StigData/Processed/Windows-All-DotNet4-1.6.xml

<DISASTIG id="MS_Dot_Net_Framework" version="1.6" created="12/10/2018">
  <DocumentRule dscresourcemodule="None">
    <Rule id="V-7055" severity="medium" conversionstatus="pass" title="APPNET0031 No Strong Name Verification" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Use regedit to review the Windows registry key
HKLM\Software\Microsoft\StrongName\Verification.
There should be no assemblies or hash values listed under this registry key.

If there are assemblies or hash values listed in this key, each value represents a distinct application assembly that does not have the application strong name verified.

If any assemblies are listed as omitting strong name verification in a production environment, this is a finding.

If any assemblies are listed as omitting strong name verification in a development or test environment and the IAO has not provided documented approvals, this is a finding.</RawString>
    </Rule>
    <Rule id="V-7069" severity="medium" conversionstatus="pass" title="APPNET0055 CAS and Policy Config File Backups" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Ask the System Administrator if all CAS policy and policy configuration files are included in the system backup. If they are not, this is a finding.

Ask the System Administrator if the policy and configuration files are backed up prior to migration, deployment, and reconfiguration. If they are not, this is a finding.

Ask the System Administrator for documentation that shows CAS Policy configuration files are backed up as part of a disaster recovery plan. If they have no documentation proving the files are backed up, this is a finding.</RawString>
    </Rule>
    <Rule id="V-30935" severity="medium" conversionstatus="pass" title="APPNET0063 Validation of Strong Names" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>If there is documented ISSO risk acceptance for development systems, this is not a finding.
For 32 bit production systems:
Use regedit to examine the “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework” key.
On 64-bit production systems:
Use regedit to examine both the “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework” and “HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework” keys.
If the "AllowStrongNameBypass" registry key does not exist, or if the “DWORD” value is set to “1”, this is a finding.

Documentation must include a complete list of installed .Net applications, application versions, and acknowledgement that ISSO trusts each installed application.

If application versions installed on the system do not match approval documentation, this is a finding.

</RawString>
    </Rule>
    <Rule id="V-30986" severity="medium" conversionstatus="pass" title="APPNET0070 Software protections and controls" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Ask the system administrator to provide documentation that identifies:

- Each .Net 4.0 application they run on the system.
- The .Net runtime host that invokes the application.
- The security measures employed to control application access to system resources or user access to application.

If all .Net applications, runtime hosts and security protections have been documented or if there are no .Net 4.0 applications existing on the system, this is not a finding.

If there is no documentation that identifies the existence of .NET 4.0 applications or the lack thereof, this is a finding.

If the runtime hosts have not been identified, this is a finding.

If the security protections have not been identified, this is a finding.

</RawString>
    </Rule>
  </DocumentRule>
  <ManualRule dscresourcemodule="None">
    <Rule id="V-7061" severity="medium" conversionstatus="pass" title="APPNET0046 Test Root certificates" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>If the system or application being reviewed is SIPR based, this finding is NA.

This check must be performed for each user on the system.

Use regedit to locate "HKEY_USER\[UNIQUE USER SID VALUE]\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State".

If the State value for any user is not set to the hexadecimal value of 0x23C00, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-7063" severity="medium" conversionstatus="pass" title="APPNET0048 Publisher Membership Condition" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Caspol.exe is a Microsoft tool used for working with .Net policy. Use caspol.exe to list the code groups and any publisher membership conditions.

The location of the caspol utility is dependent upon the system architecture of the system running .Net.

For 32 bit systems, caspol.exe is located at %SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319.
 
For 64 bit systems, caspol.exe is located at %SYSTEMROOT%\Microsoft.NET\Framework64\v4.0.30319.

Example:

cd %SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319

To check code groups for the machine, run the following command.

caspol.exe -m -lg

Sample Results:
Microsoft (R) .NET Framework CasPol 4.0.30319.1
Copyright (c) Microsoft Corporation. All rights reserved.

