Microsoft DotNet Framework 4.0 Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
SRG-APP-000175
<GroupDescription></GroupDescription>Group -
SRG-APP-000175
<GroupDescription></GroupDescription>Group -
Digital signatures assigned to strongly named assemblies must be verified.
<VulnDiscussion>A strong name consists of the assembly's identity, simple text name, version number, and culture information (if provided)—pl...Rule Medium Severity -
SRG-APP-000175
<GroupDescription></GroupDescription>Group -
The Trust Providers Software Publishing State must be set to 0x23C00.
<VulnDiscussion>Microsoft Windows operating systems provide a feature called Authenticode. Authenticode technology and its underlying code s...Rule Medium Severity -
Developer certificates used with the .NET Publisher Membership Condition must be approved by the ISSO.
<VulnDiscussion>A .Net assembly will satisfy the Publisher Membership Condition if it is signed with a software publisher’s Authenticode X.50...Rule Medium Severity -
SRG-APP-000176
<GroupDescription></GroupDescription>Group -
Encryption keys used for the .NET Strong Name Membership Condition must be protected.
<VulnDiscussion>The Strong Name Membership condition requires that member assemblies be defined with Strong Names. A strong name consists of ...Rule Medium Severity -
SRG-APP-000120
<GroupDescription></GroupDescription>Group -
CAS and policy configuration files must be backed up.
<VulnDiscussion>A successful disaster recovery plan requires that CAS policy and CAS policy configuration files are identified and included i...Rule Medium Severity -
SRG-APP-000219
<GroupDescription></GroupDescription>Group -
Remoting Services HTTP channels must utilize authentication and encryption.
<VulnDiscussion>Note: Microsoft recommends using the Windows Communication Framework (WCF) rather than using .Net remoting. New development p...Rule Medium Severity -
SRG-APP-000516
<GroupDescription></GroupDescription>Group -
.Net Framework versions installed on the system must be supported.
<VulnDiscussion>Unsupported software introduces risks and violates DoD policy. Applications utilizing unsupported versions of .NET introduce...Rule Medium Severity -
SRG-APP-000635
<GroupDescription></GroupDescription>Group -
The .NET CLR must be configured to use FIPS approved encryption modules.
<VulnDiscussion>FIPS encryption is configured via .NET configuration files. There are numerous configuration files that affect different asp...Rule Medium Severity -
SRG-APP-000175
<GroupDescription></GroupDescription>Group -
.NET must be configured to validate strong names on full-trust assemblies.
<VulnDiscussion>The "bypassTrustedAppStrongNames" setting specifies whether the bypass feature that avoids validating strong names for full-t...Rule Medium Severity -
SRG-APP-000516
<GroupDescription></GroupDescription>Group -
.Net applications that invoke NetFx40_LegacySecurityPolicy must apply previous versions of .NET STIG guidance.
<VulnDiscussion>CAS policy is .NET runtime version-specific. In .NET Framework version 4, CAS policy is disabled by default however; it can ...Rule Low Severity -
SRG-APP-000431
<GroupDescription></GroupDescription>Group -
Trust must be established prior to enabling the loading of remote code in .Net 4.
<VulnDiscussion>In the .NET Framework version 3.5 and earlier versions, if an application assembly loaded code/objects from a remote location...Rule Medium Severity -
SRG-APP-000516
<GroupDescription></GroupDescription>Group -
.NET default proxy settings must be reviewed and approved.
<VulnDiscussion>The .Net framework can be configured to utilize a different proxy or altogether bypass the default proxy settings in the clie...Rule Low Severity -
SRG-APP-000095
<GroupDescription></GroupDescription>Group -
Event tracing for Windows (ETW) for Common Language Runtime events must be enabled.
<VulnDiscussion>Event tracing captures information about applications utilizing the .NET CLR and the .NET CLR itself. This includes security ...Rule Medium Severity -
SRG-APP-000431
<GroupDescription></GroupDescription>Group -
Software utilizing .Net 4.0 must be identified and relevant access controls configured.
<VulnDiscussion>With the advent of .Net 4.0, the .Net framework no longer directly configures or enforces security policy for .Net applicatio...Rule Medium Severity -
SRG-APP-000219
<GroupDescription></GroupDescription>Group -
Remoting Services TCP channels must utilize authentication and encryption.
<VulnDiscussion>Note: Microsoft recommends using the Windows Communication Framework (WCF) rather than .Net remoting. New development project...Rule Medium Severity -
SRG-APP-000383
<GroupDescription></GroupDescription>Group -
Disable TLS RC4 cipher in .Net
<VulnDiscussion>Use of the RC4 cipher in TLS could allow an attacker to perform man-in-the-middle attacks and recover plaintext from encrypte...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.