################################################################################
DOCUMENT         : MS_Dot_Net_Framework
VERSION          : 2.2.5
CHECKSUM         : 4f8dd7fa637e511264624c42e0968d52594a1e168fc443d4823b4450cc1f8393
MANUAL QUESTIONS : 12

IMPORTANT: Make sure to save the completed version of this file to: 
<SCC Install>/Resources/Content/Manual_Questions/Completed_Files

This file contains all of the non-automated STIG requirements found in the STIG.
Results from this file will be combined with automated checks in SCC to provide
complete STIG compliance results.

This file will be programmatically imported, so do not modify anything in this file
except for placing an '[X]' to select a Single answer, and entering text comments.

The list of questions is printed in order of severity, listing CAT I (High), then CAT II, etc.

################################################################################

QUESTION         : 1 of 12
TITLE            : CAT II, V-225224, SV-225224r954872, SRG-APP-000175
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.dotnet:testaction:21
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.dotnet:question:21
RULE             : The Trust Providers Software Publishing State must be set to 0x23C00.
QUESTION_TEXT    : If the system or application being reviewed is SIPR based, this finding is NA.

This check must be performed for each user on the system. 

Use regedit to locate "HKEY_USERS\[UNIQUE USER SID VALUE]\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State".

If the State value for any user is not set to the hexadecimal value of 0x23C00, this is a finding.


References:
SV-7444
V-7061
CCI-000185

     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 1 *******************************
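Added example (not part of the SCC/STIG file): a PowerShell script that performs the per-user check in question 1 for every user hive currently loaded under HKEY_USERS and prints one verdict per SID. It assumes PowerShell 3.0 or later on the reviewed host; the SID filter, the column names and the verdict strings are the script's own, not STIG wording.

```powershell
# Added example (not part of the SCC/STIG file): report the WinTrust
# "Software Publishing\State" value for every user hive loaded under HKEY_USERS.
# V-225224 expects 0x23C00 on non-SIPR systems.
$Expected = 0x23C00
$SubKey   = 'Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing'

# Real user SIDs only (S-1-5-21-...); skip .DEFAULT, service SIDs and *_Classes hives.
$userHives = Get-ChildItem -Path 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' }

$report = foreach ($hive in $userHives) {
    $sid = $hive.PSChildName

    # Resolve the SID to an account name so the reviewer can tie the hive to a person.
    try {
        $account = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $account = '(unresolved SID)'
    }

    $state = (Get-ItemProperty -Path "Registry::HKEY_USERS\$sid\$SubKey" -Name State -ErrorAction SilentlyContinue).State

    $verdict = if ($null -eq $state) { 'FINDING: State value missing' } elseif ($state -eq $Expected) { 'Not a Finding' } else { 'FINDING: unexpected value' }

    [pscustomobject]@{
        Sid     = $sid
        Account = $account
        State   = if ($null -eq $state) { 'n/a' } else { '0x{0:X}' -f $state }
        Verdict = $verdict
    }
}
$report | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt. HKEY_USERS only exposes hives for profiles that are currently loaded, so a user who is not logged on is invisible to this script; load that profile first (reg load HKU\TempHive C:\Users\<name>\NTUSER.DAT), rerun, then reg unload HKU\TempHive.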

QUESTION         : 2 of 12
TITLE            : CAT II, V-225225, SV-225225r954872, SRG-APP-000175
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.dotnet:testaction:41
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.dotnet:question:41
RULE             : Developer certificates used with the .NET Publisher Membership Condition must be approved by the ISSO.
QUESTION_TEXT    : The infrastructure to enable Code Access Security (CAS) exists only in .NET Framework 2.x-4.x. 

This requirement is Not Applicable (NA) for .NET Framework greater than 4.x.

(Note: The infrastructure is deprecated and is not receiving servicing or security fixes.)

Caspol.exe is a Microsoft tool used for working with .Net policy. Use caspol.exe to list the code groups and any publisher membership conditions.

The location of the caspol utility is dependent upon the system architecture of the system running .Net.

For 32 bit systems, caspol.exe is located at %SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319.
 
For 64 bit systems, caspol.exe is located at %SYSTEMROOT%\Microsoft.NET\Framework64\v4.0.30319.

Example:

cd %SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319

To check code groups for the machine, run the following command:

caspol.exe -m -lg

Sample Results:
Microsoft (R) .NET Framework CasPol 4.0.30319.1
Copyright (c) Microsoft Corporation.  All rights reserved.

Policy change prompt is ON

Level = Machine

Code Groups:

1.  All code: Nothing
   1.1.  Zone - MyComputer: FullTrust (LevelFinal)
      1.1.1.  StrongName - 002400000480000094000000060200000024000052534131000400000100010007D1FA57C4AED9F0A32E84AA0FAEFD0DE9E8FD6AEC8F87FB03766C834C99921EB23BE79AD9D5DCC1DD9AD236132102900B723CF980957FC4E177108FC607774F29E8320E92EA05ECE4E821C0A5EFE8F1645C4C0C93C1AB99285D622CAA652C1DFAD63D745D6F2DE5F17E5EAF0FC4963D261C8A12436518206DC093344D5AD293: FullTrust
      1.1.2.  StrongName - 00000000000000000400000000000000: FullTrust
   1.2.  Zone - Intranet: LocalIntranet
      1.2.1.  All code: Same site Web
      1.2.2.  All code: Same directory FileIO - 'Read, PathDiscovery'
   1.3.  Zone - Internet: Internet
      1.3.1.  All code: Same site Web
   1.4.  Zone - Untrusted: Nothing
   1.5.  (First Match) Zone - Trusted: Internet
      1.5.1.  All code: Same site Web
   1.6.  Publisher - 30818902818100E47B359ACC061D70C237B572FA276C9854CFABD469DFB74E77D026630BEE2A0C2F8170A823AE69FDEB65704D7FD446DEFEF1F6BA12B6ACBDB1BFA7B9B595AB9A40636467CFF7C73F198B53A9A7CF177F6E7896EBC591DD3003C5992A266C0AD9FBEE4E2A056BE7F7ED154D806F7965F83B0AED616C192C6416CFCB46FC2F5CFD0203010001: FullTrust
Success

Section 1.6 above indicates the presence of a publisher's key that meets the Publisher's Membership Condition and is also given full trust.

If the Publisher Membership Condition is used on a nondefault Code Group and the use of that publisher's certificate is not documented and approved by the ISSO, this is a finding.

References:
SV-7446
V-7063
CCI-000185

     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 2 *******************************

QUESTION         : 3 of 12
TITLE            : CAT II, V-225226, SV-225226r954874, SRG-APP-000176
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.dotnet:testaction:61
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.dotnet:question:61
RULE             : Encryption keys used for the .NET Strong Name Membership Condition must be protected.
QUESTION_TEXT    : If the application is a COTS product, this requirement is Not Applicable (NA).

The infrastructure to enable Code Access Security (CAS) exists only in .NET Framework 2.x-4.x.

The requirement is Not Applicable (NA) for .NET Framework greater than 4.x.

(Note: The infrastructure is deprecated and is not receiving servicing or security fixes.)

Caspol.exe is a Microsoft tool used for working with .NET policy. Use caspol.exe to list the code groups and any strong name membership conditions.

The location of the caspol utility is dependent upon the system architecture of the system running .Net.

For 32 bit systems, caspol.exe is located at %SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319.
 
For 64 bit systems, caspol.exe is located at %SYSTEMROOT%\Microsoft.NET\Framework64\v4.0.30319.

Example:

cd %SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319

To check code groups, run the following command:

caspol.exe -all -lg

Sample response:
Microsoft (R) .NET Framework CasPol 4.0.30319.1

Security is ON
Execution checking is ON
Policy change prompt is ON

Level = Machine

Code Groups:

1.  All code: Nothing
   1.1.  Zone - MyComputer: FullTrust (LevelFinal)
      1.1.1.  StrongName - 002400000480000094000000060200000024000052534131000400000100010007D1FA57C4AED9F0A32E84AA0FAEFD0DE9E8FD6AEC8F87FB03766C834C99921EB23BE79AD9D5DCC1DD9AD236132102900B723CF980957FC4E177108FC607774F29E8320E92EA05ECE4E821C0A5EFE8F1645C4C0C93C1AB99285D622CAA652C1DFAD63D745D6F2DE5F17E5EAF0FC4963D261C8A12436518206DC093344D5AD293: FullTrust
      1.1.2.  StrongName - 00000000000000000400000000000000: FullTrust
   1.2.  Zone - Intranet: LocalIntranet
      1.2.1.  All code: Same site Web
      1.2.2.  All code: Same directory FileIO - 'Read, PathDiscovery'
   1.3.  Zone - Internet: Internet
      1.3.1.  All code: Same site Web
   1.4.  Zone - Untrusted: Nothing
   1.5.  (First Match) Zone - Trusted: Internet
      1.5.1.  All code: Same site Web
   1.6.  Publisher - 30818902818100E47B359ACC061D70C237B572FA276C9854CFABD469DFB74E77D026630BEE2A0C2F8170A823AE69FDEB65704D7FD446DEFEF1F6BA12B6ACBDB1BFA7B9B595AB9A40636467CFF7C73F198B53A9A7CF177F6E7896EBC591DD3003C5992A266C0AD9FBEE4E2A056BE7F7ED154D806F7965F83B0AED616C192C6416CFCB46FC2F5CFD0203010001: FullTrust
Success

An assembly will satisfy the StrongNameMembershipCondition if its metadata contains the strongly identifying data associated with the specified strong name. At the least, this means it has been digitally signed with the private key associated with the public key recorded in the policy.

The presence of a public key blob in the StrongName field indicates the use of StrongNameMembershipCondition; the matching private key is what the signer must protect.

If a Strong Name Membership Condition is assigned to a non-default Code Group the private key must be adequately protected by the software developer or the entity responsible for signing the assemblies. 

Ask the Systems Programmer how the private keys are protected. 

Private keys are simply values stored as strings of data. For strong names the key pair is typically an .snk file produced by sn.exe, or a key container held by a cryptographic service provider. Keys can be stored in files on the file system or in a centralized data repository.

Adequate protection methods include, but are not limited to:
- utilizing centralized key management;
- using strict file permissions to limit access; and
- tying strong pass phrases to the key.

If the private key used to sign the assembly is not adequately protected, this is a finding.

References:
SV-7450
V-7067
CCI-000186

     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 3 *******************************
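Added example (not part of the SCC/STIG file) covering questions 2 and 3: a PowerShell script that runs caspol.exe -m -lg for each installed 4.x policy (the 32-bit and 64-bit CAS policy files are separate, so both caspol copies are run on an x64 host), parses the code-group listing and flags every Publisher or StrongName membership condition that is not one of the two default StrongName groups shipped with the Framework (1.1.1 is the Microsoft public key and 1.1.2 the ECMA key, as in the sample output above). The line pattern, column names and action text are the script's own.

```powershell
# Added example (not part of the SCC/STIG file): list non-default Publisher and
# StrongName code groups from the machine-level CAS policy (V-225225 / V-225226).
$DefaultStrongNames = @(
    # 1.1.1 default group: Microsoft public key (as shown in the sample caspol output)
    '002400000480000094000000060200000024000052534131000400000100010007D1FA57C4AED9F0A32E84AA0FAEFD0DE9E8FD6AEC8F87FB03766C834C99921EB23BE79AD9D5DCC1DD9AD236132102900B723CF980957FC4E177108FC607774F29E8320E92EA05ECE4E821C0A5EFE8F1645C4C0C93C1AB99285D622CAA652C1DFAD63D745D6F2DE5F17E5EAF0FC4963D261C8A12436518206DC093344D5AD293',
    # 1.1.2 default group: ECMA public key
    '00000000000000000400000000000000'
)

# 32-bit and 64-bit policy are stored separately, so run every caspol.exe present.
$caspols = 'Framework', 'Framework64' |
    ForEach-Object { Join-Path $env:SYSTEMROOT "Microsoft.NET\$_\v4.0.30319\caspol.exe" } |
    Where-Object { Test-Path $_ }
if (-not $caspols) { Write-Warning 'caspol.exe not found: no 2.x-4.x CAS policy on this host (rule is NA)'; return }

# Matches e.g. "   1.6.  Publisher - 3081...: FullTrust" and "      1.1.1.  StrongName - 0024...: FullTrust"
$Pattern = '^\s*(?<label>[\d.]+)\s+(?<cond>StrongName|Publisher) - (?<key>[0-9A-Fa-f]+)(?<rest>.*?):\s*(?<perm>.+)$'

$report = foreach ($caspol in $caspols) {
    $arch = if ($caspol -like '*Framework64*') { 'x64' } else { 'x86' }
    foreach ($line in (& $caspol -m -lg 2>&1)) {
        if ("$line" -notmatch $Pattern) { continue }
        $key = $Matches.key.ToUpperInvariant()
        $isDefault = ($Matches.cond -eq 'StrongName') -and ($DefaultStrongNames -contains $key)
        $action = if ($isDefault) {
            'default group, no action'
        } elseif ($Matches.cond -eq 'Publisher') {
            'verify ISSO approval of this publisher certificate (V-225225)'
        } else {
            'verify protection of the signing private key (V-225226)'
        }
        [pscustomobject]@{
            Policy     = $arch
            Group      = $Matches.label.TrimEnd('.')
            Condition  = $Matches.cond
            Key        = $key.Substring(0, [Math]::Min(16, $key.Length)) + '...'
            Permission = $Matches.perm.Trim()
            Action     = $action
        }
    }
}
$report | Format-Table -AutoSize
```

caspol.exe -lg only reads policy, so the "Policy change prompt" never fires. Every row whose Action is not "default group" is a group the reviewer must match against ISSO approval (Publisher) or against the key-protection evidence from the Systems Programmer (StrongName); user- and enterprise-level policy (caspol -u / -en) can be listed the same way if the site uses them.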

QUESTION         : 4 of 12
TITLE            : CAT II, V-225227, SV-225227r954804, SRG-APP-000120
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.dotnet:testaction:81
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.dotnet:question:81
RULE             : CAS and policy configuration files must be backed up.
QUESTION_TEXT    : The infrastructure to enable Code Access Security (CAS) exists only in .NET Framework 2.x-4.x.

The requirement is Not Applicable (NA) for .NET Framework greater than 4.x.

(Note: The infrastructure is deprecated and is not receiving servicing or security fixes.)

Ask the System Administrator if all CAS policy and policy configuration files are included in the system backup. If they are not, this is a finding.

Ask the System Administrator if the policy and configuration files are backed up prior to migration, deployment, and reconfiguration. If they are not, this is a finding.

Ask the System Administrator for documentation that shows CAS Policy configuration files are backed up as part of a disaster recovery plan. If they have no documentation proving the files are backed up, this is a finding.

References:
SV-7452
V-7069
CCI-000164

     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 4 *******************************

QUESTION         : 5 of 12
TITLE            : CAT II, V-225228, SV-225228r956033, SRG-APP-000219
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.dotnet:testaction:101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.dotnet:question:101
RULE             : Remoting Services HTTP channels must utilize authentication and encryption.
QUESTION_TEXT    : If .NET remoting with HTTP channel is not used, this check is Not Applicable.

Review the machine.config file and the [application name].exe.config file.

For 32-bit systems, the "machine.config" file is contained in the following folder: %SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319\Config 

For 64-bit systems, the "machine.config" file is contained in the following folder: %SYSTEMROOT%\Microsoft.NET\Framework64\v4.0.30319\Config.

Microsoft specifies locating the [application].config file in the same folder as the application executable (.exe) file. However, the developer does have the capability to specify a different location when the application is compiled.  Therefore, if the file is not found in the application home folder, a search of the system is required. If the [application name].exe.config file is not found on the system, then only a check of the machine.config file is required.

Sample machine/application config file:

<application name="remoteserver"> 
  <service> 
    <activated type="sample.my.object, myobjects"/> 
  </service> 
  <channels> 
    <channel ref="http server" port="80"/> 
  </channels> 
</application>

<serverProviders>
  <provider ref="wsdl" />
  <formatter ref="soap" typeFilterLevel="Low" /> 
  <formatter ref="binary" typeFilterLevel="Low" /> 
</serverProviders> 

Microsoft provides three "channels" that are used for remoting connectivity. They are the HTTP, TCP, and IPC channels. The channel that is used is specified via the <channels> element in the config file.  

HTTP channel example:
<channel ref="http server" port="80"/> 

The HTTP channel only supports encryption and message integrity when the remote object is hosted in Internet Information Services (IIS) using TLS.

The above example shows the well-known TLS port of 443 is not being used. 

If the HTTP remoting channel is not configured to protect the channel by using TLS encryption, this is a finding.

References:
SV-7453
V-7070
CCI-001184

     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 5 *******************************

QUESTION         : 6 of 12
TITLE            : CAT II, V-225229, SV-225229r955845, SRG-APP-000516
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.dotnet:testaction:121
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.dotnet:question:121
RULE             : .Net Framework versions installed on the system must be supported.
QUESTION_TEXT    : Determine which versions of the .NET Framework are installed by opening the directory %systemroot%\Microsoft.NET.

The folder named "%systemroot%\Microsoft.NET\Framework" contains .NET files for 32 bit systems.  The folder named "%systemroot%\Microsoft.NET\Framework64" contains .NET files for 64 bit systems. 64 bit systems will have both the 32 bit and the 64 bit folders while 32 bit systems do not have a Framework64 folder.

Within each of the aforementioned folders are the individual folder names that contain the corresponding versions of the .NET Framework:

v4.0.30319
v3.5
v3.0
v2.0.50727
v1.1.4322
v1.0.3705

Search for all the Mscorlib.dll files in the %systemroot%\Microsoft.NET\Framework folder and the %systemroot%\Microsoft.NET\Framework64 folder if the folder exists. Click on each of the files, view properties, and click the version tab to determine the version installed. If there is no Mscorlib.dll, there is no CLR installed in that directory. Note that v3.0 and v3.5 are layers on the 2.0 CLR and their folders do not contain their own Mscorlib.dll; their presence is recorded under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP.

More specific information on determining versions of .Net Framework installed can be found at the following link. http://support.microsoft.com/kb/318785

Verify extended support is available for the installed versions of .Net Framework.

Verify the .Net Framework support dates with Microsoft Product Lifecycle Search link.
http://support.microsoft.com/lifecycle/search/?sort=PN&alpha=.NET+Framework

Beginning with .NET 3.5 SP1, the .NET Framework is considered a Component of the Windows OS. Components follow the Support Lifecycle policy of their parent product or platform.
 
If any versions of the .Net Framework are installed and support is no longer available, this is a finding.


References:
SV-55642
V-18395
CCI-000366

     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 6 *******************************
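Added example (not part of the SCC/STIG file): a PowerShell script that inventories the CLRs under %systemroot%\Microsoft.NET by locating mscorlib.dll, then reads the NDP setup keys, because the v4.0.30319 folder name does not reveal which 4.x point release is installed (the "Release" DWORD does) and because the 3.x layers have no mscorlib.dll of their own. The Release thresholds are the minimum values Microsoft documents for each 4.x version; the column names and output wording are the script's own.

```powershell
# Added example (not part of the SCC/STIG file): enumerate installed .NET Framework
# runtimes and map the 4.x "Release" value to a version for the support check (V-225229).
$report = foreach ($arch in 'Framework', 'Framework64') {
    $root = Join-Path $env:SYSTEMROOT "Microsoft.NET\$arch"
    if (-not (Test-Path $root)) { continue }
    foreach ($dir in Get-ChildItem -Path $root -Directory -Filter 'v*') {
        $dll = Join-Path $dir.FullName 'mscorlib.dll'
        [pscustomobject]@{
            Arch        = $arch
            Folder      = $dir.Name
            HasRuntime  = Test-Path $dll
            FileVersion = if (Test-Path $dll) { (Get-Item $dll).VersionInfo.FileVersion } else { '(no CLR here; see NDP keys)' }
        }
    }
}
$report | Format-Table -AutoSize

# Setup keys: "Install" = 1 marks an installed layer, "Version" gives its version string.
$ndp = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP'
foreach ($sub in 'v2.0.50727', 'v3.0', 'v3.5', 'v4\Full') {
    $p = Get-ItemProperty -Path (Join-Path $ndp $sub) -ErrorAction SilentlyContinue
    if ($p -and $p.Install -eq 1) { '{0,-12} installed, Version={1} Release={2}' -f $sub, $p.Version, $p.Release }
}

# Minimum "Release" values documented by Microsoft for each 4.x version (highest first).
$releaseMap = [ordered]@{
    533320 = '4.8.1'; 528040 = '4.8';   461808 = '4.7.2'; 461308 = '4.7.1'; 460798 = '4.7'
    394802 = '4.6.2'; 394254 = '4.6.1'; 393295 = '4.6';   379893 = '4.5.2'; 378675 = '4.5.1'; 378389 = '4.5'
}
$release = (Get-ItemProperty -Path "$ndp\v4\Full" -Name Release -ErrorAction SilentlyContinue).Release
if ($release) {
    $ver = ($releaseMap.GetEnumerator() | Where-Object { $release -ge $_.Key } | Select-Object -First 1).Value
    "4.x point release: $ver (Release=$release)"
}
```

Compare the versions reported here with the Microsoft lifecycle page linked above: 4.5.2, 4.6 and 4.6.1 reached end of support in April 2022, while 4.6.2 and later follow the lifecycle of the Windows release they are installed on, so the Windows version matters as much as the Framework version.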

QUESTION         : 7 of 12
TITLE            : CAT II, V-225231, SV-225231r954872, SRG-APP-000175
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.dotnet:testaction:161
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.dotnet:question:161
RULE             : .NET must be configured to validate strong names on full-trust assemblies.
QUESTION_TEXT    : If there is documented ISSO risk acceptance for development systems, this is not a finding.
For 32 bit production systems: 
Use regedit to examine the “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework” key.  
On 64-bit production systems:
Use regedit to examine both the “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework” and “HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework” keys.
If the "AllowStrongNameBypass" value does not exist, or if the “DWORD” value is set to “1”, this is a finding.

Documentation must include a complete list of installed .Net applications, application versions, and acknowledgement that ISSO trusts each installed application.

If application versions installed on the system do not match approval documentation, this is a finding.



References:
SV-40977
V-30935
CCI-000185

     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 7 *******************************
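Added example (not part of the SCC/STIG file): a PowerShell script that checks the AllowStrongNameBypass value under the native key and, on x64, the Wow6432Node key (each governs the CLR of its own bitness), and can optionally set it to 0. The $Remediate switch and the verdict wording are the script's own.

```powershell
# Added example (not part of the SCC/STIG file): verify (and optionally enforce)
# AllowStrongNameBypass = 0 as required by V-225231.
$Remediate = $false   # set to $true to create/set the DWORD to 0 on a production system

$keys = @('HKLM:\SOFTWARE\Microsoft\.NETFramework')
if ([Environment]::Is64BitOperatingSystem) {
    # 32-bit CLR on an x64 host reads the Wow6432Node view
    $keys += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework'
}

foreach ($key in $keys) {
    $value = (Get-ItemProperty -Path $key -Name AllowStrongNameBypass -ErrorAction SilentlyContinue).AllowStrongNameBypass

    # A missing value leaves the bypass at its default (enabled), which the rule treats as a finding.
    $verdict = if ($null -eq $value) {
        'FINDING: value missing (strong-name bypass enabled by default)'
    } elseif ($value -eq 0) {
        'Not a Finding'
    } else {
        "FINDING: AllowStrongNameBypass=$value"
    }
    '{0,-60} {1}' -f $key, $verdict

    if ($Remediate -and $value -ne 0) {
        New-ItemProperty -Path $key -Name AllowStrongNameBypass -PropertyType DWord -Value 0 -Force | Out-Null
        "  -> set AllowStrongNameBypass=0 under $key"
    }
}
```

Setting the value to 0 makes the runtime verify the strong-name signature of every full-trust assembly at load time instead of skipping the check; re-test applications after remediation, since an assembly with a tampered or delay-signed-but-unsigned strong name will then fail to load.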

QUESTION         : 8 of 12
TITLE            : CAT II, V-225233, SV-225233r955677, SRG-APP-000431
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.dotnet:testaction:201
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.dotnet:question:201
RULE             : Trust must be established prior to enabling the loading of remote code in .Net 4.
QUESTION_TEXT    : Open Windows explorer and search for *.exe.config.

Search each config file found for the "loadFromRemoteSources" element.

If the loadFromRemoteSources element is enabled
(<loadFromRemoteSources enabled="true"/>), and the remotely loaded application is not run in a sandboxed environment, or if OS-based software controls, such as AppLocker or Software Restriction Policies, are not utilized, this is a finding.


References:
SV-41010
V-30968
CCI-002530

     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 8 *******************************

QUESTION         : 9 of 12
TITLE            : CAT II, V-225236, SV-225236r955677, SRG-APP-000431
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.dotnet:testaction:261
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.dotnet:question:261
RULE             : Software utilizing .Net 4.0 must be identified and relevant access controls configured.
QUESTION_TEXT    : This requirement does not apply to the "caspol.exe" assembly or other assemblies provided with the Windows OS or the Windows Secure Host Baseline (SHB).

Ask the system administrator to provide documentation that identifies:

- Each .Net 4.0 application they run on the system.
- The .Net runtime host that invokes the application. 
- The security measures employed to control application access to system resources or user access to application.

If all .Net applications, runtime hosts and security protections have been documented or if there are no .Net 4.0 applications existing on the system, this is not a finding.

If there is no documentation that identifies the existence of .NET 4.0 applications or the lack thereof, this is a finding.

If the runtime hosts have not been identified, this is a finding.

If the security protections have not been identified, this is a finding.



References:
SV-41030
V-30986
CCI-002530

     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 9 *******************************

QUESTION         : 10 of 12
TITLE            : CAT II, V-225237, SV-225237r956035, SRG-APP-000219
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.dotnet:testaction:281
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.dotnet:question:281
RULE             : Remoting Services TCP channels must utilize authentication and encryption.
QUESTION_TEXT    : If .NET remoting with TCP channel is not used, this check is Not Applicable.

Check the machine.config and the [application executable name].exe.config configuration files. 

For 32-bit systems, the "machine.config" file is contained in the following folder. %SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319\Config 

For 64-bit systems, the "machine.config" file is contained in the following folder. %SYSTEMROOT%\Microsoft.NET\Framework64\v4.0.30319\Config.

Microsoft specifies locating the application config file in the same folder as the application executable (.exe) file. However, the developer does have the capability to specify a different location when the application is compiled.  Therefore, if the config file is not found in the application home folder, a search of the system is required. If the [application name].exe.config file is not found on the system, then only a check of the machine.config file is required.

Sample machine/application config file:

<application name="remoteserver"> 
  <service> 
    <activated type="sample.my.object, myobjects"/> 
  </service> 
  <channels> 
    <channel ref="tcp server" port="6134"/> 
  </channels> 
</application>

<serverProviders>
  <provider ref="wsdl" />
  <formatter ref="soap" typeFilterLevel="Full" /> 
  <formatter ref="binary" typeFilterLevel="Full" /> 
</serverProviders> 

Microsoft provides three "channels" that are used for remoting connectivity. They are the HTTP, TCP, and IPC channels. The channel that is used is specified via the <channels> element in the config file.  

TCP channel example:
<channel ref="tcp" port="6134" secure="true"/> 

The TCP channel provides encryption and message integrity when the "secure" flag is set to "true" as shown in the above example.

If the "secure" flag is not set to "true" for the TCP channel, this is a finding.

References:
SV-42341
V-32025
CCI-001184

     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 10 *******************************
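Added example (not part of the SCC/STIG file) covering questions 5 and 10: a PowerShell script that parses machine.config and every *.exe.config under the listed roots, lists each remoting <channel>, and flags HTTP channels (which only get transport protection when the object is hosted in IIS behind TLS) and TCP channels that lack secure="true". The $Roots list, the channel classification by ref/type name and the verdict text are the script's own assumptions.

```powershell
# Added example (not part of the SCC/STIG file): audit .NET remoting channel
# configuration for V-225228 (HTTP channel) and V-225237 (TCP channel).
$Roots = @('C:\')   # assumption: application config files live under these roots

$configs = @()
foreach ($arch in 'Framework', 'Framework64') {
    $mc = Join-Path $env:SYSTEMROOT "Microsoft.NET\$arch\v4.0.30319\Config\machine.config"
    if (Test-Path $mc) { $configs += Get-Item $mc }
}
$configs += Get-ChildItem -Path $Roots -Filter '*.exe.config' -Recurse -File -ErrorAction SilentlyContinue

$report = foreach ($cfg in $configs) {
    try { [xml]$xml = Get-Content -Path $cfg.FullName -Raw -ErrorAction Stop } catch { continue }

    foreach ($ch in $xml.SelectNodes('//system.runtime.remoting//channels/channel')) {
        # A channel is referenced by name (ref="tcp server") or by type (type="...TcpServerChannel, ...").
        $ident  = $ch.GetAttribute('ref')
        if (-not $ident) { $ident = $ch.GetAttribute('type') }
        $secure = $ch.GetAttribute('secure')

        $verdict = if ($ident -match 'http') {
            'FINDING unless the object is hosted in IIS over TLS (V-225228)'
        } elseif ($ident -match 'tcp') {
            if ($secure -eq 'true') { 'Not a Finding (secure="true")' } else { 'FINDING: secure="true" not set (V-225237)' }
        } elseif ($ident -match 'ipc') {
            'IPC channel: local named pipe, outside these two rules'
        } else {
            'custom channel: review manually'
        }

        [pscustomobject]@{
            File    = $cfg.FullName
            Channel = $ident
            Port    = $ch.GetAttribute('port')
            Secure  = $secure
            Verdict = $verdict
        }
    }
}
$report | Format-Table -AutoSize -Wrap
```

A recursive search of the whole system drive is slow; narrow $Roots to the application directories once they are known, but keep machine.config in scope because a channel declared there applies to every application on the host. Note that secure="true" on a TCP channel also enforces authentication (the channel negotiates with the caller's Windows identity), which is why the rule title speaks of authentication and encryption together.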

QUESTION         : 11 of 12
TITLE            : CAT III, V-225232, SV-225232r955845, SRG-APP-000516
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.dotnet:testaction:181
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.dotnet:question:181
RULE             : .Net applications that invoke NetFx40_LegacySecurityPolicy must apply previous versions of .NET STIG guidance.
QUESTION_TEXT    : Open Windows explorer and search for all *.exe.config files.  This requirement does not apply to the caspol.exe assembly or other assemblies provided with the Windows OS or the Windows Secure Host Baseline (SHB).

To find relevant files, you can run the FINDSTR command from an elevated (admin) command prompt: 
FINDSTR /i /s "NetFx40_LegacySecurityPolicy" c:\*.exe.config 
This command will search all "*.exe.config" files on the c: drive partition for the "NetFx40_LegacySecurityPolicy" setting. Repeat the command for each drive partition on the system.


If the .NET application configuration file utilizes the legacy policy element and .NET STIG guidance that covers these legacy versions has not been applied, this is a finding.


References:
SV-40979
V-30937
CCI-000366

     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 11 *******************************

QUESTION         : 12 of 12
TITLE            : CAT III, V-225234, SV-225234r955845, SRG-APP-000516
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.dotnet:testaction:221
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.dotnet:question:221
RULE             : .NET default proxy settings must be reviewed and approved.
QUESTION_TEXT    : Open Windows explorer and search for all "*.exe.config" and "machine.config" files.

Search each file for the "defaultProxy" element.

<defaultProxy enabled="true|false" useDefaultCredentials="true|false">
  <bypasslist> … </bypasslist>
  <proxy> … </proxy>
  <module> … </module>
</defaultProxy>

If the "defaultProxy" setting "enabled=false" or if the "bypasslist", "module", or "proxy" child elements have configuration entries and there are no documented approvals from the IAO, this is a finding.

If the "defaultProxy" element is empty, or the only proxy setting present is usesystemdefault="true" on the <proxy> child element, the framework is using the system default (browser) proxy settings; this is not a finding.

References:
SV-41014
V-30972
CCI-000366

     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 12 *******************************
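Added example (not part of the SCC/STIG file) covering questions 8, 11 and 12: a single PowerShell pass over every *.exe.config and machine.config under the listed roots that reports the three configuration settings those checks look for: <runtime><loadFromRemoteSources enabled="true"/> (question 8), <runtime><NetFx40_LegacySecurityPolicy enabled="true"/> (question 11), and a <system.net><defaultProxy> that disables the proxy or carries custom children (question 12). The $Roots list, the Emit helper and the Detail wording are the script's own; the element and attribute names are the ones the .NET configuration schema defines.

```powershell
# Added example (not part of the SCC/STIG file): flag config-file settings for
# V-225233 (remote code loading), V-225232 (legacy CAS policy) and V-225234 (default proxy).
$Roots = @('C:\')   # assumption: extend to every drive partition on the host

function Emit($File, $Rule, $Detail) { [pscustomobject]@{ File = $File; Rule = $Rule; Detail = $Detail } }

$configs = Get-ChildItem -Path $Roots -Include '*.exe.config', 'machine.config' -Recurse -File -ErrorAction SilentlyContinue

$report = foreach ($cfg in $configs) {
    try { [xml]$xml = Get-Content -Path $cfg.FullName -Raw -ErrorAction Stop }
    catch { Emit $cfg.FullName 'parse' 'not well-formed XML; review by hand'; continue }

    # V-225233: assemblies loaded from UNC/HTTP paths get full trust when this is enabled.
    $lfrs = $xml.SelectSingleNode('/configuration/runtime/loadFromRemoteSources')
    if ($lfrs -and $lfrs.GetAttribute('enabled') -eq 'true') {
        Emit $cfg.FullName 'V-225233' 'loadFromRemoteSources enabled="true": confirm sandboxing or AppLocker/SRP controls'
    }

    # V-225232: application opts back into the deprecated 2.x-3.5 CAS policy model.
    $legacy = $xml.SelectSingleNode('/configuration/runtime/NetFx40_LegacySecurityPolicy')
    if ($legacy -and $legacy.GetAttribute('enabled') -eq 'true') {
        Emit $cfg.FullName 'V-225232' 'NetFx40_LegacySecurityPolicy enabled="true": apply legacy .NET STIG guidance'
    }

    # V-225234: a disabled proxy or custom proxy/bypasslist/module entries need documented approval.
    $dp = $xml.SelectSingleNode('/configuration/system.net/defaultProxy')
    if ($dp) {
        $disabled = $dp.GetAttribute('enabled') -eq 'false'
        $proxy    = $dp.SelectSingleNode('proxy')
        # <proxy usesystemdefault="true"/> with nothing else just means "use the system (browser) settings".
        $systemDefault = $proxy -and $proxy.Attributes.Count -eq 1 -and $proxy.GetAttribute('usesystemdefault') -eq 'true'
        $custom = @(@('bypasslist', 'module') | Where-Object { $dp.SelectSingleNode($_) })
        if ($proxy -and -not $systemDefault) { $custom += 'proxy' }
        if ($disabled -or $custom) {
            Emit $cfg.FullName 'V-225234' ('defaultProxy enabled="{0}", custom children: {1}; documented approval required' -f $dp.GetAttribute('enabled'), ($custom -join ', '))
        }
    }
}
$report | Format-Table -AutoSize -Wrap
```

Files that fail to parse are still listed (Rule = parse) rather than silently skipped, because a config file that is not well-formed XML is itself worth a look. The defaultProxy test deliberately treats <proxy usesystemdefault="true"/> on its own as the not-a-finding case described in question 12, while any other <proxy> attribute (proxyaddress, bypassonlocal, and so on) counts as a custom entry.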

