User Application Hardening
Hi everyone, and welcome to this week’s episode of eight weeks of the essential eight. This week we’re going to explore the essential eight strategy User Application Hardening, and how you can achieve maturity level one.
The ACSC defines this strategy as:
Essential 8 Mitigation Strategy 5: User application hardening. Configure web browsers to block Flash (ideally uninstall it), ads and Java on the internet. Disable unneeded features in Microsoft Office (e.g., OLE), web browsers and PDF viewers.
What is user application hardening?
When applications are installed, many of us are guilty of clicking NEXT until we get to the ‘install’ button.
By default, many apps enable functions that aren’t necessary for users while also permitting lowered security level settings. By simply allowing the application to follow the default installation guide, we may be opening opportunities for cyber attackers to infiltrate our systems through unneeded features or lower security levels.
This is especially true for applications like web browsers, email clients, PDF software, or Microsoft Office apps because these can be vectors for malware and are more likely to be targeted by adversaries. User application hardening isn’t nearly as intimidating as some of the other strategies, so it’s easy to overlook it. It’s a bit like dusting your fans or cleaning your blinds – you know it will get done, someday, when you find the time. But while we can live with dust or cobwebs, we can’t allow applications with inadequate security settings to remain on our networks.
So, think of user application hardening as a bit like a spring clean of all your applications. By going through your apps, uninstalling features that are unimportant, and setting unique passwords and usernames instead of default details, you make it significantly harder for adversaries to take advantage of your systems.
User Application Hardening Tips
TIP 1:
The best place to start is by obtaining a list of the applications installed on your systems and removing the apps that provide little or no value. The applications that remain on your network after the cull should be configured according to user application hardening recommendations. Most vendors publish hardening guides for their software, so take the time to review industry best practices for the applications on your network and configure them accordingly.
TIP 2:
Additionally, ensure you remove application features that you do not need, and save installed files in non-default program folders to trick cyber attackers, who often seek out these default installation locations. You can also run vulnerability scans using tools (like Nexpose, SAINT or Nessus) to locate vulnerable files and applications.
TIP 3:
Finally, use a web browser plugin or web filtering gateway to block online ads, as cyber attackers often create malicious ads (called ‘malvertising’) to compromise websites and systems.
Implementing User Application Hardening: Maturity Level One
Now, for those of you who are keen to align with Maturity level one, let’s delve a little more into the specific requirements.
Web browsers do not process Java from the internet
While Java once enabled a host of features and effects on websites that weren’t possible in older HTML specifications, these days most of what Java brought to the table can be done within HTML 5, meaning Java is no longer needed for advanced features on websites. That matters because Java can be a vector for malware, especially if you are running older versions with known vulnerabilities that malicious sites can exploit to infect your system.
Many apps still rely on Java, but you don’t need to block it everywhere; you just need to block it from untrusted or uncontrolled sources like the internet and your web browsers.
Web browsers do not process web advertisements from the internet.
Web pop-ups and advertisements aren’t just annoying; they can also be a conduit for malware and nefarious entities, which is often referred to as ‘malvertising’. Malvertising is the use of malicious online advertisements that spread malware and compromise systems through the injection of unwanted or malicious code into ads.
You should ensure your organisation employs a means to block web advertising as much as possible. This can be done via Active Directory or Group Policy Objects and can be supported by content filters on web browsers and applications.
Web browser security settings cannot be changed by users.
There’s no point in implementing web browser security controls if your users can just disable them at will. Thus, the modification of security controls should be limited to as few administrators as possible, and the ability to disable or modify browser security settings should be restricted on your standard user accounts and workstations.
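One way to check the three requirements above on a Windows workstation, as an added audit script that is not part of the original post, the ACSC guidance or any vendor tool. It assumes Chrome and/or Edge are managed by Group Policy (mandatory policies land under HKLM\SOFTWARE\Policies, while values under a Recommended subkey remain user-changeable), that any Oracle JRE 8 is controlled by a system-wide deployment.properties at the path below, and that an ad-blocking extension, if any, is pushed via ExtensionInstallForcelist; the pass criteria are the script’s own choices.

```powershell
# Added audit script (not from the original post, the ACSC or any vendor). Assumed
# locations: HKLM policy hives for Chrome/Edge and the system-wide Java
# deployment.properties. Run from an elevated PowerShell prompt on the workstation.
$JavaProps = Join-Path $env:WINDIR 'Sun\Java\Deployment\deployment.properties'
$JreKey    = 'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment'
$Browsers  = @{ Chrome = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
                Edge   = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge' }

function Get-PolicyValue([string]$Key, [string]$Name) {
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null } else { return $item.$Name }
}
function New-Finding([string]$Check, [bool]$Pass, [string]$Detail) {
    [pscustomobject]@{ Check = $Check; Status = $(if ($Pass) { 'PASS' } else { 'FAIL' }); Detail = $Detail }
}

# 1. Web browsers do not process Java from the internet (the Java browser plugin is off and locked).
function Test-WebJava {
    if (-not (Test-Path $JreKey))    { return New-Finding 'Java in browser' $true  'No Oracle JRE installed' }
    if (-not (Test-Path $JavaProps)) { return New-Finding 'Java in browser' $false 'JRE present but deployment.properties missing (unmanaged)' }
    $props = @{}   # key=value lines; a bare "<key>.locked" line pins that key so users cannot change it
    foreach ($line in Get-Content $JavaProps) {
        $line = $line.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { continue }
        $kv = $line -split '=', 2
        $props[$kv[0].Trim()] = if ($kv.Count -gt 1) { $kv[1].Trim() } else { '' }
    }
    $enabled = $props['deployment.webjava.enabled']
    $locked  = $props.ContainsKey('deployment.webjava.enabled.locked')
    New-Finding 'Java in browser' ($enabled -eq 'false' -and $locked) "deployment.webjava.enabled=$enabled locked=$locked"
}

# 2. Web browsers do not process web advertisements, and 3. users cannot change the settings.
function Test-BrowserPolicy([string]$Name, [string]$Key) {
    if (-not (Test-Path $Key)) {
        return New-Finding "$Name ads/lockdown" $false 'No mandatory (HKLM) policy key: nothing is blocked or locked'
    }
    $ads    = Get-PolicyValue $Key 'AdsSettingForIntrusiveAdsSites'   # 2 = block
    $popups = Get-PolicyValue $Key 'DefaultPopupsSetting'             # 2 = block
    $forceKey   = Get-Item "$Key\ExtensionInstallForcelist" -ErrorAction SilentlyContinue
    $hasBlocker = ($null -ne $forceKey) -and ($forceKey.GetValueNames().Count -gt 0)   # a pushed (unremovable) extension
    $onlyRecommended = ($null -eq $ads) -and ($null -ne (Get-PolicyValue "$Key\Recommended" 'AdsSettingForIntrusiveAdsSites'))
    $pass = ($ads -eq 2) -and ($popups -eq 2) -and $hasBlocker -and -not $onlyRecommended
    New-Finding "$Name ads/lockdown" $pass "intrusiveAds=$ads popups=$popups forcedExtensions=$hasBlocker recommendedOnly=$onlyRecommended"
}

$findings = @(Test-WebJava) + @($Browsers.GetEnumerator() | ForEach-Object { Test-BrowserPolicy $_.Key $_.Value })
$findings | Format-Table -AutoSize
```

A FAIL on the Java check with "unmanaged" means the JRE exists but nothing enforces the browser-plugin setting, which is the state a default installation leaves behind.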
Now, as with application control, you can use mobile device or desktop management solutions to apply user application hardening on devices. Such solutions include:
- Microsoft: Microsoft Intune
- Apple: JAMF
- SOPHOS endpoint management
And that’s it for this episode everyone! As usual, if you have any questions please feel free to email me, and I’ll see you next week.