.NET Framework 3.5, 3.0, 2.0 is disabled or removed
Ensure older versions of .NET Framework (3.5, 3.0, 2.0) are turned off or uninstalled.
Plain language
This control is about making sure that older versions of the .NET Framework, which is a kind of software that helps programs run on Windows computers, are either turned off or completely removed. These older versions can be unsafe because they might have security holes that hackers can exploit to break into or mess up your computer systems.
Framework
ASD Essential Eight
Control effect
Proactive
E8 mitigation strategy
Application hardening
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML3
Official control statement
.NET Framework 3.5 (includes .NET 2.0 and 3.0) is disabled or removed.
Why it matters
Without disabling or removing .NET Framework 3.5/3.0/2.0, systems remain exposed to legacy vulnerabilities that attackers can exploit.
Operational notes
Regularly audit endpoints to ensure .NET Framework 3.5/3.0/2.0 stays disabled/removed, and block re-enablement or reinstall via policy.
Implementation tips
- IT team should identify computers with .NET Framework 3.5 (which includes versions 2.0 and 3.0) installed by using inventory software to scan all company machines.
- System administrator should disable .NET Framework 3.5 on computers by going to Windows Features in Control Panel and unchecking .NET 3.5.
- IT team should remove .NET Framework 3.5 from systems where it is not required by uninstalling it through Control Panel or using command-line tooling for batch removal.
- Security officer should verify with software vendors whether existing applications require .NET Framework 3.5, and plan upgrades or replacements for dependent applications.
- IT team should document the removal process and update system management records to ensure inventory accuracy.
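The inventory, disable and verify steps above can be scripted on a Windows client. The following is an added example, not part of the control text; it uses the built-in DISM PowerShell cmdlets and the NDP registry marker, assumes an elevated session, and the function names `Get-NetFx3State` and `Disable-NetFx3` are ours. Windows Server hosts use the ServerManager cmdlets (`Get-WindowsFeature` / `Uninstall-WindowsFeature NET-Framework-Core -Remove`) instead.

```powershell
# Added example: audit the NetFx3 optional feature and, on request, disable it.
function Get-NetFx3State {
    # Two independent signals: the optional-feature state reported by DISM and the
    # registry marker that .NET Framework setup writes when 3.5 is installed.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName NetFx3
    $ndp     = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5' `
                                -Name Install -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        FeatureState   = [string]$feature.State   # Enabled, Disabled, DisabledWithPayloadRemoved
        RegistryMarker = [bool]($ndp.Install -eq 1)
        Compliant      = ([string]$feature.State -ne 'Enabled') -and -not ($ndp.Install -eq 1)
        CheckedAt      = (Get-Date).ToString('s')
    }
}

function Disable-NetFx3 {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # -RemovePayload also deletes the feature files, so re-enabling later needs
        # install media or Windows Update rather than a one-click Control Panel change.
        [switch]$RemovePayload
    )
    $state = Get-NetFx3State
    if ($state.Compliant) {
        Write-Verbose "NetFx3 already disabled on $($state.ComputerName)"
        return $state
    }
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable NetFx3 optional feature')) {
        $params = @{ Online = $true; FeatureName = 'NetFx3'; NoRestart = $true }
        if ($RemovePayload) { $params.Remove = $true }
        Disable-WindowsOptionalFeature @params | Out-Null
    }
    # Re-read so the returned object reflects the post-change state.
    Get-NetFx3State
}

# Audit run: append one evidence row per host to a CSV for the inventory record.
Get-NetFx3State | Export-Csv -Path "$env:TEMP\netfx3-audit.csv" -NoTypeInformation -Append
```

Run `Disable-NetFx3 -RemovePayload -WhatIf` first to confirm the target before changing it; a reboot may still be required for the feature state to finalise.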
Audit / evidence tips
- Ask: Has the organisation disabled or removed .NET Framework 3.5 from all systems?
- Good: Inventory reports confirm no installations of .NET Framework 3.5, or policy documents state it’s disabled on necessary systems.
- Ask: What is the process for ensuring .NET Framework 3.5 is not re-installed?
- Good: Configuration policies are in place that automatically block reinstallation of .NET Framework versions below 4.0.
Cross-framework mappings
How E8-AH-ML3.1 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.9 | E8-AH-ML3.1 requires a specific secure configuration outcome: disabling or removing legacy .NET Framework versions to reduce the attack s... | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (2) | | |
| ISM-1246 | ISM-1246 requires server applications to be hardened using ASD and vendor hardening guidance with the most restrictive precedence | |
| ISM-1621 | E8-AH-ML3.1 requires organisations to disable or remove legacy .NET Framework versions (3.5/3.0/2.0) to reduce the attack surface from ou... | |
| Related (4) | | |
| ISM-1409 | ISM-1409 requires operating systems to be hardened using ASD and vendor guidance, with the most restrictive requirements taking precedence | |
| ISM-1470 | ISM-1470 requires unneeded components, services and functionality across common user applications (e.g | |
| ISM-1655 | E8-AH-ML3.1 requires that .NET Framework 3.5 (including .NET 2.0 and 3.0) is disabled or removed | |
| ISM-1798 | ISM-1798 requires secure configuration guidance to be produced and made available to consumers | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.