Almost all computer users run a web browser, an office suite and a PDF viewer. Most of these applications ship with insecure default settings that are aimed at consumers. User Application Hardening is the process of disabling the unnecessary or high-risk functions in these common programs so that exploitation is less likely, while still allowing an organisation to use them.
This usually doesn't reduce the utility of these applications for end users and can even improve it. For example, blocking web advertisements makes the internet easier to use, but it also prevents attackers from using a malicious advertisement to infect your corporate network - keeping everyone happy.
REMEDIATION STRATEGIES
Maturity Level One
For Internet Explorer, organisations at Maturity Level One need to deploy a central configuration policy that disables the use of Oracle Java plugins, only processes content from the enterprise sites list, and diverts all other traffic to Microsoft Edge.
For all other web browsers (Google Chrome, Mozilla Firefox, Microsoft Edge), ensure that the only versions in use are those which do not support Java (2017+).
Organisations should deploy a web filtering solution to block traffic to advertising servers and certify that all settings relating to internet zones, including download warning settings, enabled plugins and web technologies, and authentication, are controlled by central policy and cannot be changed by end users.
Maturity Level Two
At Maturity Level Two, organisations implement ACSC or vendor hardening guidance for deployed web browsers, Microsoft Office and PDF software, and implement Windows Defender for Endpoint Attack Surface Reduction (ASR) rules to block Microsoft Office from creating child processes, creating executable content and injecting code into other processes, and to block PDF software from creating child processes.
Central policy is established to disable the activation of OLE packages for Microsoft Office applications. Web browser, Microsoft Office and PDF software security settings are configured by central policy and cannot be changed by end users.
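The four ASR rules named above, applied and then verified on a single host with the Defender cmdlets, as an added example (not from the original page or from ACSC); it assumes an elevated PowerShell session on Windows 10/11 with Microsoft Defender Antivirus, and the rule IDs are Microsoft's published values for these rules. In a fleet the same IDs would be pushed by Group Policy or Intune rather than per host.

```powershell
# Added example: enable the ASR rules described above and confirm they took effect.
# Assumes an elevated session on a Windows 10/11 host running Microsoft Defender Antivirus.

# Microsoft's published rule IDs for the four rules the text names.
# Note: the PDF rule is specific to Adobe Reader; other PDF readers are not covered by it.
$AsrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    '7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C' = 'Block Adobe Reader from creating child processes'
}

# Pilot with 'AuditMode' first (events are logged, nothing is blocked), then switch to 'Enabled'.
$Mode = 'Enabled'

foreach ($id in $AsrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Mode
}

# Verify: Get-MpPreference returns parallel arrays of rule IDs and actions
# (0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn). Compare IDs case-insensitively.
$pref    = Get-MpPreference
$ids     = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)

foreach ($id in $AsrRules.Keys) {
    $idx = -1
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $id) { $idx = $i; break }
    }
    $state = if ($idx -lt 0)              { 'MISSING' }
             elseif ($actions[$idx] -eq 1) { 'Block' }
             elseif ($actions[$idx] -eq 2) { 'Audit' }
             elseif ($actions[$idx] -eq 6) { 'Warn' }
             else                          { 'Disabled' }
    '{0,-8} {1}' -f $state, $AsrRules[$id]
}

# Rule hits land in the Defender operational log: 1121 = blocked, 1122 = audited.
# These are the events to forward to the SIEM so that blocks are visible centrally.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122 } `
             -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

A row reading MISSING or Disabled after the script runs means the rule was not applied on that host and the central policy should be checked before assuming coverage.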
Maturity Level Three
At Maturity Level Three, organisations deploy central policy to enforce the use of PowerShell Constrained Language Mode and implement a Security Information and Event Management (SIEM) system to capture blocked PowerShell script executions, monitoring these events as a potential indicator of compromise and ensuring that detections are escalated and actioned.
Organisations at Maturity Level Three also disable or remove Internet Explorer 11, .NET Framework 3.5 and Windows PowerShell 2.0 from all assets.