| Field | Value |
|---|---|
| Name | .NET Framework Security Checklist Version 1, Release 2 |
| Version | Version 1, Release 2 |
| Status | Final |
| Creation Date | May, 2006 |
| Revision Date | Not available |
| Product Category | Server |
| Vendor | Microsoft Corporation |
| Product | Microsoft .NET Framework |
| Product Version | Microsoft .NET Framework 1.0 and 1.1 |
| Product Role | Application Server |
| Checklist Summary | The .NET Framework Security Readiness Review (SRR) targets conditions that undermine the integrity of security, contribute to inefficient security operations and administration, or may lead to interruption of production operations. Additionally, the review ensures the site has properly installed and implemented the .NET environment and that it is being managed in a way that is secure, efficient, and effective. The items reviewed are based on Department of Defense (DOD) policy and the NSA guide, Guide to Microsoft .NET Framework Security. |
| Known Issues | Not available |
| Target Audience | IAVM alerts, bulletins, and advisories were instituted to provide positive control of vulnerability notification and corresponding corrective action within DOD. All DOD program managers and system administrators, and/or other personnel responsible for system networks shall comply with the IAVM process. |
| Target Operational Environment | Enterprise |
| Checklist Installation Tools | Not available |
| Rollback Capability | Not available |
| Testing Information | The .NET SRR is made up of manual check procedures that use the Microsoft .NET Framework Configuration Tool, CASPOL.EXE, SETREG.EXE, and SN.EXE. With the exception of SN.EXE, these tools are provided and installed with the Microsoft .NET Framework or, in the case of SETREG.EXE, are installed with the Windows server software. The procedures indicate exact title, selection, or option names with the use of italics. Instructions for using the tools are listed under the Reviewer Interfaces section. The checks reference the results of the tool commands from the Reviewer Interfaces section. |
| NIAP/CMVP Status | Not available |
| Regulatory Compliance | Not available |
| Comments, Warnings, Disclaimer, Miscellaneous | Required security patches that address .NET vulnerabilities are reviewed during an operating system security review and are not included in this checklist. |
| Disclaimer | Not available |
| Product Support | FSO Support for the STIGs, Checklists, and Tools is only available to DOD Customers. |
| Submitting Organization/Authors | Defense Information Systems Agency |
| Point of Contact | Not available |
| Sponsor | Not available |
| Licensing | Not available |
| Checklist Homepage | http://iase.disa.mil/stigs/ |
| Download Package | http://iase.disa.mil/stigs/checklist/dot-NET_Checklist_V1R2_20060428.doc |
| Integrity | sha1(dot-NET_Checklist_V1R2_20060428.doc) = 5bb5673af2dc960e5c7dfcc471d3c366c7dc5046<br>sha256(dot-NET_Checklist_V1R2_20060428.doc) = f0a1e04c8fbb9480d3576f3cf5924a0d029b9f85113864d7809d7c030f27f730 |
| Change History | 2005-09-09; Version 1, Release 0<br>2006-05; Version 1, Release 2 |
| Dependency/Requirement | Guide to Microsoft .NET Framework Security, NSA SNAC, v1.4 |
| References | Guide to Microsoft .NET Framework Security, NSA SNAC, v1.4 |
| NIST Identifier | 1094 |