The production website must configure the Global .NET Trust Level.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-76805	IISW-SI-000218	SV-91501r1_rule		Medium

Description
A web server may host too many applications. Each application will need certain system resources and privileged operations to operate correctly. An application's trust level determines the permissions granted by the ASP.NET Code Access Security (CAS) policy. An application with full trust permissions may access all resource types on a server and perform privileged operations, while applications running with partial trust have varying levels of operating permissions and access to resources. The CAS determines the permissions granted to the application on the server. Setting a level of trust compatible with the applications will limit the potential harm a compromised application could cause to a system. The web server must be configured to contain and control the applications and protect the system resources and privileged operations from those not needed by the application for operation. Limiting the application will confine the potential harm a compromised application could cause to a system.

Description

A web server may host too many applications. Each application will need certain system resources and privileged operations to operate correctly. An application's trust level determines the permissions granted by the ASP.NET Code Access Security (CAS) policy. An application with full trust permissions may access all resource types on a server and perform privileged operations, while applications running with partial trust have varying levels of operating permissions and access to resources. The CAS determines the permissions granted to the application on the server. Setting a level of trust compatible with the applications will limit the potential harm a compromised application could cause to a system. The web server must be configured to contain and control the applications and protect the system resources and privileged operations from those not needed by the application for operation. Limiting the application will confine the potential harm a compromised application could cause to a system.

STIG	Date
IIS 8.5 Site Security Technical Implementation Guide	2018-01-03

Details

Check Text ( C-76461r1_chk )
Note: If the server being reviewed is a non-production website, this is Not Applicable. Note: Setting a web application Trust Level to MEDIUM may deny some application permissions. If compatibility issues with applications require trust level to be less than "Medium", this check can be downgraded to a Cat III with supporting documentation from the ISSO, Follow the procedures below for each site hosted on the IIS 8.5 web server: Open the IIS 8.5 Manager. Click the site name under review. Double-click the ".NET Trust Level" icon. If the ".NET Trust Level" is not set to Medium or less, this is a finding.

Check Text ( C-76461r1_chk )

Note: If the server being reviewed is a non-production website, this is Not Applicable.

Note: Setting a web application Trust Level to MEDIUM may deny some application permissions. If compatibility issues with applications require trust level to be less than "Medium", this check can be downgraded to a Cat III with supporting documentation from the ISSO,

Follow the procedures below for each site hosted on the IIS 8.5 web server:

Open the IIS 8.5 Manager.

Click the site name under review.

Double-click the ".NET Trust Level" icon.

If the ".NET Trust Level" is not set to Medium or less, this is a finding.

Fix Text (F-83501r1_fix)
Note: If the server being reviewed is a non-production website, this is Not Applicable. Follow the procedures below for each site hosted on the IIS 8.5 web server: Open the IIS 8.5 Manager. Click the site name under review. Double-click the ".NET Trust Level" icon. Set the ".NET Trust Level" to Medium or less and click “Apply”. Select "Apply" from the "Actions" pane.