| V-30935 | Medium | .NET must be configured to validate strong names on full-trust assemblies. | The "bypassTrustedAppStrongNames" setting specifies whether the bypass feature that avoids validating strong names for full-trust assemblies is enabled. By default the bypass feature is enabled in... |
| V-7061 | Medium | Windows systems must be configured to prevent application use of Test Root certificates. | Microsoft Windows operating systems provide a feature called Authenticode. Authenticode technology and its underlying code signing mechanisms serve to provide a mechanism to identify software... |
| V-7069 | Medium | CAS and policy configuration files must be backed up. | A successful disaster recovery plan requires that CAS policy and CAS policy configuration files are identified and included in systems disaster backup and recovery events. Documentation regarding... |
| V-30926 | Medium | The .NET CLR must be configured to use FIPS approved encryption modules. | FIPS encryption is configured via .NET configuration files. There are numerous configuration files that affect different aspects of .Net behavior. The .NET config files are described below.
... |
| V-30986 | Medium | Software utilizing .Net 4.0 must be identified and relevant access controls configured. | With the advent of .Net 4.0, the .Net framework no longer directly configures or enforces security policy for .Net applications. This task is now relegated to the operating system layer and the... |
| V-18395 | Medium | .Net Framework versions installed on the system must be supported. | Unsupported software introduces risks and violates DoD policy. Applications utilizing unsupported versions of .NET introduce substantial risk to the host, network, and the enclave by virtue of... |
| V-7063 | Medium | Developer certificates used with the .NET Publisher Membership Condition must be approved by the IAO. | A .Net assembly will satisfy the Publisher Membership Condition if it is signed with a software publisher’s Authenticode X.509v3 digital certificate that can be verified by the Windows operating... |
| V-32025 | Medium | Remoting Services TCP channels must utilize authentication and encryption. | .NET remoting provides the capability to build widely distributed applications. The application components may reside all on one computer or they may be spread out across the enclave. .NET client... |
| V-31307 | Medium | Software publishing state table must be configured to only trust items in the users trust database. | Microsoft Windows operating systems provide a feature called Authenticode. Authenticode technology and its underlying code signing mechanisms serve to provide a mechanism to identify software... |
| V-31212 | Medium | Windows must be configured to invalidate PKCS #7 version 1 signed objects | Microsoft Windows operating systems provide a feature called Authenticode. Authenticode technology and its underlying code signing mechanisms serve to provide a mechanism to identify software... |
| V-7062 | Medium | Windows must check for expired application certificates | Microsoft Windows operating systems provide a feature called Authenticode. Authenticode technology and its underlying code signing mechanisms serve to provide a mechanism to identify software... |
| V-7070 | Medium | Remoting Services HTTP channels must utilize authentication and encryption. | .NET remoting provides the capability to build widely distributed applications. The application components may reside all on one computer or they may be spread out across the enclave. .NET client... |
| V-31026 | Medium | Event tracing for Windows (ETW) for Common Language Runtime events must be enabled. | Event tracing captures information about applications utilizing the .NET CLR and the .NET CLR itself. This includes security oriented information, such as Strong Name and Authenticode... |
| V-7066 | Medium | Windows must be configured to check the time stamp servers certificate for revocation. | Microsoft Windows operating systems provide a feature called Authenticode. Authenticode technology and its underlying code signing mechanisms serve to provide a mechanism to identify software... |
| V-7067 | Medium | Encryption keys used for the .NET Strong Name Membership Condition must be protected. | The Strong Name Membership condition requires that member assemblies be defined with Strong Names. A strong name consists of the assembly's identity, simple text name, version number, and culture... |
| V-30968 | Medium | Trust must be established prior to enabling the loading of remote code in .Net 4. | In the .NET Framework version 3.5 and earlier versions, if an application assembly loaded code/objects from a remote location, that assembly would run partially trusted with a permissions grant... |
| V-7065 | Medium | Windows must be configured to block application execution if certificate server status is unavailable. | Microsoft Windows operating systems provide a feature called Authenticode. Authenticode technology and its underlying code signing mechanisms serve to provide a mechanism to identify software... |
| V-7064 | Medium | Windows must be configured to check for revoked application certificates. | Microsoft Windows operating systems provide a feature called Authenticode. Authenticode technology and its underlying code signing mechanisms serve to provide a mechanism to identify software... |
| V-7055 | Medium | Digital signatures assigned to strongly named assemblies must be verified. | A strong name consists of the assembly's identity, simple text name, version number, and culture information (if provided)—plus a public key and a digital signature. Strong names serve to... |
| V-30937 | Low | .Net applications that invoke NetFx40_LegacySecurityPolicy must apply previous versions of .NET STIG guidance. | CAS policy is .NET runtime version-specific. In .NET Framework version 4, CAS policy is disabled by default however; it can be re-enabled by using the NetFx40_LegacySecurityPolicy setting on a... |
| V-30972 | Low | .NET default proxy settings must be reviewed and approved. | The .Net framework can be configured to utilize a different proxy or altogether bypass the default proxy settings in the client's browser. This may lead to the framework using a proxy that is not... |
