STIGQter: STIG Summary: Microsoft DotNet Framework 4.0 Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021

.NET applications that invoke NetFx40_LegacySecurityPolicy must apply previous versions of .NET STIG guidance.

DISA Rule

SV-225232r615940_rule

Vulnerability Number

V-225232

Group Title

SRG-APP-000516

Rule Version

APPNET0064

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Apply the .NET Framework Security Checklist for .NET versions 1 through 3.5 when utilizing the NetFx40_LegacySecurityPolicy setting.

Check Contents

Open Windows Explorer and search for all *.exe.config files. This requirement does not apply to the caspol.exe assembly or other assemblies provided with the Windows OS or the Windows Secure Host Baseline (SHB).

To find relevant files, you can run the FINDSTR command from an elevated (admin) command prompt:

FINDSTR /i /s "NetFx40_LegacySecurityPolicy" c:\*.exe.config

This command searches all "*.exe.config" files on the c: drive partition for the "NetFx40_LegacySecurityPolicy" setting. Repeat the command for each drive partition on the system.


If the .NET application configuration file utilizes the legacy policy element and .NET STIG guidance that covers these legacy versions has not been applied, this is a finding.
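
The same check as a PowerShell function, added here as an example and not part of the STIG text: it covers every local fixed disk in one pass and also reports the element's "enabled" attribute, which FINDSTR alone does not show. The function name, the output columns and the exact-name exclusion of caspol.exe.config are assumptions of this example; other OS- or SHB-provided assemblies still have to be excluded by the reviewer.

```powershell
# Added example (not part of the STIG). Lists *.exe.config files that contain
# NetFx40_LegacySecurityPolicy and reports the element's "enabled" attribute.
# Run from an elevated prompt so protected directories can be read.
function Find-LegacySecurityPolicy {
    [CmdletBinding()]
    param(
        # Defaults to every local fixed disk ("repeat for each drive partition").
        [string[]]$Root = (Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType=3' |
                           ForEach-Object { $_.DeviceID + '\' })
    )
    foreach ($r in $Root) {
        Get-ChildItem -LiteralPath $r -Filter '*.exe.config' -File -Recurse -Force -ErrorAction SilentlyContinue |
            # caspol.exe is exempt per the check text (name match is this example's assumption).
            Where-Object { $_.Name -ne 'caspol.exe.config' } |
            # Case-insensitive text match, equivalent to FINDSTR /i.
            Where-Object { Select-String -LiteralPath $_.FullName -Pattern 'NetFx40_LegacySecurityPolicy' -SimpleMatch -Quiet } |
            ForEach-Object {
                $file    = $_
                $enabled = 'unparsed (review manually)'   # kept if the file is not well-formed XML
                try {
                    $xml  = [xml](Get-Content -LiteralPath $file.FullName -Raw -ErrorAction Stop)
                    $node = $xml.SelectSingleNode("//*[local-name()='NetFx40_LegacySecurityPolicy']")
                    if ($node) { $enabled = $node.GetAttribute('enabled') }
                    else       { $enabled = 'no element (text match only, e.g. in a comment)' }
                } catch { }
                [pscustomobject]@{ Path = $file.FullName; Enabled = $enabled }
            }
    }
}

Find-LegacySecurityPolicy | Sort-Object Path | Format-Table -AutoSize -Wrap
```

Each listed file is a candidate only; whether it is a finding depends on whether the legacy .NET STIG guidance has been applied to that application.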

Documentable

False

Severity Override Guidance

Open Windows Explorer and search for all *.exe.config files. This requirement does not apply to the caspol.exe assembly or other assemblies provided with the Windows OS or the Windows Secure Host Baseline (SHB).

To find relevant files, you can run the FINDSTR command from an elevated (admin) command prompt:

FINDSTR /i /s "NetFx40_LegacySecurityPolicy" c:\*.exe.config

This command searches all "*.exe.config" files on the c: drive partition for the "NetFx40_LegacySecurityPolicy" setting. Repeat the command for each drive partition on the system.


If the .NET application configuration file utilizes the legacy policy element and .NET STIG guidance that covers these legacy versions has not been applied, this is a finding.

Check Content Reference

M

Target Key

4213
