Adversaries often target workstations using malicious websites, emails, or removable media in an attempt to extract sensitive information. Hardening applications on workstations is an important part of reducing this risk. Due to its effectiveness, User App Hardening is one of the Essential 8 from the ACSC's Strategies to Mitigate Cyber Security Incidents.
Adversaries frequently attempt to exploit vulnerabilities found in older, unsupported versions of applications. Newer versions of Microsoft products offer significant improvements in security features and functionality, and provide increased stability. It's often the lack of these improved security features that allows an adversary to easily compromise older versions of applications. To reduce this risk, the latest supported version of Microsoft products should be used.
For ease of reference, each section below lists the Intune policies that must be deployed for the associated ISM control:
Java isn't installed by default on Windows 10 or Windows 11.
| ISM control Sep 2024 | Mitigation |
|---|---|
| 1486 | Java isn't installed by default on Windows 10 or Windows 11. |
All available configuration options for disabling advertisements in Microsoft Edge are configured when deploying the Microsoft Edge Security Baseline and ACSC hardening for Microsoft Edge.
More blocking can be achieved using third party extensions for Microsoft Edge, network filtering at the gateway or use of a Protected DNS service. However, implementing these items is outside the scope of this document.
| ISM control Sep 2024 | Mitigation |
|---|---|
| 1485 | The policy 'Ads setting for sites with intrusive ads' has been configured to Enable. |
Internet Explorer 11 isn't present on Windows 11.
On 15 June 2022, Microsoft retired Internet Explorer 11. For an organization that still requires Internet Explorer for legacy compatibility, Internet Explorer mode (IE mode) in Microsoft Edge provides a seamless, single-browser experience. Users can access legacy applications from within Microsoft Edge without having to switch back to Internet Explorer 11.
After the admin has configured IE mode, organizations can disable Internet Explorer 11 as a standalone browser. The Internet Explorer 11 icons in the Start Menu and on the Task Bar are removed. Users are redirected to Microsoft Edge when attempting to launch shortcuts or file associations that use Internet Explorer 11 or when directly invoking the iexplore.exe binary.
To configure Internet Explorer to open directly within Microsoft Edge for specific websites, configure IE mode policies. For more information, see Configure IE mode Policies.
To use Intune to disable Internet Explorer 11 as a standalone browser for Windows 10 devices:
In addition, to completely remove Internet Explorer 11:
Note
This script also disables .NET Framework 3.5 (includes .NET 2.0 and 3.0) and Windows PowerShell 2.0.
| ISM control Sep 2024 | Mitigation |
|---|---|
| 1666 | The policy 'Configure the Enterprise Mode Site List' is configured with a list of organization-specific websites. Internet Explorer 11 has been removed either by the policy 'Disable Internet Explorer 11 as a standalone browser' configured as Enable, or by use of a script. |
Blocking Microsoft Office from creating child processes can be accomplished via an Attack Surface Reduction (ASR) Endpoint Security policy, deployed via Intune.
Microsoft has made available an Intune implementation of the ACSC Windows Hardening Guidance on GitHub. The ASR rule to block Microsoft Office from creating child processes is contained within this guidance.
To implement blocking creation of child processes:
This ASR Endpoint Security policy contains the specific ASR rule: Block all Office applications from creating child processes (D4F940AB-401B-4EFC-AADC-AD5F3C50688A).
Note
By importing this ASR rule profile, Microsoft Office is also blocked from creating executable content (3B576869-A4EC-4529-8536-B80A7769E899) and from injecting code into other processes (75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84).
Note
This Attack Surface Reduction (ASR) policy configures each of the ASR rules recommended by the ACSC in audit mode. ASR rules should be tested for compatibility issues in any environment before enforcement.
| ISM control Sep 2024 | Mitigation |
|---|---|
| 1667 | The ASR rule 'Block all Office applications from creating child processes' has been enabled. |
Blocking Microsoft Office from creating executable content (3B576869-A4EC-4529-8536-B80A7769E899) can be accomplished via an Attack Surface Reduction (ASR) Endpoint Security policy, deployed via Intune.
| ISM control Sep 2024 | Mitigation |
|---|---|
| 1668 | The ASR rule 'Block Office applications from creating executable content' has been enabled. |
Blocking Microsoft Office from injecting code into other processes (75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84) can be accomplished via an Attack Surface Reduction (ASR) Endpoint Security policy, deployed via Intune.
| ISM control Sep 2024 | Mitigation |
|---|---|
| 1669 | The ASR rule 'Block Office applications from injecting code into other processes' has been enabled. |
Deploy the OfficeMacroHardening-PreventActivationofOLE.ps1 PowerShell script to import the registry keys that block the activation of OLE packages in Excel, PowerPoint, and Word.
To implement prevention of activation of OLE packages:
Note
This PowerShell script is specifically for Office 2016 and later. A script to prevent the activation of OLE for Office 2013 is provided here: OfficeMacroHardening-PreventActivationofOLE-Office2013.ps1.
The script is unsigned. If you require script signing, review the following documentation to sign the script so that it can be executed on your Windows devices: Methods of signing scripts. Then change the Enforce script signature check setting to Yes.
| ISM control Sep 2024 | Mitigation |
|---|---|
| 1542 | Activation of OLE packages has been prevented via a script. |
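The following PowerShell is an added example and is not the ACSC OfficeMacroHardening-PreventActivationofOLE.ps1 script itself. It shows the shape of the change that script makes and adds a compliance check a practitioner can run afterwards. It assumes the relevant value is the PackagerPrompt DWORD under each application's Security key (where 2 means no prompt and OLE packages are not permitted), that the 16.0 key covers Office 2016 and later, and that 15.0 would be used for Office 2013; verify these against the current ACSC guidance before deploying.

```powershell
# Added example, not the ACSC OfficeMacroHardening-PreventActivationofOLE.ps1 script.
# Assumptions: PackagerPrompt = 2 under each app's Security key blocks OLE package activation;
# '16.0' is Office 2016 and later, '15.0' is Office 2013. Keys live under HKCU, so the script
# must run in the signed-in user's context (see the usage note below).

$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

function Get-OfficeSecurityKey {
    param([string]$App, [string]$Version = $OfficeVersion)
    "HKCU:\Software\Microsoft\Office\$Version\$App\Security"
}

function Set-OlePackageBlock {
    # Writes PackagerPrompt = 2 for Word, Excel and PowerPoint, creating the key if needed.
    param([string]$Version = $OfficeVersion)
    foreach ($app in $Apps) {
        $key = Get-OfficeSecurityKey -App $app -Version $Version
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'PackagerPrompt' -PropertyType DWord -Value 2 -Force | Out-Null
    }
}

function Test-OlePackageBlock {
    # Compliance check: returns $true only when every application has PackagerPrompt = 2.
    param([string]$Version = $OfficeVersion)
    $results = foreach ($app in $Apps) {
        $key = Get-OfficeSecurityKey -App $app -Version $Version
        $value = (Get-ItemProperty -Path $key -Name 'PackagerPrompt' -ErrorAction SilentlyContinue).PackagerPrompt
        [pscustomobject]@{ App = $app; PackagerPrompt = $value; Compliant = ($value -eq 2) }
    }
    $results | Format-Table -AutoSize | Out-String | Write-Host
    -not ($results | Where-Object { -not $_.Compliant })
}

Set-OlePackageBlock
if (Test-OlePackageBlock) { Write-Host 'OLE package activation is blocked for all listed applications.' }
else { Write-Warning 'One or more applications still allow OLE package activation.' }
```

Because the setting is per user (HKCU), an Intune PowerShell script that deploys it needs the option to run using the logged-on credentials; otherwise it writes into the SYSTEM account's hive and the check above reports non-compliant for the actual user.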
Microsoft Edge is configured as the default PDF viewer on Windows 10 and Windows 11. PDF viewing can be further hardened with the policies included for ACSC or vendor hardening guidance for web browsers.
Alternatively, if your organization uses Adobe Reader as the default PDF software, configure the appropriate Attack Surface Reduction rule to block Adobe Reader from creating child processes, using the following steps:
| ISM control Sep 2024 | Mitigation |
|---|---|
| 1670 | The ASR rule 'Block Adobe Reader from creating child processes' has been enabled. |
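The following PowerShell is an added example covering both the Office ASR rules and the Adobe Reader rule above; it is not part of the Microsoft or ACSC GitHub guidance. It uses the Microsoft Defender cmdlets to read the current state of each rule, to set them to audit mode first (as the note above recommends), and to report which rules are not yet in block mode. The three Office rule GUIDs are the ones quoted on this page; the Adobe Reader GUID is an assumption taken from Microsoft's ASR rule reference and should be verified there before use. On Intune-managed devices the Endpoint Security policy takes precedence over local cmdlet changes, so treat the setter as a lab and validation aid and the reader as the compliance check.

```powershell
# Added example, not the page's or the GitHub guidance's own code.
# Run in an elevated session on a device with Microsoft Defender Antivirus active.

$AsrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    '7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C' = 'Block Adobe Reader from creating child processes'  # assumption: from the ASR reference, not this page
}

function Get-AsrRuleState {
    # One object per rule with the configured action; the numeric codes are Defender's
    # AttackSurfaceReductionRules_Actions values (0 Disabled, 1 Block, 2 Audit, 6 Warn).
    $pref = Get-MpPreference
    $actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    $ids = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToUpper() })
    foreach ($id in $AsrRules.Keys) {
        $idx = [array]::IndexOf($ids, $id.ToUpper())
        $state = if ($idx -ge 0) { $actionNames[[int]$pref.AttackSurfaceReductionRules_Actions[$idx]] } else { 'NotConfigured' }
        [pscustomobject]@{ RuleId = $id; Name = $AsrRules[$id]; State = $state }
    }
}

function Set-AsrRuleMode {
    # Add-MpPreference merges into the existing rule list, so other rules are left untouched.
    # Use AuditMode first; move to Enabled only after the audit events show no compatibility issues.
    param([Parameter(Mandatory)][ValidateSet('AuditMode', 'Enabled', 'Warn', 'Disabled')][string]$Mode)
    foreach ($id in $AsrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Mode
    }
}

function Get-AsrRulesNotEnforced {
    # Compliance view: every rule mapped to an ISM control that is not yet in Block mode.
    Get-AsrRuleState | Where-Object { $_.State -ne 'Block' }
}

Set-AsrRuleMode -Mode AuditMode          # pilot phase; re-run with -Mode Enabled to enforce
Get-AsrRuleState | Format-Table -AutoSize
$pending = Get-AsrRulesNotEnforced
if ($pending) { Write-Warning "Rules not yet enforced: $($pending.Name -join '; ')" }
```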
Microsoft Edge is installed by default on Windows 10 and Windows 11 and is the recommended web browser. Microsoft Edge is both the default browser and PDF viewer unless otherwise configured.
Microsoft and ACSC have provided guidance and specific policies to harden Microsoft Edge. Both sets of guidance should be deployed concurrently.
To implement the security baseline:
To implement hardening guidance:
Note
Microsoft has also released Intune policies that were put together to help organizations comply with the Australian Cyber Security Centre's (ACSC) Windows 10 Hardening Guidelines. The ACSC recommended hardening policies for Microsoft Edge are also contained within these policies.
| ISM control Sep 2024 | Mitigation |
|---|---|
| 1412, 1860 | Deploy the Microsoft Edge Security Baseline; deploy the ACSC Microsoft Edge Hardening Guidance. |
Microsoft Apps for Enterprise is hardened with the ACSC's recommended settings for hardening Microsoft 365, Office 2021, Office 2019, and Office 2016, as part of the Essential 8 Configure Microsoft Office macro settings pillar.
| ISM control Sep 2024 | Mitigation |
|---|---|
| 1859 | Deploy the ACSC Office hardening guidelines. |
When policies provided in this document are deployed via Intune, the settings that the policies contain are enforced and can't be changed by standard users.
| ISM control Sep 2024 | Mitigation |
|---|---|
| 1585 | When policies provided in this document are deployed via Intune, the settings that the policies contain are enforced and can't be changed by standard users. |
Deploying the UserApplicationHardening-RemoveFeatures.ps1 PowerShell script turns off the .NET Framework 3.5 (includes .NET 2.0 and 3.0) feature, if installed.
| ISM control Sep 2024 | Mitigation |
|---|---|
| ISM-1655 | .NET Framework 3.5 (includes .NET 2.0 and 3.0) is disabled or removed. |
Deploying the UserApplicationHardening-RemoveFeatures.ps1 PowerShell script turns off the Windows PowerShell 2.0 feature, if installed.
| ISM control Sep 2024 | Mitigation |
|---|---|
| 1612 | Windows PowerShell 2.0 is disabled or removed using the supplied script. |
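The following PowerShell is an added example and is not the UserApplicationHardening-RemoveFeatures.ps1 script from the guidance. It covers the three removals that script is described as performing in the Internet Explorer 11 section above (.NET Framework 3.5, Windows PowerShell 2.0, Internet Explorer 11) together with the policy that disables Internet Explorer 11 as a standalone browser, and adds a preview mode and a compliance check. The optional-feature names are the standard Windows names; the IE11 feature name given is the amd64 one (assumption: adjust for other architectures), and the NotifyDisableIEOptions registry value is assumed to be the backing value of the 'Disable Internet Explorer 11 as a standalone browser' policy. Verify both before relying on them.

```powershell
# Added example, not the ACSC/Microsoft UserApplicationHardening-RemoveFeatures.ps1 script.
# Run in an elevated session. Disabling .NET Framework 3.5 breaks applications that depend on it,
# so preview first (-WhatIfOnly) and test in a pilot group before enforcing fleet-wide.

$FeaturesToRemove = @(
    'NetFx3',                            # .NET Framework 3.5 (includes .NET 2.0 and 3.0)
    'MicrosoftWindowsPowerShellV2Root',  # Windows PowerShell 2.0 engine (parent feature)
    'MicrosoftWindowsPowerShellV2',      # Windows PowerShell 2.0 engine
    'Internet-Explorer-Optional-amd64'   # Internet Explorer 11; assumption: amd64 name, absent on Windows 11
)

function Disable-LegacyFeatures {
    # Disables each listed feature that is still enabled; -WhatIfOnly just reports what would change.
    param([switch]$WhatIfOnly)
    foreach ($name in $FeaturesToRemove) {
        $feature = Get-WindowsOptionalFeature -Online -FeatureName $name -ErrorAction SilentlyContinue
        if (-not $feature) { Write-Host "$name : not present on this build"; continue }
        if ($feature.State -ne 'Enabled') { Write-Host "$name : already $($feature.State)"; continue }
        if ($WhatIfOnly) { Write-Host "$name : would be disabled"; continue }
        Disable-WindowsOptionalFeature -Online -FeatureName $name -NoRestart | Out-Null
        Write-Host "$name : disabled (restart required to complete)"
    }
}

function Disable-IEStandaloneBrowser {
    # Assumption: NotifyDisableIEOptions = 1 under the IE policy key corresponds to the policy
    # 'Disable Internet Explorer 11 as a standalone browser' set to Enabled (notify users Always).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'NotifyDisableIEOptions' -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-LegacyFeaturesRemoved {
    # Compliance check: $true when none of the listed features is in the Enabled state.
    $stillEnabled = foreach ($name in $FeaturesToRemove) {
        $feature = Get-WindowsOptionalFeature -Online -FeatureName $name -ErrorAction SilentlyContinue
        if ($feature -and $feature.State -eq 'Enabled') { $name }
    }
    if ($stillEnabled) { Write-Warning "Still enabled: $($stillEnabled -join ', ')" }
    -not $stillEnabled
}

Disable-LegacyFeatures -WhatIfOnly   # preview; rerun without the switch to enforce
Disable-IEStandaloneBrowser
Test-LegacyFeaturesRemoved
```

When deployed through Intune, the Windows optional-feature changes take effect after the next restart, so a compliance check run immediately after the script may still report the features as enabled.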
Constrained Language Mode is enabled as a part of the Essential Eight Application Control mitigation strategy document.
Microsoft Defender for Endpoint (MDE) can be used to obtain and retain logs from endpoints that can be used for detection of cyber security events.
Script execution can be audited natively in Microsoft Defender for Endpoint Advanced Hunting. The Advanced Hunting capability logs multiple Application Control events, including event ID 8029, which reports on blocked scripts or scripts forced to run in Constrained Language Mode.
Alternatively, Event Forwarding of WDAC events can be used to monitor them in a third-party monitoring solution.
References:
Understanding Application Control event IDs (Windows) - Windows security
Query Application Control events with Advanced Hunting (Windows) - Windows security
Intune can be used to seamlessly onboard devices into MDE.
As with blocked PowerShell script executions, command line process creation events that can be precursors to indicators of compromise are collected when a device is enrolled into Defender for Endpoint. Events can be viewed in the Defender for Endpoint portal, on the device page under Timeline.
To implement onboarding endpoints into MDE:
Once devices are onboarded to MDE, PowerShell executions are captured for review and action can be taken if necessary. For more information, see Take response actions on a device in Microsoft Defender for Endpoint.
| ISM control Sep 2024 | Mitigation |
|---|---|
| 1664, 1665, 1405 | Application Control event IDs are captured by Defender for Endpoint when devices are enrolled into Defender for Endpoint. |
| 1899 | Command line process creation events that are precursors for indications of compromise are captured by Defender for Endpoint when devices are enrolled into Defender for Endpoint. |
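The following PowerShell is an added example, not part of this page or of Defender for Endpoint, for the Event Forwarding path mentioned above: it reads Application Control script-enforcement events from a local device or a Windows Event Forwarding collector and summarises them by script so that Constrained Language Mode enforcement can be reviewed before and after devices are moved from audit to block. It assumes that the script-enforcement events 8028 (audit) and 8029 (block) are written to the 'Microsoft-Windows-AppLocker/MSI and Script' log and that the event data carries a field whose name contains "File"; both should be confirmed against the event ID reference cited above, and the parser falls back to the raw message if no such field is present. Devices onboarded to Defender for Endpoint expose the same events in Advanced Hunting, which the second reference above covers.

```powershell
# Added example, not the page's own code. Reads WDAC script-enforcement events (8028 audit / 8029 block).
# Assumptions: log name below, and a data field named like '*File*' holding the script path.

$LogName  = 'Microsoft-Windows-AppLocker/MSI and Script'
$EventIds = 8028, 8029   # 8028 = would have been blocked (audit); 8029 = blocked or forced into Constrained Language Mode

function Get-WdacScriptEvents {
    # Returns one object per event in the last $Hours hours from $ComputerName (local by default).
    param([int]$Hours = 24, [string]$ComputerName = $env:COMPUTERNAME)
    $filter = @{ LogName = $LogName; Id = $EventIds; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[[string]$d.Name] = [string]$d.'#text' }
        # Assumption: the script path is in a field whose name contains 'File'; else keep the message.
        $fileField = $data.Keys | Where-Object { $_ -match 'File' } | Select-Object -First 1
        [pscustomobject]@{
            Time     = $e.TimeCreated
            Computer = $e.MachineName
            Id       = $e.Id
            Mode     = if ($e.Id -eq 8029) { 'Block' } else { 'Audit' }
            File     = if ($fileField) { $data[$fileField] } else { $e.Message }
            UserSid  = $e.UserId
        }
    }
}

function Get-WdacScriptSummary {
    # Groups events by mode and script so the noisiest scripts surface first; audit-mode hits
    # listed here are the ones to remediate or allow-list before switching to enforcement.
    param([int]$Hours = 24, [string]$ComputerName = $env:COMPUTERNAME)
    Get-WdacScriptEvents -Hours $Hours -ComputerName $ComputerName |
        Group-Object Mode, File |
        Sort-Object Count -Descending |
        Select-Object Count,
            @{ Name = 'Mode'; Expression = { $_.Group[0].Mode } },
            @{ Name = 'File'; Expression = { $_.Group[0].File } }
}

Get-WdacScriptSummary -Hours 24 | Format-Table -AutoSize
```

Run against a collector with `-ComputerName` pointed at the forwarding server and the log name changed to the ForwardedEvents log if the subscription writes there; remote reads require the Windows Event Log firewall rule and read access on the collector.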