The production web-site must configure the Global .NET Trust Level.

From IIS 7.0 WEB SITE STIG

Part of WA000-WI6200

SV-46354r2_rule The production web-site must configure the Global .NET Trust Level.

Vulnerability discussion

An application's trust level determines the permissions granted by the ASP.NET Code Access Security (CAS) policy. An application with full trust permissions may access all resource types on a server and perform privileged operations, while applications running with partial trust have varying levels of operating permissions and access to resources. The CAS determines the permissions granted to the application on the server. Setting a level of trust compatible with the applications will limit the potential harm a compromised application could cause to a system.

Check content

Note: Setting a web application Trust Level to MEDIUM may deny some application permissions. Set the trust level for compatibility with these applications. 1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click the .NET Trust Level icon. 4. If the .NET Trust level is not set to Medium or less, this is a finding.

Fix text

1. Open the IIS Manager. 2. Click the site name under review. 3. Double-click the .NET Trust Level icon. 4. Set the .NET Trust level to Medium or less and click apply.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer