From Microsoft Dot Net Framework 4.0 STIG
Part of APPNET0063 Validation of Strong Names
Associated with IA controls: DCSL-1
The "bypassTrustedAppStrongNames" setting specifies whether the bypass feature that avoids validating strong names for full-trust assemblies is enabled. By default, the bypass feature is enabled in .Net 4, so strong names are not validated for correctness when the assembly/program is loaded. Skipping strong-name validation gives a faster application load time, but certificate validation is not performed.
Use regedit to examine the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework key. If the "AllowStrongNameBypass" registry key does not exist on production systems, this is a finding. If the "AllowStrongNameBypass" registry key exists and the DWORD value is set to 1 (true) on production systems, this is a finding. If there is documented IAO approval for either setting on development systems, this is not a finding. Approval documentation must include a complete list of all installed .Net applications, application versions, and acknowledgement that IAO trusts each installed application. If application versions installed on the system do not match approval documentation, this is a finding.
Change the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AllowStrongNameBypass" to a DWORD value of 0. Or, obtain documented IAO approval for each .Net application installed on the system. Approval documentation will include a complete list of all installed .Net applications, application versions, and acknowledgement of IAO trust of each installed application.
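The check above can be scripted instead of inspected by hand in regedit. The following PowerShell is an added example, not part of the STIG text; the function name Test-StrongNameBypass is hypothetical, and auditing the Wow6432Node copy of the key (the view 32-bit .NET processes read on 64-bit Windows) is an assumption that goes beyond the check text.

```powershell
# Added example: evaluates the AllowStrongNameBypass check described above.
# Read-only; run from a PowerShell session that can read HKLM.
$ValueName = 'AllowStrongNameBypass'
$Keys = @('HKLM:\SOFTWARE\Microsoft\.NETFramework')

# Assumption (not in the check text): on 64-bit Windows, 32-bit .NET processes
# read the Wow6432Node view, so audit that copy as well when it exists.
if (Test-Path -LiteralPath 'HKLM:\SOFTWARE\Wow6432Node') {
    $Keys += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework'
}

function Test-StrongNameBypass {
    param([Parameter(Mandatory = $true)][string]$KeyPath)

    $status = 'Finding'; $detail = $null; $data = $null
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue

    if ($null -eq $key -or $key.GetValueNames() -notcontains $ValueName) {
        # Absent value: .NET 4 uses its default, which is bypass enabled.
        $detail = 'value does not exist'
    }
    elseif ($key.GetValueKind($ValueName) -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        # The check text only defines DWORD data, so flag other types for review.
        $status = 'Review'; $detail = 'value exists but is not a DWORD'
    }
    else {
        $data = $key.GetValue($ValueName)
        if ($data -eq 0)     { $status = 'Not a finding'; $detail = 'bypass disabled' }
        elseif ($data -eq 1) { $detail = 'bypass enabled' }
        else                 { $status = 'Review'; $detail = 'data is neither 0 nor 1' }
    }

    New-Object PSObject -Property @{
        Key = $KeyPath; Data = $data; Status = $status; Detail = $detail
    }
}

$results = $Keys | ForEach-Object { Test-StrongNameBypass -KeyPath $_ }
$results | Format-Table Status, Detail, Data, Key -AutoSize
```

The script cannot see IAO approval documentation, so a "Finding" row on a development system still has to be compared against that documentation by hand.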