ISM-1655 ASD Information Security Manual (ISM)

Ensure .NET Framework 3.5 is Disabled or Removed

.NET Framework 3.5 should be turned off or uninstalled for security reasons.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Aug 2021

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

ML3

Official control statement
.NET Framework 3.5 (includes .NET 2.0 and 3.0) is disabled or removed.

Source: ASD Information Security Manual (ISM)

Plain language

.NET Framework 3.5 might seem like just another piece of software that helps certain programs run on your computer, but it's not supported for the newest security updates. That can leave your computer open to hackers, who could steal your data, disrupt your system, or compromise your business operations by exploiting these security holes.

Why it matters

Leaving .NET Framework 3.5 enabled risks exploitation of unpatched vulnerabilities, leading to potential data breaches and business disruptions.

Operational notes

Verify via Windows Features/PowerShell that .NET Framework 3.5 is disabled/removed on all hosts during quarterly reviews.
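
One way to run that quarterly check from PowerShell, as an added example that is not Control Stack's or ASD's own tooling. It assumes WinRM remoting is enabled, the account is a local administrator on each target, and a hypothetical `hosts.txt` lists one host name per line; the CSV file name is also illustrative.

```powershell
# Added example: report the state of .NET Framework 3.5 on each host for ISM-1655.
# Assumptions: WinRM remoting works, the caller is a local admin on every target,
# and .\hosts.txt (hypothetical) holds one host name per line.
$computers = Get-Content -Path '.\hosts.txt'

$check = {
    # NetFx3 is the Windows optional feature for .NET Framework 3.5 (includes 2.0 and 3.0).
    $feature = Get-WindowsOptionalFeature -Online -FeatureName 'NetFx3' -ErrorAction Stop
    # Setup registry value, reported as a second signal (Install = 1 means installed).
    $reg = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5' `
        -Name 'Install' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        FeatureState = [string]$feature.State
        RegInstall   = if ($reg) { $reg.Install } else { $null }
    }
}

$report = foreach ($computer in $computers) {
    try {
        $r = Invoke-Command -ComputerName $computer -ScriptBlock $check -ErrorAction Stop
        # Only an explicitly disabled or payload-removed feature counts as meeting the
        # control; pending states and anything unexpected are flagged for follow-up.
        $ok = $r.FeatureState -in 'Disabled', 'DisabledWithPayloadRemoved'
        [pscustomobject]@{
            ComputerName = $computer
            FeatureState = $r.FeatureState
            RegInstall   = $r.RegInstall
            Result       = if ($ok) { 'Compliant' } else { 'NonCompliant' }
        }
    }
    catch {
        # An unreachable or failing host is recorded as Unknown, never as compliant.
        [pscustomobject]@{
            ComputerName = $computer
            FeatureState = $null
            RegInstall   = $null
            Result       = "Unknown: $($_.Exception.Message)"
        }
    }
}

# Keep the dated output as review evidence.
$report | Export-Csv -Path ".\ISM-1655-$(Get-Date -Format 'yyyy-MM-dd').csv" -NoTypeInformation
$report | Where-Object Result -ne 'Compliant' | Format-Table -AutoSize
```

A host where `RegInstall` is 1 but the feature reports as disabled is worth a manual look before it is signed off.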

Implementation tips

  • The IT team should identify all computers and servers running .NET Framework 3.5 by using inventory management software to scan for installed software versions. Make sure to report the findings in a clear and detailed list.
  • The IT team should evaluate which applications still rely on .NET Framework 3.5 and work with application owners to upgrade these to newer versions or alternative software that doesn’t require .NET Framework 3.5. Document these discussions and update plans in a project management tool.
  • System owners should coordinate with the IT team to schedule a convenient time to disable or remove .NET Framework 3.5 on each machine identified. This is done through the control panel and may involve using scripts for batch processing.
  • The IT team should ensure they have a backup of all necessary data and system settings before making any changes by using automated backup tools. This ensures there's a way to restore systems if anything goes wrong during the removal process.
  • Managers should inform all staff about potential disruptions during removal and who to contact for support if they experience issues post-removal. Use emails and internal communication platforms to send out these notifications.

Audit / evidence tips

  • Ask: the latest software inventory report: Request to see the list of installed software versions on all organisational devices, focusing on entries for .NET Framework 3.5. Check whether .NET Framework 3.5 is listed and whether it has been removed or disabled.

    Good: Documented list shows .NET Framework 3.5 is no longer active on any devices

  • Ask: project plans or change requests: Request the document that outlines how applications depending on .NET Framework 3.5 are being updated

    Good: The plan is detailed, with all dependencies reviewed and updated actions in progress or completed

  • Ask: system backup records: Request to see the logs that confirm backups before changes were made

    Good: Logs indicate all systems were backed up completely before any removal operations began

  • Ask: communication records: Request emails or memos sent to staff about system changes

    Good: Communication clearly outlines what changes are happening, why they’re necessary, and support contact information

  • Ask: remediation steps documented post-removal: Request records of any issues encountered after the removal and how they were resolved

    Good: Issues are documented with clear follow-up actions taken swiftly to resolve them

Cross-framework mappings

How ISM-1655 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Partially meets (1)

  • Annex A 8.19: ISM-1655 requires that .NET Framework 3.5 is not present/enabled, reducing the chance of insecure legacy components being installed and used

E8

Partially meets (1)

  • E8-PA-ML3.3: ISM-1655 requires disabling or removing a specific legacy component: .NET Framework 3.5 (including 2.0 and 3.0)

Partially overlaps (1)

  • E8-AH-ML3.2: E8-AH-ML3.2 requires organisations to disable or remove Windows PowerShell 2.0 to reduce attack surface and weaken common living-off-the-...

Related (1)

  • E8-AH-ML3.1: E8-AH-ML3.1 requires that .NET Framework 3.5 (including .NET 2.0 and 3.0) is disabled or removed to reduce exposure to legacy components
