APPNET0048 - Developer certificates used with the .NET Publisher Membership Condition must be approved by the IAO.

Information

A .NET assembly satisfies the Publisher Membership Condition if it is signed with a software publisher's Authenticode X.509v3 digital certificate that the Windows operating system can verify as having a chain of trust leading to a trusted root certificate stored in the user's certificate store. The Publisher Membership Condition can be used to identify an organization, developer, vendor, or other entity as the ultimate source of the assembly, even if the code itself was obtained from a third party, such as a mirror site. Access to system resources, such as file systems or printers, may then be granted to the assembly based on the trust relationship with the identified entity.

Certificates used to sign assemblies so that the Publisher Membership Condition may be applied must originate from a trusted source. Using a certificate that is not from a trusted source could violate system integrity and confidentiality.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Trust must be established when using the Publisher Membership Condition. All publishers' certificates must have documented approvals from the IAO.
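One way to support the review is to list the Authenticode signer of each signed assembly and flag any signer that is not on the documented approval list. This is an added example, not part of the STIG or the audit content; the directory, the approval file and its one-thumbprint-per-line format are assumptions.

```powershell
# Added example. Both paths are hypothetical; the approval file is assumed to
# hold one certificate thumbprint per line, as recorded in the IAO approval.
param(
    [string]$AssemblyRoot = 'C:\Apps\Example',
    [string]$ApprovedList = 'C:\Audit\iao-approved-thumbprints.txt'
)

# Normalize thumbprints: strip whitespace, upper-case, drop blank lines.
$approved = @(Get-Content -Path $ApprovedList |
    ForEach-Object { ($_ -replace '\s', '').ToUpperInvariant() } |
    Where-Object { $_ })

Get-ChildItem -Path $AssemblyRoot -Recurse -File -Include *.dll, *.exe |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate

        # Unsigned files cannot satisfy the Publisher Membership Condition,
        # so only signed assemblies are in scope for this check.
        if ($cert) {
            $finding = if ($sig.Status -ne 'Valid') {
                'SignatureNotValid'    # chain does not verify, or file was altered
            } elseif ($approved -contains $cert.Thumbprint) {
                'Approved'
            } else {
                'SignerNotApproved'    # valid chain, but no documented approval
            }

            [pscustomobject]@{
                Finding    = $finding
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                File       = $_.FullName
            }
        }
    } |
    Where-Object { $_.Finding -ne 'Approved' } |
    Sort-Object Finding, Subject, File |
    Format-Table -AutoSize -Wrap
```

An empty result means every signed assembly under the directory has a valid signature from an approved publisher certificate; it does not show which code groups actually use the Publisher Membership Condition.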

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_DotNet_Framework_4-0_V2R2_STIG.zip

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(2)(a), CAT|II, CCI|CCI-000185, Rule-ID|SV-225225r615940_rule, STIG-ID|APPNET0048, STIG-Legacy|SV-7446, STIG-Legacy|V-7063, Vuln-ID|V-225225

Plugin: Windows

Control ID: 33f928dafd206d0962c7b1d0525b2a1ed6c7016934303ee834a76316d52cabf2