ASD's Blueprint for Secure Cloud

Application Control

This page provides a template and guidance to assist organisations in documenting their approach to application control, as per the Essential Eight Maturity Model, associated with their system(s) built on ASD's Blueprint for Secure Cloud.

Applicability

The application control mitigation strategy is applicable to the management of applications on the following <SYSTEM-NAME> components:

  • Windows Endpoints
  • <HYBRID SERVERS>

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Maturity level

Targeted:            <TARGET-LEVEL>
Currently Assessed:  <ASSESSED-LEVEL>

Implementation

Windows endpoints

Windows Defender Application Control (WDAC) is used to apply application control on <SYSTEM-NAME> workstations and is configured via Microsoft Intune to:

  • prevent users (other than local administrators) from installing or uninstalling applications
  • utilise a combination of hash, publisher certificate and path rules in enforcing defined application control policies, with path rules limited to locations that standard users cannot write to
  • restrict the execution of the following filetypes to a <ORGANISATION-NAME> approved set:
      • executables
      • software libraries
      • scripts
      • installers
      • compiled HTML (CHM)
      • HTML applications (HTA)
      • control panel applets
      • drivers
  • implement Microsoft's recommended application blocklist and Microsoft's vulnerable driver blocklist.
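The workstation policy described in the bullets above, built with the ConfigCI PowerShell module on a reference workstation, as an added example that is not part of the Blueprint or of Microsoft's documentation. The working folder, policy name, scan path and the local copy of Microsoft's recommended block rules XML (saved with its two placeholder "Allow *" rules already removed, as Microsoft's guidance requires before merging) are assumptions; the cmdlets, rule levels and policy option numbers are those of the ConfigCI module shipped with Windows.

```powershell
# Added example (not Blueprint code): build the workstation WDAC policy described
# above with the ConfigCI module, then compile it for deployment through Intune.
# Assumptions: run elevated on a clean reference workstation; Microsoft's recommended
# block rules XML has been saved locally as $BlockRulesXml with its two "Allow *"
# placeholder rules removed, otherwise the merged policy allows everything not denied.
$Work          = 'C:\WDAC'                                     # assumed working folder
$BlockRulesXml = "$Work\Microsoft-Recommended-Block-Rules.xml"  # assumed local copy
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# 1. Allow rules from the reference install: publisher rules for signed files, with a
#    hash fallback for unsigned ones. -UserPEs covers user-mode code (executables,
#    DLLs, scripts, installers), not only drivers.
New-CIPolicy -Level Publisher -Fallback Hash -UserPEs `
    -ScanPath 'C:\Program Files' -FilePath "$Work\Allow.xml" -MultiplePolicyFormat

# 2. Path rules only for directories standard users cannot write to. WDAC checks
#    writability at runtime and will not honour a path rule over a user-writable path.
$PathRules = New-CIPolicyRule -FilePathRule 'C:\Program Files (x86)\*'

# 3. Merge the scan results, the path rules and Microsoft's recommended block rules
#    into one policy. Deny rules take precedence over allow rules where they overlap.
Merge-CIPolicy -PolicyPaths "$Work\Allow.xml", $BlockRulesXml -Rules $PathRules `
    -OutputFilePath "$Work\Policy.xml"

# 4. Policy options. Start in audit mode (option 3) so violations are logged as
#    event 3076/8028 rather than blocked; remove option 3 to enforce after review.
Set-RuleOption -FilePath "$Work\Policy.xml" -Option 0    # Enabled:UMCI (user-mode enforcement)
Set-RuleOption -FilePath "$Work\Policy.xml" -Option 3    # Enabled:Audit Mode
Set-RuleOption -FilePath "$Work\Policy.xml" -Option 16   # Enabled:Update Policy No Reboot
Set-RuleOption -FilePath "$Work\Policy.xml" -Option 19   # Enabled:Dynamic Code Security
# Set-RuleOption -FilePath "$Work\Policy.xml" -Option 3 -Delete   # switch to enforce mode

# 5. Name the policy, give it a fresh GUID, and compile to the binary that Intune deploys.
Set-CIPolicyIdInfo -FilePath "$Work\Policy.xml" -PolicyName 'Workstation-WDAC' -ResetPolicyID
ConvertFrom-CIPolicy -XmlFilePath "$Work\Policy.xml" -BinaryFilePath "$Work\Policy.cip"
```

Run the policy in audit mode on a pilot group first and review the audit events before deleting option 3; a policy that enforces on day one against an incomplete allow list is the most common reason application control is switched off again.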

A current list of applications allowed on <SYSTEM-NAME> is maintained in the <SYSTEM-NAME> Intune portal. As per <SYSTEM-NAME>'s System Administration Process, <ORGANISATION-NAME> continually reviews the allowed applications within these filetypes for each relevant group of users, and conducts a full review of the list at least annually.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Internet-facing servers

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Non-internet-facing servers

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Logging

The collection of event logs for monitoring of <SYSTEM-NAME> is performed in accordance with <ORGANISATION-NAME>’s Event Logging Policy, and includes the aggregation of the following logs into Microsoft Log Analytics:

Application Control Event (Workstations)     Forwarded to Log Analytics
Allowed application execution                <YES>
Blocked application execution                <YES>

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Application Control Event (<Internet-facing servers>)     Forwarded to Log Analytics
Allowed application execution                             <YES>
Blocked application execution                             <YES>

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Application Control Event (<Non-Internet-facing servers>)     Forwarded to Log Analytics
Allowed application execution                                 <YES>
Blocked application execution                                 <YES>

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Monitoring and response

<SYSTEM-NAME> utilises the Microsoft 365 Defender portal and <SIEM-PRODUCT> to assist in the identification of cyber security incidents.

This includes the processing, analysis, and response to the following event logs in a timely manner:

Application Control Event          Workstations    <HYBRID SERVERS>
Allowed application execution      YES             <IMPLEMENTATION>
Blocked application execution      YES             <IMPLEMENTATION>
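A local check of the event sources behind the table above, as an added example that is not part of the Blueprint: it reads the Code Integrity and AppLocker script/installer logs that the monitoring agent forwards and summarises audit and block events from the last 24 hours. The time window and the output shape are assumptions; the log names and event IDs are the ones Windows uses for WDAC.

```powershell
# Added example (not Blueprint code): summarise WDAC audit/block events on a
# workstation for the last 24 hours. These are the local sources forwarded to
# Log Analytics; running this confirms the logs exist and shows whether the
# policy is enforcing or still auditing.
# Event IDs: CodeIntegrity 3076 = would be blocked (audit mode), 3077 = blocked
# (enforced); AppLocker 'MSI and Script' 8028 = script/MSI audited, 8029 = blocked.
$Since = (Get-Date).AddHours(-24)      # assumed window
$Filters = @(
    @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076, 3077; StartTime = $Since },
    @{ LogName = 'Microsoft-Windows-AppLocker/MSI and Script';  Id = 8028, 8029; StartTime = $Since }
)
# Get-WinEvent raises an error when a filter matches nothing, so treat that as empty.
$Events = foreach ($f in $Filters) { Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue }

$Meaning = @{
    3076 = 'audit only: would be blocked (binary)'
    3077 = 'blocked (binary)'
    8028 = 'audit only: would be blocked (script/MSI)'
    8029 = 'blocked (script/MSI)'
}

# Counts per event ID. Only 3076/8028 present means the policy is still in audit
# mode and nothing is actually being stopped on this host.
$Events | Group-Object Id | Sort-Object { [int]$_.Name } |
    Select-Object @{ n = 'EventId'; e = { [int]$_.Name } },
                  @{ n = 'Meaning'; e = { $Meaning[[int]$_.Name] } },
                  Count

# Most recent events with the first line of the message, which names the file
# and the process that attempted to load or run it.
$Events | Sort-Object TimeCreated -Descending | Select-Object -First 20 TimeCreated, Id,
    @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } | Format-Table -Wrap
```

The same event IDs are what to alert on once the logs reach Log Analytics: a burst of 3077 or 8029 events from one host, or a 3076 from a host that should be enforcing, is the signal the SOC process below is meant to act on.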

<ORGANISATION-NAME> has established a Security Operations Centre (SOC) to analyse cyber security events in a timely manner, together with a Cyber Security Incident Register and an Incident Response Plan that govern the response to detected cyber security events. The plan requires all incidents to be reported to <ORGANISATION-NAME>'s Chief Information Security Officer (CISO) and to ASD in a timely manner.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Security & Governance

Design

  • None identified

Do you have a suggestion on how the above page could be improved? Get in touch! ASD's Blueprint for Secure Cloud is an open source project, and we would love to get your input. Submit an issue on our GitHub, or send us an email at blueprint@asd.gov.au


Acknowledgement of Country
We acknowledge the Traditional Owners and Custodians of Country throughout Australia and their continuing connections to land, sea and communities. We pay our respects to them, their cultures and their Elders; past, present and emerging. We also recognise Australia's First Peoples' enduring contribution to Australia's national security.

Authorised by the Australian Government, Canberra