Detections
Analytics

APPNET0062 - The .NET CLR must be configured to use FIPS approved encryption modules.

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

FIPS encryption is configured via .NET configuration files. There are numerous configuration files that affect different aspects of .Net behavior. The .NET config files are described below.

Machine Configuration Files:
The machine configuration file, Machine.config, contains settings that apply to an entire computer. This file is located in the %SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319\Config directory for 32 bit .NET 4 installations and %SYSTEMROOT%\Microsoft.NET\Framework64\v4.0.30319\Config for 64 bit systems. Machine.config contains configuration settings for machine-wide assembly binding, built-in remoting channels, and ASP.NET.

Application Configuration Files:
Application configuration files contain settings specific to an application. If checking these files, a .NET review of a specific .NET application is most likely being conducted. These files contain configuration settings that the Common Language Runtime reads (such as assembly binding policy, remoting objects, and so on), and settings that the application can read.

The name and location of the application configuration file depends on the application's host, which can be one of the following:

Executable-hosted application configuration files.

The configuration file for an application hosted by the executable host is in the same directory as the application. The name of the configuration file is the name of the application with a .config extension. For example, an application called myApp.exe can be associated with a configuration file called myApp.exe.config.

Internet Explorer-hosted application configuration files.

If an application hosted in Internet Explorer has a configuration file, the location of this file is specified in a <link> tag with the following syntax.

<link rel='ConfigurationFileName' href='location'>

In this tag, 'location' represents a URL that point to the configuration file. This sets the application base. The configuration file must be located on the same web site as the application.

.NET 4.0 allows the CLR runtime to be configured to ignore FIPS encryption requirements. If the CLR is not configured to use FIPS encryption modules, insecure encryption modules might be employed which could introduce an application confidentiality or integrity issue.

Solution

Examine the .NET CLR configuration files to find the runtime element and then the 'enforceFIPSPolicy' element.

Example:
<configuration>
 <runtime>
 <enforceFIPSPolicy enabled='true|false' />
 </runtime>
</configuration>

Delete the 'enforceFIPSPolicy' runtime element, change the setting to 'true' or there must be documented IAO approvals for the FIPS setting.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_DotNet_Framework_4-0_V2R3_STIG.zip

Item Details

References: CAT|II, CCI|CCI-002450, Rule-ID|SV-225230r879902_rule, STIG-ID|APPNET0062, STIG-Legacy|SV-40966, STIG-Legacy|V-30926, Vuln-ID|V-225230

Plugin: Windows

Control ID: f64a3a87f5a2ec70d69ab22c7c31d429fc414e8d7cfcaf0bab4eb5ca64c634e0