Ensure .NET Framework 3.5 is Disabled or Removed
.NET Framework 3.5 should be turned off or uninstalled for security reasons.
Plain language
.NET Framework 3.5 might seem like just some software that helps run certain programs on your computer, but it's not supported for the newest security updates. This means it can leave your computer open to hackers, who could steal your data, mess up your system, or compromise your business operations if they're able to exploit these security holes.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2021
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML3
Guideline
Guidelines for system hardening
Section
Operating system hardening
Official control statement
.NET Framework 3.5 (includes .NET 2.0 and 3.0) is disabled or removed.
Why it matters
Leaving .NET Framework 3.5 enabled risks exploitation of unpatched vulnerabilities, leading to potential data breaches and business disruptions.
Operational notes
Verify via Windows Features/PowerShell that .NET Framework 3.5 is disabled/removed on all hosts during quarterly reviews.
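The PowerShell check named above can be scripted so each quarterly review produces a dated evidence file. This is an added example, not part of the ISM control text or ASD guidance; the parameter names, default host list and report path are assumptions.

```powershell
# Audit hosts for .NET Framework 3.5 (ISM-1655). Run elevated; remote hosts
# need PowerShell remoting (WinRM). Parameter names/defaults are assumptions.
[CmdletBinding()]
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),   # hypothetical host list
    [string]$ReportPath = '.\netfx35-audit.csv'       # hypothetical evidence file
)

$check = {
    # NetFx3 is the optional feature that carries .NET 2.0, 3.0 and 3.5.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName 'NetFx3' -ErrorAction Stop
    $state = [string]$feature.State
    # Setup registry value, reported separately so a reviewer can spot a host
    # where the feature store and the installed runtime disagree.
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5'
    $install = (Get-ItemProperty -Path $key -Name 'Install' -ErrorAction SilentlyContinue).Install

    [pscustomobject]@{
        HostName          = $env:COMPUTERNAME
        FeatureState      = $state
        RegistryInstalled = ($install -eq 1)
        # Pending states are not compliant until the reboot completes.
        Compliant         = ($state -in 'Disabled', 'DisabledWithPayloadRemoved')
        CheckedUtc        = (Get-Date).ToUniversalTime().ToString('s')
    }
}

$results = foreach ($name in $ComputerName) {
    try {
        if ($name -eq $env:COMPUTERNAME) { & $check }
        else {
            Invoke-Command -ComputerName $name -ScriptBlock $check -ErrorAction Stop |
                Select-Object HostName, FeatureState, RegistryInstalled, Compliant, CheckedUtc
        }
    }
    catch {
        # A host that cannot be checked is recorded as non-compliant, never skipped.
        [pscustomobject]@{
            HostName          = $name
            FeatureState      = "Error: $($_.Exception.Message)"
            RegistryInstalled = $null
            Compliant         = $false
            CheckedUtc        = (Get-Date).ToUniversalTime().ToString('s')
        }
    }
}

$results | Export-Csv -Path $ReportPath -NoTypeInformation
$results | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

A host reported as `Enabled` can be remediated with `Disable-WindowsOptionalFeature -Online -FeatureName NetFx3`, adding `-Remove` to delete the payload as well. A row showing a disabled feature with `RegistryInstalled` true warrants a manual check.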
Implementation tips
- The IT team should identify all computers and servers running .NET Framework 3.5 by using inventory management software to scan for installed software versions. Make sure to report the findings in a clear and detailed list.
- The IT team should evaluate which applications still rely on .NET Framework 3.5 and work with application owners to upgrade these to newer versions or to alternative software that doesn’t require .NET Framework 3.5. Document these discussions and update plans in a project management tool.
- System owners should coordinate with the IT team to schedule a convenient time to disable or remove .NET Framework 3.5 on each machine identified. This is done through the control panel and may involve using scripts for batch processing.
- The IT team should ensure they have a backup of all necessary data and system settings before making any changes by using automated backup tools. This ensures there's a way to restore systems if anything goes wrong during the removal process.
- Managers should inform all staff about potential disruptions during removal and who to contact for support if they experience issues post-removal. Use emails and internal communication platforms to send out these notifications.
Audit / evidence tips
- Ask: the latest software inventory report. Request to see the list of installed software versions on all organisational devices, focusing on entries for .NET Framework 3.5. Check whether .NET Framework 3.5 is listed and whether it has been removed or disabled.
  Good: Documented list shows .NET Framework 3.5 is no longer active on any devices.
- Ask: project plans or change requests. Request the document that outlines how applications depending on .NET Framework 3.5 are being updated.
  Good: The plan is detailed, with all dependencies reviewed and updated actions in progress or completed.
- Ask: system backup records. Request to see the logs that confirm backups before changes were made.
  Good: Logs indicate all systems were backed up completely before any removal operations began.
- Ask: communication records. Request emails or memos sent to staff about system changes.
  Good: Communication clearly outlines what changes are happening, why they’re necessary, and support contact information.
- Ask: to see any remediation steps documented post-removal. Request records of any issues encountered after the removal and how they were resolved.
  Good: Issues are documented with clear follow-up actions taken swiftly to resolve them.
Cross-framework mappings
How ISM-1655 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Relationship | Notes |
|---|---|---|
| Annex A 8.19 | Partially meets | ISM-1655 requires that .NET Framework 3.5 is not present/enabled, reducing the chance of insecure legacy components being installed and used |
E8
| Control | Relationship | Notes |
|---|---|---|
| E8-PA-ML3.3 | Partially meets | ISM-1655 requires disabling or removing a specific legacy component: .NET Framework 3.5 (including 2.0 and 3.0) |
| E8-AH-ML3.2 | Partially overlaps | E8-AH-ML3.2 requires organisations to disable or remove Windows PowerShell 2.0 to reduce attack surface and weaken common living-off-the-... |
| E8-AH-ML3.1 | Related | E8-AH-ML3.1 requires that .NET Framework 3.5 (including .NET 2.0 and 3.0) is disabled or removed |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.