Details

The ‘bypassTrustedAppStrongNames’ setting specifies whether the bypass feature that avoids validating strong names for full-trust assemblies is enabled. By default the bypass feature is enabled in .Net 4, therefore strong names are not validated for correctness when the assembly/program is loaded. Not validating strong names provides a faster application load time but at the expense of performing certificate validation.

Full trust assemblies are .Net applications launched from the local host. Strong names are digital signatures tied to .Net applications/assemblies. .Net 4 considers applications installed locally to be fully trusted by default and grants these applications full permissions to access host resources.

The bypass feature applies to any assembly signed with a strong name and having the following characteristics:

Fully trusted without the StrongName evidence (for example, has MyComputer zone evidence).

Loaded into a fully trusted AppDomain.

Loaded from a location under the ApplicationBase property of that AppDomain.

Not delay-signed.

Not validating the certificates used to sign strong name assemblies will provide a faster application load time, but falsely assumes that signatures used to sign the application are to be implicitly trusted. Not validating strong name certificates introduces an integrity risk to the system.

Solution

For 32 bit production systems:
Set ‘HKEY_LOCAL_MACHINESOFTWAREMicrosoft.NETFrameworkAllowStrongNameBypass’ to a ‘DWORD’ value of ‘0’.
On 64-bit production systems:
Set ‘HKEY_LOCAL_MACHINESOFTWAREMicrosoft.NETFramework AllowStrongNameBypass’ and ‘HKEY_LOCAL_MACHINESOFTWAREWow6432NodeMicrosoft.NETFramework AllowStrongNameBypass’ to a ‘DWORD’ value of ‘0’.
Or, obtain documented ISSO risk acceptance for each .Net application installed on the system.

Approval documentation will include complete list of all installed .Net applications, application versions, and acknowledgement of ISSO trust of each installed application.

Supportive Information

The following resource is also helpful.

• https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_DotNet_Framework_4-0_V2R1_STIG.zip

This security hardening control applies to the following category of controls within NIST 800-53: Identification and Authentication.This control applies to the following type of system Windows.

References

• 800-53|IA-5(2)(a)
• CAT|II
• CCI|CCI-000185
• Rule-ID|SV-225231r615940_rule
• STIG-ID|APPNET0063
• STIG-Legacy|SV-40977
• STIG-Legacy|V-30935
• Vuln-ID|V-225231

Source

• Tenable.com/audits