Microsoft DotNet Framework 4.0 Security Technical Implementation Guide
SRG-APP-000175
An XCCDF Group - A logical subset of the XCCDF Benchmark
1 Rule
The Trust Providers Software Publishing State must be set to 0x23C00.
Medium Severity
<VulnDiscussion>Microsoft Windows operating systems provide a feature called Authenticode. Authenticode technology and its underlying code signing mechanisms serve to provide a structure to identify software publishers and ensure that software applications have not been tampered with. Authenticode technology relies on digital certificates and is based on Public Key Cryptography Standards (PKCS) #7 (encrypted key specification), PKCS #10 (certificate request formats), X.509 (certificate specification), and Secure Hash Algorithm (SHA) and MD5 hash algorithms. The manner in which the Authenticode technology validates a certificate and determines what is considered a valid certificate can be modified to meet the mission of the Microsoft Windows system. Each facet of certificate validation is controlled through the bits that make up the hexadecimal value for the Authenticode setting. An improper setting will allow non-valid certificates to be accepted and can put the integrity of the system into jeopardy. The hexadecimal value of 0x23C00 will implement the following certificate enforcement policy:
- Trust the Test Root = FALSE
- Use expiration date on certificates = TRUE
- Check the revocation list = TRUE
- Offline revocation server OK (Individual) = TRUE
- Offline revocation server OK (Commercial) = TRUE
- Java offline revocation server OK (Individual) = TRUE
- Java offline revocation server OK (Commercial) = TRUE
- Invalidate version 1 signed objects = FALSE
- Check the revocation list on Time Stamp Signer = FALSE
- Only trust items found in the Trust DB = FALSE</VulnDiscussion>
<Documentable>false</Documentable>
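The discussion above describes 0x23C00 as a bit field, one bit per validation facet, but does not say which bit controls which policy. The following decoder is an added example, not part of the STIG or of the ATO Pathways catalog. The WTPF_* masks it uses are the Software Publishing state flags from the Windows SDK header wintrust.h (an assumption drawn from that header, not from this page); applying them to 0x23C00 reproduces exactly the ten TRUE/FALSE settings listed in the discussion, and the same decoder reports which policies a non-compliant State value weakens.

```python
"""Decode a WinTrust 'Software Publishing' State DWORD into the ten policy
settings named in the STIG discussion and compare it with the required
value 0x23C00.  Added example; the WTPF_* masks are taken from the Windows
SDK header wintrust.h and are not part of the STIG text."""

REQUIRED_STATE = 0x23C00

# WTPF_* flag values from wintrust.h (Windows SDK).  A set bit means
# "relax this check" for the IGNORE*/OFFLINE* flags, so several policies
# below read TRUE when their bit is clear.
WTPF_TRUSTTEST = 0x00000020
WTPF_IGNOREEXPIRATION = 0x00000100
WTPF_IGNOREREVOKATION = 0x00000200
WTPF_OFFLINEOK_IND = 0x00000400
WTPF_OFFLINEOK_COM = 0x00000800
WTPF_OFFLINEOKNBU_IND = 0x00001000
WTPF_OFFLINEOKNBU_COM = 0x00002000
WTPF_VERIFY_V1_OFF = 0x00010000
WTPF_IGNOREREVOCATIONONTS = 0x00020000
WTPF_ALLOWONLYPERTRUST = 0x00040000

# (policy label as worded in the STIG, mask, True when the label is TRUE
#  while the bit is CLEAR, i.e. the flag's meaning is the negation).
POLICY_BITS = [
    ("Trust the Test Root", WTPF_TRUSTTEST, False),
    ("Use expiration date on certificates", WTPF_IGNOREEXPIRATION, True),
    ("Check the revocation list", WTPF_IGNOREREVOKATION, True),
    ("Offline revocation server OK (Individual)", WTPF_OFFLINEOK_IND, False),
    ("Offline revocation server OK (Commercial)", WTPF_OFFLINEOK_COM, False),
    ("Java offline revocation server OK (Individual)", WTPF_OFFLINEOKNBU_IND, False),
    ("Java offline revocation server OK (Commercial)", WTPF_OFFLINEOKNBU_COM, False),
    ("Invalidate version 1 signed objects", WTPF_VERIFY_V1_OFF, False),
    ("Check the revocation list on Time Stamp Signer", WTPF_IGNOREREVOCATIONONTS, True),
    ("Only trust items found in the Trust DB", WTPF_ALLOWONLYPERTRUST, False),
]


def decode_state(state: int) -> dict:
    """Map a State DWORD to {policy label: bool} using the masks above."""
    result = {}
    for label, mask, inverted in POLICY_BITS:
        bit_set = bool(state & mask)
        result[label] = (not bit_set) if inverted else bit_set
    return result


def find_deviations(state: int, required: int = REQUIRED_STATE) -> list:
    """Return (label, actual, required) for each listed policy whose
    setting differs from the one implied by the required value."""
    actual = decode_state(state)
    wanted = decode_state(required)
    return [(label, actual[label], wanted[label])
            for label in actual if actual[label] != wanted[label]]


def is_compliant(state: int, required: int = REQUIRED_STATE) -> bool:
    """The rule requires the exact value, so compare the whole DWORD:
    a bit outside the ten listed policies also makes the value differ."""
    return state == required


def report(state: int) -> str:
    """Human-readable summary for one observed State value."""
    lines = [f"State = 0x{state:X} -> {'compliant' if is_compliant(state) else 'FINDING'}"]
    for label, actual, wanted in find_deviations(state):
        lines.append(f"  {label}: is {actual}, required {wanted}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample values: the required value and one that additionally
    # trusts the test root and skips the revocation check.
    for sample in (REQUIRED_STATE, 0x23E20):
        print(report(sample))
```

Running the script decodes 0x23C00 into the same ten settings the discussion lists and, for the constructed value 0x23E20, names the two relaxed checks (test root trusted, revocation list not checked) that turn the value into a finding. The observed value itself would come from the system's WinTrust Software Publishing registry data, which this example does not read.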