UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Digital signatures assigned to strongly named assemblies must be verified.


Overview

Finding ID Version Rule ID IA Controls Severity
V-225223 APPNET0031 SV-225223r954872_rule Medium
Description
A strong name consists of the assembly's identity, simple text name, version number, and culture information (if provided)—plus a public key and a digital signature. Strong names serve to identify the author of the code. If digital signatures used to sign strong name assemblies are not verified, any self signed code can be impersonated. This can lead to a loss of system integrity.
STIG Date
Microsoft DotNet Framework 4.0 Security Technical Implementation Guide 2024-02-25

Details

Check Text ( C-26922r467984_chk )
Use regedit to review the Windows registry key
HKLM\Software\Microsoft\StrongName\Verification.
There should be no assemblies or hash values listed under this registry key. If the StrongName\Verification key does not exist, this is not a finding.

If there are assemblies or hash values listed in this key, each value represents a distinct application assembly that does not have the application strong name verified.

If any assemblies are listed as omitting strong name verification in a production environment, this is a finding.

If any assemblies are listed as omitting strong name verification in a development or test environment and the IAO has not provided documented approvals, this is a finding.
Fix Text (F-26910r467985_fix)
Use regedit to remove the values stored in Windows registry key HKLM\Software\Microsoft\StrongName\Verification. There should be no assemblies or hash values listed under this registry key.

All assemblies must require strong name verification in a production environment.

Strong name assemblies that do not require verification in a development or test environment must have documented approvals from the IAO.