ASD's Blueprint for Secure Cloud

User Application Hardening

This page provides a template and guidance to assist organisations in documenting their approach to use application hardening, as per the Essential Eight Maturity Model, associated with their system(s) built on ASD's Blueprint for Secure Cloud.

Estimated reading time: 7 minutes

Applicability

The User Application Hardening mitigation strategy is applicable to hardening of user applications on all <SYSTEM-NAME> workstations and servers.

Maturity Level

Targeted:<TARGET-LEVEL>
Currently Assessed:<ASSESSED-LEVEL>

Implementation

User application hardening

Workstations

Internet Explorer 11

Internet Explorer is not installed on <SYSTEM-NAME> workstations.

Web browsers

The following web browsers are allowed to operate on <SYSTEM-NAME> workstations:

Microsoft EdgeRestriction Applied
Security settings cannot be changed by users:YES - RESTRICTED VIA WDAC
Does not process Java from the internet:YES - RESTRICTED VIA WDAC
Does not process web advertisements from the internet:Yes - RESTRICTED VIA WDAC USING BUILT IN EDGE FUNCTIONALITY, AND BLOCKED VIA <ORGANISATION-NAME> <GATEWAY-SYSTEM>
e.g. GOOGLE CHROMERestriction Applied
Security settings cannot be changed by users:<IMPLEMENTATION>
Does not process Java from the internet:<IMPLEMENTATION>
Does not process web advertisements from the internet:<IMPLEMENTATION>

Office productivity suites

<SYSTEM-NAME> uses Microsoft Office as its sole office productivity suite, with the following hardening applied:

Microsoft OfficeRestriction Applied
Security settings cannot be changed by users:YES - RESTRICTED VIA WDAC
Hardened using the following guides:<GUIDES USED>
Blocked from creating child processes:YES - RESTRICTED VIA WDAC
Blocked from creating executable content:YES - RESTRICTED VIA WDAC
Blocked from injecting code into other processes:YES - RESTRICTED VIA WDAC
Configured to prevent activation of Object Linking and Embedding packages:YES - RESTRICTED VIA WDAC

PDF software

The following PDF software is allowed to operate on <SYSTEM-NAME> workstations:

e.g. ADOBE ACROBATRestriction Applied
Security settings cannot be changed by users:YES - RESTRICTED VIA WDAC
Hardened using the following guides:<GUIDES USED>
Blocked from creating child processes:YES - RESTRICTED VIA WDAC

Other software

SoftwareRestriction Applied
.NET Framework 3.5 (includes .NET 2.0 and 3.0:)<ENABLED>/<DISABLED>/<REMOVED>
Windows PowerShell 2.0:<ENABLED>/<DISABLED>/<REMOVED>
PowerShell:<CONFIGURED TO USE CONFINED LANGUAGE MODE
Servers

Internet Explorer 11

Internet Explorer is not installed on <SYSTEM-NAME> servers.

Web browsers

The following web browsers are allowed to operate on <SYSTEM-NAME> servers:

Microsoft EdgeRestriction Applied
Security settings cannot be changed by users:YES - RESTRICTED VIA WDAC
Does not process Java from the internet:YES - RESTRICTED VIA WDAC
Does not process web advertisements from the internet:Yes - RESTRICTED VIA WDAC USING BUILT IN EDGE FUNCTIONALITY, AND BLOCKED VIA <ORGANISATION-NAME> <GATEWAY-SYSTEM>
e.g. GOOGLE CHROMERestriction Applied
Security settings cannot be changed by users:<IMPLEMENTATION>
Does not process Java from the internet:<IMPLEMENTATION>
Does not process web advertisements from the internet:<IMPLEMENTATION>

Office productivity suites

Office productivity suites are not installed on <SYSTEM-NAME> servers.

PDF software

PDF software is not installed on <SYSTEM-NAME> servers.

Other software

SoftwareRestriction Applied
.NET Framework 3.5 (includes .NET 2.0 and 3.0:)<ENABLED>/<DISABLED>/<REMOVED>
Windows PowerShell 2.0:<ENABLED>/<DISABLED>/<REMOVED>
PowerShell:<CONFIGURED TO USE CONFINED LANGUAGE MODE

Logging

The collection of event logs for monitoring of <SYSTEM-NAME> is performed in accordance with <ORGANISATION-NAME>’s Event Logging Policy, and includes the aggregation of the following logs into Microsoft Log Analytics:

Application Event (Workstations)Forwarded to Log Analytics
Command line process creation:<YES>
PowerShell module logging:<YES>
Script block logging:<YES>
Transcription:<YES>
Application Event (<Internet-Facing Servers>)Forwarded to Log Analytics
Command line process creation:<YES>
PowerShell module logging:<YES>
Script block logging:<YES>
Transcription:<YES>
Application Event (<Non-Internet-Facing Servers>)Forwarded to Log Analytics
Command line process creation:<YES>
PowerShell module logging:<YES>
Script block logging:<YES>
Transcription:<YES>

Monitoring and response

<SYSTEM-NAME> utilises the Microsoft 365 Defender portal and <SIEM-PRODUCT> to assist in the identification of cyber security incidents.

This includes the processing, analysis, and response to the following event logs in a timely manner:

EventWorkstations<HYBRID SERVERS>
Command line process creation:<YES><YES>
PowerShell module logging:<YES><YES>
Script block logging:<YES><YES>
Transcription:<YES><YES>

<ORGANISATION-NAME> has established a Security Operations Centre (SOC) to analyse cyber security events in a timely manner, and a Cyber Security Incident Register, and Incident Response Plan to facilitate the response to detected cyber security events in a timely and appropriate manner. This plan includes reporting all incidents to the <ORGANISATION-NAME> CISO and to ASD in a timely manner.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Security & Governance

Design

  • None identified

Do you have a suggestion on how the above page could be improved? Get in touch! ASD's Blueprint for Secure Cloud is an open source project, and we would love to get your input. Submit an issue on our GitHub, or send us an email at blueprint@asd.gov.au

Acknowledgement of Country icon

Acknowledgement of Country
We acknowledge the Traditional Owners and Custodians of Country throughout Australia and their continuing connections to land, sea and communities. We pay our respects to them, their cultures and their Elders; past, present and emerging. We also recognise Australia's First Peoples' enduring contribution to Australia's national security.

Authorised by the Australian Government, Canberra