Calibre 1 Essential 8 Series: User Application Hardening
This blog is part of a series on the Essential 8 and how you can implement each control in a cost-effective way.
Previous Blogs in the Series
MultiFactor Authentication (MFA) Maturity 1
MultiFactor Authentication (MFA) Maturity 2
MultiFactor Authentication (MFA) Maturity 3
Patch Operating Systems
Restrict Administrative Privileges
You might be asking, "How does one harden software?" In this context, hardening means reducing the attack surface and applying a secure configuration that prevents manipulation or exploitation of weaknesses in the software. "Why would vendors ship vulnerable software?" I hear you ask. A lot of the time, software ships with a recommendation that the security controls be implemented afterwards. This is a trade-off for ease of setup and use; in practice, however, once the software is working as desired, it undergoes no further changes. Let's get started on the 8 and work through the requirements!
Web Browsers, especially you Internet Explorer!
Web browsers in the modern age are the Swiss Army knife of computers, exceeded only by Excel as the greatest software ever dreamed, designed and built. They are capable of playing videos, running software applications (including Excel), viewing PDFs and a plethora of other wonderful things. They are the user's gateway to the Internet, and as such one of the most heavily explored (and exploited) pieces of software: at the time of writing, Google Chrome is up to version 98.0.4758.102, indicating 97 major releases, as well as no doubt thousands of smaller changes. Wow!
At Maturity Level 1, web browsers are configured not to process Java from the internet, web advertisements are blocked, Internet Explorer does not process content from the internet, and users cannot change the browser security settings. Most modern browsers do this by default, but enforcing it via Microsoft Endpoint Manager or Group Policy is a great failsafe. While you're there, configure the security settings so that users cannot change them. Also consider your application whitelisting software, such as Airlock Digital, which can be used to block Java as well. At Maturity Level 3, blocking Internet Explorer in the same whitelisting software is added.
Web advertisements are a little more difficult, but not exceedingly so. A browser extension like uBlock Origin or Adblock Pro will cover it at the endpoint level, but what about mobile devices and other clients? A secure configuration would be:
Endpoint -> Firewall -> Pihole -> Secure DNS (Quad9, Cisco Umbrella).
Pi-hole is a great network-level ad blocker, named as such because it was designed to run on a Raspberry Pi. Its blocklists update regularly and remove a lot of advertising sources. Finally, the secure DNS platform blocks or removes many of those security risks and prevents your systems from reaching those sites, lowering the risk of infection.
Office, PDF’s, and Browsers (Oh my!)
The requirements for Office and PDF software, starting at Maturity Level 2, are around blocking child processes, the creation of executable content, code injection into other processes, and the activation of OLE packages. A lot of this can be built on registry settings using Windows Defender Attack Surface Reduction rules, or the equivalent in your normal antivirus. These can be implemented via Group Policy or Microsoft Endpoint Manager. The screenshot below is an extract from the ACSC hardening guidance listed in the references.
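As an added example (not code from the Calibre 1 post or from the ACSC guidance), the following PowerShell applies the local equivalent of those Maturity Level 2 Office and PDF controls on one Windows host running Microsoft Defender Antivirus. The function names are my own; the ASR rule GUIDs are the ones published in Microsoft's ASR rule reference and should be checked against the current list before deployment, and the OLE packager setting uses the Office Trust Center PackagerPrompt value rather than an ASR rule. It assumes an elevated session and that in production the same settings are pushed by Group Policy or Microsoft Endpoint Manager.

```powershell
# Added example, not code from the Calibre 1 post or the ACSC guidance.
# Assumptions: elevated PowerShell on Windows 10/11 with Defender Antivirus;
# Group Policy / Microsoft Endpoint Manager pushes the same settings fleet-wide.

# ASR rule GUID -> description (GUIDs as published in Microsoft's ASR reference).
$OfficeAsrRules = [ordered]@{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    '7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C' = 'Block Adobe Reader from creating child processes'
}

# Numeric action codes as returned by Get-MpPreference.
$AsrActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Set-OfficeAsrRules {
    # Default to AuditMode: rules log (Defender Operational event 1122) without
    # blocking, so false positives surface before you switch to Enabled (event 1121).
    param([ValidateSet('Enabled', 'AuditMode', 'Disabled')][string]$Action = 'AuditMode')
    foreach ($id in $OfficeAsrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Action
    }
}

function Get-OfficeAsrRuleState {
    # One row per rule showing how Defender is currently enforcing it.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)      # parallel arrays
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    foreach ($id in $OfficeAsrRules.Keys) {
        $state = 'Not configured'
        for ($i = 0; $i -lt $ids.Count; $i++) {
            if ($ids[$i] -ieq $id) {                          # Defender may lower-case GUIDs
                $code  = [int]$actions[$i]
                $state = if ($AsrActionNames.ContainsKey($code)) { $AsrActionNames[$code] } else { "Unknown ($code)" }
            }
        }
        [pscustomobject]@{ Rule = $OfficeAsrRules[$id]; Id = $id; State = $state }
    }
}

function Set-OfficePackagerBlock {
    # OLE package activation is an Office Trust Center setting, not an ASR rule.
    # PackagerPrompt: 0 = no prompt, 1 = prompt (default), 2 = prevent activation.
    # Written under the Policies hive so the user cannot undo it in the UI.
    param([string[]]$Apps = @('Word', 'Excel', 'PowerPoint'), [string]$Version = '16.0')
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$Version\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'PackagerPrompt' -PropertyType DWord -Value 2 -Force | Out-Null
    }
}

function Get-OfficePackagerState {
    # Reports whether each Office app has OLE package activation prevented.
    param([string[]]$Apps = @('Word', 'Excel', 'PowerPoint'), [string]$Version = '16.0')
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$Version\$app\Security"
        $val = (Get-ItemProperty -Path $key -Name 'PackagerPrompt' -ErrorAction SilentlyContinue).PackagerPrompt
        [pscustomobject]@{ App = $app; PackagerPrompt = $val; Blocked = ($val -eq 2) }
    }
}

# Usage: audit first, review the 1122 events, then re-run with -Action Enabled.
Set-OfficeAsrRules -Action AuditMode
Set-OfficePackagerBlock
Get-OfficeAsrRuleState   | Format-Table -AutoSize
Get-OfficePackagerState  | Format-Table -AutoSize
```

Starting the ASR rules in audit mode is deliberate: "block all Office applications from creating child processes" in particular can interrupt legitimate add-ins, and the 1122 audit events tell you what would have been blocked before any user is affected.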
PowerShell & .NET
The final piece of our puzzle is PowerShell and the .NET Framework.
At Maturity Level 2, blocked PowerShell script executions are logged. Using a tool like Sysmon, just ensure this is captured.
At Maturity Level 3, PowerShell 2.0 and .NET Framework 3.5 and below are disabled or removed. Implement a block rule through a tool like Airlock Digital, as removal can cause some problems.
Configure PowerShell via the registry (through Microsoft Endpoint Manager or Group Policy) to use Constrained Language Mode.
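As an added example (not code from the Calibre 1 post), this PowerShell audits the three controls just described (blocked scripts logged, PowerShell 2.0 and .NET Framework 3.5 disabled, Constrained Language Mode) on one Windows host and applies the local equivalents. The function names are my own. It assumes an elevated session; it leaves .NET Framework 3.5 in place (the post recommends a block rule rather than removal), and the blocked-script query covers the AppLocker log because that is the one whose event IDs I can vouch for, so adjust it if your application control tool writes elsewhere.

```powershell
# Added example, not code from the Calibre 1 post.
# Assumptions: elevated PowerShell on Windows 10/11; Group Policy or Microsoft
# Endpoint Manager is what you would use fleet-wide; these are the local equivalents.

function Get-PowerShellHardeningState {
    # Snapshot of the settings the post asks for, as one object you can export.
    $v2    = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
    $net35 = Get-WindowsOptionalFeature -Online -FeatureName NetFx3
    $sbl   = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' `
                              -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
    $lock  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' `
                              -Name __PSLockdownPolicy -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PowerShellV2Enabled  = ($v2.State -eq 'Enabled')
        NetFx35Enabled       = ($net35.State -eq 'Enabled')      # audit only; block it via app control
        ScriptBlockLoggingOn = ($sbl.EnableScriptBlockLogging -eq 1)
        LockdownPolicyValue  = $lock.__PSLockdownPolicy
        CurrentLanguageMode  = $ExecutionContext.SessionState.LanguageMode.ToString()
        PSVersion            = $PSVersionTable.PSVersion.ToString()
    }
}

function Set-PowerShellHardening {
    # 1. Script block logging: events land in Microsoft-Windows-PowerShell/Operational as ID 4104.
    $sblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    if (-not (Test-Path $sblKey)) { New-Item -Path $sblKey -Force | Out-Null }
    New-ItemProperty -Path $sblKey -Name EnableScriptBlockLogging -PropertyType DWord -Value 1 -Force | Out-Null

    # 2. Disable the PowerShell 2.0 engine (it predates script block logging and CLM).
    Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null

    # 3. Constrained Language Mode via the registry-backed environment variable.
    #    Value 4 = ConstrainedLanguage; applies to new PowerShell processes only.
    #    Microsoft does not treat this variable as a security boundary: a WDAC or
    #    AppLocker policy in enforce mode is what makes CLM stick.
    New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' `
                     -Name __PSLockdownPolicy -PropertyType String -Value '4' -Force | Out-Null
}

function Get-BlockedScriptEvents {
    # The events a SIEM should be collecting for "blocked script executions are logged".
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    # AppLocker 8007 = script blocked by an enforced rule (when AppLocker is the enforcement tool).
    $applocker = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-AppLocker/MSI and Script'; Id = 8007; StartTime = $since
    } -ErrorAction SilentlyContinue
    # 4104 at Warning level (3) = a script block PowerShell itself flagged as suspicious.
    $suspicious = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; Level = 3; StartTime = $since
    } -ErrorAction SilentlyContinue
    [pscustomobject]@{ AppLockerBlocked = @($applocker).Count; SuspiciousScriptBlocks = @($suspicious).Count }
}

# Usage: record the state before and after, and confirm the counters are being shipped to the SIEM.
Get-PowerShellHardeningState | Format-List
Set-PowerShellHardening
Get-BlockedScriptEvents -Hours 24 | Format-List
```

Run Get-PowerShellHardeningState again from a fresh PowerShell window after the change: CurrentLanguageMode only reads ConstrainedLanguage in processes started after __PSLockdownPolicy was set, and the v2 feature state only updates after the optional-feature change completes.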
Finally, at Maturity Level 3, these logs will need to be ingested into a SIEM service. Calibre 1 are happy to assist in setting up and monitoring the SIEM service as part of our ongoing security offering. Tools like Azure Sentinel, FortiSIEM, Splunk and Elastic are all great examples.
References
ACSC Office Hardening Guidance
ACSC Web Hardening Guidance: https://www.cyber.gov.au/acsc/government/web-hardening-guidance
ACSC System Hardening Guidance: https://www.cyber.gov.au/acsc/view-all-content/advice/guidelines-system-hardening