The production website must configure the Global .NET Trust Level.

From IIS 8.5 Site Security Technical Implementation Guide

Part of SRG-APP-000141-WSR-000086

Associated with: CCI-000381

SV-91501r2_rule The production website must configure the Global .NET Trust Level.

Vulnerability discussion

A web server may host too many applications. Each application will need certain system resources and privileged operations to operate correctly. An application's trust level determines the permissions granted by the ASP.NET Code Access Security (CAS) policy. An application with full trust permissions may access all resource types on a server and perform privileged operations, while applications running with partial trust have varying levels of operating permissions and access to resources. The CAS determines the permissions granted to the application on the server. Setting a level of trust compatible with the applications will limit the potential harm a compromised application could cause to a system. The web server must be configured to contain and control the applications and protect the system resources and privileged operations from those not needed by the application for operation.Limiting the application will confine the potential harm a compromised application could cause to a system.

Check content

Note: If the server being reviewed is a non-production website, this is Not Applicable. Follow the procedures below for each site hosted on the IIS 8.5 web server: Open the IIS 8.5 Manager. Click the site name under review. Double-click the ".NET Trust Level" icon. If the ".NET Trust Level" is not set to Full or less, this is a finding.

Fix text

Note: If the server being reviewed is a non-production website, this is Not Applicable. Follow the procedures below for each site hosted on the IIS 8.5 web server: Open the IIS 8.5 Manager. Click the site name under review. Double-click the ".NET Trust Level" icon. Set the ".NET Trust Level" to Full or less and click “Apply”. Select "Apply" from the "Actions" pane.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer