What is User Application Hardening?

User application hardening is a critical component of an organisation’s cybersecurity strategy, focusing on securing applications by reducing vulnerabilities and limiting potential attack vectors. This process involves configuring applications to operate with the least privilege necessary, disabling unnecessary features, and implementing security controls to prevent exploitation. By hardening user applications, organisations can significantly enhance their defence against cyber threats.

Assessment Guidelines

ISM Control Essential Eight Requirement Assessment Guidelines
ISM-1654 Internet Explorer 11 is disabled or removed.

Within the RSoP report, look for the ‘Computer Configuration/Administrative Templates/Windows Components/Internet Explorer/Disable Internet Explorer 11 as a standalone browser’ setting. It should be enabled.

Alternatively, request a screenshot of the ‘Windows Features’ that are installed. This can be accessed via (Settings – Apps & features – Programs and Features – Turn Windows features on or off). Check whether Internet Explorer 11 is installed by looking for a tick or black square. Note, if Internet Explorer 11 has already been removed it may not appear in the list of Windows Features.

Note, as standard users will still be able to launch Internet Explorer 11, even in Microsoft Windows 11, an application control block rule should be set for ‘iexplore.exe’.

ISM-1486 Web browsers do not process Java from the internet.

A list of web browsers installed on the system can be derived from the list of all installed applications. For each web browser installed on the system, visit a specific web page that contains Java, such as the ‘Is Java installed?’ website.

Additionally, review any plug-ins or extensions that are installed for each web browser present on the system. This can be used to check whether any web browsers have Java plug-ins or extensions installed, and if so, whether they are disabled.

If the system owner requires Java content to be accessed on their intranet, compensating controls should be assessed to determine whether, for example, internet-based Java content is blocked via a web content filter.

ISM-1485 Web browsers do not process web advertisements from the internet.

Check whether web browsers have either an ad blocker add-in or extension installed. Alternatively, check whether a web content filter or proxy is blocking web advertisements. A simple check is to request a user to browse to a website that is known to display ads (to observe if any ads are displayed) or to browse to the ‘Can You Block It?’ website and provide a screenshot of the results.

Note, built-in settings within web browsers to block pop-ups do not meet the intent of this control.

ISM-1585 Web browser security settings cannot be changed by users.

Check the security settings for each web browser installed on the system. Identify if settings are greyed out (Mozilla Firefox), have an icon with a hover-over message that says ‘This setting is managed by your organisation’ (Microsoft Edge) or ‘This setting is managed by your administrator’ (Google Chrome). This indicates that settings have been configured via group policy settings and cannot be changed by users. In addition, identify whether Java Control Panel settings can be changed by the user.
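For the ISM-1654 RSoP check above, an assessor handling reports from many machines can script the lookup. The following is an added example, not part of the original guidance: it assumes the report was exported as XML with `gpresult /x`, and the sample report and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Setting name exactly as it appears in the assessment guidance.
IE11_POLICY = "Disable Internet Explorer 11 as a standalone browser"

# Constructed, trimmed sample; layout assumed to follow `gpresult /x` output.
SAMPLE_RSOP = """<Rsop xmlns="http://www.microsoft.com/GroupPolicy/Rsop">
  <ComputerResults>
    <ExtensionData>
      <Extension xmlns:q1="http://www.microsoft.com/GroupPolicy/Settings/Registry">
        <q1:Policy>
          <q1:Name>Disable Internet Explorer 11 as a standalone browser</q1:Name>
          <q1:State>Enabled</q1:State>
          <q1:Category>Windows Components/Internet Explorer</q1:Category>
        </q1:Policy>
      </Extension>
    </ExtensionData>
  </ComputerResults>
  <UserResults />
</Rsop>"""


def local(tag):
    """Strip the XML namespace so matching does not depend on prefixes."""
    return tag.rsplit("}", 1)[-1]


def child_text(elem, name):
    """Text of the first direct child with the given local name, or ''."""
    for child in elem:
        if local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def assess_ie11_policy(rsop_xml):
    """Return 'pass', 'fail' (present but not Enabled) or 'not configured'."""
    root = ET.fromstring(rsop_xml)
    for scope in root:
        # The guidance names a Computer Configuration setting; skip user results.
        if local(scope.tag) != "ComputerResults":
            continue
        for elem in scope.iter():
            if local(elem.tag) == "Policy" and child_text(elem, "Name") == IE11_POLICY:
                return "pass" if child_text(elem, "State") == "Enabled" else "fail"
    return "not configured"


if __name__ == "__main__":
    print(assess_ie11_policy(SAMPLE_RSOP))
```

A ‘not configured’ result means the setting is absent from the report, so the assessor falls back to the ‘Windows Features’ check; a ‘pass’ does not replace the separate application control rule for ‘iexplore.exe’.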

Benefits of User Application Hardening

User application hardening significantly bolsters an organisation’s security posture by reducing vulnerabilities and limiting potential attack vectors. By restricting applications to the minimum functionality required, disabling unnecessary features, and applying robust security controls, organisations can prevent exploitation of application vulnerabilities. This proactive approach minimises the attack surface, making it harder for malicious actors to gain access. Furthermore, application hardening supports compliance with regulatory standards, as many security frameworks mandate such measures to protect sensitive data. By prioritising user application hardening, organisations not only enhance their defences but also ensure operational resilience and trustworthiness.

Challenges and Issues in User Application Hardening

While user application hardening is a critical security measure, its implementation is not without challenges. One major issue is the potential impact on usability. Disabling certain features or restricting functionalities might hinder user productivity, leading to dissatisfaction or workarounds that undermine security. Another challenge lies in maintaining the hardened state, as new vulnerabilities emerge regularly, requiring continuous updates and monitoring. The complexity of diverse application environments, particularly in organisations with numerous or custom-built software, further complicates the process. These issues necessitate a balanced approach that ensures robust security without compromising operational efficiency.

Best Practices for Effective User Application Hardening

Implementing best practices is key to overcoming the challenges of user application hardening. Organisations should start by conducting a risk-based assessment to prioritise applications based on their criticality and exposure. Standardised configurations should be applied wherever possible to ensure consistent security measures. Leveraging automation tools can streamline the hardening process, reduce human error, and simplify ongoing maintenance. Regular training for users and administrators is essential to promote adherence to security practices and minimise resistance to changes. Finally, establishing a strong patch management process ensures vulnerabilities are promptly addressed, maintaining the integrity and effectiveness of hardened applications.

Conclusion

By diligently applying these practices, organisations can effectively harden their user applications, thereby enhancing their overall cybersecurity posture and resilience against threats.