Check: APPNET0055
Microsoft DotNet Framework 4.0 STIG:
APPNET0055
(in versions v2 r4 through v2 r3)
Title
CAS and policy configuration files must be backed up. (Cat II impact)
Discussion
A successful disaster recovery plan requires that CAS policy and CAS policy configuration files are identified and included in systems disaster backup and recovery events. Documentation regarding the location of system and application specific CAS policy configuration files and the frequency in which backups occur is required. If these files are not identified and the information is not documented, there is the potential that critical application configuration files may not be included in disaster recovery events which could lead to an availability risk.
Check Content
The infrastructure to enable Code Access Security (CAS) exists only in .NET Framework 2.x-4.x. The requirement is Not Applicable (NA) for .NET Framework greater than 4.x. (Note: The infrastructure is deprecated and is not receiving servicing or security fixes.) Ask the System Administrator if all CAS policy and policy configuration files are included in the system backup. If they are not, this is a finding. Ask the System Administrator if the policy and configuration files are backed up prior to migration, deployment, and reconfiguration. If they are not, this is a finding. Ask the System Administrator for documentation that shows CAS Policy configuration files are backed up as part of a disaster recovery plan. If they have no documentation proving the files are backed up, this is a finding.
Fix Text
All CAS policy and policy configuration files must be included in the system backup. All CAS policy and policy configuration files must be backed up prior to migration, deployment, and reconfiguration. CAS policy configuration files must be included in disaster recovery plan documentation.
Additional Identifiers
Rule ID: SV-225227r954804_rule
Vulnerability ID: V-225227
Group Title: SRG-APP-000120
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000164 |
The information system protects audit information from unauthorized deletion. |
Controls
Number | Title |
---|---|
AU-9 |
Protection Of Audit Information |