Essential Eight · Control 1

1. Application Control

Prevent unauthorised software from executing on workstations and servers.

Why this matters

The most effective single control against ransomware and malware — blocks execution of unapproved code regardless of how it arrives.

Maturity-level breakdown

Maturity Level 1
Application control implemented on workstations to prevent execution of unapproved executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets from within standard user profiles and temporary folders.
Maturity Level 2
Application control implemented on workstations and internet-facing servers. Application control rulesets reviewed and validated on at least an annual basis. Microsoft's recommended application blocklist implemented.
Maturity Level 3
Application control implemented on all servers as well as workstations. Application control rulesets validated via automated tooling. Windows Defender Application Control (WDAC) preferred over AppLocker where the operating system supports it.

Common gaps we see at ML2 assessments

  • Not applied to servers (only workstations)
  • Allow-list not reviewed after staff or vendor changes
  • Legacy AppLocker rules with unsigned hashes

EDUC4TE has helped Australian organisations close these specific gaps — see the IRAP readiness guidance.

Mapped ISM controls
ISM-1490 · ISM-1491 · ISM-1492
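
The ML1 scope and the gaps listed above can be checked mechanically against an AppLocker policy exported as XML (for example with `Get-AppLockerPolicy -Effective -Xml`). The script below is an added example, not EDUC4TE's assessment tooling; the sample policy, its rule names and the path markers are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the AppLocker policy XML layout; not a real policy.
SAMPLE_POLICY = r"""<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="r1" Name="Program Files" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*"/></Conditions>
    </FilePathRule>
    <FilePathRule Id="r2" Name="Vendor updater" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\Local\Temp\*"/></Conditions>
    </FilePathRule>
    <FileHashRule Id="r3" Name="legacy-tool.exe" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FileHashCondition>
        <FileHash Type="SHA256" Data="0x00" SourceFileName="legacy-tool.exe" SourceFileLength="1"/>
      </FileHashCondition></Conditions>
    </FileHashRule>
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="AuditOnly"/>
  <RuleCollection Type="Msi" EnforcementMode="Enabled"/>
</AppLockerPolicy>"""

REQUIRED = ("Exe", "Dll", "Script", "Msi")  # executables, libraries, scripts, installers
USER_WRITABLE = ("\\users\\", "\\temp\\")    # assumed markers for profile and temp paths

def audit(policy_xml):
    """Return (collection, rule name, issue) findings for an AppLocker XML export."""
    root = ET.fromstring(policy_xml)
    collections = {c.get("Type"): c for c in root.iter("RuleCollection")}
    findings = []
    for kind in REQUIRED:  # every ML1 file type needs a collection that is enforced
        coll = collections.get(kind)
        mode = coll.get("EnforcementMode", "NotConfigured") if coll is not None else "missing"
        if mode != "Enabled":
            findings.append((kind, "-", f"not enforced ({mode})"))
    for kind, coll in collections.items():
        for rule in coll:
            if rule.get("Action") != "Allow":
                continue  # deny rules do not widen the allow-list
            name = rule.get("Name", rule.get("Id", "?"))
            if rule.tag == "FileHashRule":
                findings.append((kind, name, "hash rule: review, prefer publisher rule if signed"))
            for cond in rule.findall("Conditions/FilePathCondition"):
                if any(m in cond.get("Path", "").lower() for m in USER_WRITABLE):
                    findings.append((kind, name, "allow rule covers a user profile or temp path"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICY):
        print(*finding, sep=" | ")
```

Running the same export through the script from each workstation and server group and comparing the findings shows where enforcement differs between them.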