ThreatLocker as an Essential Eight Maturity Model Mitigation Strategy

16 min. read | last update: 07.25.2023
Use Case: The purpose of the information below is to help the reader understand how ThreatLocker can support the Essential Eight Maturity Model mitigation strategies. For each maturity level (1-3) we outline whether, and how, ThreatLocker can support each strategy, and we have made our best effort to identify which products support each sub-section. Where a sub-section is not listed, ThreatLocker does not support it.
Disclaimer: ThreatLocker makes no claims about any particular end-user deployment. If ThreatLocker policies are not configured correctly, they will not support these mitigation strategies.

Level 1

Application Control  

  • Description - "The execution of executables, software libraries, scripts, installers, compiled HTML, HTML Applications and control panel applets are prevented on workstations from within standard user profiles and temporary folders used by the operating system, web browsers and email clients."

Patch Applications  

  • Description - "Internet-facing services, office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, and security products that are no longer supported by vendors are removed."
    • ThreatLocker can help meet this mitigation strategy. ThreatLocker cannot uninstall software, but Allowlisting Policies can be configured to deny execution of any unsupported product you do not want users to run, so it cannot execute even if it remains installed.

Configure Microsoft Office Macro Settings

  • Description - "Microsoft Office macros are disabled for users that do not have a demonstrated business requirement."
    • ThreatLocker cannot change configurations within Microsoft Office, but it can help with this mitigation strategy in two ways. ThreatLocker's Configuration Manager allows administrators to create a policy that disables macros in Microsoft Office for all or specific users. In addition, Network Access Control and Ringfencing can be configured to prevent Microsoft Office applications from accessing the internet for all or specific users; this does not disable macros, but it limits what a malicious macro can do (for example, downloading a second-stage payload).
  • Description - "Microsoft Office macros in files originating from the internet are blocked."
    • ThreatLocker cannot change configurations within Microsoft Office, but it can help with this mitigation strategy. ThreatLocker's Configuration Manager allows administrators to create a policy that disables macros in Microsoft Office, which covers files from the internet along with all others. Network Access Control and Ringfencing can be configured to prevent Microsoft Office applications from accessing the internet for all or specific users. ThreatLocker policies for web browsers can also be configured to block file access, after which you explicitly allow only the file locations the browsers need to reach.
  • Description - "Microsoft Office macro antivirus scanning is enabled."
    • ThreatLocker cannot change configurations within Microsoft Office and does not scan macro content, but it can help with this mitigation strategy by preventing macros from running at all: ThreatLocker's Configuration Manager allows administrators to create a policy that blocks Microsoft Office from executing macros. Network Access Control and Ringfencing can also block Microsoft Office applications from accessing the internet for all or some users.
  • Description - "Microsoft Office macro security settings cannot be changed by users."
    • ThreatLocker cannot change configurations within Microsoft Office, but it can help with this mitigation strategy. Policies created in ThreatLocker can only be changed by a ThreatLocker Administrator, including Configuration Manager policies that disable macros in Office. Therefore, even where end users can reach Microsoft Office's own settings under company-specific policies, they cannot change the ThreatLocker policies that administrators have configured to prevent Microsoft Office from running macros.

User Application Hardening

  • Description - "Web browsers do not process Java from the internet."
    • ThreatLocker can help meet this mitigation strategy. Using Allowlisting and Ringfencing, you can block web browsers from interacting with Java file types (such as .jar) and from launching the Java runtime.
  • Description - "Internet Explorer 11 does not process content from the internet."
    • ThreatLocker can help meet this mitigation strategy. Using Allowlisting, Ringfencing, and/or Network Access Control, you can block Internet Explorer 11 from accessing the internet, or deny it from executing altogether.

Restrict Administrative Privileges

  • Description - "Requests for privileged access to systems and applications are validated when first requested."
    • ThreatLocker can help meet this mitigation strategy. With Elevation Control enabled, you can eliminate local admin accounts, and users must request elevated privileges instead. A ThreatLocker Administrator must approve each request before Elevation is enabled, and the privileges apply only to the specific applications you have set them to apply to. Using Ringfencing, you can ensure that these elevated applications cannot interact with other applications, preventing application hopping (using an elevated process to launch a second, unrestricted one).
  • Description - "Privileged accounts (excluding privileged service accounts) are prevented from accessing the internet, email and web services."
    • ThreatLocker can help meet this mitigation strategy. With Allowlisting, you can block specific users/accounts from running any web browser, so you can identify the accounts with admin credentials and prevent them from using a browser. Because the strategy also covers email and web services, apply the same policies to email clients and other internet-capable applications those accounts could use, or use Network Access Control to deny them internet access.

Regular Backups

  • Description - "Unprivileged accounts can only access their own backups."
    • ThreatLocker can help meet this mitigation strategy. Utilizing Storage Control, you can allow or deny access to any of your backup files or directories to specific users and/or applications. 
  • Description - "Unprivileged accounts are prevented from modifying or deleting backups."
    • ThreatLocker can help meet this mitigation strategy. Utilizing Storage Control, you can allow or deny access to any of your backup files or directories to specific users and/or applications, and you can also specify Read-Only access. 

Level 2

Application Control

  • Description - "Application control is implemented on workstations and internet-facing servers to restrict the execution of executables, software libraries, scripts, installers, compiled HTML, HTML Applications and control panel applets to an organization-approved set."
  • Description - "Allowed and blocked executions on workstations and internet-facing servers are logged."
    • ThreatLocker can help meet this mitigation strategy. The ThreatLocker Unified Audit will log in real-time all executions that are occurring or being attempted on all endpoints in one central location.

Configure Microsoft Office Macro Settings

  • Description - "Microsoft Office macros are blocked from making Win32 API calls."
    • ThreatLocker can help meet this mitigation strategy. ThreatLocker's Configuration Manager permits admins to create a policy that disables Office macros, so no macro runs and therefore none can call the Win32 API. Note that blocking Office's internet access with Allowlisting and Ringfencing does not by itself prevent Win32 API calls, which are local calls from a macro into Windows libraries (for example, to start a process or write a file); Ringfencing helps here by limiting which applications and files Office itself can interact with.
  • Description - "Allowed and blocked Microsoft Office macro executions are logged."
    • ThreatLocker can help meet this mitigation strategy. ThreatLocker's Configuration Manager policies can block Microsoft Office macros from executing, and once such a policy is enabled, the Unified Audit logs every macro that is blocked from running.

User Application Hardening

  • Description - "Microsoft Office is blocked from creating child processes."
    • ThreatLocker can help meet this mitigation strategy. Allowlisting and Ringfencing let you block Office's ability to interact with any other application, which stops it from creating child processes (for example, launching PowerShell or cmd.exe from a document).
  • Description - "Microsoft Office is blocked from creating executable content."
    • ThreatLocker can help meet this mitigation strategy. By default, any executable content Office writes to disk is blocked from running until it has been approved. You can also configure Allowlisting and Ringfencing to block Office's access to files with executable extensions, so it cannot create them in the first place.
  • Description - "PDF software is blocked from creating child processes."
    • ThreatLocker can help meet this mitigation strategy. Allowlisting and Ringfencing let you block your PDF software's ability to interact with other applications, which stops it from creating child processes.
  • Description - "Blocked PowerShell script executions are logged."
    • ThreatLocker can help meet this mitigation strategy. Allowlisting and Ringfencing let you block PowerShell scripts, and the ThreatLocker Unified Audit logs, in real time, every execution attempted on every endpoint, allowed or blocked, in one central location.
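The Level 2 Office and PDF hardening controls above, and the Win32 API macro control under Configure Microsoft Office Macro Settings, map directly onto Microsoft Defender Attack Surface Reduction (ASR) rules, which enforce the same behaviour natively on the endpoint and are worth checking alongside Ringfencing. The following PowerShell is an added example, not ThreatLocker's code or part of the original article. It assumes Microsoft Defender Antivirus is the active antivirus and that it is run from an elevated session; the rule-to-control mapping and the function names are this example's own, while the GUIDs are Microsoft's published ASR rule identifiers.

```powershell
# Added example, not code from the ThreatLocker article. Checks and optionally
# enables the Microsoft Defender Attack Surface Reduction (ASR) rules that
# implement the Essential Eight Maturity Level 2 Office/PDF hardening controls.
# Requires Microsoft Defender Antivirus as the active AV and an elevated session.
# The rule-to-control mapping and function names are this example's own (assumption);
# the GUIDs are Microsoft's published ASR rule identifiers.

$AsrControls = [ordered]@{
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C' = 'Block Adobe Reader from creating child processes'
}

# Defender stores each rule's action as an integer alongside its ID.
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrControlStatus {
    [CmdletBinding()]
    param()
    $pref    = Get-MpPreference
    # Ids and Actions are two parallel arrays; normalise case so the lookup is reliable.
    $ids     = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { "$_".ToUpperInvariant() })
    $actions = @($pref.AttackSurfaceReductionRules_Actions)

    foreach ($guid in $AsrControls.Keys) {
        $idx    = [array]::IndexOf($ids, $guid)
        $action = if ($idx -ge 0) { [int]$actions[$idx] } else { 0 }   # absent = not configured
        # Only Block mode enforces the control; Audit and Warn merely log or let the user override.
        $status = if ($action -eq 1) { 'PASS' } else { 'FAIL (needs Block; currently ' + $ActionNames[$action] + ')' }
        [pscustomobject]@{
            Control = $AsrControls[$guid]
            RuleId  = $guid
            Action  = $ActionNames[$action]
            Status  = $status
        }
    }
}

function Enable-AsrControls {
    [CmdletBinding()]
    param([switch]$AuditOnly)   # stage in Audit mode first to find line-of-business breakage
    $mode = if ($AuditOnly) { 'AuditMode' } else { 'Enabled' }
    foreach ($guid in $AsrControls.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $guid -AttackSurfaceReductionRules_Actions $mode
    }
}

Get-AsrControlStatus | Format-Table -AutoSize
# Enable-AsrControls -AuditOnly   # review Event ID 1122 (audit) in the
#                                 # Microsoft-Windows-Windows Defender/Operational log, then run
# Enable-AsrControls              # to enforce (Event ID 1121 records blocks)
```

Run the status function first; a rule in Audit or Warn mode shows up in logs but does not satisfy "is blocked". Staging in audit mode for a few weeks before enforcing is the usual way to find line-of-business add-ins that spawn child processes from Office.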

Restrict Administrative Privileges

  • Description - "Privileged access to systems and applications is automatically disabled after 12 months unless revalidated."
    • ThreatLocker can help meet this mitigation strategy. ThreatLocker's Elevation Control lets you set an expiration of your choosing on elevated privileges for any or all specified applications, so an approval lapses after 12 months unless an administrator renews it.
  • Description - "Privileged access to systems and applications is automatically disabled after 45 days of inactivity."
    • ThreatLocker can help meet this mitigation strategy. ThreatLocker's Elevation Control lets you set an expiration of your choosing on elevated privileges for any or all specified applications. Note that an expiration is a fixed date rather than an inactivity timer, so choose a period short enough to approximate the 45-day requirement and renew it on revalidation.
  • Description - "Privileged operating environments are not virtualized within unprivileged operating environments."
    • ThreatLocker can help meet this mitigation strategy. ThreatLocker's Allowlisting lets you block virtualization software from running on unprivileged machines, ensuring that no VM with privileged access can be created there.
  • Description - "Use of privileged access is logged."
    • ThreatLocker can help meet this mitigation strategy. The ThreatLocker Unified Audit logs every execution on the endpoint in real time and records whether it ran with elevated privileges.

Regular Backups

  • Description - "Unprivileged accounts, and privileged accounts (excluding backup administrators), can only access their own backups."
    • ThreatLocker can help meet this mitigation strategy. Utilizing Storage Control, you can allow or deny access to any of your backup files/folders/directories to specific users and/or applications.
  • Description - "Unprivileged accounts, and privileged accounts (excluding backup administrators), are prevented from modifying or deleting backups."
    • ThreatLocker can help meet this mitigation strategy. Utilizing Storage Control, you can allow or deny access to any of your backup files to specific users and/or applications, and you can also specify Read-Only access.

Level 3

Application Control

  • Description - "Application control is implemented on workstations and servers to restrict the execution of executables, software libraries, scripts, installers, compiled HTML, HTML Applications, control panel applets and drivers to an organization-approved set."
  • Description - "Microsoft’s ‘recommended block rules’ are implemented."
    • ThreatLocker can help meet this mitigation strategy. ThreatLocker's Allowlisting policies can be configured to block every Microsoft Recommended block rule, and many of these rules are premade as Recommended Policies within ThreatLocker.
  • Description - "Microsoft’s ‘recommended driver block rules’ are implemented."
    • ThreatLocker can help meet this mitigation strategy. With ThreatLocker's Allowlisting, only executables you have created a policy for are allowed, and no driver can load unless you create a policy for it. You can also create policies that explicitly deny any drivers you want blocked in your environment.
  • Description - "Application control rulesets are validated on an annual or more frequent basis."
    • Although ThreatLocker does not review your rulesets, it does provide reports that can help meet this mitigation strategy. Using ThreatLocker's Reports, you can easily generate a list of all approved applications.
  • Description - "Allowed and blocked executions on workstations and servers are centrally logged and protected from unauthorized modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected."
    • ThreatLocker can help you meet this mitigation strategy by providing protected, centralized logs of all blocked and allowed executions. ThreatLocker's Unified Audit will capture all successful and failed executions of enabled policies, from every endpoint, in a central location. The Unified Audit entries cannot be modified or deleted by anyone, and are kept by default for 30 days, but that period can be extended if desired. ThreatLocker Ops policies can be set to monitor your environment for IOCs specified by you, and then it can alert and/or respond to these behaviors based on thresholds set by you.

Patch Applications

  • Description - "Applications that are no longer supported by vendors are removed."
    • ThreatLocker cannot remove applications from your endpoints. However, ThreatLocker can help to meet this mitigation strategy because any application can have a policy created to deny it. Once denied, it is unable to run in your environment.  

Configure Microsoft Office Macro Settings

  • Description - "Only Microsoft Office macros running from within a sandboxed environment, a Trusted Location or that are digitally signed by a trusted publisher are allowed to execute."
    • ThreatLocker can help meet this mitigation strategy. ThreatLocker's Configuration Manager lets you configure policies to allow or deny macros; once a deny policy is applied, macros cannot run on any machine where that policy is enabled. The Trusted Location and trusted-publisher exceptions themselves are Office Trust Center settings and must be configured in Office.
  • Description - "Only privileged users responsible for validating that Microsoft Office macros are free of malicious code can write to and modify content within Trusted Locations."
    • ThreatLocker can help meet this mitigation strategy. Storage Control lets you allow or deny access to any specified data location, including Trusted Location folders, or limit it to Read-Only, for specific users and/or applications.
  • Description - "Microsoft Office macros digitally signed by an untrusted publisher cannot be enabled via the Message Bar or Backstage View."
    • ThreatLocker can help with this mitigation strategy. Allowlisting Policies can deny executables signed by publishers you have not approved, and Configuration Manager policies can block macros for all users or specific users, so there is nothing for a user to enable from the Message Bar.
  • Description - "Microsoft Office's list of trusted publishers is validated on an annual or more frequent basis."
    • ThreatLocker cannot help you meet this mitigation strategy.
  • Description - "Event logs are protected from unauthorized modification and deletion."
    • ThreatLocker does not manage the Windows event logs on your endpoints, but it helps you meet this mitigation strategy by providing uneditable, centralized logs of all blocked and allowed policy executions. ThreatLocker's Unified Audit captures all successful and failed policy executions from every endpoint in a central location. Unified Audit entries cannot be modified or deleted by anyone and are kept by default for 30 days; that period can be extended if desired.
  • Description - "Event logs are monitored for signs of compromise and actioned when any signs of compromise are detected."
    • ThreatLocker can help meet this mitigation strategy. ThreatLocker Ops monitors all transactional activity of everything that ThreatLocker is securing and alerts administrators to signs of compromise based on the alert policies they have enacted.
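The Level 1 and Level 3 macro controls above rest on Office Trust Center settings that, as this article notes, ThreatLocker cannot change, so a Configuration Manager macro policy should be backed by the Office-side configuration. The following PowerShell is an added example, not ThreatLocker's code or part of the original article, for auditing those settings on an endpoint. It assumes Office 2016 or later / Microsoft 365 (registry version key 16.0) and that it is run as the user being checked; the application list, function names and pass/fail wording are this example's own.

```powershell
# Added example, not code from the ThreatLocker article. Audits the Office policy
# registry values that implement the Essential Eight macro controls ThreatLocker
# itself cannot set (Level 1: macros disabled, internet macros blocked, AMSI
# scanning, settings locked; Level 3: only signed macros). Run as the user being checked.
# Assumptions: Office 2016 or later / Microsoft 365 (registry version 16.0);
# the application list and PASS/FAIL wording are this example's own choices.

$OfficeVersion = '16.0'
$Apps = @('Word', 'Excel', 'PowerPoint', 'Access', 'Publisher', 'Visio')

# Values under Software\Policies come from Group Policy or Intune and are greyed out
# in the Trust Center, which is what "settings cannot be changed by users" means.
$PolicyRoots = @(
    "HKLM:\SOFTWARE\Policies\Microsoft\Office\$OfficeVersion",
    "HKCU:\SOFTWARE\Policies\Microsoft\Office\$OfficeVersion"
)

# VBAWarnings: 1 = enable all, 2 = disable with notification (user can click Enable),
# 3 = disable except digitally signed, 4 = disable without notification.
$VbaMeaning = @{
    1 = 'FAIL (all macros enabled)'
    2 = 'FAIL (user can enable from the Message Bar)'
    3 = 'PASS (Level 3: only signed macros run)'
    4 = 'PASS (Level 1/2: macros disabled)'
}
# MacroRuntimeScanScope is Office-wide: 0 = no AMSI scanning of macro behaviour,
# 1 = scan when macros run in low-trust documents, 2 = scan in all documents.
$AmsiMeaning = @{ 1 = 'PASS (low-trust documents only)'; 2 = 'PASS (all documents)' }

function Get-OfficePolicyValue {
    param([Parameter(Mandatory)][string]$SubKey,
          [Parameter(Mandatory)][string]$Name)
    foreach ($root in $PolicyRoots) {
        $item = Get-ItemProperty -Path "$root\$SubKey" -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return [int]$item.$Name }
    }
    return $null   # not set by policy: the user-editable Trust Center default applies
}

function Test-OfficeMacroPolicy {
    [CmdletBinding()]
    param()
    $results = @(foreach ($app in $Apps) {
        $vba = Get-OfficePolicyValue -SubKey "$app\Security" -Name 'VBAWarnings'
        $vbaStatus = if ($null -ne $vba -and $VbaMeaning.ContainsKey($vba)) { $VbaMeaning[$vba] } else { 'FAIL (not set by policy)' }
        [pscustomobject]@{ App = $app; Setting = 'VBAWarnings'; Value = $vba; Status = $vbaStatus }

        # blockcontentexecutionfrominternet = 1 blocks macros in files carrying the
        # Mark of the Web, i.e. "macros in files originating from the internet are blocked".
        $motw = Get-OfficePolicyValue -SubKey "$app\Security" -Name 'blockcontentexecutionfrominternet'
        $motwStatus = if ($motw -eq 1) { 'PASS' } else { 'FAIL (not set or 0)' }
        [pscustomobject]@{ App = $app; Setting = 'blockcontentexecutionfrominternet'; Value = $motw; Status = $motwStatus }
    })

    $amsi = Get-OfficePolicyValue -SubKey 'Common\Security' -Name 'MacroRuntimeScanScope'
    $amsiStatus = if ($null -ne $amsi -and $AmsiMeaning.ContainsKey($amsi)) { $AmsiMeaning[$amsi] } else { 'FAIL (disabled or not set)' }
    $results += [pscustomobject]@{ App = 'All'; Setting = 'MacroRuntimeScanScope'; Value = $amsi; Status = $amsiStatus }
    return $results
}

Test-OfficeMacroPolicy | Format-Table -AutoSize
```

A value that is absent from both Policies hives is reported as FAIL even if the user has set the same option in the Trust Center, because a user-set value can be changed back by that user, which is exactly what the "cannot be changed by users" control forbids.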

User Application Hardening

  • Description - "Internet Explorer 11 is disabled or removed."
    • ThreatLocker can help meet this mitigation strategy. ThreatLocker's Allowlisting enables you to deny Internet Explorer 11, preventing it from executing. 
  • Description - "Blocked PowerShell script executions are centrally logged and protected from unauthorized modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected."
    • ThreatLocker can help you meet this mitigation strategy by providing protected, centralized logs of all blocked and allowed executions. ThreatLocker's Unified Audit captures all successful and failed executions from every endpoint in a central location. Unified Audit entries cannot be modified or deleted by anyone and are kept by default for 30 days; that period can be extended if desired. ThreatLocker Ops policies can be set to monitor your environment for IOCs you specify, and can then alert and/or respond to those behaviors based on thresholds you set.

Restrict Administrative Privileges

  • Description - "Privileged access to systems and Applications is limited to only what is required for users and services to undertake their duties."
    • ThreatLocker can help meet this mitigation strategy. ThreatLocker's Elevation Control enables you to reduce or eliminate privileged access accounts, and then allow Elevation for only specified users and/or specified applications as needed for their specific job duties. Allowlisting provides the ability to prevent any applications that are not needed from running.
  • Description - "Privileged accounts are prevented from accessing the internet, email and web services."
    • ThreatLocker can help meet this mitigation strategy. ThreatLocker's Allowlisting lets you restrict web browser execution to specific users, so privileged accounts can be denied any browser.
  • Description - "Just-in-time administration is used for administering systems and Applications."
    • ThreatLocker can help meet this mitigation strategy. ThreatLocker's Elevation Control enables you to reduce or eliminate privileged access accounts, and then allow Elevation for only specified users and/or specified applications as needed for their specific job duties. Allowlisting enables you to limit the time of day and/or days of the week that specific Applications can be used.
  • Description - "Use of privileged access is centrally logged and protected from unauthorized modification and deletion, monitored for signs of compromise and actioned when cyber security events are detected."
    • ThreatLocker can help you meet this mitigation strategy by providing a centralized log. The Unified Audit will capture all successful and failed policy executions, and if they were performed with elevated privileges, from every endpoint in a central location. The Unified Audit entries cannot be modified or deleted by anyone, and are kept by default for 30 days, but that period can be extended if desired. ThreatLocker Ops policies can be set to monitor your environment for IOCs specified by you, and then it can alert and/or respond to these behaviors based on thresholds set by you. 

Regular Backups

  • Description - "Unprivileged accounts, and privileged accounts (excluding backup administrators), cannot access backups."
    • ThreatLocker can help meet this mitigation strategy. Utilizing Storage Control, you can allow or deny access to any of your backup files/folders/directories to specific users and/or applications.
  • Description - "Unprivileged accounts, and privileged accounts (excluding backup break glass accounts), are prevented from modifying or deleting backups."
    • ThreatLocker can help meet this mitigation strategy. Utilizing Storage Control, you can allow or deny access to any of your backup files/folders/directories to specific users and/or applications, and you can also specify Read-Only access.
