW .NET default proxy settings must be reviewed and approved. The .Net framework can be configured to utilize a different proxy or altogether bypass the default proxy settings in the client's browser. This may lead to the framework using a proxy that is not approved for use. If the proxy is malicious, this could l
    SV-225235r615940_rule APPNET0067 CCI-000130 MEDIUM Event tracing for Windows (ETW) for Common Language Runtime events must be enabled. Event tracing captures information about applications utilizing the .NET CLR and the .NET CLR itself. This includes security oriented information, such as Strong Name and Authenticode verification. Beginning with Windows Vista, ETW is enabled by defaul
    SV-225236r615940_rule APPNET0070 CCI-002530 MEDIUM Software utilizing .Net 4.0 must be identified and relevant access controls configured. With the advent of .Net 4.0, the .Net framework no longer directly configures or enforces security policy for .Net applications. This task is now relegated to the operating system layer and the security protections built-in to .Net application "runtime h
    SV-225237r615940_rule APPNET0071 CCI-001184 MEDIUM Remoting Services TCP channels must utilize authentication and encryption. Note: Microsoft recommends using the Windows Communication Framework (WCF) rather than .Net remoting. New development projects should refrain from using .Net remoting capabilities whenever possible. .NET remoting provides the capability to build widely d
    SV-225238r615940_rule APPNET0075 CCI-001762 MEDIUM Disable TLS RC4 cipher in .Net Use of the RC4 cipher in TLS could allow an attacker to perform man-in-the-middle attacks and recover plaintext from encrypted sessions. Applications that target .Net version 4.x running on multiple Windows versions could be vulnerable to these types of a