Policy change prompt is ON

Level = Machine

Code Groups:

1. All code: Nothing
   1.1. Zone - MyComputer: FullTrust (LevelFinal)
      1.1.1. StrongName - 002400000480000094000000060200000024000052534131000400000100010007D1FA57C4AED9F0A32E84AA0FAEFD0DE9E8FD6AEC8F87FB03766C834C99921EB23BE79AD9D5DCC1DD9AD236132102900B723CF980957FC4E177108FC607774F29E8320E92EA05ECE4E821C0A5EFE8F1645C4C0C93C1AB99285D622CAA652C1DFAD63D745D6F2DE5F17E5EAF0FC4963D261C8A12436518206DC093344D5AD293: FullTrust
      1.1.2. StrongName - 00000000000000000400000000000000: FullTrust
   1.2. Zone - Intranet: LocalIntranet
      1.2.1. All code: Same site Web
      1.2.2. All code: Same directory FileIO - 'Read, PathDiscovery'
   1.3. Zone - Internet: Internet
      1.3.1. All code: Same site Web
   1.4. Zone - Untrusted: Nothing
   1.5. (First Match) Zone - Trusted: Internet
      1.5.1. All code: Same site Web
   1.6. Publisher - 30818902818100E47B359ACC061D70C237B572FA276C9854CFABD469DFB74E77D026630BEE2A0C2F8170A823AE69FDEB65704D7FD446DEFEF1F6BA12B6ACBDB1BFA7B9B595AB9A40636467CFF7C73F198B53A9A7CF177F6E7896EBC591DD3003C5992A266C0AD9FBEE4E2A056BE7F7ED154D806F7965F83B0AED616C192C6416CFCB46FC2F5CFD0203010001: FullTrust
Success

Section 1.6 above indicates the presence of a publishers key that meets the Publishers Membership Condition and is also given full trust.

If the Publisher Membership Condition is used on a non-default Code Group and the use of that publisher's certificate is not documented and approved by the IAO, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-7067" severity="medium" conversionstatus="pass" title="APPNET0052 Strong Name Membership Condition" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>If the application is a COTS product, the requirement is Not Applicable (NA).

Caspol.exe is a Microsoft tool used for working with .Net policy. Use caspol.exe to list the code groups and any publisher membership conditions.

The location of the caspol utility is dependent upon the system architecture of the system running .Net.

For 32 bit systems, caspol.exe is located at %SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319.
 
For 64 bit systems, caspol.exe is located at %SYSTEMROOT%\Microsoft.NET\Framework64\v4.0.30319.

Example:

cd %SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319

To check code groups, run the following command:

caspol.exe -all -lg

Sample response:
Microsoft (R) .NET Framework CasPol 4.0.30319.1

Security is ON
Execution checking is ON
Policy change prompt is ON

Level = Machine

Code Groups:

1. All code: Nothing
   1.1. Zone - MyComputer: FullTrust (LevelFinal)
      1.1.1. StrongName - 002400000480000094000000060200000024000052534131000400000100010007D1FA57C4AED9F0A32E84AA0FAEFD0DE9E8FD6AEC8F87FB03766C834C99921EB23BE79AD9D5DCC1DD9AD236132102900B723CF980957FC4E177108FC607774F29E8320E92EA05ECE4E821C0A5EFE8F1645C4C0C93C1AB99285D622CAA652C1DFAD63D745D6F2DE5F17E5EAF0FC4963D261C8A12436518206DC093344D5AD293: FullTrust
      1.1.2. StrongName - 00000000000000000400000000000000: FullTrust
   1.2. Zone - Intranet: LocalIntranet
      1.2.1. All code: Same site Web
      1.2.2. All code: Same directory FileIO - 'Read, PathDiscovery'
   1.3. Zone - Internet: Internet
      1.3.1. All code: Same site Web
   1.4. Zone - Untrusted: Nothing
   1.5. (First Match) Zone - Trusted: Internet
      1.5.1. All code: Same site Web
   1.6. Publisher - 30818902818100E47B359ACC061D70C237B572FA276C9854CFABD469DFB74E77D026630BEE2A0C2F8170A823AE69FDEB65704D7FD446DEFEF1F6BA12B6ACBDB1BFA7B9B595AB9A40636467CFF7C73F198B53A9A7CF177F6E7896EBC591DD3003C5992A266C0AD9FBEE4E2A056BE7F7ED154D806F7965F83B0AED616C192C6416CFCB46FC2F5CFD0203010001: FullTrust
Success

An assembly will satisfy the StrongName Membership Condition if its metadata contains the strongly identifying data associated with the specified strong name. At the least, this means it has been digitally signed with the private key associated with the public key recorded in the policy.

The presence of the encryption key values in the StrongName field indicates the use of StrongName Membership Condition.

If a Strong Name Membership Condition is assigned to a non-default Code Group the private key must be adequately protected by the software developer or the entity responsible for signing the assemblies.

Ask the Systems Programmer how the private keys are protected.

Private keys are simply values stored as strings of data. Keys can be stored in files on the file system or in a centralized data repository.

Adequate protection methods include, but are not limited to:

 - utilizing centralized key management;
 - using strict file permissions to limit access; and
 - tying strong pass phrases to the key.

