Part 4 of our comprehensive Essential Eight cybersecurity series for Australian businesses.
What is User Application Hardening?
User Application Hardening involves configuring everyday applications so that they are more resistant to attack. These are the applications your staff use daily: web browsers, PDF readers, office suites, and email clients.
While patching addresses known vulnerabilities and macro settings address one specific attack vector, hardening goes further: it disables or restricts features that are rarely needed for business but are commonly abused by attackers.
Key Areas for Application Hardening
Web Browser Hardening
Web browsers are the primary gateway to the internet—and a favourite target for attackers.
- Block or disable Flash (now end-of-life)
- Disable Java plugins and unnecessary extensions
- Enable click-to-play for plugins
- Block ads and known malicious sites
- Enforce HTTPS where possible
- Disable password saving in browsers
PDF Reader Hardening
PDF readers, especially Adobe Acrobat, have historically been rich targets.
- Disable JavaScript execution in PDFs
- Enable Protected View/sandbox mode
- Block embedded objects and multimedia
- Disable automatic attachment opening
- Keep reader software updated (see Patch Applications)
Microsoft Office Hardening
Beyond macro settings (covered in Part 3), Office applications have additional hardening options.
- Enable Protected View for files from the internet
- Block OLE object insertion
- Disable DDE (Dynamic Data Exchange)
- Restrict ActiveX controls
- Enable Application Guard for Office (if available)
Maturity Levels
Maturity Level One
- Block web advertisements
- Block Java from the internet
- Disable Flash (or uninstall completely)
- Disable unneeded browser features
Maturity Level Two
- Block web-based Java and Flash in PDF readers
- Disable OLE in Microsoft Office
- Browser extension allowlisting
Maturity Level Three
- Comprehensive browser hardening via Group Policy
- Application sandboxing and isolation
- Continuous configuration compliance monitoring
Implementation Approach
1. Baseline current configurations across your environment
2. Develop hardening standards based on ACSC guidance
3. Test configurations in a pilot group
4. Deploy via Group Policy or MDM solutions
5. Monitor compliance and remediate drift
6. Document exceptions with risk acceptance
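As an added example (not from the article or Cloudscape IT), the script below audits a Windows workstation against a small hardening baseline drawn from the controls listed earlier, supporting the baseline and drift-monitoring steps. The registry paths and values are an assumption taken from the vendor policy templates (Office 16.0, Acrobat Reader DC FeatureLockDown, Chrome and Edge machine policies) and should be confirmed against the ADMX templates actually deployed in your environment.

```powershell
# Added example (not from the article): audit a workstation against an
# application-hardening baseline and report drift. Registry paths are an
# assumption taken from the vendor policy templates (Office 16.0, Acrobat
# Reader DC, Chrome/Edge HKLM policies); confirm them against the ADMX
# versions deployed in your environment before relying on the results.
$Baseline = @(
    @{ Control = 'PDF: JavaScript disabled';
       Path = 'HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown';
       Name = 'bDisableJavaScript'; Expected = 1 },
    @{ Control = 'PDF: Protected Mode (sandbox) on';
       Path = 'HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown';
       Name = 'bProtectedMode'; Expected = 1 },
    @{ Control = 'Office: Protected View for internet files';
       Path = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security\ProtectedView';
       Name = 'DisableInternetFilesInPV'; Expected = 0 },
    @{ Control = 'Office: block OLE packager objects';
       Path = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security';
       Name = 'PackagerPrompt'; Expected = 2 },
    @{ Control = 'Office: Excel DDE server launch disabled';
       Path = 'HKCU:\Software\Microsoft\Office\16.0\Excel\Options';
       Name = 'DisableDDEServerLaunch'; Expected = 1 },
    @{ Control = 'Office: all ActiveX disabled';
       Path = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Common\Security';
       Name = 'DisableAllActiveX'; Expected = 1 },
    @{ Control = 'Chrome: password saving off';
       Path = 'HKLM:\SOFTWARE\Policies\Google\Chrome';
       Name = 'PasswordManagerEnabled'; Expected = 0 },
    @{ Control = 'Edge: password saving off';
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge';
       Name = 'PasswordManagerEnabled'; Expected = 0 }
)

function Test-HardeningBaseline {
    param([array]$Checks)
    foreach ($c in $Checks) {
        # A missing key or value counts as drift: the policy was never applied.
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $actual = if ($null -ne $item) { $item.($c.Name) } else { $null }
        [pscustomobject]@{
            Control  = $c.Control
            Expected = $c.Expected
            Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
            Status   = if ($actual -eq $c.Expected) { 'OK' } else { 'DRIFT' }
        }
    }
}

$results = Test-HardeningBaseline -Checks $Baseline
$results | Format-Table -AutoSize
# A non-zero exit code lets a scheduled task or RMM job flag the host for remediation.
if ($results | Where-Object Status -eq 'DRIFT') { exit 1 } else { exit 0 }
```

Run it under the user context whose HKCU hive you want to audit, since the Office checks read per-user policy keys; extend the `$Baseline` table as your hardening standard grows.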
Balancing Security and Usability
Some hardening measures may impact functionality. Work with business units to:
- Identify legitimate use cases for disabled features
- Provide alternative solutions where possible
- Implement exceptions with compensating controls
- Review exceptions periodically
Next Steps
User Application Hardening reduces your attack surface, but you also need to limit what attackers can do if they get in. Our next article covers Restrict Administrative Privileges—the principle of least privilege.
Want help hardening your applications? Cloudscape IT can assess your current configurations and implement Essential Eight-aligned hardening. Contact us today.
---
This article is part of our Essential Eight cybersecurity series.


