ISM-0843 – Technical Resolution Guidance

What is ISM-0843?

Application Control is implemented on workstations.

Background

Application Control serves as a security measure to limit the types of software that can run on a workstation, effectively preventing the installation or execution of malware or unauthorized programs.

For ease of Essential Eight implementation, SecurE8 integrates with many Application Control products.

Applicability

This control is relevant to the following:

  • Maturity Level 1, 2, and 3 Controls
  • Workstation devices

Evaluation Results

Status        Description
Effective     WDAC is enabled, or a third-party application control solution is detected.
Ineffective   WDAC is not enabled, or a third-party application control solution is not detected.

Testing Parameters

SecurE8 Auditor verifies that an organization has an active Application Control product in place. However, it does not conduct in-depth testing to validate the effectiveness of the control, as such testing is addressed by a separate control. SecurE8 Auditor focuses on confirming that the necessary products are implemented and operational to ensure some level of acceptable Application Control. The validation process is as follows:
1. For Workstation Devices
 a. For each product in the list below, Auditor checks to confirm if the service is active:
  i. For WDAC: Verify the presence of policy files.
  ii. For AppLocker: Ensure the registry key contains multiple subkeys.
  iii. For other products: Confirm that the related service is enabled and running.

2. An 'Effective' status is achieved when at least one of the above checks is true. SecurE8 Auditor currently integrates with the products below and verifies that at least one of them is installed and active:

Product                                                  Service                              ShortName
Microsoft Windows Defender Application Control (WDAC)    WinDefend                            Integration into Microsoft Application Control
Microsoft AppLocker                                      AppIDSvc                             Integration into Microsoft Application Control
Ivanti                                                   AppSense Application Manager Agent   Integration into Ivanti Application Control
BeyondTrust Privilege Management Cloud Adapter           IC3Adapter                           Integration into BeyondTrust Application Control
Carbon Black                                             Parity                               Integration into Carbon Black by VMWare Application Control
ThreatLocker                                             ThreatLockerService                  Integration into ThreatLocker Application Control
Airlock Digital                                          AirlockClient                        Integration into Airlock Digital Application Control
Avecto Defendpoint                                       Avecto Defendpoint Service           Integration into Avecto Application Control

Remediation Steps

If WDAC is enabled, Auditor will also verify the presence of active policies. Active policies can be identified by locating policy files, depending on the system's boot type:

Single Policy
  • Legacy Boot: \Windows\System32\CodeIntegrity\SiPolicy.p7b
  • UEFI Boot: \Microsoft\Boot\SiPolicy.p7b

Multiple Policies
  • Legacy Boot: \Windows\System32\CodeIntegrity\CiPolicies\Active\{PolicyId GUID}.cip
  • UEFI Boot: \Microsoft\Boot\CiPolicies\Active\{PolicyId GUID}.cip

Each AppLocker category must, at a minimum, have the Default controls configured.
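The checks listed under Testing Parameters and the policy-file paths above, as an added example that is not SecurE8 Auditor's own code: a PowerShell function that reports the same Effective/Ineffective verdict together with the evidence it found. It assumes the AppLocker policy key HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2 (not named on the page) and takes the mounted EFI boot location as a parameter, since the EFI System Partition is not normally assigned a drive letter.

```powershell
# Added example, not SecurE8 Auditor's own code: reproduces the ISM-0843 presence
# checks so an administrator can pre-check a workstation. Run from an elevated shell.
# Assumptions: AppLocker rules live under the SrpV2 policy key (not named on the page),
# and -EfiBootRoot is the mounted location under which the page's \Microsoft\Boot path
# resolves (an unmounted EFI System Partition is simply skipped).
function Test-ApplicationControl {
    param(
        [string]$SystemRoot  = $env:SystemRoot,  # legacy-boot paths are under here
        [string]$EfiBootRoot = $null             # e.g. 'S:\EFI' after mounting the ESP
    )
    $evidence = @()

    # 1. WDAC: an active single policy (SiPolicy.p7b) or any {PolicyId}.cip in the
    #    multiple-policy Active folder counts as a present policy.
    $single = @("$SystemRoot\System32\CodeIntegrity\SiPolicy.p7b")
    $multi  = @("$SystemRoot\System32\CodeIntegrity\CiPolicies\Active\*.cip")
    if ($EfiBootRoot) {
        $single += "$EfiBootRoot\Microsoft\Boot\SiPolicy.p7b"
        $multi  += "$EfiBootRoot\Microsoft\Boot\CiPolicies\Active\*.cip"
    }
    $policies = @($single | Where-Object { Test-Path -LiteralPath $_ })
    $policies += @(Get-ChildItem -Path $multi -ErrorAction SilentlyContinue |
                   Select-Object -ExpandProperty FullName)
    if ($policies.Count -gt 0) { $evidence += "WDAC policy file(s): $($policies -join '; ')" }

    # 2. AppLocker: the policy key must hold more than one rule-collection subkey
    #    (Exe, Msi, Script, ...), mirroring the "multiple subkeys" check on the page.
    $srpV2   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SrpV2'
    $subkeys = @(Get-ChildItem -Path $srpV2 -ErrorAction SilentlyContinue)
    if ($subkeys.Count -gt 1) { $evidence += "AppLocker collections: $($subkeys.PSChildName -join ', ')" }

    # 3. Agents from the integration table: the service must exist and be running.
    $agents = @{
        'WinDefend' = 'WDAC'; 'AppIDSvc' = 'AppLocker'
        'AppSense Application Manager Agent' = 'Ivanti'; 'IC3Adapter' = 'BeyondTrust'
        'Parity' = 'Carbon Black'; 'ThreatLockerService' = 'ThreatLocker'
        'AirlockClient' = 'Airlock Digital'; 'Avecto Defendpoint Service' = 'Avecto Defendpoint'
    }
    foreach ($name in $agents.Keys) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($svc -and $svc.Status -eq 'Running') { $evidence += "$($agents[$name]) service running: $name" }
    }

    $status = if ($evidence.Count -gt 0) { 'Effective' } else { 'Ineffective' }
    [pscustomobject]@{ Control = 'ISM-0843'; Status = $status; Evidence = $evidence }
}

Test-ApplicationControl | Format-List
```

As with the Auditor check it mirrors, a present policy file or running agent shows the product is in place, not that its rules are enforcing; rule effectiveness is covered by a separate control.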

Validation Process

Validation involves confirming Application Control services are running and correctly configured.

Risk Consideration

Without Application Control, the risk of security breaches, malware infections, and unauthorized software increases significantly. Proper implementation helps secure your IT environment by enforcing a restricted software usage policy.