If the private key used to sign the assembly is not adequately protected, this is a finding.</RawString>
    </Rule>
    <Rule id="V-7070" severity="medium" conversionstatus="pass" title="APPNET0060 Remoting Services Auth and Encryption HTTP Channel." dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Check the machine.config and the [application executable name].exe.config configuration files for the typefilterlevel="Full" configuration parameter.

The machine.config file is contained in the folder
%SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319 or
%SYSTEMROOT%\Microsoft.NET\Framework64\v4.0.30319.

Microsoft specifies locating the application config file in the same folder as the application executable (.exe) file. However, the developer does have the capability to specify a different location when the application is compiled. Therefore, if the file is not found in the application home folder, a search of the system is required. If the [application name].exe.config file is not found on the system, then only a check of the machine.config file is required.

Sample machine/application config file:

&lt;application name=“remoteserver”&gt;
  &lt;service&gt;
    &lt;activated type=“sample.my.object, myobjects”/&gt;
  &lt;/service&gt;
  &lt;channels&gt;
    &lt;channel ref=“http server” port=“80”/&gt;
  &lt;/channels&gt;
&lt;/application&gt;

&lt;serverProviders&gt;
  &lt;provider ref="wsdl" /&gt;
  &lt;formatter ref="soap" typeFilterLevel="Full" /&gt;
  &lt;formatter ref="binary" typeFilterLevel="Full" /&gt;
&lt;/serverProviders&gt;

Microsoft provides 3 "channels" that are used for remoting connectivity. They are the HTTP, TCP and IPC channels. The channel that is used is specified via the &lt;channels&gt; element in the config file.

HTTP channel example:
&lt;channel ref=“http server” port=“80”/&gt;

The HTTP Channel only supports encryption and message integrity when the remote object is hosted in Internet Information Services (IIS) using SSL.

The above example shows the well known SSL port of 443 is not being used.

If encryption and message integrity are not used for the HTTP remoting channel when the ServerProvider element typefilterlevel=”Full”, this is a finding.

</RawString>
    </Rule>
    <Rule id="V-18395" severity="medium" conversionstatus="pass" title="APPNET0061 Unsupported .Net Framework Versions" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Determine which versions of the .NET Framework are installed by opening the directory %systemroot%\Microsoft.NET.

The folder named "%systemroot%\Microsoft.NET\Framework" contains .NET files for 32 bit systems. The folder named "%systemroot%\Microsoft.NET\Framework64" contains .NET files for 64 bit systems. 64 bit systems will have both the 32 bit and the 64 bit folders while 32 bit systems do not have a Framework64 folder.

Within each of the aforementioned folders are the individual folder names that contain the corresponding versions of the .NET Framework:

v4.0.30319
v3.5
v3.0
v2.0.50727
v1.1.4322
v1.0.3705

Search for all the Mscorlib.dll files in the %systemroot%\Microsoft.NET\Framework folder and the %systemroot%\Microsoft.NET\Framework64 folder if the folder exists. Click on each of the files, view properties, and click version tab to determine the version installed. If there is no Mscorlib.dll, there is no installed version of .Net Framework in that directory.

More specific information on determining versions of .Net Framework installed can be found at the following link. http://support.microsoft.com/kb/318785

Verify extended support is available for the installed versions of .Net Framework.

Verify the .Net Framework support dates with Microsoft Product Lifecycle Search link.
http://support.microsoft.com/lifecycle/search/?sort=PN&amp;alpha=.NET+Framework

Beginning with .NET 3.5 SP1, the .NET Framework is considered a Component of the Windows OS. Components follow the Support Lifecycle policy of their parent product or platform.
 
If any versions of the .Net Framework are installed and support is no longer available, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-30926" severity="medium" conversionstatus="pass" title="APPNET0062 Administering FIPS Policy" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>
Examine the .NET CLR configuration files from the vulnerability discussion to find the runtime element and then the "enforceFIPSPolicy" element.

Example:
&lt;configuration&gt;
  &lt;runtime&gt;
                &lt;enforceFIPSPolicy enabled="true|false" /&gt;
  &lt;/runtime&gt;
&lt;/configuration&gt;

By default, the .NET "enforceFIPSPolicy" element is set to "true".

If the "enforceFIPSPolicy" element does not exist within the "runtime" element of the CLR configuration, this is not a finding.

If the "enforceFIPSPolicy" element exists and is set to "false", and the IAO has not accepted the risk and documented the risk acceptance, this is a finding.

</RawString>
    </Rule>
    <Rule id="V-30937" severity="low" conversionstatus="pass" title="APPNET0064 Legacy Security Policy" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Open Windows explorer and search for all *.exe.config files. This requirement does not apply to the caspol.exe assembly or other assemblies provided with the Windows OS or the Windows Secure Host Baseline (SHB).

