Implement safeguards to prevent unauthorized code execution.


CONTROL ID: 10686
CONTROL TYPE: Configuration
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain system hardening procedures., CC ID: 12001

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Microsoft Office is blocked from creating executable content. (Control: ISM-1668; Revision: 0, Australian Government Information Security Manual, June 2023)
  • PDF software is blocked from creating child processes. (Control: ISM-1670; Revision: 0, Australian Government Information Security Manual, June 2023)
  • Only trusted and supported operating systems, applications and computer code can execute on systems. (P6:, Australian Government Information Security Manual, June 2023)
  • Application control restricts the execution of drivers to an organisation-approved set. (Control: ISM-1658; Revision: 0, Australian Government Information Security Manual, June 2023)
  • Microsoft Office is blocked from injecting code into other processes. (Control: ISM-1669; Revision: 0, Australian Government Information Security Manual, June 2023)
  • Microsoft Office macros in files originating from the internet are blocked. (Control: ISM-1488; Revision: 1, Australian Government Information Security Manual, June 2023)
  • Microsoft Office is blocked from creating child processes. (Control: ISM-1667; Revision: 0, Australian Government Information Security Manual, June 2023)
  • Application control restricts the execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets to an organisation-approved set. (Control: ISM-1657; Revision: 0, Australian Government Information Security Manual, June 2023)
  • Application control restricts the execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets to an organisation-approved set. (Control: ISM-1657; Revision: 0, Australian Government Information Security Manual, June 2024)
  • PDF software is blocked from creating child processes. (Control: ISM-1670; Revision: 0, Australian Government Information Security Manual, June 2024)
  • Application control restricts the execution of drivers to an organisation-approved set. (Control: ISM-1658; Revision: 0, Australian Government Information Security Manual, June 2024)
  • Microsoft Office is blocked from creating executable content. (Control: ISM-1668; Revision: 0, Australian Government Information Security Manual, June 2024)
  • Microsoft Office is blocked from injecting code into other processes. (Control: ISM-1669; Revision: 0, Australian Government Information Security Manual, June 2024)
  • Microsoft Office macros in files originating from the internet are blocked. (Control: ISM-1488; Revision: 1, Australian Government Information Security Manual, June 2024)
  • Microsoft Office is blocked from creating child processes. (Control: ISM-1667; Revision: 0, Australian Government Information Security Manual, June 2024)
  • Only trusted and supported operating systems, applications and code can execute on systems. (PROTECT-6:, Australian Government Information Security Manual, June 2024)
  • Microsoft Office macros are only allowed to execute in documents from Trusted Locations where write access is limited to personnel whose role is to vet and approve macros. (Security Control: 1487; Revision: 0, Australian Government Information Security Manual, March 2021)
  • Application control is implemented on all servers to restrict the execution of executables, software libraries, scripts and installers to an approved set. (Security Control: 1490; Revision: 2, Australian Government Information Security Manual, March 2021)
  • Application control is implemented on all workstations to restrict the execution of executables, software libraries, scripts and installers to an approved set. (Security Control: 0843; Revision: 8, Australian Government Information Security Manual, March 2021)
  • Microsoft Office macros in documents originating from the internet are blocked. (Security Control: 1488; Revision: 0, Australian Government Information Security Manual, March 2021)
  • Only trusted and supported operating systems, applications and computer code can execute on systems. (P6:, Australian Government Information Security Manual, September 2023)
  • PDF software is blocked from creating child processes. (Control: ISM-1670; Revision: 0, Australian Government Information Security Manual, September 2023)
  • Application control restricts the execution of drivers to an organisation-approved set. (Control: ISM-1658; Revision: 0, Australian Government Information Security Manual, September 2023)
  • Application control restricts the execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets to an organisation-approved set. (Control: ISM-1657; Revision: 0, Australian Government Information Security Manual, September 2023)
  • Microsoft Office is blocked from creating executable content. (Control: ISM-1668; Revision: 0, Australian Government Information Security Manual, September 2023)
  • Microsoft Office is blocked from injecting code into other processes. (Control: ISM-1669; Revision: 0, Australian Government Information Security Manual, September 2023)
  • Microsoft Office macros in files originating from the internet are blocked. (Control: ISM-1488; Revision: 1, Australian Government Information Security Manual, September 2023)
  • Microsoft Office is blocked from creating child processes. (Control: ISM-1667; Revision: 0, Australian Government Information Security Manual, September 2023)
  • preventing the execution of mobile code; (6.6.1 ¶ 1(a), IEC 62443-3-3: Industrial communication networks – Network and system security – Part 3-3: System security requirements and security levels, Edition 1)
  • The host device shall provide the capability to enforce a security policy that allows the device to control execution of mobile code based on the results of an authenticity check prior to the code being executed. (14.2.3 (1) ¶ 1, IEC 62443-4-2: Security for industrial automation and control systems – Part 4-2: Technical security requirements for IACS components, Edition 1.0)
