APPNET0070 - Software utilizing .Net 4.0 must be identified and relevant access controls configured.

Information

With the advent of .Net 4.0, the .Net framework no longer directly configures or enforces security policy for .Net applications. This task is now relegated to the operating system layer and the security protections built-in to .Net application 'runtime hosts' that run on the O.S.

Examples of these .Net 'runtime hosts' include; Internet Explorer, Windows Shell, ASP.NET, Database Engines or any other 'runtime hosts' that utilize .Net and load the .Net CLR.

Security protections include utilizing runtime host security controls such as sandboxing to restrict or control application behavior as designed or required.

To compensate for these design changes, Windows provides native solutions such as Software Security Policies (SSP) and Application Locker (AL) which are technologies that can be implemented via Group Policy (GPO). SSP, AL and similar third party solutions serve to restrict execution of applications, scripts and libraries based upon cryptographic hash, security zones, path and certificate values that are associated with the application files. Additionally, application developers will utilize 'sandboxing' techniques within their code in order to isolate 3rd party code libraries from critical system resources.

In order to assign protections to .Net 4.0 applications, the applications must first be identified and the appropriate hosting security mechanisms configured to accomplish that task.

.Net STIG guidance cannot be applied if .Net applications are not identified and documented. The lack of an application inventory introduces confidentiality, availability and integrity vulnerabilities to the system.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Document the existence of all .Net 4.0 applications that are not provided by the host Windows OS or the Windows Secure Host Baseline (SHB).

Document the corresponding runtime hosts that are used to invoke the applications.

Document the applications security control requirements (restricting application access to resources or user access to the application).

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_DotNet_Framework_4-0_V2R1_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-39, CAT|II, CCI|CCI-002530, Rule-ID|SV-225236r615940_rule, STIG-ID|APPNET0070, STIG-Legacy|SV-41030, STIG-Legacy|V-30986, Vuln-ID|V-225236

Plugin: Windows

Control ID: 9f73f9b9ef5261faf9ec3f7727cab4cb0b60c5f8fe680c7da1851b26366e3bd3