ISM-1870 – Technical Resolution Guidance

What is ISM-1870?

Application control is applied to user profiles and temporary folders used by operating systems, web browsers and email clients.
This control ensures that Application Control is effective in the locations where it applies.

Background

Application control for user profiles and temporary folders used by operating systems, web browsers, and email clients involves setting security measures to manage and restrict application execution in these areas.

Applicability

This control is relevant to the following:

  • Maturity Level 1, 2, and 3 Controls

Evaluation Results

Status        Description
Effective     All major tests are blocked from running in the user profile and temporary folders.
Ineffective   At least one folder in the user profile or temporary folders is unrestricted.

Testing Parameters

The test confirms that certain types of files cannot be executed in specific folders that are usually restricted by Application Control. If they cannot, some form of whitelist control is active.

Folders tested include:

User Profile Folders:
  • %userprofile%\*
  • %temp%\*
  • %tmp%\*

System Temporary Folder:
  • %windir%\Temp\*

Email (Microsoft Outlook):
  • Temporary file location stored in the registry at (the version segment, here 15.0, varies with the installed Office release):
    HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Security!Securetemp

Web Browser Cache Folders:
  • Microsoft Edge: %localappdata%\Microsoft\Edge\User Data\Default\Cache\Cache_Data
  • Google Chrome: C:\Users\%username%\AppData\Local\Google\Chrome\User Data\Default\Cache
  • Mozilla Firefox: C:\Users\%username%\AppData\Local\Mozilla\Firefox\Profiles\xxxxxx.defaultcache
    (where "xxxxxx" is a random profile name)

The following file types should not be allowed to run in these folders when executed under the user's context:
  • Executables (.exe, .com)
  • Libraries (.dll, .ocx)
  • Scripts (.ps1, .bat, .cmd, .vbs, .js)
  • Installers (.msi, .msp, .mst)
  • Compiled HTML (.chm)
  • HTML applications (.hta)
  • Control panel applets (.cpl)
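
As an added example (not the page's or SecurE8's own code), the script below performs a static version of this check against an AppLocker policy. It reads policy XML in the shape exported by `Get-AppLockerPolicy -Effective -Xml` and evaluates, for each folder listed above, whether a standard user could run a file placed there, following AppLocker's evaluation order (explicit Deny wins, then any matching Allow minus its exceptions, otherwise denied). The environment values for the user "alice", the Outlook SecureTemp folder, the Firefox profile name and the two sample policies are constructed; only FilePathRule entries are modelled (publisher and hash rules are ignored), so it complements rather than replaces executing the test files. Comparing the two constructed policies shows why %windir%\Temp is on the list: an Allow rule for %WINDIR%\* with no exception leaves that folder Ineffective even though the user profile folders are blocked.

```python
"""Static ISM-1870 check: evaluate AppLocker path rules for the tested folders.
Added example, not part of the SecurE8 page; only FilePathRule entries are modelled."""
import re
import xml.etree.ElementTree as ET

# Constructed environment for a hypothetical standard user "alice" (assumption).
ENV = {
    "%userprofile%": r"C:\Users\alice",
    "%temp%": r"C:\Users\alice\AppData\Local\Temp",
    "%tmp%": r"C:\Users\alice\AppData\Local\Temp",
    "%windir%": r"C:\Windows",
    "%localappdata%": r"C:\Users\alice\AppData\Local",
    "%username%": "alice",
}

# Folders from the Testing Parameters list. The Outlook SecureTemp folder and the
# Firefox profile name are constructed stand-ins for the per-host values.
TESTED_FOLDERS = {
    "User profile": r"%userprofile%",
    "User temp": r"%temp%",
    "System temp": r"%windir%\Temp",
    "Outlook SecureTemp": r"%localappdata%\Microsoft\Windows\INetCache\Content.Outlook\ABCD1234",
    "Edge cache": r"%localappdata%\Microsoft\Edge\User Data\Default\Cache\Cache_Data",
    "Chrome cache": r"C:\Users\%username%\AppData\Local\Google\Chrome\User Data\Default\Cache",
    "Firefox cache": r"C:\Users\%username%\AppData\Local\Mozilla\Firefox\Profiles\abc123.defaultcache",
}

# AppLocker path variables (assumed system drive C:). %PROGRAMFILES% covers both folders.
APPLOCKER_VARS = {
    "%OSDRIVE%": ["C:"],
    "%WINDIR%": [r"C:\Windows"],
    "%SYSTEM32%": [r"C:\Windows\System32"],
    "%PROGRAMFILES%": [r"C:\Program Files", r"C:\Program Files (x86)"],
}

# AppLocker rule collection per extension on the page; .chm, .hta and .cpl have no
# AppLocker collection, so decision() rejects them rather than guess.
COLLECTION_FOR_EXT = {".exe": "Exe", ".com": "Exe", ".dll": "Dll", ".ocx": "Dll",
                      ".ps1": "Script", ".bat": "Script", ".cmd": "Script",
                      ".vbs": "Script", ".js": "Script",
                      ".msi": "Msi", ".msp": "Msi", ".mst": "Msi"}


def path_patterns(rule_path):
    """Expand AppLocker variables and turn the '*' / '?' wildcards into regexes."""
    variants = [rule_path]
    for var, values in APPLOCKER_VARS.items():
        expanded = []
        for v in variants:
            expanded += [v.replace(var, val) for val in values] if var in v else [v]
        variants = expanded
    return [re.compile("^" + re.escape(v).replace(r"\*", ".*").replace(r"\?", ".") + "$",
                       re.IGNORECASE) for v in variants]


def decision(policy_xml, file_path, user_sids):
    """'Allowed' or 'Denied' for file_path: an explicit Deny wins, then any matching
    Allow (minus its exceptions), otherwise the file is denied."""
    ext = file_path[file_path.rfind("."):].lower()
    if ext not in COLLECTION_FOR_EXT:
        raise ValueError(f"{ext} is not governed by an AppLocker rule collection")
    coll = ET.fromstring(policy_xml).find(f"RuleCollection[@Type='{COLLECTION_FOR_EXT[ext]}']")
    # Simplification (assumption): only a collection in 'Enabled' mode is treated as
    # enforcing; AuditOnly or absent collections are treated as allowing everything.
    if coll is None or coll.get("EnforcementMode") != "Enabled":
        return "Allowed"
    allowed = False
    for rule in coll.findall("FilePathRule"):
        if rule.get("UserOrGroupSid") not in user_sids:
            continue
        conds = [c.get("Path") for c in rule.findall("Conditions/FilePathCondition")]
        excs = [c.get("Path") for c in rule.findall("Exceptions/FilePathCondition")]
        if not any(rx.match(file_path) for p in conds for rx in path_patterns(p)):
            continue
        if any(rx.match(file_path) for p in excs for rx in path_patterns(p)):
            continue
        if rule.get("Action") == "Deny":
            return "Denied"
        allowed = True
    return "Allowed" if allowed else "Denied"


def ism_1870_status(policy_xml, user_sids, extensions=(".exe", ".com")):
    """Per tested folder: 'Effective' when every probed file type is denied there."""
    results = {}
    for name, folder in TESTED_FOLDERS.items():
        for var, val in ENV.items():
            folder = folder.replace(var, val)
        verdicts = [decision(policy_xml, folder + "\\sample" + ext, user_sids) for ext in extensions]
        results[name] = "Effective" if all(v == "Denied" for v in verdicts) else "Ineffective"
    return results


# Constructed policies (assumption) shaped like AppLocker's default Exe rules: Everyone
# (S-1-1-0) may run from Program Files and Windows, Administrators (S-1-5-32-544) from
# anywhere. Rule Ids are placeholders, not real rule GUIDs.
POLICY_TEMPLATE = """<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="rule-1" Name="Program Files" Action="Allow" UserOrGroupSid="S-1-1-0">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\\*"/></Conditions>
    </FilePathRule>
    <FilePathRule Id="rule-2" Name="Windows" Action="Allow" UserOrGroupSid="S-1-1-0">
      <Conditions><FilePathCondition Path="%WINDIR%\\*"/></Conditions>{windir_exceptions}
    </FilePathRule>
    <FilePathRule Id="rule-3" Name="Administrators" Action="Allow" UserOrGroupSid="S-1-5-32-544">
      <Conditions><FilePathCondition Path="*"/></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>"""
DEFAULT_RULES = POLICY_TEMPLATE.format(windir_exceptions="")
HARDENED_RULES = POLICY_TEMPLATE.format(
    windir_exceptions='<Exceptions><FilePathCondition Path="%WINDIR%\\Temp\\*"/></Exceptions>')

if __name__ == "__main__":
    standard_user = {"S-1-1-0"}
    for label, policy in (("default rules", DEFAULT_RULES), ("hardened rules", HARDENED_RULES)):
        print(label)
        for folder, status in ism_1870_status(policy, standard_user).items():
            print(f"  {status:<11} {folder}")
```

Run stand-alone, the block prints an Effective/Ineffective line per folder for both constructed policies; with the default-shaped rules only "System temp" is Ineffective for a standard user, and the exception on the Windows rule removes that gap. Substituting a real export of the effective policy from a tested host gives the same table for that host, subject to the FilePathRule-only simplification above.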

Remediation Steps

For each ineffective test, examine the relevant policy or adjust settings so that your application control software blocks the listed file types in that folder.
SecurE8 generates a polished Excel report that shows, for each folder, whether the specified executable types were blocked:

SecurE8 Essential Eight Application Control Report

Validation Process

To ensure effective Application Control, conduct a comprehensive validation that includes policy review, configuration checks, controlled environment testing, and regular monitoring of user profiles and temporary folders for unauthorized activities. Continuous improvement, integration with endpoint security, and user education further strengthen the application control process.

Risk Consideration

While Application Control is a valuable security measure, potential risks like overly restrictive policies, insider threats, and policy misconfigurations can impact its effectiveness and operational workflow. Regular risk assessments, policy reviews, continuous monitoring, and user education help mitigate these risks and strengthen overall security resilience.