The ACSC defines Application Control as “an approach in which only an explicitly defined set of trusted applications are allowed to execute on systems” and it is considered one of the most effective mitigation strategies to ensure the security of systems.
When implemented robustly, this mitigation strategy prevents the execution of malicious programs and installers including executables, software libraries, scripts, installers, compiled HTML, HTML applications, control panel applets and drivers. Application control stops anything that isn’t a known requirement of your organisation from running, unlike antivirus software that seeks only to block malicious programs.
When an organisation is determining how to implement and enforce Application Control, they should refer to the following methods that are considered by the ACSC as suitable if implemented correctly:
- Cryptographic hash rules
- publisher certificate rules (combining both publisher names and product names)
- path rules (ensuring file system permissions are configured to prevent unauthorised modification of folder and file permissions, folder contents and individual files).
The ACSC does not consider the following approaches to be Application Control:
- providing a portal or other means of installation for approved applications
- using web or email content filters to prevent users from downloading applications from the internet
- checking the reputation of an application using a cloud-based service before it is executed
- using a next-generation firewall to identify whether network traffic is generated by an approved application.
Four steps to implement Application Control
When implementing Application Control, organisations should use the following high-level steps as defined by the ACSC:
- Identify the applications your organisation wishes to approve
- Develop application control rules to ensure only approved applications can execute
- Maintain application control rules using a change management program
- Validate application control rules on an annual or more frequent basis
Application Control is not a replacement for antivirus and other security software but should be used in parallel as part of a defence-in-depth strategy. Application Control provides no defence for malware inserted into a trusted path, like a poisoned update from an authorised vendor – whereas competent antivirus may provide some protection against that type of attack.
Maturity Level One
Organisations at Maturity Level One focus their efforts on preventing the execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets on workstations within standard user profiles and temporary folders used by the operating system, web browsers and email clients.
Maturity Level Two
Maturity Level Two organisations expand their strategy to include internet-facing servers and look at all executions on an asset, rather than just those associated with user profile directories. At this level, logging of allowed and blocked executions on workstations and internet-facing servers is also required.
Maturity Level Three
Maturity Level Three sees organisations expand their strategy to include all workstations and servers. Organisations need to implement Microsoft’s recommended block rules and driver block rules, validate their application control ruleset on an annual or more frequent basis, and centrally log and protect their allowed and blocked executions whilst monitoring for signs of compromise and taking action if cyber security events are detected.