Application Control and User Application Hardening With Tenable

The Essential Eight strategies Application Control and User Application Hardening are closely related, and some of the mapped ISM controls that can be confirmed are ISM-1654, ISM-1621, ISM-1655, ISM-1486, ISM-1544 and ISM-1659. These ISM controls are related to ensuring application blocklists are implemented and that services and applications like Internet Explorer 11, PowerShell 2.0 and .NET Framework 3.5 are disabled or removed altogether. At certain maturity levels the use of an application control solution like Microsoft’s AppLocker is required. Tenable Vulnerability Management can search for assets with blocklisted applications using several methods. The first method uses the CPE filter, specifically looking for assets with matching application CPE strings. For example, ASD recommends not using browsers that run Java, which means browsers like Internet Explorer or some older versions of Firefox.

Utilising the CPE filter, the user can use a string like “cpe:/a:microsoft:internet_explorer:*” to look for any asset on which Internet Explorer has been found installed.

This query can be replicated by selecting Advanced in the Findings page and inputting the following query string: “CPE is equal to cpe:/a:microsoft:internet_explorer*”

Another method of looking for blocklisted applications is using the Plugin Name filter. Many applications have detection plugins which fire when Nessus scans the target. To search using the plugin name, and using the same example as above, the user could use the following string to search for assets with Internet Explorer: “Plugin Name is equal to Internet Explorer*”

The operator in a query using that string should be “is equal to”; this ensures the asterisks in the string are treated as wildcards, so the query behaves as a regex match. An alternative query can be made by using the “contains” operator instead and inputting just “internet explorer”.

Implementing similar queries is also possible using Tenable Security Center by utilising the same filters.

As previously mentioned, an application control solution is required at certain maturity levels, and Tenable can assist in identifying whether an asset has one installed. Tenable has detection plugins that help identify several third-party application control solutions:

Plugin ID   Plugin Name
73149       Windows AppLocker Installed
151129      VMware Carbon Black App Control Installed (Windows)
87923       McAfee Application Control / Change Control Installed
135408      Trend Micro Deep Security Agent Installed (Linux)
135409      Trend Micro Deep Security Agent Installed (Windows)
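The CPE and plugin-name queries described above, and the check for which assets have none of the application control plugins in the table, can be applied offline to exported findings. The following is an added example, not Tenable's own code or API: the finding records are constructed, their field layout is an assumption rather than the real export schema, plugin IDs 999001 and 999002 are placeholders, and the asterisk wildcard is modelled with fnmatch.

```python
import fnmatch

# Plugin IDs from the table above: each detects an application control solution.
APP_CONTROL_PLUGINS = {73149, 151129, 87923, 135408, 135409}

# Constructed sample findings. Plugin IDs 999001/999002 and their names are
# placeholders, not real Nessus plugins; the record layout is an assumption.
FINDINGS = [
    {"asset": "ws01", "plugin_id": 73149, "plugin_name": "Windows AppLocker Installed", "cpes": []},
    {"asset": "ws01", "plugin_id": 999001, "plugin_name": "Internet Explorer Detection",
     "cpes": ["cpe:/a:microsoft:internet_explorer:11"]},
    {"asset": "ws02", "plugin_id": 999002, "plugin_name": "Mozilla Firefox Detection",
     "cpes": ["cpe:/a:mozilla:firefox:52.0"]},
    {"asset": "srv01", "plugin_id": 151129,
     "plugin_name": "VMware Carbon Black App Control Installed (Windows)", "cpes": []},
    {"asset": "srv02", "plugin_id": 135409,
     "plugin_name": "Trend Micro Deep Security Agent Installed (Windows)", "cpes": []},
    {"asset": "srv02", "plugin_id": 999001, "plugin_name": "Internet Explorer Detection",
     "cpes": ["cpe:/a:microsoft:internet_explorer:11"]},
]


def assets_with_cpe(findings, pattern):
    """Assets with a CPE matching a wildcard pattern such as cpe:/a:microsoft:internet_explorer:*"""
    return {f["asset"] for f in findings
            if any(fnmatch.fnmatchcase(c, pattern) for c in f["cpes"])}


def assets_with_plugin_name(findings, needle):
    """Assets with a finding whose plugin name contains needle (case-insensitive 'contains')."""
    return {f["asset"] for f in findings if needle.lower() in f["plugin_name"].lower()}


def assets_without_app_control(findings, control_plugins=APP_CONTROL_PLUGINS):
    """Assets on which none of the application control detection plugins fired."""
    all_assets = {f["asset"] for f in findings}
    covered = {f["asset"] for f in findings if f["plugin_id"] in control_plugins}
    return all_assets - covered


if __name__ == "__main__":
    print("IE by CPE:", sorted(assets_with_cpe(FINDINGS, "cpe:/a:microsoft:internet_explorer:*")))
    print("IE by plugin name:", sorted(assets_with_plugin_name(FINDINGS, "internet explorer")))
    print("No application control:", sorted(assets_without_app_control(FINDINGS)))
```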

Tenable Host Audit Scanning is an alternative way to identify the presence of some of these solutions and, in some cases, their configurations. Tenable Host Audit Scanning supports the use of Microsoft Security Compliance Toolkit (MSCT) benchmarks.

Using MSCT benchmarks, an organisation is able to determine more specialised information about the setup of solutions like Microsoft’s AppLocker. For example, the MSCT Windows Server 2022 DC v1.0.0 audit file contains checks like "AppLocker - Block Microsoft Internet Explorer" and "AppLocker - Block Google Chrome." Audit names like these can assist the organisation in verifying specific AppLocker configurations.

ISM control 0843 states that Application Control should be implemented on workstations, so Host Audit Scanning can be used to verify this. ISM control 1490 states that all internet-facing servers must also have Application Control implemented; this can also be verified by running the audit against a set of targets based on a tag or dynamic asset list consisting of the organisation’s internet-facing assets. Refer to the Tagging and Dynamic Asset Lists section for tips on building those tags and lists.