Installation and execution of unauthorized software are prevented
Unauthorized software introduced by employees or attackers is a primary vector for malware, data exfiltration, and persistence. Application control, which restricts what software can run on managed endpoints, adds a layer of defense that patching alone does not: an attacker who lands on an endpoint cannot drop and run their own binaries if only approved applications are permitted to execute. It does not stop code that runs inside an already-approved process, such as an exploit payload in a vulnerable application or a malicious script fed to an approved interpreter, so it complements patching and endpoint detection rather than replacing them.
Implementation steps
1. Define an approved software list for managed endpoints
Maintain a list of software approved for installation on company-managed devices. The list should cover productivity software, developer tools, security tools, and any specialized applications needed for business roles, and should record the expected publisher for each entry so that a repackaged binary with a familiar name does not pass on the name alone. Employees should request additions through a defined process rather than installing ad hoc.
Tools: Confluence, Notion
2. Deploy endpoint protection with application control capabilities
Configure your MDM or endpoint security platform to restrict application installation. At minimum, enforce that software must be signed by a trusted publisher and be installed from an approved source. For high-security environments, use allowlisting to permit only explicitly approved applications, and make sure the rules cover script interpreters and installers as well as conventional applications, since those run code without a visible installation step. Alert on installation or execution attempts outside the approved list, and retain the alerts; they are the evidence an auditor will ask for.
Tools: Jamf, Microsoft Intune, Kandji, CrowdStrike Falcon, Carbon Black
3. Monitor for and investigate unauthorized software
Regularly compare the installed-software inventory from managed devices against the approved list. Review alerts on unauthorized installation attempts. Investigate anomalies: developer tools on finance team machines, remote access tools not provisioned by IT, or scripting runtimes on machines where they are not expected are all worth a second look.
Tools: Microsoft Intune, Jamf, CrowdStrike Falcon, Carbon Black, Qualys
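The three steps above come together in a reconciliation job: take the installed-application inventory the MDM or endpoint platform exports, compare it with the approved list (including expected publishers), and raise findings for anything unapproved, signed by an unexpected publisher, or approved but out of place for the machine's role. The script below is an added example, not code from the original page or from any vendor named above; the catalog, role rules and inventory rows are constructed sample data, and the field names (host, role, name, publisher) are an assumption about what an inventory export contains, not any vendor's schema.

```python
"""Reconcile an endpoint software inventory against an approved-software list.

Added example, not code from the original page or from any MDM/EDR vendor.
The catalog, role rules and inventory rows are constructed sample data; a real
run would read the installed-application export from the MDM or endpoint
platform, and the field names used here (host, role, name, publisher) are an
assumption about that export, not any vendor's schema.
"""
from dataclasses import dataclass

# Approved catalog: product name -> publishers whose signature is trusted for it.
# Matching on name alone is not enough; a repackaged binary with a familiar name
# but a different signer is treated as unapproved.
APPROVED = {
    "Google Chrome": {"Google LLC"},
    "Microsoft Office": {"Microsoft Corporation"},
    "Slack": {"Slack Technologies, Inc."},
    "Zoom": {"Zoom Video Communications, Inc."},
    "Visual Studio Code": {"Microsoft Corporation"},
    "Docker Desktop": {"Docker Inc"},
    "Python": {"Python Software Foundation"},
}

# Approved software that is only expected on machines with particular roles
# (developer tools or a scripting runtime on a finance laptop deserve a look).
ROLE_RESTRICTED = {
    "Visual Studio Code": {"engineering"},
    "Docker Desktop": {"engineering"},
    "Python": {"engineering", "it"},
}

# Remote access tools are flagged unless IT recorded provisioning them.
REMOTE_ACCESS = {"AnyDesk", "TeamViewer", "Chrome Remote Desktop"}


@dataclass(frozen=True)
class Finding:
    host: str
    software: str
    reason: str


def review_inventory(inventory, it_provisioned=frozenset()):
    """Return Findings for rows that are unapproved, signed by an unexpected
    publisher, or approved but out of place for the host's role.

    inventory: iterable of dicts with keys host, role, name, publisher.
    it_provisioned: set of (host, name) pairs that IT deployed deliberately.
    """
    findings = []
    for row in inventory:
        host, role, name = row["host"], row["role"], row["name"]
        publisher = row.get("publisher")
        if name in REMOTE_ACCESS:
            if (host, name) not in it_provisioned:
                findings.append(Finding(host, name, "remote access tool not provisioned by IT"))
            continue
        if name not in APPROVED:
            findings.append(Finding(host, name, "not on approved software list"))
            continue
        if publisher not in APPROVED[name]:
            findings.append(Finding(host, name, f"unexpected publisher {publisher!r}"))
            continue
        allowed_roles = ROLE_RESTRICTED.get(name)
        if allowed_roles is not None and role not in allowed_roles:
            findings.append(Finding(host, name,
                                    f"restricted to {sorted(allowed_roles)}, host role is {role!r}"))
    return findings


def hosts_needing_review(findings):
    """Distinct hosts with at least one finding, sorted for a ticket queue."""
    return sorted({f.host for f in findings})


# Constructed sample export standing in for the MDM/EDR inventory report.
SAMPLE_INVENTORY = [
    {"host": "fin-lt-01", "role": "finance", "name": "Google Chrome", "publisher": "Google LLC"},
    {"host": "fin-lt-01", "role": "finance", "name": "Visual Studio Code", "publisher": "Microsoft Corporation"},
    {"host": "fin-lt-01", "role": "finance", "name": "AnyDesk", "publisher": "AnyDesk Software GmbH"},
    {"host": "eng-lt-07", "role": "engineering", "name": "Visual Studio Code", "publisher": "Microsoft Corporation"},
    {"host": "eng-lt-07", "role": "engineering", "name": "Docker Desktop", "publisher": "Docker Inc"},
    {"host": "eng-lt-07", "role": "engineering", "name": "Slack", "publisher": "Slack Technologies, Inc."},
    {"host": "hr-lt-03", "role": "hr", "name": "Python", "publisher": "Python Software Foundation"},
    {"host": "hr-lt-03", "role": "hr", "name": "Zoom", "publisher": "Zoom Video Communications"},
    {"host": "hr-lt-03", "role": "hr", "name": "uTorrent", "publisher": None},
    {"host": "it-lt-02", "role": "it", "name": "TeamViewer", "publisher": "TeamViewer Germany GmbH"},
]
IT_PROVISIONED = frozenset({("it-lt-02", "TeamViewer")})

if __name__ == "__main__":
    for f in review_inventory(SAMPLE_INVENTORY, IT_PROVISIONED):
        print(f"{f.host}: {f.software}: {f.reason}")
```

Run against the sample data, the job flags five rows: the developer tool and the unprovisioned AnyDesk on the finance laptop, and the out-of-role Python, the Zoom build with a publisher string that does not match the approved signer, and the unlisted uTorrent on the HR machine. The IT-provisioned TeamViewer is not flagged. The publisher check is the part worth keeping in any real implementation: without it, a name-only allowlist is trivially satisfied by renaming a binary.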
Evidence required
Approved software list or policy
A documented list of approved software for managed endpoints, with a process for requesting additions.
- Approved software catalog published on the internal wiki
- MDM managed app catalog showing approved applications
- Acceptable use policy section on software installation
Application control configuration
Evidence that endpoint controls are configured to restrict unauthorized software installation or execution.
- MDM policy configuration showing application allowlist or publisher restriction
- Endpoint security platform policy showing application control rules
- Alert log showing unauthorized software installation attempts detected and blocked
Related controls
- The hardware and firmware of platforms are managed (Platform Security)
- The software of platforms is managed, including operating systems and applications (Platform Security)
- Data are destroyed according to policy when platforms or storage media are decommissioned (Platform Security)
- Log records are generated and made available for continuous monitoring (Platform Security)