Essential Eight #7: User Application Hardening

This article is the seventh in an eight-part series examining the Australian Cyber Security Centre’s Essential Eight — a baseline set of mitigation strategies recommended for all Australian organisations.


Applications arrive configured for broad compatibility and ease of use — not for security. Features that most users never need, and that attackers frequently exploit, are often enabled by default. User application hardening is the systematic process of removing that unnecessary attack surface: disabling features that serve no legitimate business purpose but represent meaningful risk.

What the Strategy Requires

The ACSC’s guidance on user application hardening focuses primarily on web browsers and the applications users interact with daily. The key requirements include:

Web browsers should be configured to block web advertisements and untrusted or unnecessary content. Support for Java and Flash — both historically significant malware delivery vectors — should be disabled or removed. Where users must access Java content for specific business purposes, it should be restricted to approved sites only.

Microsoft Office should be configured to prevent the activation of OLE objects — the mechanism that lets content such as executable files be embedded within documents. Office applications should also be configured to block child processes — preventing Office from launching other applications, a common technique used by malicious macros and phishing documents even when macro restrictions are in place.

PowerShell, where not required for a user’s role, should be constrained or restricted. Where it is required, execution should be logged. At higher maturity levels, only signed scripts from trusted publishers should be permitted to run.

Reducing the Attack Surface Without Reducing Productivity

A common objection to application hardening is that it will disrupt users. In practice, the features being disabled — Java browser plugins, Flash, OLE object execution, unrestricted PowerShell — are rarely used in normal business operations. Most users are unaware they exist.

The configurations recommended by the ACSC reflect careful analysis of how attackers actually use these features, not theoretical risk. Java browser exploits were a dominant malware delivery mechanism for over a decade. Malicious advertisements on legitimate websites — malvertising — have been used to deliver ransomware to users who visited entirely reputable sites. These are documented, active attack techniques, not hypothetical concerns.

Hardening these configurations is in most cases a one-time administrative task that produces a lasting reduction in attack surface with negligible operational impact.

The Relationship to Other Essential Eight Controls

User application hardening occupies a specific position in the layered defence the Essential Eight constructs. Patching closes known vulnerabilities in applications. Application control prevents unauthorised executables from running. Macro restriction addresses malicious code embedded in documents. User application hardening removes the features and capabilities that attackers use to bridge these controls — delivering payloads through browser features, embedding executable content in documents, or leveraging scripting environments to execute code without ever writing a detectable executable to disk.

Fileless malware — attacks that execute entirely in memory using legitimate system tools and scripting environments — has grown precisely because it bypasses signature-based detection. Hardening the scripting and application execution environment is one of the few structural defences against this class of attack.

Hardening Is Not a One-Time Exercise

Application updates frequently introduce new features or change default configurations. Hardening settings may be overwritten by software updates. An effective approach to user application hardening requires not only initial configuration but periodic verification — confirming that settings remain in place and that new application versions have not introduced new attack surface.

This verification is where cyber hygiene assessment tools and managed security services provide tangible value: treating configuration drift as an ongoing risk to be monitored, not a task to be completed once and forgotten.
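The periodic verification described above can be scripted. The following drift audit is an added example, not code from the article or the ACSC, and it checks the PowerShell logging, execution policy, Office OLE and Office child-process settings from the requirements section. It assumes an elevated session on a Windows host with Microsoft Defender, Office policy keys under the 16.0 hive, and registry paths taken from public Microsoft documentation that should be confirmed against your own Group Policy baseline.

```powershell
# Added example: Essential Eight #7 drift audit (not ACSC or article code).
# Assumptions: run elevated on a Windows host with Microsoft Defender; Office
# policy keys live under the 16.0 hive; registry paths/values come from public
# Microsoft documentation and should be checked against your own GPO baseline.

function Test-RegistryValue {
    param([string]$Path, [string]$Name, $Expected, [string]$Control)
    $actual = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    [pscustomobject]@{
        Control   = $Control
        Expected  = $Expected
        Actual    = if ($null -eq $actual) { '<not set>' } else { $actual }
        Compliant = ($actual -eq $Expected)
    }
}

function Get-HardeningDrift {
    $findings = @()
    $psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    # PowerShell: where it is permitted, execution must be logged.
    $findings += Test-RegistryValue "$psPolicy\ScriptBlockLogging" 'EnableScriptBlockLogging' 1 'PowerShell script block logging'
    $findings += Test-RegistryValue "$psPolicy\ModuleLogging" 'EnableModuleLogging' 1 'PowerShell module logging'
    # PowerShell: higher maturity requires only signed scripts from trusted publishers.
    $exec = Get-ExecutionPolicy -Scope MachinePolicy
    $findings += [pscustomobject]@{ Control = 'PowerShell execution policy (MachinePolicy)'
        Expected = 'AllSigned'; Actual = $exec; Compliant = ($exec -eq 'AllSigned') }
    # Office: OLE package activation blocked (PackagerPrompt 2 = no prompt, no activation).
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $findings += Test-RegistryValue "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security" `
            'PackagerPrompt' 2 "Office $app OLE packages blocked"
    }
    # Office: child processes blocked via the Defender ASR rule
    # 'Block all Office applications from creating child processes' (action 1 = Block).
    $ruleId = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    $action = '<not configured>'
    try {
        $mp = Get-MpPreference
        $ids = @($mp.AttackSurfaceReductionRules_Ids); $acts = @($mp.AttackSurfaceReductionRules_Actions)
        for ($i = 0; $i -lt $ids.Count; $i++) { if ($ids[$i] -ieq $ruleId) { $action = $acts[$i] } }
    } catch { $action = "<Get-MpPreference failed: $($_.Exception.Message)>" }
    $findings += [pscustomobject]@{ Control = 'Office child process block (ASR)'
        Expected = 1; Actual = $action; Compliant = ($action -eq 1) }
    return $findings
}

$results = Get-HardeningDrift
$results | Format-Table Control, Expected, Actual, Compliant -AutoSize
# A non-zero exit code lets a scheduled task or monitoring agent flag drift for follow-up.
if ($results | Where-Object { -not $_.Compliant }) { exit 1 } else { exit 0 }
```

Run it on a schedule after each application or policy update cycle so that a setting overwritten by an update surfaces as a finding rather than going unnoticed.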


This series concludes with Essential Eight #8: Regular Backups.

Further reading: ACSC Essential Eight, Luminol Cyber Hygiene Improvement
