STIGQter: STIG Summary: Microsoft DotNet Framework 4.0 Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021:

Remoting Services HTTP channels must utilize authentication and encryption.

DISA Rule

SV-225228r615940_rule

Vulnerability Number

V-225228

Group Title

SRG-APP-000219

Rule Version

APPNET0060

Severity

CAT II

CCI(s)

• CCI-001184 - The information system protects the authenticity of communications sessions.

Weight

10

Fix Recommendation

Ensure encryption and message integrity are used for HTTP remoting channels.

The HTTP Channel only supports encryption and message integrity when the remote object is hosted in Internet Information Services (IIS) using TLS.

HTTP channels are protected via TLS (HTTPS).
<channels>
<channel ref=“http server” port=“443”/>
</channels>

Change the channel ref parameter to utilize a TLS port and leverage TLS on the remote IIS server.

Check Contents

Review the machine.config file and the [application name].exe.config file.

For 32 bit systems, the "machine.config" file is contained in the following folder. %SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319\Config

For 64 bit systems, the "machine.config" file is contained in the following folder. %SYSTEMROOT%\Microsoft.NET\Framework64\v4.0.30319\Config.

Microsoft specifies locating the [application].config file in the same folder as the application executable (.exe) file. However, the developer does have the capability to specify a different location when the application is compiled. Therefore, if the file is not found in the application home folder, a search of the system is required. If the [application name].exe.config file is not found on the system, then only a check of the machine.config file is required.

Sample machine/application config file:

<application name=“remoteserver”>
<service>
<activated type=“sample.my.object, myobjects”/>
</service>
<channels>
<channel ref=“http server” port=“80”/>
</channels>
</application>

<serverProviders>
<provider ref="wsdl" />
<formatter ref="soap" typeFilterLevel="Low" />
<formatter ref="binary" typeFilterLevel="Low" />
</serverProviders>

Microsoft provides 3 "channels" that are used for remoting connectivity. They are the HTTP, TCP and IPC channels. The channel that is used is specified via the <channels> element in the config file.

HTTP channel example:
<channel ref=“http server” port=“80”/>

The HTTP Channel only supports encryption and message integrity when the remote object is hosted in Internet Information Services (IIS) using TLS.

The above example shows the well known TLS port of 443 is not being used.

If the HTTP remoting channel is not configured to protect the channel by using TLS encryption, this is a finding.

Vulnerability Number

V-225228

Documentable

False

Rule Version

APPNET0060

Severity Override Guidance

Review the machine.config file and the [application name].exe.config file.

For 32 bit systems, the "machine.config" file is contained in the following folder. %SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319\Config

For 64 bit systems, the "machine.config" file is contained in the following folder. %SYSTEMROOT%\Microsoft.NET\Framework64\v4.0.30319\Config.

Microsoft specifies locating the [application].config file in the same folder as the application executable (.exe) file. However, the developer does have the capability to specify a different location when the application is compiled. Therefore, if the file is not found in the application home folder, a search of the system is required. If the [application name].exe.config file is not found on the system, then only a check of the machine.config file is required.

Sample machine/application config file:

<application name=“remoteserver”>
<service>
<activated type=“sample.my.object, myobjects”/>
</service>
<channels>
<channel ref=“http server” port=“80”/>
</channels>
</application>

<serverProviders>
<provider ref="wsdl" />
<formatter ref="soap" typeFilterLevel="Low" />
<formatter ref="binary" typeFilterLevel="Low" />
</serverProviders>

Microsoft provides 3 "channels" that are used for remoting connectivity. They are the HTTP, TCP and IPC channels. The channel that is used is specified via the <channels> element in the config file.

HTTP channel example:
<channel ref=“http server” port=“80”/>

The HTTP Channel only supports encryption and message integrity when the remote object is hosted in Internet Information Services (IIS) using TLS.

The above example shows the well known TLS port of 443 is not being used.

If the HTTP remoting channel is not configured to protect the channel by using TLS encryption, this is a finding.

Check Content Reference

M

Target Key

4213

Comments