Search each file for NetFx40_LegacySecurityPolicy enabled="true".

If the .NET application configuration file utilizes the legacy policy element and .NET STIG guidance that covers these legacy versions has not been applied, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-30968" severity="medium" conversionstatus="pass" title="APPNET0065 Load From Remote Sources" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Open Windows explorer and search for *.exe.config.

Search each config file found for the "loadFromRemoteSources" element.

If the loadFromRemoteSources element is enabled
("loadFromRemoteSources enabled = true"), and the remotely loaded application is not run in a sandboxed environment, or if OS based software controls, such as AppLocker or Software Security Policies, are not utilized, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-30972" severity="low" conversionstatus="pass" title="APPNET0066 .Net Default Proxy Settings" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Open Windows explorer and search for all "*.exe.config" and "machine.config" files.

Search each file for the "defaultProxy" element.

&lt;defaultProxy
  enabled="true|false"
  useDefaultCredentials="true|false"
  &lt;bypasslist&gt; … &lt;/bypasslist&gt;
  &lt;proxy&gt; … &lt;/proxy&gt;
  &lt;module&gt; … &lt;/module&gt;
/&gt;

If the "defaultProxy" setting "enabled=false" or if the "bypasslist", "module", or "proxy" child elements have configuration entries and there are no documented approvals from the IAO, this is a finding.

If the "defaultProxy" element is empty then the framework is using default browser settings, this is not a finding.

</RawString>
    </Rule>
    <Rule id="V-31026" severity="medium" conversionstatus="pass" title="APPNET0067 .NET Event Tracing for Windows." dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Open Windows explorer and search for all .NET config files including application config files (*.exe.config)

NOTE:
Beginning with Windows Vista and Windows Server 2008, ETW Tracing is enabled by default and the "etwEnable" setting is not required in order for Event Tracing to be enabled. An etwEnable setting of "true" IS required in earlier versions of Windows as ETW is disabled by default.

Examine the configuration settings for
&lt;etwEnable enabled="false" /&gt;.

If the "etwEnable" element is set to "true", this is not a finding.

If the "etwEnable" element is set to "false" and documented approvals by the IAO are not provided, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-32025" severity="medium" conversionstatus="pass" title="APPNET0071 Remoting Services auth and encryption TCP channel" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>
Check the machine.config and the [application executable name].exe.config configuration files for the typefilterlevel="Full" configuration parameter.

The machine.config file is contained in the folder
%SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319 or
%SYSTEMROOT%\Microsoft.NET\Framework64\v4.0.30319.

Microsoft specifies locating the application config file in the same folder as the application executable (.exe) file. However, the developer does have the capability to specify a different location when the application is compiled. Therefore, if the config file is not found in the application home folder, a search of the system is required. If the [application name].exe.config file is not found on the system, then only a check of the machine.config file is required.

Sample machine/application config file:

&lt;application name=“remoteserver”&gt;
  &lt;service&gt;
    &lt;activated type=“sample.my.object, myobjects”/&gt;
  &lt;/service&gt;
  &lt;channels&gt;
    &lt;channel ref=“tcp server” port=“6134”/&gt;
  &lt;/channels&gt;
&lt;/application&gt;

&lt;serverProviders&gt;
  &lt;provider ref="wsdl" /&gt;
  &lt;formatter ref="soap" typeFilterLevel="Full" /&gt;
  &lt;formatter ref="binary" typeFilterLevel="Full" /&gt;
&lt;/serverProviders&gt;

Microsoft provides 3 "channels" that are used for remoting connectivity. They are the HTTP, TCP, and IPC channels. The channel that is used is specified via the &lt;channels&gt; element in the config file.

TCP channel example:
&lt;channel ref=“tcp” port=“6134” secure="true"/&gt;

The TCP Channel supports encryption and message integrity when the 'secure' flag is set to true as shown in the above example.

If encryption and message integrity are not used for the TCP remoting channel when the ServerProvider element typefilterlevel=”Full”, this is a finding.

</RawString>
    </Rule>
    <Rule id="V-81495" severity="medium" conversionstatus="pass" title="APPNET0075 Disable TLS RC4 cipher in .Net" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Use regedit to review the following Windows registry keys:

For 32-bit applications on 32-bit systems and 64-bit applications on x64-based systems: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SchUseStrongCrypto

For 32-bit applications on x64-based systems:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\SchUseStrongCrypto

If the “SchUseStrongCrypto” registry key does not exist, or is not a REG_DWORD value set to “1”, this is a finding.

</RawString>
    </Rule>
  </ManualRule>
</DISASTIG>