diff --git a/CHANGELOG.md b/CHANGELOG.md index 5fe2992c0..65f4d74be 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,8 +2,9 @@ ## [Unreleased] -* Update Powerstig to parse\apply U_MS_SQL_Server_2016_Instance_V2R11_Manual_STIG [#1321](https://github.com/microsoft/PowerStig/issues/1321) -* Update Powerstig to parse\apply U_CAN_Ubuntu_18-04_LTS_V2R13_STIG [#1319](https://github.com/microsoft/PowerStig/issues/1319) +* Update PowerSTIG to Parse/Apply Microsoft .NET 4 V2R2 [#1325](https://github.com/microsoft/PowerStig/issues/1325) +* Update Powerstig to Parse/Apply U_MS_SQL_Server_2016_Instance_V2R11_Manual_STIG [#1321](https://github.com/microsoft/PowerStig/issues/1321) +* Update Powerstig to Parse/Apply U_CAN_Ubuntu_18-04_LTS_V2R13_STIG [#1319](https://github.com/microsoft/PowerStig/issues/1319) * Fix for Invalid value for V-221588 in default Chrome organizational settings [#1329](https://github.com/microsoft/PowerStig/issues/1329) * Update PowerSTIG to Parse/Apply U_RHEL_7_V3R14_STIG [#1315](https://github.com/microsoft/PowerStig/issues/1315) diff --git a/source/StigData/Archive/DotNet/U_MS_DotNet_Framework_4-0_STIG_V2R1_Manual-xccdf.log b/source/StigData/Archive/DotNet/U_MS_DotNet_Framework_4-0_STIG_V2R3_Manual-xccdf.log similarity index 100% rename from source/StigData/Archive/DotNet/U_MS_DotNet_Framework_4-0_STIG_V2R1_Manual-xccdf.log rename to source/StigData/Archive/DotNet/U_MS_DotNet_Framework_4-0_STIG_V2R3_Manual-xccdf.log diff --git a/source/StigData/Archive/DotNet/U_MS_DotNet_Framework_4-0_STIG_V2R1_Manual-xccdf.xml b/source/StigData/Archive/DotNet/U_MS_DotNet_Framework_4-0_STIG_V2R3_Manual-xccdf.xml similarity index 85% rename from source/StigData/Archive/DotNet/U_MS_DotNet_Framework_4-0_STIG_V2R1_Manual-xccdf.xml rename to source/StigData/Archive/DotNet/U_MS_DotNet_Framework_4-0_STIG_V2R3_Manual-xccdf.xml index 7e0694e08..bbd88eca9 100644 --- a/source/StigData/Archive/DotNet/U_MS_DotNet_Framework_4-0_STIG_V2R1_Manual-xccdf.xml 
+++ b/source/StigData/Archive/DotNet/U_MS_DotNet_Framework_4-0_STIG_V2R3_Manual-xccdf.xml 
@@ -1,4 +1,4 @@ -acceptedMicrosoft DotNet Framework 4.0 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 1 Benchmark Date: 22 Jan 20213.2.1.416661.10.02I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-APP-000175<GroupDescription></GroupDescription>APPNET0031Digital signatures assigned to strongly named assemblies must be verified.<VulnDiscussion>A strong name consists of the assembly's identity, simple text name, version number, and culture information (if provided)—plus a public key and a digital signature. Strong names serve to identify the author of the code. If digital signatures used to sign strong name assemblies are not verified, any self signed code can be impersonated. This can lead to a loss of system integrity. 
</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft DotNet Framework 4-0DISADPMS TargetMicrosoft DotNet Framework 4-04213SV-7438V-7055CCI-000185Use regedit to remove the values stored in Windows registry key HKLM\Software\Microsoft\StrongName\Verification. There should be no assemblies or hash values listed under this registry key. +acceptedMicrosoft DotNet Framework 4.0 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. 
Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 3 Benchmark Date: 24 Jan 20243.4.1.229161.10.02I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-APP-000175<GroupDescription></GroupDescription>APPNET0031Digital signatures assigned to strongly named assemblies must be verified.<VulnDiscussion>A strong name consists of the assembly's identity, simple text name, version number, and culture information (if provided)—plus a public key and a digital signature. Strong names serve to identify the author of the code. If digital signatures used to sign strong name assemblies are not verified, any self signed code can be impersonated. This can lead to a loss of system integrity. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft DotNet Framework 4-0DISADPMS TargetMicrosoft DotNet Framework 4-04213SV-7438V-7055CCI-000185Use regedit to remove the values stored in Windows registry key HKLM\Software\Microsoft\StrongName\Verification. 
There should be no assemblies or hash values listed under this registry key. All assemblies must require strong name verification in a production environment. 
@@ -11,7 +11,7 @@ If there are assemblies or hash values listed in this key, each value represents If any assemblies are listed as omitting strong name verification in a production environment, this is a finding. -If any assemblies are listed as omitting strong name verification in a development or test environment and the IAO has not provided documented approvals, this is a finding.SRG-APP-000175<GroupDescription></GroupDescription>APPNET0046The Trust Providers Software Publishing State must be set to 0x23C00.<VulnDiscussion>Microsoft Windows operating systems provide a feature called Authenticode. Authenticode technology and its underlying code signing mechanisms serve to provide a structure to identify software publishers and ensure that software applications have not been tampered with. Authenticode technology relies on digital certificates and is based on Public Key Cryptography Standards (PKCS) #7 (encrypted key specification), PKCS #10 (certificate request formats), X.509 (certificate specification), and Secure Hash Algorithm (SHA) and MD5 hash algorithms. +If any assemblies are listed as omitting strong name verification in a development or test environment and the IAO has not provided documented approvals, this is a finding.SRG-APP-000175<GroupDescription></GroupDescription>APPNET0046The Trust Providers Software Publishing State must be set to 0x23C00.<VulnDiscussion>Microsoft Windows operating systems provide a feature called Authenticode. Authenticode technology and its underlying code signing mechanisms serve to provide a structure to identify software publishers and ensure that software applications have not been tampered with. Authenticode technology relies on digital certificates and is based on Public Key Cryptography Standards (PKCS) #7 (encrypted key specification), PKCS #10 (certificate request formats), X.509 (certificate specification), and Secure Hash Algorithm (SHA) and MD5 hash algorithms. 
The manner in which the Authenticode technology validates a certificate and determines what is considered a valid certificate can be modified to meet the mission of the Microsoft Windows system. Each facade of certificate validation is controlled through the bits that makeup the hexadecimal value for the Authenticode setting. An improper setting will allow non-valid certificates to be accepted and can put the integrity of the system into jeopardy. 
@@ -35,21 +35,27 @@ This check must be performed for each user on the system. Use regedit to locate "HKEY_USER\[UNIQUE USER SID VALUE]\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State". If the State value for any user is not set to the hexadecimal value of 0x23C00, this is a finding. -SRG-APP-000175<GroupDescription></GroupDescription>APPNET0048Developer certificates used with the .NET Publisher Membership Condition must be approved by the IAO.<VulnDiscussion>A .Net assembly will satisfy the Publisher Membership Condition if it is signed with a software publisher’s Authenticode X.509v3 digital certificate that can be verified by the Windows operating system as having a chain of trust that leads to a trusted root certificate stored in the user’s certificate store. The Publisher Membership Condition can be used to identify an organization, developer, vendor, or other entity as the ultimate source of the assembly, even if the code itself was obtained from a third party, such as a mirror site. Access to system resources, such as file systems or printers, may then be granted to the assembly based on the trust relationship with the identified entity. +SRG-APP-000175<GroupDescription></GroupDescription>APPNET0048Developer certificates used with the .NET Publisher Membership Condition must be approved by the ISSO.<VulnDiscussion>A .Net assembly will satisfy the Publisher Membership Condition if it is signed with a software publisher’s Authenticode X.509v3 digital certificate that can be verified by the Windows operating system as having a chain of trust that leads to a trusted root certificate stored in the user’s certificate store. The Publisher Membership Condition can be used to identify an organization, developer, vendor, or other entity as the ultimate source of the assembly, even if the code itself was obtained from a third party, such as a mirror site. 
Access to system resources, such as file systems or printers, may then be granted to the assembly based on the trust relationship with the identified entity. -Certificates used to sign assemblies so the Publisher Member Condition may be applied must originate from a trusted source. Using a certificate that is not from a trusted source could potentially violate system integrity and confidentiality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft DotNet Framework 4-0DISADPMS TargetMicrosoft DotNet Framework 4-04213SV-7446V-7063CCI-000185Trust must be established when utilizing Publishers Membership Condition. All publishers' certificates must have documented approvals from the IAO.Caspol.exe is a Microsoft tool used for working with .Net policy. Use caspol.exe to list the code groups and any publisher membership conditions. +Certificates used to sign assemblies so the Publisher Member Condition may be applied must originate from a trusted source. Using a certificate that is not from a trusted source could potentially violate system integrity and confidentiality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft DotNet Framework 4-0DISADPMS TargetMicrosoft DotNet Framework 4-04213SV-7446V-7063CCI-000185Trust must be established when utilizing Publishers Membership Condition. 
All publisher's certificates must have documented approvals from the ISSO.The infrastructure to enable Code Access Security (CAS) exists only in .NET Framework 2.x-4.x. -The location of the caspol utility is dependent upon the system architecture of the system running .Net. +This requirement is Not Applicable (NA) for .NET Framework greater than 4.x. + +(Note: The infrastructure is deprecated and is not receiving servicing or security fixes.) + +Caspol.exe is a Microsoft tool used for working with .Net policy. Use caspol.exe to list the code groups and any publisher membership conditions. + +The location of the caspol utility is dependent upon the system architecture of the system running .Net. For 32 bit systems, caspol.exe is located at %SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319. -For 64 bit systems, caspol.exe is located at %SYSTEMROOT%\Microsoft.NET\Framework64\v4.0.30319. +For 64 bit systems, caspol.exe is located at %SYSTEMROOT%\Microsoft.NET\Framework64\v4.0.30319. Example: cd %SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319 -To check code groups for the machine, run the following command. +To check code groups for the machine, run the following command: caspol.exe -m -lg 
@@ -78,28 +84,32 @@ Code Groups: 1.6. Publisher - 30818902818100E47B359ACC061D70C237B572FA276C9854CFABD469DFB74E77D026630BEE2A0C2F8170A823AE69FDEB65704D7FD446DEFEF1F6BA12B6ACBDB1BFA7B9B595AB9A40636467CFF7C73F198B53A9A7CF177F6E7896EBC591DD3003C5992A266C0AD9FBEE4E2A056BE7F7ED154D806F7965F83B0AED616C192C6416CFCB46FC2F5CFD0203010001: FullTrust Success -Section 1.6 above indicates the presence of a publishers key that meets the Publishers Membership Condition and is also given full trust. +Section 1.6 above indicates the presence of a publisher's key that meets the Publisher's Membership Condition and is also given full trust. -If the Publisher Membership Condition is used on a non-default Code Group and the use of that publisher's certificate is not documented and approved by the IAO, this is a finding. -SRG-APP-000176<GroupDescription></GroupDescription>APPNET0052Encryption keys used for the .NET Strong Name Membership Condition must be protected.<VulnDiscussion>The Strong Name Membership condition requires that member assemblies be defined with Strong Names. A strong name consists of the assembly's identity, simple text name, version number, and culture information (if provided) — plus a public key and a digital signature. If assemblies do not have a strong name assigned, the assembly cannot be unique and the author of the code cannot be uniquely identified. In order to create the strong name, the developer must use a cryptographic key pair to sign the assembly. If the developer does not protect the key, the key can be stolen and used to sign any application, including malware applications. 
This could adversely affect application integrity and confidentiality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft DotNet Framework 4-0DISADPMS TargetMicrosoft DotNet Framework 4-04213SV-7450V-7067CCI-000186Ask the Systems Programmer how the private keys used to sign the assembly are protected. +If the Publisher Membership Condition is used on a nondefault Code Group and the use of that publisher's certificate is not documented and approved by the ISSO, this is a finding.SRG-APP-000176<GroupDescription></GroupDescription>APPNET0052Encryption keys used for the .NET Strong Name Membership Condition must be protected.<VulnDiscussion>The Strong Name Membership condition requires that member assemblies be defined with Strong Names. A strong name consists of the assembly's identity, simple text name, version number, and culture information (if provided) — plus a public key and a digital signature. If assemblies do not have a strong name assigned, the assembly cannot be unique and the author of the code cannot be uniquely identified. In order to create the strong name, the developer must use a cryptographic key pair to sign the assembly. If the developer does not protect the key, the key can be stolen and used to sign any application, including malware applications. 
This could adversely affect application integrity and confidentiality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft DotNet Framework 4-0DISADPMS TargetMicrosoft DotNet Framework 4-04213SV-7450V-7067CCI-000186Ask the Systems Programmer how the private keys used to sign the assembly are protected. -Private keys are simply values stored as strings of data. Keys can be stored in files on the file system or in a centralized data repository. +Private keys are simply values stored as strings of data. Keys can be stored in files on the file system or in a centralized data repository. Adequate protection methods include, but are not limited to: +- utilizing centralized key management; +- using strict file permissions to limit access; and +- tying strong pass phrases to the key. + +The private key(s) used to sign the assembly must be protected. Utilize centralized key management or strict file permissions along with strong pass phrases and/or other well-established industry practices for managing and controlling access to private keys.If the application is a COTS product, this requirement is Not Applicable (NA). + +The infrastructure to enable Code Access Security (CAS) exists only in .NET Framework 2.x-4.x. - - utilizing centralized key management; - - using strict file permissions to limit access; and - - tying strong pass phrases to the key. +The requirement is Not Applicable (NA) for .NET Framework greater than 4.x. -The private key(s) used to sign the assembly must be protected. 
Utilize centralized key management or strict file permissions along with strong pass phrases and/or other well established industry practices for managing and controlling access to private keys.If the application is a COTS product, the requirement is Not Applicable (NA). +(Note: The infrastructure is deprecated and is not receiving servicing or security fixes.) -Caspol.exe is a Microsoft tool used for working with .Net policy. Use caspol.exe to list the code groups and any publisher membership conditions. +Caspol.exe is a Microsoft tool used for working with .Net policy. Use caspol.exe to list the code groups and any publisher membership conditions. -The location of the caspol utility is dependent upon the system architecture of the system running .Net. +The location of the caspol utility is dependent upon the system architecture of the system running .Net. For 32 bit systems, caspol.exe is located at %SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319. -For 64 bit systems, caspol.exe is located at %SYSTEMROOT%\Microsoft.NET\Framework64\v4.0.30319. +For 64 bit systems, caspol.exe is located at %SYSTEMROOT%\Microsoft.NET\Framework64\v4.0.30319. Example: 
@@ -135,9 +145,9 @@ Code Groups: 1.6. Publisher - 30818902818100E47B359ACC061D70C237B572FA276C9854CFABD469DFB74E77D026630BEE2A0C2F8170A823AE69FDEB65704D7FD446DEFEF1F6BA12B6ACBDB1BFA7B9B595AB9A40636467CFF7C73F198B53A9A7CF177F6E7896EBC591DD3003C5992A266C0AD9FBEE4E2A056BE7F7ED154D806F7965F83B0AED616C192C6416CFCB46FC2F5CFD0203010001: FullTrust Success -An assembly will satisfy the StrongName Membership Condition if its metadata contains the strongly identifying data associated with the specified strong name. At the least, this means it has been digitally signed with the private key associated with the public key recorded in the policy. +An assembly will satisfy the StrongNameMembershipCondition if its metadata contains the strongly identifying data associated with the specified strong name. At the least, this means it has been digitally signed with the private key associated with the public key recorded in the policy. -The presence of the encryption key values in the StrongName field indicates the use of StrongName Membership Condition. +The presence of the encryption key values in the StrongName field indicates the use of StrongNameMembershipCondition. If a Strong Name Membership Condition is assigned to a non-default Code Group the private key must be adequately protected by the software developer or the entity responsible for signing the assemblies. 
@@ -146,20 +156,25 @@ Ask the Systems Programmer how the private keys are protected. Private keys are simply values stored as strings of data. Keys can be stored in files on the file system or in a centralized data repository. Adequate protection methods include, but are not limited to: +- utilizing centralized key management; +- using strict file permissions to limit access; and +- tying strong pass phrases to the key. - - utilizing centralized key management; - - using strict file permissions to limit access; and - - tying strong pass phrases to the key. - -If the private key used to sign the assembly is not adequately protected, this is a finding.SRG-APP-000120<GroupDescription></GroupDescription>APPNET0055CAS and policy configuration files must be backed up.<VulnDiscussion>A successful disaster recovery plan requires that CAS policy and CAS policy configuration files are identified and included in systems disaster backup and recovery events. Documentation regarding the location of system and application specific CAS policy configuration files and the frequency in which backups occur is required. If these files are not identified and the information is not documented, there is the potential that critical application configuration files may not be included in disaster recovery events which could lead to an availability risk.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft DotNet Framework 4-0DISADPMS TargetMicrosoft DotNet Framework 4-04213SV-7452V-7069CCI-000164All CAS policy and policy configuration files must be included in the system backup. 
+If the private key used to sign the assembly is not adequately protected, this is a finding.SRG-APP-000120<GroupDescription></GroupDescription>APPNET0055CAS and policy configuration files must be backed up.<VulnDiscussion>A successful disaster recovery plan requires that CAS policy and CAS policy configuration files are identified and included in systems disaster backup and recovery events. Documentation regarding the location of system and application specific CAS policy configuration files and the frequency in which backups occur is required. If these files are not identified and the information is not documented, there is the potential that critical application configuration files may not be included in disaster recovery events which could lead to an availability risk.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft DotNet Framework 4-0DISADPMS TargetMicrosoft DotNet Framework 4-04213SV-7452V-7069CCI-000164All CAS policy and policy configuration files must be included in the system backup. All CAS policy and policy configuration files must be backed up prior to migration, deployment, and reconfiguration. -CAS policy configuration files must be included in disaster recovery plan documentation.Ask the System Administrator if all CAS policy and policy configuration files are included in the system backup. If they are not, this is a finding. +CAS policy configuration files must be included in disaster recovery plan documentation.The infrastructure to enable Code Access Security (CAS) exists only in .NET Framework 2.x-4.x. + +The requirement is Not Applicable (NA) for .NET Framework greater than 4.x. 
+ +(Note: The infrastructure is deprecated and is not receiving servicing or security fixes.) + +Ask the System Administrator if all CAS policy and policy configuration files are included in the system backup. If they are not, this is a finding. Ask the System Administrator if the policy and configuration files are backed up prior to migration, deployment, and reconfiguration. If they are not, this is a finding. -Ask the System Administrator for documentation that shows CAS Policy configuration files are backed up as part of a disaster recovery plan. If they have no documentation proving the files are backed up, this is a finding.SRG-APP-000219<GroupDescription></GroupDescription>APPNET0060Remoting Services HTTP channels must utilize authentication and encryption.<VulnDiscussion>Note: Microsoft recommends using the Windows Communication Framework (WCF) rather than using .Net remoting. New development projects should refrain from using .Net remoting capabilities whenever possible. +Ask the System Administrator for documentation that shows CAS Policy configuration files are backed up as part of a disaster recovery plan. If they have no documentation proving the files are backed up, this is a finding.SRG-APP-000219<GroupDescription></GroupDescription>APPNET0060Remoting Services HTTP channels must utilize authentication and encryption.<VulnDiscussion>Note: Microsoft recommends using the Windows Communication Framework (WCF) rather than using .Net remoting. New development projects should refrain from using .Net remoting capabilities whenever possible. .NET remoting provides the capability to build widely distributed applications. The application components may reside all on one computer or they may be spread out across the enclave. .NET client applications can make remoting calls to use objects in other processes on the same computer or on any other computer that is reachable over the network. 
.NET remoting can also be used to communicate with other application domains within the same process. Remoting is achieved via the exposure of endpoints that can be used to establish remote connectivity. 
@@ -214,7 +229,7 @@ The above example shows the well known TLS port of 443 is not being used. If the HTTP remoting channel is not configured to protect the channel by using TLS encryption, this is a finding. -SRG-APP-000516<GroupDescription></GroupDescription>APPNET0061.Net Framework versions installed on the system must be supported.<VulnDiscussion>Unsupported software introduces risks and violates DoD policy. Applications utilizing unsupported versions of .NET introduce substantial risk to the host, network, and the enclave by virtue of the fact they leverage an architecture that is no longer updated by the vendor. This introduces potential application integrity, availability, or confidentiality issues.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft DotNet Framework 4-0DISADPMS TargetMicrosoft DotNet Framework 4-04213SV-55642V-18395CCI-000366Remove unsupported versions of the .NET Framework and upgrade legacy applications that utilize unsupported versions of the .NET framework.Determine which versions of the .NET Framework are installed by opening the directory %systemroot%\Microsoft.NET. +SRG-APP-000516<GroupDescription></GroupDescription>APPNET0061.Net Framework versions installed on the system must be supported.<VulnDiscussion>Unsupported software introduces risks and violates DoD policy. Applications utilizing unsupported versions of .NET introduce substantial risk to the host, network, and the enclave by virtue of the fact they leverage an architecture that is no longer updated by the vendor. 
This introduces potential application integrity, availability, or confidentiality issues.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft DotNet Framework 4-0DISADPMS TargetMicrosoft DotNet Framework 4-04213SV-55642V-18395CCI-000366Remove unsupported versions of the .NET Framework and upgrade legacy applications that utilize unsupported versions of the .NET framework.Determine which versions of the .NET Framework are installed by opening the directory %systemroot%\Microsoft.NET. The folder named "%systemroot%\Microsoft.NET\Framework" contains .NET files for 32 bit systems. The folder named "%systemroot%\Microsoft.NET\Framework64" contains .NET files for 64 bit systems. 64 bit systems will have both the 32 bit and the 64 bit folders while 32 bit systems do not have a Framework64 folder. 
@@ -239,7 +254,7 @@ http://support.microsoft.com/lifecycle/search/?sort=PN&alpha=.NET+Framework Beginning with .NET 3.5 SP1, the .NET Framework is considered a Component of the Windows OS. Components follow the Support Lifecycle policy of their parent product or platform. If any versions of the .Net Framework are installed and support is no longer available, this is a finding. -SRG-APP-000635<GroupDescription></GroupDescription>APPNET0062The .NET CLR must be configured to use FIPS approved encryption modules.<VulnDiscussion>FIPS encryption is configured via .NET configuration files. There are numerous configuration files that affect different aspects of .Net behavior. The .NET config files are described below. +SRG-APP-000635<GroupDescription></GroupDescription>APPNET0062The .NET CLR must be configured to use FIPS approved encryption modules.<VulnDiscussion>FIPS encryption is configured via .NET configuration files. There are numerous configuration files that affect different aspects of .Net behavior. The .NET config files are described below. Machine Configuration Files: The machine configuration file, Machine.config, contains settings that apply to an entire computer. This file is located in the %SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319\Config directory for 32 bit .NET 4 installations and %SYSTEMROOT%\Microsoft.NET\Framework64\v4.0.30319\Config for 64 bit systems. Machine.config contains configuration settings for machine-wide assembly binding, built-in remoting channels, and ASP.NET. 
@@ -286,7 +301,7 @@ If the "enforceFIPSPolicy" element does not exist within the "runtime" element o If the "enforceFIPSPolicy" element exists and is set to "false", and the IAO has not accepted the risk and documented the risk acceptance, this is a finding. -SRG-APP-000175<GroupDescription></GroupDescription>APPNET0063.NET must be configured to validate strong names on full-trust assemblies.<VulnDiscussion>The "bypassTrustedAppStrongNames" setting specifies whether the bypass feature that avoids validating strong names for full-trust assemblies is enabled. By default the bypass feature is enabled in .Net 4, therefore strong names are not validated for correctness when the assembly/program is loaded. Not validating strong names provides a faster application load time but at the expense of performing certificate validation. +SRG-APP-000175<GroupDescription></GroupDescription>APPNET0063.NET must be configured to validate strong names on full-trust assemblies.<VulnDiscussion>The "bypassTrustedAppStrongNames" setting specifies whether the bypass feature that avoids validating strong names for full-trust assemblies is enabled. By default the bypass feature is enabled in .Net 4, therefore strong names are not validated for correctness when the assembly/program is loaded. Not validating strong names provides a faster application load time but at the expense of performing certificate validation. Full trust assemblies are .Net applications launched from the local host. Strong names are digital signatures tied to .Net applications/assemblies. .Net 4 considers applications installed locally to be fully trusted by default and grants these applications full permissions to access host resources. 
@@ -318,7 +333,7 @@ Documentation must include a complete list of installed .Net applications, appli If application versions installed on the system do not match approval documentation, this is a finding. -SRG-APP-000516<GroupDescription></GroupDescription>APPNET0064.Net applications that invoke NetFx40_LegacySecurityPolicy must apply previous versions of .NET STIG guidance.<VulnDiscussion>CAS policy is .NET runtime version-specific. In .NET Framework version 4, CAS policy is disabled by default however; it can be re-enabled by using the NetFx40_LegacySecurityPolicy setting on a per application basis. Caspol.exe is provided by Microsoft to set security policy on .Net applications prior to version 4.0. This requirement does not apply to the caspol.exe assembly or other assemblies provided with the Windows OS or the Windows Secure Host Baseline (SHB). +SRG-APP-000516<GroupDescription></GroupDescription>APPNET0064.Net applications that invoke NetFx40_LegacySecurityPolicy must apply previous versions of .NET STIG guidance.<VulnDiscussion>CAS policy is .NET runtime version-specific. In .NET Framework version 4, CAS policy is disabled by default however; it can be re-enabled by using the NetFx40_LegacySecurityPolicy setting on a per application basis. Caspol.exe is provided by Microsoft to set security policy on .Net applications prior to version 4.0. This requirement does not apply to the caspol.exe assembly or other assemblies provided with the Windows OS or the Windows Secure Host Baseline (SHB). When invoking the NetFx40_LegacySecurityPolicy setting in .NET 4, earlier versions of the .NET Framework CAS policy will become active therefore previous .NET STIG guidance that applies to the reactivated versions must also be applied. 
@@ -330,7 +345,7 @@ This command will search all ."exe.config" files on the c: drive partition for t If the .NET application configuration file utilizes the legacy policy element and .NET STIG guidance that covers these legacy versions has not been applied, this is a finding. -SRG-APP-000431<GroupDescription></GroupDescription>APPNET0065Trust must be established prior to enabling the loading of remote code in .Net 4.<VulnDiscussion>In the .NET Framework version 3.5 and earlier versions, if an application assembly loaded code/objects from a remote location, that assembly would run partially trusted with a permissions grant set that depended on the zone in which it was loaded. For example, if an assembly was loaded from a web site, it was loaded into the Internet zone and granted the Internet permission set. In other words, it was executed in an Internet sandbox. +SRG-APP-000431<GroupDescription></GroupDescription>APPNET0065Trust must be established prior to enabling the loading of remote code in .Net 4.<VulnDiscussion>In the .NET Framework version 3.5 and earlier versions, if an application assembly loaded code/objects from a remote location, that assembly would run partially trusted with a permissions grant set that depended on the zone in which it was loaded. For example, if an assembly was loaded from a web site, it was loaded into the Internet zone and granted the Internet permission set. In other words, it was executed in an Internet sandbox. If the same program is run in the .NET Framework version 4, an exception is thrown which effectively states; either explicitly create a sandbox for the assembly or run it in full trust. 
@@ -356,13 +371,13 @@ Search each config file found for the "loadFromRemoteSources" element. If the loadFromRemoteSources element is enabled ("loadFromRemoteSources enabled = true"), and the remotely loaded application is not run in a sandboxed environment, or if OS based software controls, such as AppLocker or Software Security Policies, are not utilized, this is a finding. -SRG-APP-000516<GroupDescription></GroupDescription>APPNET0066.NET default proxy settings must be reviewed and approved.<VulnDiscussion>The .Net framework can be configured to utilize a different proxy or altogether bypass the default proxy settings in the client's browser. This may lead to the framework using a proxy that is not approved for use. If the proxy is malicious, this could lead to a loss of application integrity and confidentiality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft DotNet Framework 4-0DISADPMS TargetMicrosoft DotNet Framework 4-04213SV-41014V-30972CCI-000366Open Windows explorer and search for all "*.exe.config" and "machine.config" files. +SRG-APP-000516<GroupDescription></GroupDescription>APPNET0066.NET default proxy settings must be reviewed and approved.<VulnDiscussion>The .Net framework can be configured to utilize a different proxy or altogether bypass the default proxy settings in the client's browser. This may lead to the framework using a proxy that is not approved for use. 
If the proxy is malicious, this could lead to a loss of application integrity and confidentiality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft DotNet Framework 4-0DISADPMS TargetMicrosoft DotNet Framework 4-04213SV-41014V-30972CCI-000366Open Windows explorer and search for all "*.exe.config" and "machine.config" files. Search each file for the "defaultProxy" element. Clear the values contained in the "defaultProxy" element, and the "bypasslist", "module", and "proxy" child elements. -The IAO must provide documented approvals of any non-default proxy servers.Open Windows explorer and search for all "*.exe.config" and "machine.config" files. +The IAO must provide documented approvals of any non-default proxy servers.Open Windows explorer and search for all "*.exe.config" and "machine.config" files. Search each file for the "defaultProxy" element. 
@@ -376,9 +391,7 @@ Search each file for the "defaultProxy" element. If the "defaultProxy" setting "enabled=false" or if the "bypasslist", "module", or "proxy" child elements have configuration entries and there are no documented approvals from the IAO, this is a finding. -If the "defaultProxy" element is empty then the framework is using default browser settings, this is not a finding. - -SRG-APP-000095<GroupDescription></GroupDescription>APPNET0067Event tracing for Windows (ETW) for Common Language Runtime events must be enabled.<VulnDiscussion>Event tracing captures information about applications utilizing the .NET CLR and the .NET CLR itself. This includes security oriented information, such as Strong Name and Authenticode verification. + If the "defaultProxy" element is empty or if "useSystemDefault =True” then the framework is using default browser settings, this is not a finding.SRG-APP-000095<GroupDescription></GroupDescription>APPNET0067Event tracing for Windows (ETW) for Common Language Runtime events must be enabled.<VulnDiscussion>Event tracing captures information about applications utilizing the .NET CLR and the .NET CLR itself. This includes security oriented information, such as Strong Name and Authenticode verification. Beginning with Windows Vista, ETW is enabled by default however, the .Net CLR and .Net applications can be configured to not utilize Event Tracing. 
If ETW event tracing is disabled, critical events that occurred within the runtime will not be captured in event logs.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft DotNet Framework 4-0DISADPMS TargetMicrosoft DotNet Framework 4-04213SV-41075V-31026CCI-000130Open Windows explorer and search for all .NET config files including application config files (*.exe.config). 
@@ -396,7 +409,7 @@ Examine the configuration settings for If the "etwEnable" element is set to "true", this is not a finding. If the "etwEnable" element is set to "false" and documented approvals by the IAO are not provided, this is a finding. -SRG-APP-000431<GroupDescription></GroupDescription>APPNET0070Software utilizing .Net 4.0 must be identified and relevant access controls configured.<VulnDiscussion>With the advent of .Net 4.0, the .Net framework no longer directly configures or enforces security policy for .Net applications. This task is now relegated to the operating system layer and the security protections built-in to .Net application "runtime hosts" that run on the O.S. +SRG-APP-000431<GroupDescription></GroupDescription>APPNET0070Software utilizing .Net 4.0 must be identified and relevant access controls configured.<VulnDiscussion>With the advent of .Net 4.0, the .Net framework no longer directly configures or enforces security policy for .Net applications. This task is now relegated to the operating system layer and the security protections built-in to .Net application "runtime hosts" that run on the O.S. Examples of these .Net "runtime hosts" include; Internet Explorer, Windows Shell, ASP.NET, Database Engines or any other "runtime hosts" that utilize .Net and load the .Net CLR. 
@@ -426,7 +439,7 @@ If the runtime hosts have not been identified, this is a finding. If the security protections have not been identified, this is a finding. -SRG-APP-000219<GroupDescription></GroupDescription>APPNET0071Remoting Services TCP channels must utilize authentication and encryption.<VulnDiscussion>Note: Microsoft recommends using the Windows Communication Framework (WCF) rather than .Net remoting. New development projects should refrain from using .Net remoting capabilities whenever possible. +SRG-APP-000219<GroupDescription></GroupDescription>APPNET0071Remoting Services TCP channels must utilize authentication and encryption.<VulnDiscussion>Note: Microsoft recommends using the Windows Communication Framework (WCF) rather than .Net remoting. New development projects should refrain from using .Net remoting capabilities whenever possible. .NET remoting provides the capability to build widely distributed applications. The application components may reside all on one computer or they may be spread out across the enclave. .NET client applications can make remoting calls to use objects in other processes on the same computer or on any other computer that is reachable over the network. .NET remoting can also be used to communicate with other application domains within the same process. Remoting is achieved via the exposure of endpoints that can be used to establish remote connectivity. 
@@ -478,7 +491,7 @@ The TCP Channel provides encryption and message integrity when the 'secure' flag If the secure flag is not set to "true" for the TCP channel, this is a finding. -SRG-APP-000383<GroupDescription></GroupDescription>APPNET0075Disable TLS RC4 cipher in .Net<VulnDiscussion>Use of the RC4 cipher in TLS could allow an attacker to perform man-in-the-middle attacks and recover plaintext from encrypted sessions. Applications that target .Net version 4.x running on multiple Windows versions could be vulnerable to these types of attacks. The registry settings in this requirement will prevent .Net applications that target the 4.x framework from selecting and utilizing the Schannel.dll RC4 cipher for TLS connections. Applications that use TLS when connecting to remote systems will perform a handshake and negotiate the TLS version and cipher that is to be used between the client and the server. This is standard protocol for all TLS connections. If the server and client are not configured to use the same TLS version and cipher, the TLS connection may fail. Applications should be tested with these registry settings prior to production implementation of the fix in order to avoid application outages.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft DotNet Framework 4-0DISADPMS TargetMicrosoft DotNet Framework 4-04213SV-96209V-81495CCI-001762Use regedit to access the following registry key. +SRG-APP-000383<GroupDescription></GroupDescription>APPNET0075Disable TLS RC4 cipher in .Net<VulnDiscussion>Use of the RC4 cipher in TLS could allow an attacker to perform man-in-the-middle attacks and recover plaintext from encrypted sessions. 
Applications that target .Net version 4.x running on multiple Windows versions could be vulnerable to these types of attacks. The registry settings in this requirement will prevent .Net applications that target the 4.x framework from selecting and utilizing the Schannel.dll RC4 cipher for TLS connections. Applications that use TLS when connecting to remote systems will perform a handshake and negotiate the TLS version and cipher that is to be used between the client and the server. This is standard protocol for all TLS connections. If the server and client are not configured to use the same TLS version and cipher, the TLS connection may fail. Applications should be tested with these registry settings prior to production implementation of the fix in order to avoid application outages.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft DotNet Framework 4-0DISADPMS TargetMicrosoft DotNet Framework 4-04213SV-96209V-81495CCI-001762Use regedit to access the following registry key. For 32-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\ @@ -490,7 +503,7 @@ HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\ Modify or create the following Windows registry value: SchUseStrongCrypto Set SchUseStrongCrypto to a REG_DWORD value of “1”. -Use regedit to review the following Windows registry keys: +Use regedit to review the following Windows registry keys: For 32-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\ 
@@ -500,4 +513,4 @@ HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\ If the “SchUseStrongCrypto” value name does not exist, or is not a REG_DWORD type set to “1”, this is a finding. - + \ No newline at end of file diff --git a/source/StigData/Processed/DotNetFramework-4-2.1.org.default.xml b/source/StigData/Processed/DotNetFramework-4-2.3.org.default.xml similarity index 84% rename from source/StigData/Processed/DotNetFramework-4-2.1.org.default.xml rename to source/StigData/Processed/DotNetFramework-4-2.3.org.default.xml index 12bbd754f..6517d514b 100644 --- a/source/StigData/Processed/DotNetFramework-4-2.1.org.default.xml +++ b/source/StigData/Processed/DotNetFramework-4-2.3.org.default.xml @@ -5,4 +5,4 @@ Each setting in this file is linked by STIG ID and the valid range is in an associated comment. --> - + diff --git a/source/StigData/Processed/DotNetFramework-4-2.1.xml b/source/StigData/Processed/DotNetFramework-4-2.3.xml similarity index 90% rename from source/StigData/Processed/DotNetFramework-4-2.1.xml rename to source/StigData/Processed/DotNetFramework-4-2.3.xml index da4cd1099..e05607971 100644 --- a/source/StigData/Processed/DotNetFramework-4-2.1.xml +++ b/source/StigData/Processed/DotNetFramework-4-2.3.xml 
@@ -1,13 +1,19 @@ - + - <VulnDiscussion>A successful disaster recovery plan requires that CAS policy and CAS policy configuration files are identified and included in systems disaster backup and recovery events. Documentation regarding the location of system and application specific CAS policy configuration files and the frequency in which backups occur is required. If these files are not identified and the information is not documented, there is the potential that critical application configuration files may not be included in disaster recovery events which could lead to an availability risk.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + <VulnDiscussion>A successful disaster recovery plan requires that CAS policy and CAS policy configuration files are identified and included in systems disaster backup and recovery events. Documentation regarding the location of system and application specific CAS policy configuration files and the frequency in which backups occur is required. 
If these files are not identified and the information is not documented, there is the potential that critical application configuration files may not be included in disaster recovery events which could lead to an availability risk.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> False V-7069 False - Ask the System Administrator if all CAS policy and policy configuration files are included in the system backup. If they are not, this is a finding. + The infrastructure to enable Code Access Security (CAS) exists only in .NET Framework 2.x-4.x. + +The requirement is Not Applicable (NA) for .NET Framework greater than 4.x. + +(Note: The infrastructure is deprecated and is not receiving servicing or security fixes.) + +Ask the System Administrator if all CAS policy and policy configuration files are included in the system backup. If they are not, this is a finding. Ask the System Administrator if the policy and configuration files are backed up prior to migration, deployment, and reconfiguration. If they are not, this is a finding. 
@@ -16,27 +22,33 @@ Ask the System Administrator for documentation that shows CAS Policy configurati - <VulnDiscussion>A .Net assembly will satisfy the Publisher Membership Condition if it is signed with a software publisher’s Authenticode X.509v3 digital certificate that can be verified by the Windows operating system as having a chain of trust that leads to a trusted root certificate stored in the user’s certificate store. The Publisher Membership Condition can be used to identify an organization, developer, vendor, or other entity as the ultimate source of the assembly, even if the code itself was obtained from a third party, such as a mirror site. Access to system resources, such as file systems or printers, may then be granted to the assembly based on the trust relationship with the identified entity. + <VulnDiscussion>A .Net assembly will satisfy the Publisher Membership Condition if it is signed with a software publisher’s Authenticode X.509v3 digital certificate that can be verified by the Windows operating system as having a chain of trust that leads to a trusted root certificate stored in the user’s certificate store. The Publisher Membership Condition can be used to identify an organization, developer, vendor, or other entity as the ultimate source of the assembly, even if the code itself was obtained from a third party, such as a mirror site. Access to system resources, such as file systems or printers, may then be granted to the assembly based on the trust relationship with the identified entity. -Certificates used to sign assemblies so the Publisher Member Condition may be applied must originate from a trusted source. 
Using a certificate that is not from a trusted source could potentially violate system integrity and confidentiality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +Certificates used to sign assemblies so the Publisher Member Condition may be applied must originate from a trusted source. Using a certificate that is not from a trusted source could potentially violate system integrity and confidentiality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> False V-7063 False - Caspol.exe is a Microsoft tool used for working with .Net policy. Use caspol.exe to list the code groups and any publisher membership conditions. + The infrastructure to enable Code Access Security (CAS) exists only in .NET Framework 2.x-4.x. + +This requirement is Not Applicable (NA) for .NET Framework greater than 4.x. -The location of the caspol utility is dependent upon the system architecture of the system running .Net. +(Note: The infrastructure is deprecated and is not receiving servicing or security fixes.) + +Caspol.exe is a Microsoft tool used for working with .Net policy. Use caspol.exe to list the code groups and any publisher membership conditions. + +The location of the caspol utility is dependent upon the system architecture of the system running .Net. For 32 bit systems, caspol.exe is located at %SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319. 
-For 64 bit systems, caspol.exe is located at %SYSTEMROOT%\Microsoft.NET\Framework64\v4.0.30319. +For 64 bit systems, caspol.exe is located at %SYSTEMROOT%\Microsoft.NET\Framework64\v4.0.30319. Example: cd %SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319 -To check code groups for the machine, run the following command. +To check code groups for the machine, run the following command: caspol.exe -m -lg 
@@ -65,27 +77,32 @@ Code Groups: 1.6. Publisher - 30818902818100E47B359ACC061D70C237B572FA276C9854CFABD469DFB74E77D026630BEE2A0C2F8170A823AE69FDEB65704D7FD446DEFEF1F6BA12B6ACBDB1BFA7B9B595AB9A40636467CFF7C73F198B53A9A7CF177F6E7896EBC591DD3003C5992A266C0AD9FBEE4E2A056BE7F7ED154D806F7965F83B0AED616C192C6416CFCB46FC2F5CFD0203010001: FullTrust Success -Section 1.6 above indicates the presence of a publishers key that meets the Publishers Membership Condition and is also given full trust. +Section 1.6 above indicates the presence of a publisher's key that meets the Publisher's Membership Condition and is also given full trust. -If the Publisher Membership Condition is used on a non-default Code Group and the use of that publisher's certificate is not documented and approved by the IAO, this is a finding. - +If the Publisher Membership Condition is used on a nondefault Code Group and the use of that publisher's certificate is not documented and approved by the ISSO, this is a finding. - <VulnDiscussion>The Strong Name Membership condition requires that member assemblies be defined with Strong Names. A strong name consists of the assembly's identity, simple text name, version number, and culture information (if provided) — plus a public key and a digital signature. If assemblies do not have a strong name assigned, the assembly cannot be unique and the author of the code cannot be uniquely identified. In order to create the strong name, the developer must use a cryptographic key pair to sign the assembly. If the developer does not protect the key, the key can be stolen and used to sign any application, including malware applications. 
This could adversely affect application integrity and confidentiality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + <VulnDiscussion>The Strong Name Membership condition requires that member assemblies be defined with Strong Names. A strong name consists of the assembly's identity, simple text name, version number, and culture information (if provided) — plus a public key and a digital signature. If assemblies do not have a strong name assigned, the assembly cannot be unique and the author of the code cannot be uniquely identified. In order to create the strong name, the developer must use a cryptographic key pair to sign the assembly. If the developer does not protect the key, the key can be stolen and used to sign any application, including malware applications. This could adversely affect application integrity and confidentiality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> False V-7067 False - If the application is a COTS product, the requirement is Not Applicable (NA). + If the application is a COTS product, this requirement is Not Applicable (NA). -Caspol.exe is a Microsoft tool used for working with .Net policy. Use caspol.exe to list the code groups and any publisher membership conditions. +The infrastructure to enable Code Access Security (CAS) exists only in .NET Framework 2.x-4.x. 
-The location of the caspol utility is dependent upon the system architecture of the system running .Net. +The requirement is Not Applicable (NA) for .NET Framework greater than 4.x. + +(Note: The infrastructure is deprecated and is not receiving servicing or security fixes.) + +Caspol.exe is a Microsoft tool used for working with .Net policy. Use caspol.exe to list the code groups and any publisher membership conditions. + +The location of the caspol utility is dependent upon the system architecture of the system running .Net. For 32 bit systems, caspol.exe is located at %SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319. -For 64 bit systems, caspol.exe is located at %SYSTEMROOT%\Microsoft.NET\Framework64\v4.0.30319. +For 64 bit systems, caspol.exe is located at %SYSTEMROOT%\Microsoft.NET\Framework64\v4.0.30319. Example: 
@@ -121,9 +138,9 @@ Code Groups: 1.6. Publisher - 30818902818100E47B359ACC061D70C237B572FA276C9854CFABD469DFB74E77D026630BEE2A0C2F8170A823AE69FDEB65704D7FD446DEFEF1F6BA12B6ACBDB1BFA7B9B595AB9A40636467CFF7C73F198B53A9A7CF177F6E7896EBC591DD3003C5992A266C0AD9FBEE4E2A056BE7F7ED154D806F7965F83B0AED616C192C6416CFCB46FC2F5CFD0203010001: FullTrust Success -An assembly will satisfy the StrongName Membership Condition if its metadata contains the strongly identifying data associated with the specified strong name. At the least, this means it has been digitally signed with the private key associated with the public key recorded in the policy. +An assembly will satisfy the StrongNameMembershipCondition if its metadata contains the strongly identifying data associated with the specified strong name. At the least, this means it has been digitally signed with the private key associated with the public key recorded in the policy. -The presence of the encryption key values in the StrongName field indicates the use of StrongName Membership Condition. +The presence of the encryption key values in the StrongName field indicates the use of StrongNameMembershipCondition. If a Strong Name Membership Condition is assigned to a non-default Code Group the private key must be adequately protected by the software developer or the entity responsible for signing the assemblies. 
@@ -132,10 +149,9 @@ Ask the Systems Programmer how the private keys are protected. Private keys are simply values stored as strings of data. Keys can be stored in files on the file system or in a centralized data repository. Adequate protection methods include, but are not limited to: - - - utilizing centralized key management; - - using strict file permissions to limit access; and - - tying strong pass phrases to the key. +- utilizing centralized key management; +- using strict file permissions to limit access; and +- tying strong pass phrases to the key. If the private key used to sign the assembly is not adequately protected, this is a finding. @@ -348,9 +364,7 @@ Search each file for the "defaultProxy" element. If the "defaultProxy" setting "enabled=false" or if the "bypasslist", "module", or "proxy" child elements have configuration entries and there are no documented approvals from the IAO, this is a finding. -If the "defaultProxy" element is empty then the framework is using default browser settings, this is not a finding. - - + If the "defaultProxy" element is empty or if "useSystemDefault =True” then the framework is using default browser settings, this is not a finding. <VulnDiscussion>Event tracing captures information about applications utilizing the .NET CLR and the .NET CLR itself. This includes security oriented information, such as Strong Name and Authenticode verification.
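Review bot: In the archive xccdf hunk `@@ -376,9 +391,7 @@` the added defaultProxy check text carries DISA's mismatched quoting, `"useSystemDefault =True”` (straight opening quote, curly closing quote, and a space before `=`), and the blank lines that separated the sentence from the following `SRG-APP-000095` group were dropped with the old text. The accompanying `.log` file was renamed with 100% similarity, so no correction entry was added for this sentence; if the parser derives the rule's accepted values from this check text, consider adding a `.log` entry that normalizes it to `"useSystemDefault=True"`, and otherwise confirm the APPNET0066 rule still parses and converts against the new wording.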
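Review bot: In `@@ -500,4 +513,4 @@` the renamed archive xccdf now ends with `\ No newline at end of file` where the previous version had a trailing newline; add the trailing newline back so the file ends consistently with the other archive files and does not produce a spurious last-line change in the next diff.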
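Review bot: In `@@ -5,4 +5,4 @@` of DotNetFramework-4-2.3.org.default.xml the changed line is not visible in this rendering (only `- +` remains), so the version bump cannot be confirmed from the hunk; check that the version recorded on that line reads 2.3 to match the renamed file name, since a stale 2.1 value there would not match the processed XML it is paired with.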
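Review bot: In `@@ -1,13 +1,19 @@` of DotNetFramework-4-2.3.xml the first two changed lines are likewise reduced to `- +`, so the header version change is not reviewable here; confirm the file's version attribute agrees with the 2.3 file name, and note that the added V-7069 check text says "The requirement is Not Applicable (NA)" while the V-7063 text added in `@@ -16,27 +22,33 @@` says "This requirement is Not Applicable (NA)"; both are DISA's wording, so no change is needed unless PowerSTIG matches on that sentence.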
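Review bot: In `@@ -65,27 +77,32 @@` the V-7063 finding statement changes the approval authority from "IAO" to "ISSO" and "non-default" to "nondefault", while the APPNET0066 and APPNET0067 check text elsewhere in this patch still refers to the "IAO"; that inconsistency is inherited from the STIG and is fine to carry verbatim, but the fixed hyphen in `publisher's key` / `Publisher's Membership Condition` on the line above should be kept as DISA wrote it rather than corrected in the processed file.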
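Review bot: In the processed-file hunk `@@ -132,10 +149,9 @@` the replacement defaultProxy line is indented with a leading space (` If the "defaultProxy" element is empty or if "useSystemDefault =True”`) while the adjacent check lines are flush-left, and the two blank lines before the next `<VulnDiscussion>` were removed along with the old sentence; suggest aligning the text with the line above it and keeping one blank line as separator so the check content renders the same way as the other rules in this file. The earlier part of the same hunk, which drops the leading spaces from the three key-protection bullets, is a sensible cleanup.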