Romain Guacher posted to the SC-L mailing list that the NSA has published a massive 298-page unclassified document on .NET 2.0 security. From the introduction:
"The purpose of this document is to inform administrators responsible for systems and
network security about the configurable security features available in the .NET Framework.
To place some of the configuration options in context, a brief introduction to the .NET
Framework security model and its components is provided. For further information about
security in the .NET Framework, many resources are available; for example, see [Microsoft,
MSDN], [Microsoft, .NET Framework], [LaMacchia, et al., 2002], or [Watkins and Lange,
The security features of the .NET Framework are highly extensible and configurable. While
this document describes some of the default settings, it cannot address all possible
circumstances or scenarios administrators may experience. This guide is intended to assist
the administrator in exercising discriminating judgment in the configuration of the .NET
Framework in response to variations in organizational security policies and operational
This guide does not address Microsoft Windows operating system security issues that are not
specifically related to the .NET Framework."