The Microsoft .NET Framework 4.0 Security Technical Implementation Guide (STIG) provides guidance for secure configuration and usage of Microsoft's .NET Framework version 4.0. The STIG provides security guidance for .NET deployments in workstations or servers and focuses on the secure configuration of the .NET Common Language Runtime (CLR). This overview document gives technology-specific background and information on conducting a security review for .NET Framework Version 4.0. Previous versions of .NET are not addressed specifically, although some of the information may significantly overlap with previous versions.
This section provides background information on the Microsoft .NET 4.0 Framework and discusses general security considerations involved with using this technology. This overview document is not intended as a comprehensive source of information on .NET. Microsoft and other authors have produced documentation available for reference. Additionally, this STIG is not intended as a tutorial or training tool for inexperienced SAs. Since .NET is part of an application development and runtime architecture, knowledge of how .NET applications function, the Windows OS and application development techniques and programming issues is a prerequisite to understanding how to use the .NET STIG requirements.
This document is a requirement for all DoD-administered systems and all systems connected to DoD networks. These requirements are designed to assist System Managers (SMs), Information Assurance Managers (IAMs), Information Assurance Officers (IAOs), and Systems Administrators (SAs) with configuring and maintaining security controls. This guidance supports DoD system design, development, implementation, certification, and accreditation efforts.
- Specialized Security-Limited Functionality (SSLF)
Microsoft's .NET Framework version 4.0
FSO Support for the STIGs, Checklists, and Tools is only available to DOD Customers via email at: firstname.lastname@example.org
Version 1, Release 2 - 24 January 2014 (XCCDF only)
Version 1, Release 1 - 5 April 2013 (Benchmark)
Version 1, Release 1 - 10 August 2012
Version 1, Release 3 Benchmark - 30 October 2015
Changed status from "Under Review" to "Final" - 29 December 2015
4/27/2016 - version 1 release 3
moved to FINAL - 6/7/2016
Updated URL to reflect change to the DISA website - http --> https
Updated to V1, R4 - 1/26/18
Updated to FINAL - 2/27/2018
updated to Ver 1, Rel 5 - 7/24/18
Updated to FINAL - 8/24/18
Updated to Version 1, Release 6 - 10/25/18
Updated to FINAL - 11/26/18
NIST checklist record last modified on 11/26/2018