E8 Guide | User Application Hardening

This article explains how Devicie supports the user application hardening controls recommended by the ACSC Essential Eight.

User applications such as web browsers and PDF readers are common attack targets. Hardening these applications reduces the risk of exploitation by disabling or blocking features that are rarely required for business but often abused by attackers, such as Java, Flash, and certain browser content. The ACSC recommends disabling unnecessary features, removing outdated applications, and enforcing secure settings that cannot be bypassed by users. Devicie supports this strategy by providing pre-configured hardening policies for supported browsers and applications, deployed through Intune.

What's Covered

Devicie supports the following controls related to user application hardening:

  • Disabling or removing Internet Explorer 11.

  • Blocking Java from running in supported browsers.

  • Preventing browsers from processing web advertisements.

  • Locking browser security settings so they cannot be changed by users.

  • Applying policies to Microsoft Edge and Google Chrome (where deployed).

What’s Not Covered

The following areas are outside Devicie’s scope and remain the responsibility of the customer:

  • Hardening or policy enforcement for unsupported browsers (e.g. Firefox).

  • Detection or removal of unsupported plugins or extensions installed manually.

  • Applying controls to unmanaged personal devices (BYOD).

  • Full web content filtering — Devicie configures browser restrictions but does not operate as a filtering service.

Potential Impact and Callouts

When implementing this Essential Eight mitigation strategy, it's important to understand the impacts on your environment and end users so that you can better plan your change processes.

  • Disabling Internet Explorer may affect legacy applications that rely on it.

  • Blocking Java may disrupt applications that require it for legitimate purposes.

  • Some browser restrictions may cause compatibility issues with certain websites.

  • Coordination with other security baselines is recommended to prevent policy conflicts.

Devicie Delivered Controls

ML1

  • Internet Explorer 11 is disabled or removed.

  • Web browser security settings cannot be changed by users.

  • Web browsers do not process Java from the internet.

  • Web browsers do not process web advertisements from the internet.

ML2

  • Command line process creation events are centrally logged.

  • Microsoft Office is blocked from creating child processes.

  • Microsoft Office is blocked from creating executable content.

  • Microsoft Office is blocked from injecting code into other processes.

  • Microsoft Office is configured to prevent activation of Object Linking and Embedding packages.

  • Office productivity suite security settings cannot be changed by users.

  • Office productivity suites are hardened using ASD and vendor hardening guidance, with the most restrictive guidance taking precedence when conflicts occur.

  • PDF software is blocked from creating child processes.

  • PDF software is hardened using ASD and vendor hardening guidance, with the most restrictive guidance taking precedence when conflicts occur.

  • PDF software security settings cannot be changed by users.

  • PowerShell module logging, script block logging and transcription events are centrally logged.

  • Web browsers are hardened using ASD and vendor hardening guidance, with the most restrictive guidance taking precedence when conflicts occur.

ML3

  • .NET Framework 3.5 (includes .NET 2.0 and 3.0) is disabled or removed.

  • PowerShell is configured to use Constrained Language Mode.

  • Windows PowerShell 2.0 is disabled or removed.

Customer Responsibility

  • ML1: All ML1 controls are covered by Devicie controls.

  • ML2: All ML2 controls are covered by Devicie controls.

  • ML3: All ML3 controls are covered by Devicie controls.

💡 Tip: Use the Devicie Essential Eight report to view all controls broken down by strategy, maturity level and responsibility.