ASD's Blueprint for Secure Cloud

User Application Hardening

This page provides a template and guidance to assist organisations in documenting their approach to user application hardening associated with their system(s) built on ASD's Blueprint for Secure Cloud.

Estimated reading time: 4 minutes

Due to the number of applicable controls in ASD’s Guidelines for System Hardening, guidance on system hardening has been split into its five sections for the purpose of this SSP.

User application selection and releases

Applicability

This section of the SSP is applicable to application selection for the below <SYSTEM-NAME> components:

  • Endpoints (Windows laptops and desktops)
  • Mobile Devices (iOS)
  • <ON-PREMISES SERVERS>

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Organisational policies and processes implemented

All vendors of user applications used within <SYSTEM-NAME> have been assessed by <ORGANISATION-NAME> as demonstrating a commitment to secure-by-design and secure-by-default principles, use of memory-safe programming languages where possible, secure programming practices, and maintaining the security of their products.

User applications used for <SYSTEM-NAME>, along with their releases and versions are listed in the <SYSTEM-NAME> Allowed Applications Register.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Technical controls implemented

Allowed applications are deployed to endpoints and configured via Microsoft Intune, with application control implemented as per the information in the section below.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Hardening user application configurations and macros (Windows endpoints)

Applicability

This section of the SSP is applicable to the hardening of user applications for the below <SYSTEM-NAME> components:

  • Endpoints (laptops and desktops)
  • Mobile Devices
  • <ON-PREMISES SERVERS>

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Organisational policies and processes implemented

<ORGANISATION-NAME> has not implemented any specific organisational policies or processes related to hardening user application configurations within <SYSTEM-NAME> beyond ensuring implementation of the below technical controls as part of this SSP and reviewing the configurations on at least an annual basis (if not more frequently).

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Technical controls implemented

Technical controls for hardening of user applications and Microsoft Office macros within <SYSTEM-NAME> are configured with reference to ASD’s Blueprint for Secure Cloud and includes the following technical configurations:

User Application Configurations:Microsoft and built-in web browsers hardening
remove unnecessary functionality, such as Microsoft Access
restrict the use of add-ons to only those deployed via Intune
prevent the installation of Java
enable native Microsoft Edge advertisement blocking
disable Internet Explorer 11
configure Attack Surface Reduction rules
block Object Linking and Embedding (OLE)
Macros:only allow Microsoft macros that have been digitally signed by a trusted publisher to execute
disable all macros downloaded from the internet
enable antivirus scanning of Microsoft macros
prevent users from changing macro settings
configure Defender for Endpoint to centrally store EDR logs and send these to Log Analytics

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Hardening user applications on servers

Applicability

<INSERT IMPLEMENTATION DETAILS AS APPROPRIATE>

Organisational policies and processes implemented

<INSERT IMPLEMENTATION DETAILS AS APPROPRIATE>

Technical controls implemented

<INSERT IMPLEMENTATION DETAILS AS APPROPRIATE>

Security & Governance

Design

External documentation

Do you have a suggestion on how the above page could be improved? Get in touch! ASD's Blueprint for Secure Cloud is an open source project, and we would love to get your input. Submit an issue on our GitHub, or send us an email at blueprint@asd.gov.au

Acknowledgement of Country icon

Acknowledgement of Country
We acknowledge the Traditional Owners and Custodians of Country throughout Australia and their continuing connections to land, sea and communities. We pay our respects to them, their cultures and their Elders; past, present and emerging. We also recognise Australia's First Peoples' enduring contribution to Australia's national security.

Authorised by the Australian Government, Canberra