Discover how to successfully implement the Australian Government’s Essential Eight Framework with simple articles and guides that you can work through to achieve level 3 maturity in your organisation
This article will cover Maturity 1 Control 1: Application Control
What is Application Control?
Application control seeks to prevent the execution of unapproved/malicious programs including .exe, DLL, scripts (eg Windows Script Host, PowerShell, and HTA) and installers.
Jargon aside, you are seeking to prevent nasty things from running on your computer. By having exclusive control over what can run on a machine, you can prevent things like viruses and malware from being able to do damage.
Implementing application control is not for the faint-hearted, and does come with additional management overhead to consider. Because each app must be approved & tested before it can be used, there is a lot of work for support teams to stay on top of user demands for new software.
How to implement Application Control
You can achieve application control through a mix of process and software. The process side of it is straightforward;
- Have a list of approved software that can be installed
- Restrict users from installing anything outside of an approved list
- Block scripts from running
While not listed here, removing users from having administrator privileges is a given. This is covered in another Essential Eight control, so we’ll talk about that in a later episode.
There are a couple of options for managing approval (or whitelisting) programs and apps for installation, but these are mainly Windows-centric. Since we’re a Microsoft shop, let’s have a look at those:
If you’re still using Active Directory, AppLocker is a fairly solid way of restricting what apps are available for people to install. The solution involves creating an approved software repository and rules based on what applications can be run on a Windows device.
You can get very granular with what people can and can’t run on their machines, however, it comes at the expense of administrative overhead. Every time an application needs updating an admin user must update the application in AppLocker.
We generally only recommend AppLocker if you have very specific security requirements AND a dedicated sysadmin team that is willing to spend countless hours updating the rules & application packages. Next!
Windows Defender Application Control
Windows Defender Application Control is our recommended solution as it has direct ties to Office 365 via Intune. This means there are no longer any dependencies on servers or internal resources.
This feature is a little more flexible and allows for policies to be created based on folder locations. That means that updating apps are a little easier, though the trade-off is less control over the application itself. Primary this suits Windows 10 1706 and above.
The steps to implement as directed from Microsoft:
When first implementing Windows Defender Application Control we recommend running in Audit-Only, to begin with, in order to build up a log of applications that can then be identified for approval. Once you’re satisfied with what has been logged, you can switch on Enforcement Mode.
How to block scripts
Scripts are a common way for malicious actors to infect their target. The user may click a link or attachment in a dodgy email, and that contains the script file hidden inside. Once clicked, the script then downloads the virus payload from an internet source or starts making changed to the operating system to take control of it:
Thankfully, there is a quick (and somewhat dirty) way of disabling scripts on a Windows operating system. In case you break something, make sure you take a backup of the System State before making any changes:
- Press the Windows Key + R at the same time
- Type Regedit in the Run box
- You should now have the registry editor open
- Navigate to the following registry key by pasting this path in the top bar of the registry editor:
ComputerHKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Script HostSettings
- Now, right-click the Settings key and select New > DWORD (32-bit) Value
- Call name the value Enabled and set the value data to “0”
That covers application control and the very first level in the Essential Eight framework. Be sure to check out the next step in our Essential Eight series; Maturity 1 Control 2 – Patch Applications.
And of course, if any of the above sounds a little like it’s in the “too hard basket”, we include this as part of our Elite Managed IT Service. Feel free to drop us a line if you’d like to hear more!