Microsoft DotNet Framework 4.0 STIG Version Comparison
Microsoft DotNet Framework 4.0 Security Technical Implementation Guide
Comparison
There are 3 differences between versions v2 r5 (Jan. 30, 2025) (the "left" version) and v2 r7 (July 2, 2025) (the "right" version).
Check APPNET0061 was changed between these two versions. Green, underlined text was added, red, struck-out text was removed.
The regular view of the left check and right check may be easier to read.
Text Differences
Title
.Net Framework versions installed on the system must be supported.
Check Content
Determine which versions of the .NET Framework are installed by opening the directory %systemroot%\Microsoft.NET. The folder named "%systemroot%\Microsoft.NET\Framework" contains .NET files for 32 bit systems. The folder named "%systemroot%\Microsoft.NET\Framework64" contains .NET files for 64 bit systems. 64 bit systems will have both the 32 bit and the 64 bit folders folders. while 32 bit systems do not have a Framework64 folder. Within each of the aforementioned folders are the individual folder names that contain the corresponding versions of the .NET Framework: v4.0.30319 v3.5 v3.0 v2.0.50727 v1.1.4322 v1.0.3705 Search for all the Mscorlib.dll files in the %systemroot%\Microsoft.NET\Framework folder and the %systemroot%\Microsoft.NET\Framework64 folder if the folder exists. Click on each of the files, view properties, and click the version tab to determine the version installed. If there is no Mscorlib.dll, there is no installed version of .Net Framework in that directory. More specific information on determining versions of .Net Framework installed can be found at the following link. http://support.microsoft.com/kb/318785 Verify extended support is available for the installed versions of .Net Framework. Verify the .Net Framework support dates with Microsoft Product Lifecycle Search link. http://support.microsoft.com/lifecycle/search/?sort=PN&alpha=.NET+Framework Beginning with .NET 3.5 SP1, the .NET Framework is considered a Component of the Windows OS. Components follow the Support Lifecycle policy of their parent product or platform. If platform. .NET Framework 3.5 cannot function without the .NET Framework 2.0 and the .NET Framework 3.0, because there is no common language runtime (CLR) in the .NET Framework 3.5 layer. Therefore, when the .NET Framework 3.5 product is installed, the .NET Framework 2.0 and the .NET Framework 3.0 SP products are also installed. Installation of .NET 2.0 and 3.0 SP products as part of .NET Framework 3.5 is Not a Finding. (https://support.microsoft.com/en-us/topic/clarification-on-the-support-life-cycle-for-the-net-framework-3-5-the-net-framework-3-0-and-the-net-framework-2-0-28621c7b-226c-7682-27f5-2e2a42db39c3) If any versions of the .Net Framework are installed and support is no longer available, this is a finding.
Discussion
Unsupported software introduces risks and violates DoD DOD policy. Applications utilizing unsupported versions of .NET introduce substantial risk to the host, network, and the enclave because by virtue of the fact they leverage an architecture that is no longer updated by the vendor. This introduces potential application integrity, availability, or confidentiality issues.
Fix
Remove unsupported versions of the .NET Framework and upgrade legacy applications that utilize unsupported versions of the .NET framework.