.NET must be configured to validate strong names on full-trust assemblies.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-30935	APPNET0063	SV-40977r1_rule	DCSL-1	Medium

Description
The "bypassTrustedAppStrongNames" setting specifies whether the bypass feature that avoids validating strong names for full-trust assemblies is enabled. By default the bypass feature is enabled in .Net 4, therefore strong names are not validated for correctness when the assembly/program is loaded. Not validating strong names provides a faster application load time but at the expense of performing certificate validation. Full trust assemblies are .Net applications launched from the local host. Strong names are digital signatures tied to .Net applications/assemblies. .Net 4 considers applications installed locally to be fully trusted by default and grants these applications full permissions to access host resources. The bypass feature applies to any assembly signed with a strong name and having the following characteristics: Fully trusted without the StrongName evidence (for example, has MyComputer zone evidence). Loaded into a fully trusted AppDomain. Loaded from a location under the ApplicationBase property of that AppDomain. Not delay-signed. Not validating the certificates used to sign strong name assemblies will provide a faster application load time, but falsely assumes that signatures used to sign the application are to be implicitly trusted. Not validating strong name certificates introduces an integrity risk to the system.

Description

The "bypassTrustedAppStrongNames" setting specifies whether the bypass feature that avoids validating strong names for full-trust assemblies is enabled. By default the bypass feature is enabled in .Net 4, therefore strong names are not validated for correctness when the assembly/program is loaded. Not validating strong names provides a faster application load time but at the expense of performing certificate validation. Full trust assemblies are .Net applications launched from the local host. Strong names are digital signatures tied to .Net applications/assemblies. .Net 4 considers applications installed locally to be fully trusted by default and grants these applications full permissions to access host resources. The bypass feature applies to any assembly signed with a strong name and having the following characteristics: Fully trusted without the StrongName evidence (for example, has MyComputer zone evidence). Loaded into a fully trusted AppDomain. Loaded from a location under the ApplicationBase property of that AppDomain. Not delay-signed. Not validating the certificates used to sign strong name assemblies will provide a faster application load time, but falsely assumes that signatures used to sign the application are to be implicitly trusted. Not validating strong name certificates introduces an integrity risk to the system.

STIG	Date
Microsoft Dot Net Framework 4.0 STIG	2017-06-14

Details

Check Text ( C-39596r12_chk )
Use regedit to examine the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework key. If the "AllowStrongNameBypass" registry key does not exist on production systems, this is a finding. If the "AllowStrongNameBypass" registry key exists and the DWORD value is set to 1 (true) on production systems, this is a finding. If there is documented IAO approval for either setting on development systems, this is not a finding. Approval documentation must include a complete list of all installed .Net applications, application versions, and acknowledgement that IAO trusts each installed application. If application versions installed on the system do not match approval documentation, this is a finding.

Check Text ( C-39596r12_chk )

Use regedit to examine the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework key.

If the "AllowStrongNameBypass" registry key does not exist on production systems, this is a finding.

If the "AllowStrongNameBypass" registry key exists and the DWORD value is set to 1 (true) on production systems, this is a finding.

If there is documented IAO approval for either setting on development systems, this is not a finding.

Approval documentation must include a complete list of all installed .Net applications, application versions, and acknowledgement that IAO trusts each installed application.

If application versions installed on the system do not match approval documentation, this is a finding.

Fix Text (F-34746r7_fix)
Change the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AllowStrongNameBypass" to a DWORD value of 0. Or, obtain documented IAO approval for each .Net application installed on the system. Approval documentation will include complete list of all installed .Net applications, application versions, and acknowledgement of IAO trust of each installed application.