Essential Eight · Control 4
4. User Application Hardening
Harden browsers and other internet-facing applications to reduce attack surface.
Why this matters
Browsers are the primary attack surface for most Australian organisations. Internet Explorer 11 must be disabled or removed at all maturity levels (Nov 2023 update).
Maturity-level breakdown
Maturity Level 1
Web browsers do not process Java from the internet. Web browsers do not process web advertisements from the internet. Internet Explorer 11 is disabled or removed. Web browser security settings cannot be changed by users.
Maturity Level 2
ASD and vendor hardening guidance for Microsoft Office, web browsers, and PDF software is implemented — where guidance conflicts, the more stringent applies. PowerShell module logging, script block logging, and transcription events are enabled.
Maturity Level 3
Command line process creation events are centrally logged. .NET Framework 3.5 (including .NET 2.0 and 3.0) is disabled or removed. Windows PowerShell 2.0 is disabled or removed. Windows Script Host is disabled.
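The following is an added, read-only audit script (not ASD's or this page's code) that checks the local registry and Windows optional-feature state behind the ML1 to ML3 items above; the feature names and policy keys are the standard Windows ones, and it assumes an elevated PowerShell session on a domain-joined workstation. It cannot tell whether the logged events are forwarded to a central collector, which is a separate check.

```powershell
# Added example: audits the settings behind Essential Eight Control 4 items.
# Read-only: it changes nothing. Run elevated (Get-WindowsOptionalFeature needs it).

function Test-RegistryDword {
    param([string]$Path, [string]$Name, [int]$Expected)
    $actual = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    [pscustomobject]@{
        Check    = "$Path\$Name"
        Expected = $Expected
        Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
        Pass     = ($actual -eq $Expected)
    }
}

function Test-FeatureDisabled {
    param([string]$FeatureName, [string]$Label)
    $f = Get-WindowsOptionalFeature -Online -FeatureName $FeatureName -ErrorAction SilentlyContinue
    # 'Absent' is reported explicitly so an assessor can tell "removed" from "never present"
    $state = if ($null -eq $f) { 'Absent' } else { [string]$f.State }
    [pscustomobject]@{
        Check    = $Label
        Expected = 'Disabled/Absent'
        Actual   = $state
        Pass     = ($state -ne 'Enabled')
    }
}

$ps = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$results = @(
    # ML1: Internet Explorer 11 disabled or removed
    Test-FeatureDisabled 'Internet-Explorer-Optional-amd64' 'ML1 Internet Explorer 11'
    # ML2: PowerShell module, script block and transcription logging enabled
    Test-RegistryDword "$ps\ModuleLogging"      'EnableModuleLogging'      1
    Test-RegistryDword "$ps\ScriptBlockLogging" 'EnableScriptBlockLogging' 1
    Test-RegistryDword "$ps\Transcription"      'EnableTranscripting'      1
    # ML3: .NET Framework 3.5 and Windows PowerShell 2.0 disabled or removed
    Test-FeatureDisabled 'NetFx3' 'ML3 .NET Framework 3.5'
    Test-FeatureDisabled 'MicrosoftWindowsPowerShellV2Root' 'ML3 Windows PowerShell 2.0'
    # ML3: command line included in process creation (event ID 4688) records
    Test-RegistryDword 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' 'ProcessCreationIncludeCmdLine_Enabled' 1
    # ML3: Windows Script Host disabled (Enabled = 0; no value means enabled)
    Test-RegistryDword 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' 'Enabled' 0
)

$results | Format-Table -AutoSize
```

Event 4688 also needs the "Process Creation" audit subcategory turned on; confirm that separately with `auditpol /get /subcategory:"Process Creation"`.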
Common gaps we see at ML2 assessments
- Internet Explorer 11 still present on legacy or rarely-imaged systems
- Only ASD hardening guidance applied, not vendor — or vice versa
- PowerShell script-block logging configured but not collected centrally