STIGQter: STIG Summary: Microsoft DotNet Framework 4.0 Security Technical Implementation Guide, Version: 2, Release: 1, Benchmark Date: 22 Jan 2021

Digital signatures assigned to strongly named assemblies must be verified.

DISA Rule

SV-225223r615940_rule

Vulnerability Number

V-225223

Group Title

SRG-APP-000175

Rule Version

APPNET0031

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Use regedit to remove the values stored in Windows registry key HKLM\Software\Microsoft\StrongName\Verification. There should be no assemblies or hash values listed under this registry key.

All assemblies must require strong name verification in a production environment.

Strong name assemblies that do not require verification in a development or test environment must have documented approvals from the IAO.

Check Contents

Use regedit to review the Windows registry key HKLM\Software\Microsoft\StrongName\Verification. There should be no assemblies or hash values listed under this registry key. If the StrongName\Verification key does not exist, this is not a finding.

If there are assemblies or hash values listed in this key, each value represents a distinct application assembly that does not have the application strong name verified.

If any assemblies are listed as omitting strong name verification in a production environment, this is a finding.

If any assemblies are listed as omitting strong name verification in a development or test environment and the IAO has not provided documented approvals, this is a finding.
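
The check above can be scripted rather than browsed in regedit. The following PowerShell is an added example, not part of the STIG or any DISA tooling; the function name Get-StrongNameSkipEntry is hypothetical, and the Wow6432Node path is an assumption that extends the check to the 32-bit registry view, which the STIG text does not name.

```powershell
# Added example: list strong name verification exemptions for APPNET0031.
# Assumption: run in a 64-bit PowerShell session on the host being assessed.
$paths = @(
    # Key named in the check text.
    'HKLM:\Software\Microsoft\StrongName\Verification',
    # Assumption: 32-bit registry view on 64-bit Windows (not named in the STIG).
    'HKLM:\Software\Wow6432Node\Microsoft\StrongName\Verification'
)

function Get-StrongNameSkipEntry {
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($p in $Path) {
        # A missing key is "not a finding", so there is nothing to report.
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $key = Get-Item -LiteralPath $p
        # Exemptions can be registered as subkeys under the key ...
        foreach ($sub in $key.GetSubKeyNames()) {
            [pscustomobject]@{ Key = $p; Kind = 'Subkey'; Entry = $sub }
        }
        # ... and the check also says no values may be listed under it.
        foreach ($val in $key.GetValueNames()) {
            $name = if ($val -eq '') { '(Default)' } else { $val }
            [pscustomobject]@{ Key = $p; Kind = 'Value'; Entry = $name }
        }
    }
}

$findings = @(Get-StrongNameSkipEntry -Path $paths)
if ($findings.Count -eq 0) {
    Write-Output 'APPNET0031: no strong name verification exemptions listed (not a finding).'
} else {
    # Production: any entry is a finding. Dev/test: a finding unless the IAO
    # has documented approval for that entry.
    Write-Output "APPNET0031: $($findings.Count) exemption entry(ies) listed; review each one."
    $findings | Format-Table -AutoSize
}
```

Each reported entry still has to be judged by hand against the environment type and any documented IAO approval, as the check requires.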

Documentable

False

Severity Override Guidance

Use regedit to review the Windows registry key HKLM\Software\Microsoft\StrongName\Verification. There should be no assemblies or hash values listed under this registry key. If the StrongName\Verification key does not exist, this is not a finding.

If there are assemblies or hash values listed in this key, each value represents a distinct application assembly that does not have the application strong name verified.

If any assemblies are listed as omitting strong name verification in a production environment, this is a finding.

If any assemblies are listed as omitting strong name verification in a development or test environment and the IAO has not provided documented approvals, this is a finding.

Check Content Reference

M

Target Key

4213

Comments