STIGQter: STIG Summary: Microsoft DotNet Framework 4.0 Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021:

Software utilizing .Net 4.0 must be identified and relevant access controls configured.

DISA Rule

SV-225236r615940_rule

Vulnerability Number

V-225236

Group Title

SRG-APP-000431

Rule Version

APPNET0070

Severity

CAT II

CCI(s)

• CCI-002530 - The information system maintains a separate execution domain for each executing process.

Weight

10

Fix Recommendation

Document the existence of all .Net 4.0 applications that are not provided by the host Windows OS or the Windows Secure Host Baseline (SHB).

Document the corresponding runtime hosts that are used to invoke the applications.

Document the applications security control requirements (restricting application access to resources or user access to the application).

Check Contents

This requirement does not apply to the "caspol.exe" assembly or other assemblies provided with the Windows OS or the Windows Secure Host Baseline (SHB).

Ask the system administrator to provide documentation that identifies:

- Each .Net 4.0 application they run on the system.
- The .Net runtime host that invokes the application.
- The security measures employed to control application access to system resources or user access to application.

If all .Net applications, runtime hosts and security protections have been documented or if there are no .Net 4.0 applications existing on the system, this is not a finding.

If there is no documentation that identifies the existence of .NET 4.0 applications or the lack thereof, this is a finding.

If the runtime hosts have not been identified, this is a finding.

If the security protections have not been identified, this is a finding.

Vulnerability Number

V-225236

Documentable

False

Rule Version

APPNET0070

Severity Override Guidance

This requirement does not apply to the "caspol.exe" assembly or other assemblies provided with the Windows OS or the Windows Secure Host Baseline (SHB).

Ask the system administrator to provide documentation that identifies:

- Each .Net 4.0 application they run on the system.
- The .Net runtime host that invokes the application.
- The security measures employed to control application access to system resources or user access to application.

If all .Net applications, runtime hosts and security protections have been documented or if there are no .Net 4.0 applications existing on the system, this is not a finding.

If there is no documentation that identifies the existence of .NET 4.0 applications or the lack thereof, this is a finding.

If the runtime hosts have not been identified, this is a finding.

If the security protections have not been identified, this is a finding.

Check Content Reference

M

Target Key

4213

Comments