Understanding the Essential Eight: Application Whitelisting and User Application Hardening

If you’ve been keeping up with our Understanding the Essential Eight series, over the past two weeks we’ve covered what the Essential Eight is and how you can get started with patching best practices. This week, we’ll take you through application whitelisting and user application hardening—two important areas that are often overlooked.


What Are Application Whitelisting and User Application Hardening?

Application whitelisting (AWL) controls the software that is allowed to run on a computer. While many businesses use this to control things like employee access to various social media platforms or binging Netflix during working hours, it also deserves serious consideration for security reasons.

Access to applications like a personal Dropbox or file-sharing applications could open you up to data theft. By leveraging application whitelisting, you can restrict this access in the work environment and also block the execution of unapproved and/or malicious programs.

User application hardening (UAH) allows only the required areas of a given application to run. By limiting applications to doing only what they are supposed to do, you reduce the risk of abnormal tasks being executed.

Specifically, the Essential Eight refers to application hardening to control browser plugins such as Flash, Java and web-advertisement content. By preventing this potentially malicious content from running, you greatly reduce the chances of attack, as it can sidestep standard antivirus monitoring.

What Are the Advantages of Implementing These Standards?

The most obvious advantage is increased security—the basis of the Essential Eight as a whole.

For AWL, you are ensuring that your clients and their users only use approved, whitelisted software that has been deemed safe, while also reducing the chances of a data breach and/or data theft. You can also prevent potentially devastating zero-day attacks by not having unapproved software installed on a device that you, the MSP, will potentially need to patch. Blacklisting applications would be extremely difficult to manage because of the sheer number of applications on the market today, with even more being released every day. Whitelisting is simple: allow only what your clients need, and block everything else.
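The whitelist-versus-blacklist argument above, as an added example that is not part of the original article: a small Python model comparing a default-deny hash whitelist, a name-only whitelist and a default-allow blacklist against five constructed launch attempts. The program names, file contents and policy functions are all hypothetical.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Program:
    name: str
    content: bytes  # stands in for the executable's bytes on disk


def digest(p: Program) -> str:
    return hashlib.sha256(p.content).hexdigest()


# All sample programs below are constructed for this illustration.
APPROVED = [Program("ledger.exe", b"accounting suite 4.2"),
            Program("mail.exe", b"mail client 12.0")]
KNOWN_BAD = [Program("locker.exe", b"ransomware sample already catalogued")]

ALLOW_HASHES = {digest(p) for p in APPROVED}   # whitelist: default deny
ALLOW_NAMES = {p.name for p in APPROVED}       # weaker, name-only whitelist
DENY_HASHES = {digest(p) for p in KNOWN_BAD}   # blacklist: default allow


def whitelist_by_hash(p: Program) -> bool:
    return digest(p) in ALLOW_HASHES


def whitelist_by_name(p: Program) -> bool:
    return p.name in ALLOW_NAMES


def blacklist_by_hash(p: Program) -> bool:
    return digest(p) not in DENY_HASHES


def decisions(p: Program) -> dict:
    """True means the launch is permitted under that policy."""
    return {"whitelist_hash": whitelist_by_hash(p),
            "whitelist_name": whitelist_by_name(p),
            "blacklist_hash": blacklist_by_hash(p)}


LAUNCHES = {
    "approved app": APPROVED[0],
    "personal file-sync client": Program("sync.exe", b"personal file sync 3.1"),
    "catalogued malware": KNOWN_BAD[0],
    "new, uncatalogued malware": Program("invoice.exe", b"fresh ransomware build"),
    "tampered copy of approved app": Program("ledger.exe", b"accounting suite 4.2 + implant"),
}

if __name__ == "__main__":
    for label, prog in LAUNCHES.items():
        print(f"{label:32}", decisions(prog))
```

Only the hash whitelist blocks both the uncatalogued malware and the tampered copy; the blacklist permits anything it has not already seen, and the name-only whitelist trusts a file because of what it is called.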

UAH is a very similar story. By disabling add-ons like Flash and Java, there are fewer applications you need to worry about patching. Why would you need to patch something that isn’t allowed to be used? Utilising the vulnerabilities in these types of add-ons is a hacker’s favourite route. They are simple but effective methods for spreading their nefarious agendas—hence why we covered application patching in our blog last month.

In particular, Flash is considered to be a dated technology and is already on its way out. Google and Firefox have already started phasing it out, and many web developers are working with other tools. While this is great news and a step in the right direction, there are still millions of websites using it. So, for now, we still have to live with it.

Having good standards for these applications is just good business, and it shows your clients that you are providing a service that many other MSPs probably aren’t. In turn, this further solidifies your position as a ‘trusted advisor’ to your clients.

What Are the Disadvantages?

This may become yet another thing to add to your “to manage” list. You may have to take on additional overhead to implement good standards, review and whitelist your clients’ applications, and deal with users requesting to install software that has not been added to the approved list.

While this may seem like a burden your business doesn’t need right now, once you have set up good policies, this typically manages itself. If you think about it, why does an accountant need access to their Facebook app on their work laptop? They can use their smartphone like a normal person.

So, as Long as Patching Is Done, I Don’t Need to Worry About This?

Technically, yes. While patching standards are extremely important, and one of the core offerings around any managed services agreement, realistically, how confidently can you say that all your clients’ desktops, servers and applications are up-to-date 100 percent of the time?

By adding security layer upon layer upon layer, you are ensuring that you are further reducing the chances of an attack. To use another analogy, think of a sieve that you may use to sift flour. With one, the flour typically falls right through with a bit of filtering. But if you start layering multiple sieves on top of each other, you are making it harder and harder for the flour to fall through.

I am sure you can see a pattern forming here, and it will continue throughout this series. This layered approach is why it’s called the Essential Eight, not the Essential One.


Click here to read part four on Microsoft Office settings and administrative privileges.

