Essential Eight user application hardening

Adversaries often target workstations through malicious websites, emails, or removable media in an attempt to extract sensitive information. Hardening the applications on workstations is an important part of reducing this risk. Because of its effectiveness, user application hardening is one of the Essential Eight from the ACSC's Strategies to Mitigate Cyber Security Incidents.

Adversaries frequently attempt to exploit vulnerabilities in older, unsupported versions of applications. Newer versions of Microsoft products offer significant improvements in security features and functionality, and provide increased stability. It's often the absence of these improved security features that allows an adversary to easily compromise older versions of applications. To reduce this risk, use the latest supported version of Microsoft products.

Resources and references

For ease of reference, each control below lists the Intune policies that must be deployed to meet it:

Web Browsers don't Process Java from the internet

Java isn't installed by default on Windows 10 or Windows 11.

ISM control (Mar 2024): 1486
Mitigation: Java isn't installed by default on Windows 10 or Windows 11.

Web browsers don't process web advertisements from the internet

All available configuration options for disabling advertisements in Microsoft Edge are configured when deploying the Microsoft Edge Security Baseline and ACSC hardening for Microsoft Edge.

Further blocking can be achieved with third-party extensions for Microsoft Edge, network filtering at the gateway, or a Protected DNS service. Implementing these items is outside the scope of this document.

ISM control (Mar 2024): 1485
Mitigation: The policy 'Ads setting for sites with intrusive ads' has been configured to Enable.

Internet Explorer 11 is disabled or removed

Internet Explorer 11 isn't present on Windows 11.

On 15 June 2022, Microsoft retired Internet Explorer 11. For an organization that still requires Internet Explorer for legacy compatibility, Internet Explorer mode (IE mode) in Microsoft Edge provides a seamless, single-browser experience. Users can access legacy applications from within Microsoft Edge without having to switch back to Internet Explorer 11.

After the admin has configured IE mode, organizations can disable Internet Explorer 11 as a standalone browser. The Internet Explorer 11 icons in the Start Menu and on the Task Bar are removed. Users are redirected to Microsoft Edge when attempting to launch shortcuts or file associations that use Internet Explorer 11 or when directly invoking the iexplore.exe binary.

To configure Internet Explorer to open directly within Microsoft Edge for specific websites, configure IE mode policies. For more information, see Configure IE mode Policies.

Implementation details for disabling Internet Explorer 11

To use Intune to disable Internet Explorer 11 as a standalone browser for Windows 10 devices:

  1. Create a new Settings Catalog policy.
  2. Browse by category, and search for: Disable Internet Explorer 11 as a standalone browser (User).
  3. Go to Administrative Templates\Windows Components\Internet Explorer and select the setting: Disable Internet Explorer 11 as a standalone browser (User).
  4. Enable the setting Disable Internet Explorer 11 as a standalone browser (User).
  5. Deploy the policy to a set of devices or users.

In addition, to completely remove Internet Explorer 11:

  1. Add UserApplicationHardening-RemoveFeatures.ps1 as a PowerShell script with the following options:
  • Run this script using the logged on credentials: No
  • Enforce script signature check: No
  • Run script in 64-bit PowerShell Host: No
  2. Assign the script to a deployment group.

ISM control (Mar 2024): 1666
Mitigation: The policy 'Configure the Enterprise Mode Site List' is configured with a list of organization-specific websites. Internet Explorer 11 has been removed either by the policy 'Disable Internet Explorer 11 as a standalone browser' configured as Enable, or by use of a script.

Microsoft Office is blocked from creating child processes

Blocking Microsoft Office from creating child processes can be accomplished via an Attack Surface Reduction (ASR) Endpoint Security policy, deployed via Intune.

Microsoft has made available an Intune implementation of the ACSC Windows Hardening Guidance on GitHub. The ASR rule to block Microsoft Office from creating child processes is contained within this guidance.

Implementation details for blocking creation of child processes

To implement blocking creation of child processes:

  1. Navigate to Graph Explorer and authenticate.
  2. Create a POST request, using the beta schema to the Attack Surface Reduction policy endpoint: https://graph.microsoft.com/beta/deviceManagement/templates/0e237410-1367-4844-bd7f-15fb0f08943b/createInstance.
  3. Copy the JSON in the ACSC Windows Hardening Guidelines-Attack Surface Reduction policy and paste it in the request body.
  4. (Optional) modify the name value if necessary.

This ASR Endpoint Security policy contains the specific ASR rule: Block all Office applications from creating child processes (D4F940AB-401B-4EFC-AADC-AD5F3C50688A).

Note

By importing this ASR rule profile, Microsoft Office is also blocked from creating executable content (3B576869-A4EC-4529-8536-B80A7769E899) and from injecting code into other processes (75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84).

Note

This Attack Surface Reduction (ASR) policy configures each of the ASR rules recommended by the ACSC in audit mode. Test ASR rules for compatibility issues in your environment before switching them to enforcement.

ISM control (Mar 2024): 1667
Mitigation: The ASR rule 'Block all Office applications from creating child processes' has been enabled.

Microsoft Office is blocked from creating executable content

Blocking Microsoft Office from creating executable content (ASR rule 3B576869-A4EC-4529-8536-B80A7769E899) can be accomplished via an Attack Surface Reduction (ASR) Endpoint Security policy, deployed via Intune.

ISM control (Mar 2024): 1668
Mitigation: The ASR rule 'Block Office applications from creating executable content' has been enabled.

Microsoft Office is blocked from injecting code into other processes

Blocking Microsoft Office from injecting code into other processes (ASR rule 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84) can be accomplished via an Attack Surface Reduction (ASR) Endpoint Security policy, deployed via Intune.

ISM control (Mar 2024): 1669
Mitigation: The ASR rule 'Block Office applications from injecting code into other processes' has been enabled.

Microsoft Office is configured to prevent activation of OLE packages

Deploy the OfficeMacroHardening-PreventActivationofOLE.ps1 PowerShell script to import the registry keys that block the activation of OLE packages in Excel, PowerPoint, and Word.

Implementation Details to prevent activation of OLE packages

To implement prevention of activation of OLE packages:

  1. Add OfficeMacroHardening-PreventActivationofOLE.ps1 as a PowerShell script with the following options:
  • Run this script using the logged on credentials: Yes
  • Enforce script signature check: No
  • Run script in 64-bit PowerShell Host: No
  2. Assign the script to a deployment group.

Note

This PowerShell script is specifically for Office 2016 and later. A script to prevent the activation of OLE for Office 2013 is provided here: OfficeMacroHardening-PreventActivationofOLE-Office2013.ps1.

The script is unsigned. If your organization requires script signing, review the documentation in Methods of signing scripts, sign the script so that it can run on your Windows devices, and then change Enforce script signature check to: Yes.

ISM control (Mar 2024): 1542
Mitigation: Activation of OLE packages has been prevented via a script.
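The page names the script but not the registry value it imports. The following added example, which is not the OfficeMacroHardening-PreventActivationofOLE.ps1 script from the page, shows the approach for Office 2016 and later. It assumes the setting in question is the PackagerPrompt DWORD under each application's Security key (version 16.0), where a value of 2 means packaged objects are not activated and the user is not prompted; like the page's script, it writes to HKCU, so it must run as the logged-on user.

```powershell
# Added example (not the page's script). Assumption: PackagerPrompt = 2 under
# HKCU\Software\Microsoft\Office\16.0\<App>\Security blocks OLE package activation
# without prompting. Runs in the logged-on user's context (HKCU).
$officeVersion = '16.0'            # Office 2016 and later
$apps = 'Word', 'Excel', 'PowerPoint'

function Get-SecurityKeyPath {
    param([string]$App)
    return "HKCU:\Software\Microsoft\Office\$officeVersion\$App\Security"
}

function Set-PackagerPrompt {
    param([string]$App)
    $key = Get-SecurityKeyPath -App $App
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    # -Force overwrites an existing value, so re-running the script is idempotent.
    New-ItemProperty -Path $key -Name 'PackagerPrompt' -PropertyType DWord -Value 2 -Force | Out-Null
}

function Test-PackagerPrompt {
    param([string]$App)
    $key = Get-SecurityKeyPath -App $App
    $value = (Get-ItemProperty -Path $key -Name 'PackagerPrompt' -ErrorAction SilentlyContinue).PackagerPrompt
    return ($value -eq 2)
}

foreach ($app in $apps) {
    Set-PackagerPrompt -App $app
    $state = if (Test-PackagerPrompt -App $app) { 'blocked' } else { 'NOT set' }
    Write-Output "$app OLE package activation: $state"
}
```

The Test-PackagerPrompt function is what a compliance check would call separately; it reports whether each application still has the value, so a user or a later installer reverting the key is visible rather than silent.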

PDF software is blocked from creating child processes

Microsoft Edge is configured as the default PDF viewer on Windows 10 and Windows 11. PDF viewing can be further hardened with the policies included in the ACSC or vendor hardening guidance for web browsers.

Alternatively, if your organization is using Adobe Reader as the default PDF software, configure the appropriate Attack Surface Reduction rule to block Adobe Reader from creating child processes, using the following steps:

  1. In Intune, navigate to Endpoint Security > Attack Surface Reduction.
  2. Create (or modify) a new Attack Surface Reduction Endpoint Security Policy.
  3. Set Block Adobe Reader from creating child processes to Enable.
  4. Assign the Attack Surface Reduction Rule policy to a group.

ISM control (Mar 2024): 1670
Mitigation: The ASR rule 'Block Adobe Reader from creating child processes' has been enabled.
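The three Office sections above and this Adobe Reader section each turn on one ASR rule. The following added example, which is not the ACSC policy JSON or any Microsoft-provided script, applies the same four rules locally with the Defender cmdlets and then reads back the configured action for each, so you can confirm what a device actually enforces. The three Office GUIDs are the ones quoted on this page; the Adobe Reader GUID is assumed from Microsoft's ASR rules reference and should be checked there before use. It starts in audit mode, matching the note that the imported ACSC policy audits rather than blocks until compatibility testing is complete.

```powershell
# Added example (not from the page). Requires an elevated session on a device with
# Microsoft Defender Antivirus. Office rule GUIDs are from this page; the Adobe Reader
# GUID is an assumption taken from Microsoft's ASR rules reference.
$asrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    '7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C' = 'Block Adobe Reader from creating child processes'  # assumed GUID
}

# Start in AuditMode (events logged, nothing blocked); change to 'Enabled' after testing.
$mode = 'AuditMode'

foreach ($id in $asrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $mode
}

# Get-MpPreference returns two parallel arrays: rule IDs and their numeric actions.
$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
$pref = Get-MpPreference
$ids = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)

for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($asrRules.ContainsKey($ids[$i])) {   # hashtable keys are case-insensitive
        $action = $actionNames[[int]$actions[$i]]
        if (-not $action) { $action = "Unknown($($actions[$i]))" }
        Write-Output ("{0,-8} {1}" -f $action, $asrRules[$ids[$i]])
    }
}
```

When the rules are managed by Intune, the Intune policy wins over local Add-MpPreference changes; the read-back loop is still useful on a managed device because it shows the effective action after policy has applied.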

Hardening guidance for web browsers, Microsoft Office and PDF software

Web browser and PDF software with Microsoft Edge

Microsoft Edge is installed by default on Windows 10 and Windows 11 and is the recommended web browser. Microsoft Edge is both the default browser and PDF viewer unless otherwise configured.

Microsoft and the ACSC have each provided guidance and specific policies to harden Microsoft Edge. Deploy both sets of guidance concurrently.

Implementation details using Microsoft Edge Security Baseline

To implement the security baseline:

  1. Navigate to Endpoint Security > Security Baselines > Microsoft Edge Baseline.
  2. Create a new Microsoft Edge Baseline by selecting Create Profile.
  3. Review the configuration, and assign the Security Baseline to a group.

Implementation details for Microsoft Edge hardening guidance

To implement hardening guidance:

  1. Save the ACSC Microsoft Edge Hardening Guidelines policy to your local device.
  2. Navigate to the Microsoft Intune console.
  3. Import a policy, under Devices > Windows > Configuration profiles > Create > Import Policy.
  4. Name the policy, select Browse for files under Policy file and navigate to the saved policy from step 1.
  5. Select Save.

Note

Microsoft has also released Intune policies designed to help organizations comply with the Australian Cyber Security Centre's (ACSC) Windows 10 Hardening Guidelines. The ACSC-recommended hardening policies for Microsoft Edge are also contained within these policies.

ISM control (Mar 2024): 1412, 1860
Mitigation:
  • Deploy the Microsoft Edge Security Baseline.
  • Deploy the ACSC Microsoft Edge Hardening Guidance.

Microsoft Office: Microsoft Apps for Enterprise

Microsoft Apps for Enterprise is hardened with the ACSC's recommended settings for hardening Microsoft 365, Office 2021, Office 2019, and Office 2016, as part of the Essential Eight Configure Microsoft Office macro settings pillar.

ISM control (Mar 2024): 1859
Mitigation: Deploy the ACSC Office hardening guidelines.

Web browser, Microsoft Office and PDF software security settings can't be changed by users

When policies provided in this document are deployed via Intune, the settings that the policies contain are enforced and can't be changed by standard users.

ISM control (Mar 2024): 1585
Mitigation: When the policies provided in this document are deployed via Intune, the settings they contain are enforced and can't be changed by standard users.

.NET Framework 3.5 (includes .NET 2.0 and 3.0) is disabled or removed

Deploying the UserApplicationHardening-RemoveFeatures.ps1 PowerShell script turns off the .NET Framework 3.5 (includes .NET 2.0 and 3.0) feature, if installed.

ISM control (Mar 2024): 1655
Mitigation: .NET Framework 3.5 (includes .NET 2.0 and 3.0) is disabled or removed using the supplied script.

Windows PowerShell 2.0 is disabled or removed

Deploying the UserApplicationHardening-RemoveFeatures.ps1 PowerShell script turns off the Windows PowerShell 2.0 feature, if installed.

ISM control (Mar 2024): 1612
Mitigation: Windows PowerShell 2.0 is disabled or removed using the supplied script.
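The same UserApplicationHardening-RemoveFeatures.ps1 script is cited for removing Internet Explorer 11, .NET Framework 3.5 and Windows PowerShell 2.0, but the page does not show how. The following added example is not that script; it shows one way to turn off the three features with the DISM cmdlets, skipping anything not present or already disabled and writing a log Intune's script output would not otherwise give you. The optional-feature names are the standard DISM identifiers; the Internet Explorer name assumes a 64-bit Windows 10 image, and on Windows 11 that feature is absent and is simply logged as not present.

```powershell
# Added example (not the page's UserApplicationHardening-RemoveFeatures.ps1).
# Runs as SYSTEM when deployed with "Run this script using the logged on credentials: No".
$features = @(
    'Internet-Explorer-Optional-amd64',   # Internet Explorer 11 (assumed 64-bit Windows 10 image)
    'NetFx3',                             # .NET Framework 3.5 (includes .NET 2.0 and 3.0)
    'MicrosoftWindowsPowerShellV2Root',   # Windows PowerShell 2.0 engine
    'MicrosoftWindowsPowerShellV2'
)

$log = Join-Path $env:ProgramData 'UserAppHardening-RemoveFeatures.log'

function Write-Log {
    param([string]$Message)
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $log -Append -Encoding utf8
}

$restartNeeded = $false
foreach ($name in $features) {
    $feature = Get-WindowsOptionalFeature -Online -FeatureName $name -ErrorAction SilentlyContinue
    if (-not $feature) {
        Write-Log "$name : not present on this image"
        continue
    }
    if ($feature.State -like 'Disabled*') {
        Write-Log "$name : already $($feature.State)"
        continue
    }
    # -NoRestart leaves the reboot to Intune; -Remove also drops the feature payload,
    # so it cannot be re-enabled without source media.
    $result = Disable-WindowsOptionalFeature -Online -FeatureName $name -NoRestart -Remove
    if ($result.RestartNeeded) { $restartNeeded = $true }
    Write-Log "$name : disabled (RestartNeeded=$($result.RestartNeeded))"
}

Write-Log "Completed. RestartNeeded=$restartNeeded"
# Exit code 3010 is the conventional "success, reboot required" value; Intune reports
# any non-zero exit as failed, so return 0 and leave the reboot decision to policy.
exit 0
```

Checking the feature state before calling Disable-WindowsOptionalFeature keeps the script safe to assign repeatedly, and the State comparison uses a wildcard because a feature whose payload was already removed reports DisabledWithPayloadRemoved rather than Disabled.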

PowerShell is configured to use Constrained Language Mode

Constrained Language Mode is enabled as a part of the Essential Eight Application Control mitigation strategy document.

Blocked PowerShell script executions are centrally logged and protected from unauthorized modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected

Microsoft Defender for Endpoint (MDE) can be used to obtain and retain logs from endpoints that can be used for detection of cyber security events.

Script execution can be audited natively in Microsoft Defender for Endpoint Advanced Hunting. Advanced Hunting logs multiple Application Control events, including event ID 8029, which reports scripts that were blocked or forced to run in Constrained Language Mode.

Alternatively, Event Forwarding of WDAC events can be used to monitor them in a third-party monitoring solution.

References:

Understanding Application Control event IDs (Windows) - Windows security | Query Application Control events with Advanced Hunting (Windows) - Windows security

Intune can be used to seamlessly onboard devices into MDE.
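Before relying on central collection, it helps to confirm on one device that event ID 8029 is actually being written. The following added example, which is not from the page, reads the local AppLocker "MSI and Script" log where Application Control records these events, and flattens each event's data into an object a forwarding rule or a quick triage can filter on. It assumes that log name and that 8028 is the audit-mode counterpart of the blocking event 8029, as described in the referenced Application Control event ID documentation; the element names under UserData are read generically rather than hard-coded.

```powershell
# Added example (not from the page). Assumption: Application Control script events
# 8028 (audit) and 8029 (block / Constrained Language Mode) live in the
# Microsoft-Windows-AppLocker/MSI and Script log.
function Get-AppControlScriptEvents {
    param(
        [int]$Hours = 24,
        [int[]]$EventIds = @(8028, 8029)
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-AppLocker/MSI and Script'
        Id        = $EventIds
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent throws when no events match; treat that as an empty result.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($event in $events) {
        $xml = [xml]$event.ToXml()
        $fields = [ordered]@{
            TimeCreated = $event.TimeCreated
            Computer    = $event.MachineName
            EventId     = $event.Id
            Outcome     = if ($event.Id -eq 8029) { 'Blocked' } else { 'Audited' }
        }
        # Copy every child of the UserData payload without assuming its element names.
        foreach ($node in $xml.Event.UserData.FirstChild.ChildNodes) {
            $fields[$node.LocalName] = $node.InnerText
        }
        [pscustomobject]$fields
    }
}

# Summarise the last day: how many blocked vs audited, then the most recent entries.
$recent = Get-AppControlScriptEvents -Hours 24
$recent | Group-Object Outcome | Select-Object Name, Count | Format-Table -AutoSize
$recent | Sort-Object TimeCreated -Descending | Select-Object -First 10 | Format-List
```

A steady stream of 8028 events with no 8029 events is the expected picture while a policy is still in audit mode; 8029 events appearing after enforcement are the ones that should reach the central log and be reviewed, which is what the ISM controls below ask for.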

Command line process creation events are centrally logged

As with blocked PowerShell script executions, command line process creation events that are precursors for indications of compromise are collected when a device is enrolled into Defender for Endpoint. Events can be viewed in the Defender for Endpoint portal, on the device page under Timeline.

Implementation details for onboarding endpoints into Microsoft Defender for Endpoint

To implement onboarding endpoints into MDE:

  1. Create a new Windows Configuration Profile with a type of Template > Microsoft Defender for Endpoint (desktop devices running Windows 10 or later).
  2. Set Expedite telemetry reporting frequency to Enable.
  3. Assign the policy to a deployment group.

Once devices are onboarded to MDE, PowerShell executions are captured for review and action can be taken if necessary. For more information, see Take response actions on a device in Microsoft Defender for Endpoint.

ISM control (Mar 2024): 1664, 1665, 1405
Mitigation: Application Control event IDs are captured by Defender for Endpoint when devices are enrolled into Defender for Endpoint.

ISM control (Mar 2024): 1899
Mitigation: Command line process creation events that are precursors for indications of compromise are captured by Defender for Endpoint when devices are enrolled into Defender for Endpoint.