Essential Eight - application control

The first of the Essential Eight from the Australian Signals Directorate (ASD) is application control, which means only allowing approved programs to run on computers and servers to block malware and unwanted software from executing in the first place.cyber+2

What it is

Application control is a policy and technical setup that lets approved software run and stops everything else by default, reducing the chances that malicious code can execute and spread. In practice, it covers executables, software libraries (DLLs), scripts, installers, compiled HTML, HTML applications and even control panel applets, using robust rules such as cryptographic hashes, trusted publisher certificates, and tightly managed file paths.cyber+2

Why it matters

Most attacks need code to run (a dropper, macro, script, or payload), so blocking unapproved code cuts off that path early and complements antivirus and patching rather than replacing them. ASD ranks application control among its Essential Eight because stopping execution at the endpoint has consistently reduced incident likelihood and impact across assessments and incident response experience.cyber+3

In plain English

Think of a venue with a strict guest list: only names on the list get in, and everyone else is turned away at the door. Application control is the “guest list” for computers—approved apps run, everything else is blocked—so surprise “party crashers” like ransomware don’t get the chance to start up at all.cyber+1

What it isn’t

Just using an app store, a software portal, email/web filtering, “reputation” checks, or next‑gen firewalls is not application control on its own; those can help, but they don’t enforce a default‑deny rule on execution at the device level. File names or other easily changed attributes are also not reliable controls, since adversaries can trivially evade them; ASD recommends hashes, publishers, and carefully permissioned paths instead.cyber

How to implement

ASD’s high‑level steps are: identify the approved applications; create rules so only those can run; maintain the rules under change management; and validate them at least annually, generating logs for both allowed and blocked executions to aid detection. The Essential Eight maturity model expects application control on workstations and internet‑facing servers, applied to user profiles and temporary folders (where malware often lands), and extended to all other execution locations, with Microsoft’s recommended driver and application blocklists enforced and rulesets reviewed regularly.cyber+2

Maturity in context

The Essential Eight is meant to be implemented as a package and assessed against ASD’s maturity model (Levels 0–3), which scales protections to counter increasing attacker tradecraft; full control effectiveness requires meeting every requirement at the target level. Governments and enterprises are encouraged to choose a target maturity level, implement progressively, and use ASD’s assessment process and templates to gather evidence and verify effectiveness over time.forgov+2

Practical tips for SMEs

• Start with critical devices: enforce allow‑lists on endpoints used for finance, admin, and remote access, where attackers pivot first.cyber+1
• Use publisher rules for mainstream apps and hashes for in‑house tools; protect rule locations and allowed paths with strict file permissions.cyber
• Pair with macro controls, user app hardening, MFA, and rapid patching to close other common execution paths and privilege abuse routes in the Essential Eight.cyber+1

Helpful government guidance for everyone

ASD’s “Essential Eight explained” is the authoritative overview, including current maturity requirements and assessment artifacts for organisations of all sizes in Australia. For the broader community, the Australian Government’s Act Now. Stay Secure campaign highlights everyday actions—like multi‑factor authentication, strong passphrases, and prompt updates—that complement application control by shrinking the attack surface users present to adversaries.actnowstaysecure+3

Key takeaways

• The first Essential Eight strategy is application control: a default‑deny model that allows only approved software to run, blocking malware at launch.cyber+1
• Implement robust rules (hash, trusted publisher, locked‑down paths), log allow/deny events, and validate rulesets at least annually across workstations and servers for higher maturity.cyber+1
• Treat the Essential Eight as a whole, selecting a maturity target and using ASD’s assessment guide to verify effectiveness alongside user‑focused measures like MFA and updates from national guidance hubs.cyber+2

References: ASD Cyber.gov.au Essential Eight pages and PDFs; Australian Government Act Now. Stay Secure campaign materials.actnowstaysecure+7

1. https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/system-hardening/implementing-application-control
2. https://www.cyber.gov.au/sites/default/files/2023-03/PROTECT%20-%20Implementing%20Application%20Control%20(October%202021).pdf
3. https://www.cyber.gov.au/sites/default/files/2023-11/PROTECT%20-%20Essential%20Eight%20Maturity%20Model%20(November%202023).pdf
4. https://www.cyber.gov.au/sites/default/files/2023-11/PROTECT%20-%20Essential%20Eight%20Explained%20(November%202023).pdf
5. https://www.cyber.gov.au/resources-business-and-government/essential-cybersecurity/essential-eight/essential-eight-maturity-model
6. https://www.forgov.qld.gov.au/information-technology/queensland-government-enterprise-architecture-qgea/qgea-directions-and-guidance/qgea-policies-standards-and-guidelines/essential-eight-guideline
7. https://www.cyber.gov.au/sites/default/files/2024-08/PROTECT%20-%20Essential%20Eight%20Assessment%20Process%20Guide%20(August%202024).pdf
8. https://www.actnowstaysecure.gov.au/sites/default/files/documents/2025-05/Fact%20sheet%20-%20Stay%20cyber%20secure%20online_0.pdf
9. https://www.actnowstaysecure.gov.au/what-are-you-risking-online
10. https://www.actnowstaysecure.gov.au
11. https://www.cyber.gov.au/resources-business-and-government/essential-cybersecurity/essential-eight
12. https://www.cyber.gov.au/resources-business-and-government/essential-cybersecurity/essential-eight/essential-eight-explained
13. https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/strategies-mitigate-cyber-security-incidents
14. https://secureframe.com/blog/essential-eight
15. https://www.6clicks.com/resources/guides/asd-essential-8
16. https://www.macquariegovernment.com/wp-content/uploads/sites/4/2017/03/Government-Essential-8-eGuide.pdf
17. https://bremmar.com.au/protect-not-for-profit-cyber-threats-essential-8/
18. https://www.cyber.gov.au/sites/default/files/2023-05/PROTECT%20-%20Essential%20Eight%20Explained%20(May%202023).pdf
19. https://soc.cyber.wa.gov.au/pdfs/essential-eight-assessment-process-guide.pdf