User application hardening reduces the attack surface of the applications staff use every day. Web browsers, Microsoft Office, and PDF readers are among the most commonly targeted user-facing applications because they routinely parse untrusted content arriving from the internet and email. Hardening these applications means disabling or restricting features that are frequently abused by attackers but rarely needed for legitimate work.
Browser Hardening
At Maturity Level One: web browsers do not process web advertisements or Java content from the internet (enforced with an ad-blocking extension or browser policy), and users cannot change browser security settings. Disabling Flash, which earlier versions of the control listed, is now moot: Adobe ended Flash support in December 2020 and current browsers no longer ship it. At Maturity Level Two: block access to sites that only offer deprecated TLS versions (TLS 1.0 and 1.1; current Chrome and Edge already refuse these by default, so the check is that no policy re-enables them) and restrict browser extensions to an approved allow list. At Maturity Level Three: enforce browser configuration centrally, for example Chromium-based browsers managed through Group Policy or Intune, so that hardening cannot be undone locally.
Microsoft Office Configuration
The macro settings control (Essential Eight control 3) overlaps with this area. Beyond macro management, hardening Office includes: blocking Object Linking and Embedding (OLE) packages from untrusted sources, disabling Dynamic Data Exchange (DDE), which has been abused in malware campaigns to launch commands from otherwise macro-free documents, and configuring Protected View so that documents from the internet, email attachments and unsafe locations open read-only in the sandbox. Office should also be prevented from creating child processes, creating executable content and injecting code into other processes; on Windows these three blocks are delivered by Microsoft Defender Attack Surface Reduction (ASR) rules rather than Office settings.
PDF Reader Hardening
Adobe Acrobat Reader and similar PDF applications should be configured to disable JavaScript execution (a common vector for malicious PDFs), run rendering inside the application sandbox (Protected Mode in Acrobat Reader), prevent automatic opening of embedded attachments, and be blocked from creating child processes. Browser-native PDF rendering, where the browser renders PDFs directly rather than handing them to an external application, reduces the attack surface further, with the caveat that the browser's own PDF engine then becomes the target and must be kept patched.
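The browser, Office and PDF reader settings above, expressed as one declarative baseline with an audit-only default. This is an added example, not configuration from the page or from any vendor. It assumes Edge as the managed browser, Office 2016/2019/365 (the `16.0` registry version), Acrobat Reader DC, and the registry value names Microsoft and Adobe document for these features; the Office values are written to the per-user keys, and the equivalent Group Policy/Intune settings live under `Software\Policies`. Verify each path and value against current vendor documentation for your versions before enforcing.

```powershell
# Added example: declarative hardening baseline for browser, Office and PDF reader.
# Default run is audit-only (reports drift, changes nothing); -Enforce applies it.
# Registry paths/values assumed from Microsoft's DDE/Protected View guidance and
# the Edge and Acrobat Reader policy keys; verify for your versions before use.
[CmdletBinding()]
param(
    [switch]$Enforce
)

$Office = 'HKCU:\Software\Microsoft\Office\16.0'
$Edge   = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$Reader = 'HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown'

# Each entry: registry Path, value Name, desired Value, value Type, and the reason.
$Baseline = @(
    # Browser: block every extension not explicitly allow-listed; approved extension
    # IDs go under "$Edge\ExtensionInstallAllowlist" as values named 1, 2, 3, ...
    @{ Path="$Edge\ExtensionInstallBlocklist"; Name='1'; Value='*'; Type='String'
       Why='block all extensions not on the allow list' }
    @{ Path=$Edge; Name='SSLVersionMin'; Value='tls1.2'; Type='String'
       Why='refuse TLS 1.0/1.1 (already the default; ensures no policy lowers it)' }
    # Office: DDE links, OLE Packager objects, Protected View
    @{ Path="$Office\Word\Options";  Name='DontUpdateLinks'; Value=1; Type='DWord'
       Why='do not refresh DDE/field links when a document opens' }
    @{ Path="$Office\Excel\Options"; Name='DontUpdateLinks'; Value=1; Type='DWord'
       Why='do not refresh DDE links when a workbook opens' }
    @{ Path="$Office\Excel\Options"; Name='DDEAllowed';      Value=0; Type='DWord'
       Why='disable DDE server launch from Excel' }
    @{ Path="$Office\Word\Security"; Name='PackagerPrompt';  Value=2; Type='DWord'
       Why='block OLE Packager objects (no prompt, no activation)' }
    @{ Path="$Office\Word\Security\ProtectedView"; Name='DisableInternetFilesInPV'; Value=0; Type='DWord'
       Why='keep Protected View on for internet-sourced files' }
    @{ Path="$Office\Word\Security\ProtectedView"; Name='DisableAttachmentsInPV';   Value=0; Type='DWord'
       Why='keep Protected View on for Outlook attachments' }
    # PDF reader: JavaScript off and sandbox on, locked so users cannot re-enable them
    @{ Path=$Reader; Name='bDisableJavaScript'; Value=1; Type='DWord'
       Why='disable Acrobat JavaScript' }
    @{ Path=$Reader; Name='bProtectedMode';     Value=1; Type='DWord'
       Why='force Protected Mode sandbox' }
)

function Test-Setting {
    param($Entry)
    $current = $null
    if (Test-Path $Entry.Path) {
        $current = (Get-ItemProperty -Path $Entry.Path -Name $Entry.Name -ErrorAction SilentlyContinue).($Entry.Name)
    }
    [pscustomobject]@{
        Setting   = "$($Entry.Path)\$($Entry.Name)"
        Desired   = $Entry.Value
        Current   = $current
        Compliant = ($null -ne $current) -and ("$current" -eq "$($Entry.Value)")
        Why       = $Entry.Why
    }
}

$results = foreach ($e in $Baseline) {
    $r = Test-Setting $e
    if ($Enforce -and -not $r.Compliant) {
        if (-not (Test-Path $e.Path)) { New-Item -Path $e.Path -Force | Out-Null }
        New-ItemProperty -Path $e.Path -Name $e.Name -Value $e.Value -PropertyType $e.Type -Force | Out-Null
        $r.Current = $e.Value
        $r.Compliant = $true
    }
    $r
}

# Non-compliant rows first so drift is visible at a glance
$results | Sort-Object Compliant | Format-Table Compliant, Setting, Desired, Current, Why -AutoSize
```

Run it without `-Enforce` across a pilot group first: the report shows which machines already match and which values have been changed locally, which is the evidence needed for the exception process. The HKLM policy keys require an elevated session; the HKCU Office values apply per user and are the ones Microsoft's DDE advisory describes, so a managed fleet should push the Group Policy equivalents instead of writing them directly.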
Does hardening these applications break legitimate workflows?
Some hardening measures do affect workflows: disabling browser Java breaks legacy web applications that still rely on it, blocking DDE breaks spreadsheets that pull data from other applications through links, and blocking Office child processes can break add-ins that shell out to helper tools. The approach should be to audit legitimate use of each feature before disabling it, implement in audit or monitoring mode first wherever the control supports it (Defender ASR rules, for example, log what they would have blocked without blocking it), and establish an exception process for legitimate business requirements. Exceptions should be scoped to the users or applications that need them, documented, approved, time-limited and reviewed regularly rather than becoming permanent workarounds.
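The audit-first rollout described above, applied to the Office and PDF reader process-creation blocks. This is an added example, not code from the page or from Microsoft. It assumes Microsoft Defender Antivirus with Attack Surface Reduction support (Windows 10/11 Pro or Enterprise), that the rule GUIDs match Microsoft's published ASR rule reference, and that Defender writes audit matches as event 1122 and blocks as event 1121 to its Operational log with the `ID`, `Process Name`, `Path` and `User` data fields; confirm all of these against the current Microsoft documentation before relying on the output.

```powershell
# Added example: roll out Office/Reader ASR rules in audit mode, review what
# they would have blocked, then switch to enforcement. GUIDs assumed to match
# Microsoft's ASR rule reference; event field names assumed from the Defender
# Operational log. Requires an elevated session and Defender AV as the engine.
[CmdletBinding()]
param(
    [ValidateSet('Audit', 'Enforce')] [string]$Mode = 'Audit',
    [int]$Days = 14   # how far back to summarise audit/block events
)

$Rules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
    '7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C' = 'Block Adobe Reader from creating child processes'
}

# AuditMode logs matches without blocking; Enabled blocks. Start in audit.
$action = if ($Mode -eq 'Enforce') { 'Enabled' } else { 'AuditMode' }
foreach ($id in $Rules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $action
}

# Confirm what Defender now has configured. Ids and Actions are parallel arrays;
# actions come back as numbers (0 disabled, 1 enabled, 2 audit, 6 warn).
$actionName = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode'; 6 = 'Warn' }
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id = "$($pref.AttackSurfaceReductionRules_Ids[$i])".ToUpper()
    if ($Rules.ContainsKey($id)) {
        '{0,-10} {1}' -f $actionName[[int]$pref.AttackSurfaceReductionRules_Actions[$i]], $Rules[$id]
    }
}

# Event 1122 = rule matched in audit mode; 1121 = rule blocked the action.
# Group by rule and originating process so exceptions are decided on evidence.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue

$events | ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $rid = "$($d['ID'])".ToUpper()
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Outcome = if ($_.Id -eq 1121) { 'blocked' } else { 'audited' }
        Rule    = if ($Rules.ContainsKey($rid)) { $Rules[$rid] } else { $rid }
        Process = $d['Process Name']
        Target  = $d['Path']
        User    = $d['User']
    }
} | Group-Object Rule, Process | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Leave the rules in audit mode for the chosen window, then read the summary: a line such as a finance add-in spawning `cmd.exe` from Excel hundreds of times is a candidate for a scoped exclusion (`Add-MpPreference -AttackSurfaceReductionOnlyExclusions`) with a documented owner and review date, whereas a one-off `winword.exe` launching PowerShell is exactly what the rule exists to stop. Only after the audit output is clean for the pilot group is the script re-run with `-Mode Enforce`.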