V-225225
CAT IIDeveloper certificates used with the .NET Publisher Membership Condition must be approved by the ISSO.
- Ships Affected
- 2
- Total Findings
- 13
- Open
- 0
- Closed
- 0
Check Text
The infrastructure to enable Code Access Security (CAS) exists only in .NET Framework 2.x-4.x.
This requirement is Not Applicable (NA) for .NET Framework greater than 4.x.
(Note: The infrastructure is deprecated and is not receiving servicing or security fixes.)
Caspol.exe is a Microsoft tool used for working with .Net policy. Use caspol.exe to list the code groups and any publisher membership conditions.
The location of the caspol utility is dependent upon the system architecture of the system running .Net.
For 32 bit systems, caspol.exe is located at %SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319.
For 64 bit systems, caspol.exe is located at %SYSTEMROOT%\Microsoft.NET\Framework64\v4.0.30319.
Example:
cd %SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319
To check code groups for the machine, run the following command:
caspol.exe -m -lg
Sample Results:
Microsoft (R) .NET Framework CasPol 4.0.30319.1
Copyright (c) Microsoft Corporation. All rights reserved.
Policy change prompt is ON
Level = Machine
Code Groups:
1. All code: Nothing
1.1. Zone - MyComputer: FullTrust (LevelFinal)
1.1.1. StrongName - 002400000480000094000000060200000024000052534131000400000100010007D1FA57C4AED9F0A32E84AA0FAEFD0DE9E8FD6AEC8F87FB03766C834C99921EB23BE79AD9D5DCC1DD9AD236132102900B723CF980957FC4E177108FC607774F29E8320E92EA05ECE4E821C0A5EFE8F1645C4C0C93C1AB99285D622CAA652C1DFAD63D745D6F2DE5F17E5EAF0FC4963D261C8A12436518206DC093344D5AD293: FullTrust
1.1.2. StrongName - 00000000000000000400000000000000: FullTrust
1.2. Zone - Intranet: LocalIntranet
1.2.1. All code: Same site Web
1.2.2. All code: Same directory FileIO - 'Read, PathDiscovery'
1.3. Zone - Internet: Internet
1.3.1. All code: Same site Web
1.4. Zone - Untrusted: Nothing
1.5. (First Match) Zone - Trusted: Internet
1.5.1. All code: Same site Web
1.6. Publisher - 30818902818100E47B359ACC061D70C237B572FA276C9854CFABD469DFB74E77D026630BEE2A0C2F8170A823AE69FDEB65704D7FD446DEFEF1F6BA12B6ACBDB1BFA7B9B595AB9A40636467CFF7C73F198B53A9A7CF177F6E7896EBC591DD3003C5992A266C0AD9FBEE4E2A056BE7F7ED154D806F7965F83B0AED616C192C6416CFCB46FC2F5CFD0203010001: FullTrust
Success
Section 1.6 above indicates the presence of a publisher's key that meets the Publisher's Membership Condition and is also given full trust.
If the Publisher Membership Condition is used on a nondefault Code Group and the use of that publisher's certificate is not documented and approved by the ISSO, this is a finding.
Fix Text
Trust must be established when utilizing Publishers Membership Condition. All publisher's certificates must have documented approvals from the ISSO.
STIG Reference
- STIG
- Microsoft DotNet Framework 4.0 Security Technical Implementation Guide
- Version
- 2
- Release
- 8
- Rule ID
- SV-225225r961038_rule
All Occurrences
This vulnerability appears on 2 ship(s)
| Ship | Hull # | Source File | Status | Assigned To | Scan Date | Actions |
|---|---|---|---|---|---|---|
| LAB BASELINES | BASELINE | SCHR-P3-DP-001_DotNET4_V2R7_20260305-132722.cklb | Unassigned | 2026-03-12T15:38:14.388995 | View in Context | |
| USNS MONTFORD POINT | T-ESD-1 | MONT-SW-89134_DotNET4_V2R7_20251217-201000.ckl | Unassigned | 2026-03-04T15:25:41.864254 | View in Context | |
| USNS MONTFORD POINT | T-ESD-1 | MONT-SW-89108_DotNET4_V2R7_20251217-202821.ckl | Unassigned | 2026-03-04T15:25:15.828600 | View in Context | |
| USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-AP-002/Checklist/MONT-AP-002_DotNET4_V2R7_20251023-144010.ckl | Unassigned | 2026-01-14T12:57:42.156893 | View in Context | |
| USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_DotNET4_V2R7_20251023-143746.ckl | Unassigned | 2026-01-14T12:57:39.853926 | View in Context | |
| USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-DB-002/Checklist/MONT-DB-002_DotNET4_V2R7_20251023-143930.ckl | Unassigned | 2026-01-14T12:57:38.504147 | View in Context | |
| USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-DC-003/Checklist/MONT-DC-003_DotNET4_V2R7_20251023-171946.ckl | Unassigned | 2026-01-14T12:57:36.663331 | View in Context | |
| USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-DP-001/Checklist/MONT-DP-001_DotNET4_V2R7_20251023-143731.ckl | Unassigned | 2026-01-14T12:57:34.683670 | View in Context | |
| USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-MB-002/Checklist/MONT-MB-002_DotNET4_V2R7_20251023-152339.ckl | Unassigned | 2026-01-14T12:57:32.355929 | View in Context | |
| USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-VSF-003/Checklist/MONT-VSF-003_DotNET4_V2R7_20251023-143732.ckl | Unassigned | 2026-01-14T12:57:30.918773 | View in Context | |
| USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-VSF-004/Checklist/MONT-VSF-004_DotNET4_V2R7_20251023-143711.ckl | Unassigned | 2026-01-14T12:57:29.485524 | View in Context | |
| USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-WS-92010/Checklist/MONT-WS-92010_DotNET4_V2R7_20251023-141005.ckl | Unassigned | 2026-01-14T12:57:27.786540 | View in Context | |
| USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-WS-92040/Checklist/MONT-WS-92040_DotNET4_V2R7_20251023-142306.ckl | Unassigned | 2026-01-14T12:57:25.530570 | View in Context |