U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

National Checklist Program

National Checklist Program

NCP

  1. Checklist Repository

.NET Framework Security Checklist Version 1, Release 3 Checklist Details (Checklist Revisions)

Supporting Resources:

Target:

Target CPE Name
Microsoft .NET Framework 1.0 cpe:/a:microsoft:.net_framework:1.0 (View CVEs)
Microsoft .NET Framework 1.1 cpe:/a:microsoft:.net_framework:1.1 (View CVEs)
Microsoft .NET Framework 2.0 cpe:/a:microsoft:.net_framework:2.0 (View CVEs)
Microsoft .NET Framework 3.0 cpe:/a:microsoft:.net_framework:3.0 (View CVEs)
Microsoft .NET Framework 3.5 cpe:/a:microsoft:.net_framework:3.5 (View CVEs)

Checklist Highlights

Checklist Name:
.NET Framework Security Checklist
Checklist ID:
7
Version:
Version 1, Release 3
Type:
Compliance
Review Status:
Final
Authority:
Governmental Authority: Defense Information Systems Agency
Original Publication Date:
02/18/2009

Checklist Summary:

The .NET Framework Security Readiness Review (SRR) targets conditions that undermine the integrity of security, contribute to inefficient security operations and administration, or may lead to interruption of production operations. Additionally, the review ensures the site has properly installed and implemented the .NET environment and that it is being managed in a way that is secure, efficient, and effective. The items reviewed are based on Department of Defense (DOD) policy and the NSA guide, Guide to Microsoft .NET Framework Security.

Checklist Role:

  • Application Server

Known Issues:

Not provided.

Target Audience:

IAVM alerts, bulletins, and advisories were instituted to provide positive control of vulnerability notification and corresponding corrective action within DOD. All DOD program managers and system administrators, andor other personnel responsible for system networks shall comply with the IAVM process.

Target Operational Environment:

  • Managed

Testing Information:

The .NET SRR is made of manual check procedures that use the Microsoft .NET Framework Configuration Tool, CASPOL.EXE, SETREG.EXE, and SN.EXE. With the exception of SN.EXE, these tools are provided and installed with the Microsoft .NET Framework or, in the case of SETREG.EXE are installed with the Windows server software. The procedures indicate exact title, selection, or option names with the use of italics. Instructions for use the tools are listed under the Reviewer Interfaces section. The checks reference the results of the tool commands from the Reviewer Interfaces section.

Regulatory Compliance:

Not provided.

Comments/Warnings/Miscellaneous:

Security patches required that address .NET vulnerabilities are reviewed during an operating system security review and are not included in this checklist.

Disclaimer:

Not provided.

Product Support:

FSO Support for the STIGs, Checklists, and Tools is only available to DOD Customers.

Point of Contact:

disa.stig_spt@mail.mil

Sponsor:

Not provided.

Licensing:

Not provided.

Change History: 

2005-09-09 Version1, Release 0
2006-05 Version 1, Release 2
2007-09-21 Version 1, Release 2.1
2009-02-18 Version 1, Release 2.3
Added point of contact
Updated URL to reflect change to the DISA website - http --> https
Updated to v1,r3 - 3/21/18
updated to FINAL - 4/24/18
Removed non-working reference link  - 10/26/18
Updated URLs - 6/6/19

Dependency/Requirements:

URL Description

References:

Reference URL Description

NIST checklist record last modified on 06/07/2019