This section of the ISM provides guidance on application hardening.

Application selection

When selecting applications it is important that organisations preference vendors that have demonstrated a commitment to secure coding practices and have a strong track record of maintaining the security of their applications. This will assist not only with hardening applications but also increase the likelihood that vendors will release timely patches to remediate any security vulnerabilities in their applications.

Security Control: 0938; Revision: 4; Updated: Sep-18; Applicability: O, P, S, TS
Applications are chosen from vendors that have made a commitment to secure development and maintenance practices.

Application versions

Newer versions of applications often introduce improvements in security functionality over older versions. This can make it more difficult for an adversary to craft reliable exploits for security vulnerabilities they discover. Using older versions of applications, especially key business applications such as office productivity suites (e.g. Microsoft Office), Portable Document Format (PDF) viewers (e.g. Adobe Reader), web browsers (e.g. Microsoft Internet Explorer, Mozilla Firefox or Google Chrome), common web browser plugins (e.g. Adobe Flash), email clients (e.g. Microsoft Outlook) and software platforms (e.g. Oracle Java Platform and Microsoft .NET Framework), exposes organisations to exploitation techniques that have since been mitigated in newer versions of applications.

Security Control: 1467; Revision: 1; Updated: Sep-18; Applicability: O, P, S, TS
The latest releases of key business applications such as office productivity suites, PDF viewers, web browsers, common web browser plugins, email clients and software platforms are used when present within SOEs.

Security Control: 1483; Revision: 0; Updated: Sep-18; Applicability: O, P, S, TS
The latest releases of web server software, server applications that store important data, and other internet-accessible server applications are used when present within SOEs.

Hardening application configurations

By default, many applications enable functionality that is not required by users, while security functionality may be disabled or set at a lower security level. This is especially risky for key business applications such as office productivity suites, PDF viewers, web browsers, common web browser plugins, email clients and software platforms that are likely to be targeted by an adversary. To help minimise this security risk, the ACSC produces guidance on securely configuring key business applications. Vendors may also provide their own security guides for configuring their applications.

Security Control: 1412; Revision: 2; Updated: Feb-19; Applicability: O, P, S, TS
ACSC and vendor guidance is implemented to assist in hardening the configuration of Microsoft Office, web browsers and PDF viewers.

Security Control: 1484; Revision: 1; Updated: Jan-19; Applicability: O, P, S, TS
Web browsers are configured to block or disable support for Flash content.

Security Control: 1485; Revision: 0; Updated: Sep-18; Applicability: O, P, S, TS
Web browsers are configured to block web advertisements.

Security Control: 1486; Revision: 0; Updated: Sep-18; Applicability: O, P, S, TS
Web browsers are configured to block Java from the internet.

Security Control: 1541; Revision: 0; Updated: Jan-19; Applicability: O, P, S, TS
Microsoft Office is configured to disable support for Flash content.

Security Control: 1542; Revision: 0; Updated: Jan-19; Applicability: O, P, S, TS
Microsoft Office is configured to prevent activation of Object Linking and Embedding packages.

Security Control: 1470; Revision: 3; Updated: Mar-19; Applicability: O, P, S, TS
Any unrequired functionality in Microsoft Office, web browsers and PDF viewers is disabled.

Security Control: 1235; Revision: 2; Updated: Apr-19; Applicability: O, P, S, TS
The use of Microsoft Office, web browser and PDF viewer add-ons is restricted to organisation approved add-ons.

Security Control: 1601; Revision: 0; Updated: Aug-20; Applicability: O, P, S, TS
If supported, Microsoft’s Attack Surface Reduction rules are implemented.

Security Control: 1585; Revision: 0; Updated: Aug-20; Applicability: O, P, S, TS
Standard users are prevented from bypassing, disabling or modifying security functionality of applications.
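The following PowerShell audit, added here as an example and not ACSC's or Microsoft's own tooling, reports whether the Windows Defender Attack Surface Reduction rules that cover Office and email-borne content are enforced (Control 1601). The rule GUIDs are taken from Microsoft's ASR rules reference and should be verified against current documentation; the action codes are those returned by Get-MpPreference.

```powershell
# Added example (not ACSC or Microsoft tooling): audit the ASR rules relevant to
# Office and email content. Run in an elevated PowerShell on a workstation with
# Microsoft Defender Antivirus. GUIDs assumed from Microsoft's ASR reference.
$OfficeRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
}
# Action codes reported by Get-MpPreference: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
$ActionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

$pref    = Get-MpPreference
$ids     = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)

# Map each configured rule id to its action; the two arrays are index-aligned.
$configured = @{}
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i]) { $configured[[string]$ids[$i]] = [int]$actions[$i] }
}

foreach ($id in $OfficeRules.Keys) {
    $action = $configured[$id]          # $null when the rule is not configured at all
    $state  = if ($null -eq $action) { 'Not configured' } else { $ActionName[$action] }
    # Only Block enforces the rule; Audit and Warn still leave the attack surface open.
    $verdict = if ($action -eq 1) { 'PASS' } else { 'FAIL' }
    "{0} {1,-15} {2}" -f $verdict, $state, $OfficeRules[$id]
}
```

Rules reported as Audit are a sensible staging step before enforcement, but Control 1601 is only met once they are set to Block.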

Microsoft Office macros

Microsoft Office files can contain embedded code (known as a macro) written in the Visual Basic for Applications programming language. A macro can contain a series of commands that can be coded or recorded, and replayed at a later time to automate repetitive tasks. Macros are powerful tools that can be easily created by users to greatly improve their productivity. However, an adversary can also create macros to perform a variety of malicious activities, such as helping to compromise workstations in order to exfiltrate or deny access to sensitive or classified information. To reduce this security risk, organisations should disable or secure their use of Microsoft Office macros.

Security Control: 1487; Revision: 0; Updated: Sep-18; Applicability: O, P, S, TS
Microsoft Office macros are only allowed to execute in documents from Trusted Locations where write access is limited to personnel whose role is to vet and approve macros.

Security Control: 1488; Revision: 0; Updated: Sep-18; Applicability: O, P, S, TS
Microsoft Office macros in documents originating from the internet are blocked.

Security Control: 1489; Revision: 0; Updated: Sep-18; Applicability: O, P, S, TS
Microsoft Office macro security settings cannot be changed by users.
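The following PowerShell audit, added here as an example rather than ACSC tooling, checks Controls 1487 to 1489 together: it reads the Group Policy macro settings for Word, Excel and PowerPoint from the policy hive (values set there cannot be changed by users, which is what Control 1489 requires), confirms macros from the internet are blocked, and tests whether each configured Trusted Location is writable by standard users. It assumes Office 2016, 2019 or Microsoft 365 (policy key 16.0) and treats membership of the built-in Users, Authenticated Users or Everyone groups as standard-user access.

```powershell
# Added example (not ACSC tooling): audit Office macro policy against Controls 1487-1489.
# Assumes the "16.0" policy key (Office 2016/2019/Microsoft 365); adjust for other releases.
$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'
$PolicyRoot = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion"
# Identities whose write access to a Trusted Location would let any user plant a macro.
# This is a heuristic: custom groups containing standard users are not resolved.
$BroadWriters = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone'
$WriteBit = [System.Security.AccessControl.FileSystemRights]::WriteData

foreach ($app in $Apps) {
    $sec = "$PolicyRoot\$app\Security"
    $p = Get-ItemProperty -Path $sec -ErrorAction SilentlyContinue

    # VBAWarnings = 4 disables all macros without notification, so only Trusted
    # Locations can run them (Control 1487). A value absent from the policy hive means
    # the user can change the setting from the Trust Center (fails Control 1489).
    $vba = $p.VBAWarnings
    $vbaState = if ($null -eq $vba) { 'not set by policy' } else { $vba }
    $vbaVerdict = if ($vba -eq 4) { 'PASS' } else { 'FAIL' }
    # blockcontentexecutionfrominternet = 1 blocks macros in files marked as
    # originating from the internet (Control 1488).
    $motwVerdict = if ($p.blockcontentexecutionfrominternet -eq 1) { 'PASS' } else { 'FAIL' }
    "{0}: VBAWarnings={1} ({2}); block macros from internet: {3}" -f $app, $vbaState, $vbaVerdict, $motwVerdict

    # Each Trusted Location is a subkey LocationN holding a Path value.
    Get-ChildItem -Path "$sec\Trusted Locations" -ErrorAction SilentlyContinue | ForEach-Object {
        $path = (Get-ItemProperty -Path $_.PSPath).Path
        if (-not $path -or -not (Test-Path -LiteralPath $path)) {
            "  Trusted Location '$path': path not found"
            return
        }
        # Standard users must not be able to write into a Trusted Location (Control 1487).
        $acl = Get-Acl -LiteralPath $path
        $writable = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $BroadWriters -contains $_.IdentityReference.Value -and
            (($_.FileSystemRights -band $WriteBit) -ne 0)
        }
        $tlVerdict = if ($writable) { 'FAIL (writable by standard users)' } else { 'PASS' }
        "  Trusted Location '$path': $tlVerdict"
    }
}
```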

Further information

Further information on patching applications can be found in the system patching section of the Guidelines for System Management.

Further information on securely configuring Microsoft Office can be found in the following ACSC publications:

Further information on configuring Microsoft Office macro settings can be found in the ACSC’s Microsoft Office Macro Security publication at https://www.cyber.gov.au/acsc/view-all-content/publications/microsoft-office-macro-security.

Further information on configuring Microsoft Office to block macros in documents originating from the internet can be found at https://www.microsoft.com/security/blog/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/.