ISM-0843 – Technical Resolution Guidance
What is ISM-0843?
Application Control is implemented on workstations.
Background
Application Control is a security measure that limits which software can execute on a workstation, so that malware and unauthorized programs are blocked from running even if a user manages to download or install them.
For ease of Essential Eight implementation, SecurE8 integrates with many Application Control products.
Applicability
This control is relevant to the following:
- Maturity Level 1, 2, and 3 Controls
- Workstation devices
Evaluation Results
Status | Description |
---|---|
Effective | WDAC policy files are present, AppLocker is configured, or a supported third-party application control service is detected. |
Ineffective | No WDAC policy files are present, AppLocker is not configured, and no supported third-party application control service is detected. |
Testing Parameters
SecurE8 Auditor verifies that an organization has an active Application Control product in place. It does not test the effectiveness of that control in depth, as such testing is addressed by a separate control; for this control, Auditor confirms only that a supported product is installed and operational, which establishes a baseline level of Application Control.
The validation process is as follows:
1. For Workstation Devices
a. For each product in the list below, Auditor checks whether the product is active:
i. For WDAC: verify that policy files are present.
ii. For AppLocker: verify that the AppLocker policy registry key contains multiple subkeys (one per rule collection).
iii. For other products: confirm that the related service is enabled and running.
2. An 'Effective' status is achieved when at least one of the above checks is true.
SecurE8 Auditor currently integrates with these products and verifies that one of the following is installed and active (WDAC itself has no dedicated service and is detected through its policy files, as described above):
Products | Service ShortName |
---|---|
Microsoft Windows Defender Application Control (WDAC) | WinDefend |
Microsoft AppLocker | AppIDSvc |
Ivanti | AppSense Application Manager Agent |
BeyondTrust Privilege Management Cloud Adapter | IC3Adapter |
Carbon Black | Parity |
ThreatLocker | ThreatLockerService |
Airlock Digital | AirlockClient |
Avecto Defendpoint | Avecto Defendpoint Service |
Remediation Steps
If WDAC is enabled, Auditor will also verify the presence of active policies. Active policies can be identified by locating the policy files, whose location depends on the policy format and the system's boot type:
Single Policy Format
- Legacy Boot: \Windows\System32\CodeIntegrity\SiPolicy.p7b
- UEFI Boot: \Microsoft\Boot\SiPolicy.p7b (on the EFI System Partition)
Multiple Policy Format
- Legacy Boot: \Windows\System32\CodeIntegrity\CiPolicies\Active\{PolicyId GUID}.cip
- UEFI Boot: \Microsoft\Boot\CiPolicies\Active\{PolicyId GUID}.cip (on the EFI System Partition)
Note that a policy file in any of these locations may have been deployed in audit mode. Its presence confirms that a policy is deployed, not that it is enforced; enforcement is assessed under the separate effectiveness control.
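The following script is an added example and is not SecurE8 Auditor's own code. It approximates the workstation checks described above (WDAC policy files, AppLocker rule-collection subkeys, and the third-party agent services from the product table) and applies the page's "any one check passes" rule, while also reporting enforcement state, which the page notes is outside this control. It assumes, beyond what the page states, that AppLocker rules delivered by policy live under the `SrpV2` registry key, that the `Win32_DeviceGuard` CIM class reports WDAC enforcement state, and that the EFI System Partition, if wanted, has been mounted on a drive letter passed as `-EspDrive`. It must be run from an elevated PowerShell session on the workstation.

```powershell
# Added example, not SecurE8 Auditor's own code: an elevated-PowerShell approximation
# of the ISM-0843 workstation checks described on this page. Assumptions not stated
# on the page: the SrpV2 registry key for AppLocker rules, the Win32_DeviceGuard CIM
# class for WDAC enforcement state, and the optional EFI System Partition drive letter.

# Service short names from the product table above. WDAC has no service of its own
# and is checked via policy files; AppLocker's Application Identity service is AppIDSvc.
$ThirdPartyServices = @{
    'Ivanti (AppSense Application Manager)' = 'AppSense Application Manager Agent'
    'BeyondTrust Privilege Management'      = 'IC3Adapter'
    'Carbon Black'                          = 'Parity'
    'ThreatLocker'                          = 'ThreatLockerService'
    'Airlock Digital'                       = 'AirlockClient'
    'Avecto Defendpoint'                    = 'Avecto Defendpoint Service'
}

function Test-WdacPolicy {
    # Policy-file locations from this page. The ESP is normally unmounted; run
    # 'mountvol S: /S' first and pass -EspDrive S to include it (assumption). The
    # page gives the ESP path relative to \Microsoft\Boot; on a mounted ESP that
    # directory sits under \EFI.
    param([string]$EspDrive)
    $ci = "$env:SystemRoot\System32\CodeIntegrity"
    $candidates = @("$ci\SiPolicy.p7b", "$ci\CiPolicies\Active\*.cip")
    if ($EspDrive) {
        $candidates += "${EspDrive}:\EFI\Microsoft\Boot\SiPolicy.p7b"
        $candidates += "${EspDrive}:\EFI\Microsoft\Boot\CiPolicies\Active\*.cip"
    }
    $files = @(foreach ($c in $candidates) {
        Get-ChildItem -Path $c -File -ErrorAction SilentlyContinue
    })
    # A deployed policy can still be in audit mode, so read the enforcement state
    # as well: 0 = off, 1 = audit, 2 = enforced.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PolicyFiles      = @($files | ForEach-Object { $_.FullName })
        KernelEnforced   = ($dg.CodeIntegrityPolicyEnforcementStatus -eq 2)
        UserModeEnforced = ($dg.UsermodeCodeIntegrityPolicyEnforcementStatus -eq 2)
    }
}

function Test-AppLockerPolicy {
    # The page checks that "the registry key contains multiple subkeys"; policy-
    # delivered AppLocker rules live under SrpV2 as one subkey per rule collection.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SrpV2'
    $collections = @(Get-ChildItem -Path $key -ErrorAction SilentlyContinue |
                     ForEach-Object { $_.PSChildName })
    $appId = Get-Service -Name 'AppIDSvc' -ErrorAction SilentlyContinue
    # Subkeys prove configuration, not enforcement; the effective policy shows that.
    $enforced = @()
    if (Get-Command Get-AppLockerPolicy -ErrorAction SilentlyContinue) {
        $enforced = @((Get-AppLockerPolicy -Effective).RuleCollections |
                      Where-Object { $_.EnforcementMode -eq 'Enabled' } |
                      ForEach-Object { $_.RuleCollectionType })
    }
    [pscustomobject]@{
        RuleCollections     = $collections
        AppIdSvcRunning     = [bool]($appId -and $appId.Status -eq 'Running')
        EnforcedCollections = $enforced
    }
}

function Test-ThirdPartyAgents {
    foreach ($product in $ThirdPartyServices.Keys) {
        $svc = Get-Service -Name $ThirdPartyServices[$product] -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Product = $product
            Service = $ThirdPartyServices[$product]
            Running = [bool]($svc -and $svc.Status -eq 'Running')
        }
    }
}

function Get-Ism0843Status {
    param([string]$EspDrive)
    $wdac = Test-WdacPolicy -EspDrive $EspDrive
    $al   = Test-AppLockerPolicy
    $tp   = @(Test-ThirdPartyAgents | Where-Object { $_.Running })
    # The page's rule: Effective when any one of the three checks passes.
    $effective = ($wdac.PolicyFiles.Count -gt 0) -or
                 ($al.RuleCollections.Count -gt 1) -or
                 ($tp.Count -gt 0)
    $status = if ($effective) { 'Effective' } else { 'Ineffective' }
    [pscustomobject]@{
        Status               = $status
        WdacPolicyFiles      = $wdac.PolicyFiles
        WdacEnforced         = ($wdac.KernelEnforced -or $wdac.UserModeEnforced)
        AppLockerCollections = $al.RuleCollections
        AppLockerEnforced    = $al.EnforcedCollections
        ThirdPartyAgents     = @($tp | ForEach-Object { $_.Product })
    }
}

Get-Ism0843Status | Format-List
```

The `Status` field reproduces the page's detection rule; the `WdacEnforced` and `AppLockerEnforced` fields are the extra evidence a practitioner should look at before treating a workstation as protected, since a policy file or rule collection deployed in audit mode satisfies the detection rule without blocking anything.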
Validation Process
Validation involves confirming Application Control services are running and correctly configured.
Risk Consideration
Without Application Control, the risk of security breaches, malware infections, and unauthorized software increases significantly. Proper implementation helps secure your IT environment by enforcing a restricted software usage policy.