################################################################################
DOCUMENT         : MS_Dot_Net_Framework
VERSION          : 002.007.009
CHECKSUM         : 0d5fad5ec7fe91b604d732fbc0ad832537261bfb2bb576562a5b8ed8b8c2a3e6
MANUAL QUESTIONS : 3

IMPORTANT: Make sure to save the completed version of this file to: 
<SCC Install>/Resources/Content/Manual_Questions/Completed_Files

This file contains all of the non-automated STIG requirements found in the STIG.
Results from this file will be combined with automated checks in SCC to provide
complete STIG compliance results.

This file will be programmatically imported, so do not modify anything in this file
except for placing an '[X]' to select a single answer, and entering text comments.

The list of questions is printed in order of severity, listing CAT I (High), then CAT II, etc.

################################################################################

QUESTION         : 1 of 3
TITLE            : CAT II, V-225225, SV-225225r961038, SRG-APP-000175
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.dotnet:testaction:501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.dotnet:question:501
RULE             : Developer certificates used with the .NET Publisher Membership Condition must be approved by the ISSO.
QUESTION_TEXT    : The infrastructure to enable Code Access Security (CAS) exists only in .NET Framework 2.x-4.x. 

This requirement is Not Applicable (NA) for .NET Framework greater than 4.x.

(Note: The infrastructure is deprecated and is not receiving servicing or security fixes.)

Caspol.exe is a Microsoft tool used for working with .Net policy. Use caspol.exe to list the code groups and any publisher membership conditions.

The location of the caspol utility is dependent upon the system architecture of the system running .Net.

For 32-bit systems, caspol.exe is located at %SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319.

For 64-bit systems, caspol.exe is located at %SYSTEMROOT%\Microsoft.NET\Framework64\v4.0.30319.

Example:

cd %SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319

To check code groups for the machine, run the following command:

caspol.exe -m -lg

Sample Results:
Microsoft (R) .NET Framework CasPol 4.0.30319.1
Copyright (c) Microsoft Corporation.  All rights reserved.

Policy change prompt is ON

Level = Machine

Code Groups:

1.  All code: Nothing
   1.1.  Zone - MyComputer: FullTrust (LevelFinal)
      1.1.1.  StrongName - 002400000480000094000000060200000024000052534131000400000100010007D1FA57C4AED9F0A32E84AA0FAEFD0DE9E8FD6AEC8F87FB03766C834C99921EB23BE79AD9D5DCC1DD9AD236132102900B723CF980957FC4E177108FC607774F29E8320E92EA05ECE4E821C0A5EFE8F1645C4C0C93C1AB99285D622CAA652C1DFAD63D745D6F2DE5F17E5EAF0FC4963D261C8A12436518206DC093344D5AD293: FullTrust
      1.1.2.  StrongName - 00000000000000000400000000000000: FullTrust
   1.2.  Zone - Intranet: LocalIntranet
      1.2.1.  All code: Same site Web
      1.2.2.  All code: Same directory FileIO - 'Read, PathDiscovery'
   1.3.  Zone - Internet: Internet
      1.3.1.  All code: Same site Web
   1.4.  Zone - Untrusted: Nothing
   1.5.  (First Match) Zone - Trusted: Internet
      1.5.1.  All code: Same site Web
   1.6.  Publisher - 30818902818100E47B359ACC061D70C237B572FA276C9854CFABD469DFB74E77D026630BEE2A0C2F8170A823AE69FDEB65704D7FD446DEFEF1F6BA12B6ACBDB1BFA7B9B595AB9A40636467CFF7C73F198B53A9A7CF177F6E7896EBC591DD3003C5992A266C0AD9FBEE4E2A056BE7F7ED154D806F7965F83B0AED616C192C6416CFCB46FC2F5CFD0203010001: FullTrust
Success

Section 1.6 above indicates the presence of a publisher's key that meets the Publisher's Membership Condition and is also given full trust.

If the Publisher Membership Condition is used on a nondefault Code Group and the use of that publisher's certificate is not documented and approved by the ISSO, this is a finding.
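The following PowerShell script is an added example, not part of the STIG or of SCC: it runs caspol.exe -m -lg from the architecture-appropriate directory named above, parses every "Publisher - <key>: <permission set>" code group out of the listing, and compares each publisher key against a site-maintained approval list. $ApprovedPublisherKeys is a placeholder for the keys the ISSO has documented and approved; the line pattern assumes the caspol output format shown in the sample results.

```powershell
# Added example (not the STIG's or SCC's own tooling). Flags Publisher membership
# conditions at the machine policy level and checks them against ISSO approvals.
# $ApprovedPublisherKeys is a placeholder: fill it from the site's approval records.
$ApprovedPublisherKeys = @(
    # 'PLACEHOLDER_HEX_OF_ISSO_APPROVED_PUBLISHER_KEY'
)

# Select the caspol.exe location by system architecture, as the check text describes.
$fw = if ([Environment]::Is64BitOperatingSystem) { 'Framework64' } else { 'Framework' }
$caspol = Join-Path $env:SYSTEMROOT "Microsoft.NET\$fw\v4.0.30319\caspol.exe"
if (-not (Test-Path $caspol)) {
    Write-Output "caspol.exe not found at $caspol; CAS exists only in .NET 2.x-4.x, so review for Not Applicable."
    return
}

# -m = machine level, -lg = list code groups. The output is plain text, parsed line by line.
$lines = & $caspol -m -lg

# Code group lines look like "   1.6.  Publisher - 3081...: FullTrust".
$pattern = '^\s*(?<label>[\d.]+)\s+Publisher\s+-\s+(?<key>[0-9A-Fa-f]+):\s*(?<perm>.+?)\s*$'
$findings = foreach ($line in $lines) {
    if ($line -match $pattern) {
        [pscustomobject]@{
            Group         = $Matches.label
            PublisherKey  = $Matches.key
            PermissionSet = $Matches.perm
            Approved      = $ApprovedPublisherKeys -contains $Matches.key
        }
    }
}

if (-not $findings) {
    Write-Output 'No Publisher membership conditions at machine level: Not a Finding.'
} else {
    $findings | Format-Table -AutoSize
    $unapproved = @($findings | Where-Object { -not $_.Approved })
    if ($unapproved.Count -gt 0) {
        Write-Output "$($unapproved.Count) Publisher code group(s) lack documented ISSO approval: Finding."
    } else {
        Write-Output 'All Publisher code groups are on the ISSO-approved list: Not a Finding.'
    }
}
```

Run the same script with -u in place of -m to review the user policy level as well; the finding criteria above apply to any nondefault code group using the Publisher condition.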

References:
SV-7446
V-7063
CCI-000185
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 1 *******************************

QUESTION         : 2 of 3
TITLE            : CAT II, V-225227, SV-225227r960936, SRG-APP-000120
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.dotnet:testaction:901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.dotnet:question:901
RULE             : CAS and policy configuration files must be backed up.
QUESTION_TEXT    : The infrastructure to enable Code Access Security (CAS) exists only in .NET Framework 2.x-4.x.

The requirement is Not Applicable (NA) for .NET Framework greater than 4.x.

(Note: The infrastructure is deprecated and is not receiving servicing or security fixes.)

Ask the System Administrator if all CAS policy and policy configuration files are included in the system backup. If they are not, this is a finding.

Ask the System Administrator if the policy and configuration files are backed up prior to migration, deployment, and reconfiguration. If they are not, this is a finding.

Ask the System Administrator for documentation that shows CAS Policy configuration files are backed up as part of a disaster recovery plan. If they have no documentation proving the files are backed up, this is a finding.

References:
SV-7452
V-7069
CCI-000164
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 2 *******************************

QUESTION         : 3 of 3
TITLE            : CAT II, V-225236, SV-225236r1069477, SRG-APP-000431
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.dotnet:testaction:2701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.dotnet:question:2701
RULE             : Software utilizing .Net 4.0 must be identified and relevant access controls configured.
QUESTION_TEXT    : This requirement does not apply to the "caspol.exe" assembly or other assemblies provided with the Windows OS or the Windows Secure Host Baseline (SHB).

Ask the system administrator to provide documentation that identifies:

- Each .Net 4.0 application run on the system.
- The .Net runtime host that invokes the application. 
- The security measures employed to control application access to system resources or user access to the application.

For additional insight, run: tasklist /fi "modules eq mscoree.dll"

If all .Net applications, runtime hosts and security protections have been documented or if there are no .Net 4.0 applications existing on the system, this is not a finding.

If there is no documentation that identifies the existence of .NET 4.0 applications or the lack thereof, this is a finding.

If the runtime hosts have not been identified, this is a finding.

If the security protections have not been identified, this is a finding.


References:
SV-41030
V-30986
CCI-002530
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 3 *******************************

