ISM-1657 – Technical Resolution Guidance

What is ISM-1657?

Application control restricts the execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets to an organisation-approved set.
This control ensures that application control is effective for each of the file types it is applied to, not just for executables.

Background

Application Control is a security measure that limits the types of files—like programs, scripts, and installers—that can run on a system to an approved list. This helps prevent unauthorized or harmful software from running on the organization’s systems.

Applicability

This control is relevant to the following:

  • Maturity Level 1, 2, and 3 Controls

Evaluation Results

Status            Description
Effective         The organization's application control configuration blocks all relevant tests from running.
Ineffective       One or more relevant tests can be executed.
Not Applicable    The operating system does not support application control.

Testing Parameters

Verifying this control confirms that the intended file execution restrictions are effectively enforced.
The tests confirm that certain file types can’t run in folders that are usually not approved, showing that a whitelist-based Application Control is in place.
The folders included in the tests are:

  • %userprofile%\*
  • %temp%\*
  • %tmp%\*
  • %windir%\Temp\*

The following file types should not be allowed to execute in these folders within the user’s context:

  • Executables (.exe, .com)
  • Software libraries (.dll, .ocx)
  • Scripts (.ps1, .bat, .cmd, .vbs, .js)
  • Installers (.msi, .msp, .mst)
  • Compiled HTML (.chm)
  • HTML applications (.hta)
  • Control panel applets (.cpl)

Application Control Method

Remediation Steps

SecurE8 extracts a test file of each type into the folders listed above and attempts to run it, using the exit code to determine whether the file actually executed. These tests can also be performed manually if needed.

Validation Process

If the test file cannot be copied to the test location, or the attempt to run it does not return an exit code of zero, the file type is treated as blocked and the test is considered effective.
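The following PowerShell script is an added example of how the test described under Testing Parameters and Validation Process can be performed manually; it is not SecurE8's tooling. For each folder and file type it copies a benign sample into the folder, launches it the way a user normally would, and records "Blocked" when the copy is denied, the launch is refused, or the exit code is non-zero, and "Allowed" when the sample exits with code 0 or is still running after a few seconds (GUI types such as .chm and .hta). The sample directory, the sample.<ext> naming, the launcher table and the five-second timeout are assumptions of this example; the binary samples (sample.exe, sample.dll, sample.msi and so on) must be supplied by the tester and should be no-op files. Run it in the user's context, not elevated.

```powershell
<#
  Added example (not SecurE8's code): manual validation harness for ISM-1657.
  Assumptions: $SampleDir holds benign, tester-supplied samples named sample.<ext>
  for the binary types; script samples are generated below and simply exit 0.
  The .mst test additionally needs a no-op sample.msi to apply the transform to.
#>
param([string]$SampleDir = (Join-Path $PSScriptRoot 'samples'))

# Folders the control is expected to block (from the guidance above).
$Folders = @($env:USERPROFILE, $env:TEMP, $env:TMP, (Join-Path $env:WINDIR 'Temp'))

# Generate the trivial script samples; each exits with code 0 if allowed to run.
New-Item -ItemType Directory -Path $SampleDir -Force | Out-Null
@{ '.ps1' = 'exit 0'; '.bat' = '@exit /b 0'; '.cmd' = '@exit /b 0'
   '.vbs' = 'WScript.Quit 0'; '.js' = 'WScript.Quit(0);' }.GetEnumerator() |
    ForEach-Object { Set-Content -Path (Join-Path $SampleDir "sample$($_.Key)") -Value $_.Value }

# How each type is normally launched; each entry returns Start-Process parameters.
# -ExecutionPolicy Bypass is used because execution policy is not the control under test.
$Launchers = @{
    '.exe' = { param($p) @{ FilePath = $p } }
    '.com' = { param($p) @{ FilePath = $p } }
    '.dll' = { param($p) @{ FilePath = 'regsvr32.exe';   ArgumentList = @('/s', $p) } }
    '.ocx' = { param($p) @{ FilePath = 'regsvr32.exe';   ArgumentList = @('/s', $p) } }
    '.ps1' = { param($p) @{ FilePath = 'powershell.exe'; ArgumentList = @('-NoProfile', '-ExecutionPolicy', 'Bypass', '-File', $p) } }
    '.bat' = { param($p) @{ FilePath = 'cmd.exe';        ArgumentList = @('/c', $p) } }
    '.cmd' = { param($p) @{ FilePath = 'cmd.exe';        ArgumentList = @('/c', $p) } }
    '.vbs' = { param($p) @{ FilePath = 'cscript.exe';    ArgumentList = @('//Nologo', $p) } }
    '.js'  = { param($p) @{ FilePath = 'cscript.exe';    ArgumentList = @('//Nologo', $p) } }
    '.msi' = { param($p) @{ FilePath = 'msiexec.exe';    ArgumentList = @('/i', $p, '/qn') } }
    '.msp' = { param($p) @{ FilePath = 'msiexec.exe';    ArgumentList = @('/p', $p, '/qn') } }
    '.mst' = { param($p) @{ FilePath = 'msiexec.exe';    ArgumentList = @('/i', (Join-Path $SampleDir 'sample.msi'), "TRANSFORMS=$p", '/qn') } }
    '.chm' = { param($p) @{ FilePath = 'hh.exe';         ArgumentList = @($p) } }
    '.hta' = { param($p) @{ FilePath = 'mshta.exe';      ArgumentList = @($p) } }
    '.cpl' = { param($p) @{ FilePath = 'control.exe';    ArgumentList = @($p) } }
}

function Test-Sample {
    param([string]$Folder, [string]$Ext)
    $src = Join-Path $SampleDir "sample$Ext"
    $dst = Join-Path $Folder "ism1657-sample$Ext"
    if (-not (Test-Path $src)) { return 'Missing sample' }
    try { Copy-Item -Path $src -Destination $dst -Force -ErrorAction Stop }
    catch { return 'Blocked (copy denied)' }          # cannot even place the file: effective
    try {
        $launch = & $Launchers[$Ext] $dst
        $proc = Start-Process @launch -PassThru -WindowStyle Hidden -ErrorAction Stop
        $null = $proc.Handle                          # cache the handle so ExitCode is populated
        if (-not $proc.WaitForExit(5000)) {           # still running: it was allowed to start
            $proc.Kill(); return 'Allowed (still running)'
        }
        if ($proc.ExitCode -eq 0) { 'Allowed (exit 0)' } else { "Blocked (exit $($proc.ExitCode))" }
    } catch {
        "Blocked ($($_.Exception.Message))"           # e.g. the policy refused to create the process
    } finally {
        Remove-Item -Path $dst -Force -ErrorAction SilentlyContinue
    }
}

$results = foreach ($folder in $Folders) {
    foreach ($ext in ($Launchers.Keys | Sort-Object)) {
        [pscustomobject]@{ Folder = $folder; Type = $ext; Result = (Test-Sample -Folder $folder -Ext $ext) }
    }
}
$results | Format-Table -AutoSize

# Map to the evaluation table: any test that ran makes the control Ineffective.
$allowed = @($results | Where-Object Result -like 'Allowed*')
if ($allowed.Count -eq 0) { 'ISM-1657: Effective' }
else { "ISM-1657: Ineffective ($($allowed.Count) test(s) could be executed)" }
```

A "Missing sample" result means the tester has not supplied that binary sample and the type was not tested; it is neither Blocked nor Allowed and should be resolved before reporting. Because msiexec will genuinely install an allowed package, sample.msi and sample.msp must be packages that make no changes to the system.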

Risk Consideration

Restricting the execution of files to an approved set of executables, software libraries, scripts, installers, and other applications helps strengthen an organization's security by reducing the risk of unauthorized or malicious software. This control enhances protection against threats such as malware, zero-day exploits, and phishing attacks, while supporting regulatory compliance and simplifying incident response.