  • control the code execution based upon integrity checks on mobile code and prior to the code being executed (15.4.1 ¶ 1 c), IEC 62443-4-2: Security for industrial automation and control systems – Part 4-2: Technical security requirements for IACS components, Edition 1.0)
  • control the code execution based upon integrity checks on the mobile code and prior to the code being executed. (14.2.1 ¶ 1 c), IEC 62443-4-2: Security for industrial automation and control systems – Part 4-2: Technical security requirements for IACS components, Edition 1.0)
  • Control execution of mobile code; (13.2.1 ¶ 1 a), IEC 62443-4-2: Security for industrial automation and control systems – Part 4-2: Technical security requirements for IACS components, Edition 1.0)
  • control execution of mobile code; (14.2.1 ¶ 1 a), IEC 62443-4-2: Security for industrial automation and control systems – Part 4-2: Technical security requirements for IACS components, Edition 1.0)
  • control execution of mobile code; (15.4.1 ¶ 1 a), IEC 62443-4-2: Security for industrial automation and control systems – Part 4-2: Technical security requirements for IACS components, Edition 1.0)
  • Verify that the application correctly restricts XML parsers to only use the most restrictive configuration possible and to ensure that unsafe features such as resolving external entities are disabled to prevent XML eXternal Entity (XXE) attacks. (5.5.2, Application Security Verification Standard 4.0.3, 4.0.3)
  • Verify that the application employs integrity protections, such as code signing or subresource integrity. The application must not load or execute code from untrusted sources, such as loading includes, modules, plugins, code, or libraries from untrusted sources or the Internet. (10.3.2, Application Security Verification Standard 4.0.3, 4.0.3)
  • Verify the device uses code signing and validates code before execution. (C.30, Application Security Verification Standard 4.0.3, 4.0.3)
  • Verify that the application avoids the use of eval() or other dynamic code execution features. Where there is no alternative, any user input being included must be sanitized or sandboxed before being executed. (5.2.4, Application Security Verification Standard 4.0.3, 4.0.3)
  • Verify that memory protection controls such as ASLR and DEP are enabled by the embedded/IoT operating system, if applicable. (C.3, Application Security Verification Standard 4.0.3, 4.0.3)
  • Installation and execution of unauthorized software are prevented (PR.PS-05, The CRI Profile, v2.0)
  • Control the code execution based upon integrity checks on mobile code and prior to the code being executed (15.4.1 ¶ 1 (c), Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • Mobile code technologies include, but are not limited to, Java, JavaScript, ActiveX, PDF, Postscript, Shockwave movies, Flash animations and VBScript. Usage restrictions apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual work… (13.2.2 ¶ 1, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • Control execution of mobile code; (13.2.1 ¶ 1 (a), Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • Control execution of mobile code; (12.2.1 ¶ 1 (a), Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • Control execution of mobile code; (14.2.1 ¶ 1 (a), Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • The host device shall provide the capability to enforce a security policy that allows the device to control execution of mobile code based on the results of an authenticity check prior to the code being executed. (14.2.3 (1) ¶ 1, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • Control execution of mobile code; (15.4.1 ¶ 1 (a), Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • Control the code execution based upon integrity checks on the mobile code and prior to the code being executed. (14.2.1 ¶ 1 (c), Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • The information system implements [Assignment: organization-defined security safeguards] to protect its memory from unauthorized code execution. (SI-16 Control, StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • The information system implements [Assignment: organization-defined security safeguards] to protect its memory from unauthorized code execution. (SI-16 Control, StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • The information system implements [Assignment: organization-defined security safeguards] to protect its memory from unauthorized code execution. (SI-16 Control, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The information system implements [Assignment: organization-defined security safeguards] to protect its memory from unauthorized code execution. (SI-16 Control, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library loading mechanisms and investigating potential vulnerable software. (M1044 Restrict Library Loading, MITRE ATT&CK®, Enterprise Mitigations, Version 13.1)
  • Block execution of code on a system through application control, and/or script blocking. (M1038 Execution Prevention, MITRE ATT&CK®, Enterprise Mitigations, Version 13.1)
  • The information system implements [Assignment: organization-defined security safeguards] to protect its memory from unauthorized code execution. (SI-16 Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The information system implements [Assignment: organization-defined security safeguards] to protect its memory from unauthorized code execution. (SI-16 Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The information system implements [Assignment: organization-defined security safeguards] to protect its memory from unauthorized code execution. (SI-16 High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Implement the following controls to protect the system memory from unauthorized code execution: [Assignment: organization-defined controls]. (SI-16 Control, FedRAMP Security Controls High Baseline, Version 5)
  • Implement the following controls to protect the system memory from unauthorized code execution: [Assignment: organization-defined controls]. (SI-16 Control, FedRAMP Security Controls Moderate Baseline, Version 5)
  • Implement the following controls to protect the system memory from unauthorized code execution: hardware-based or software-based data execution prevention. (SI-16 ¶ 1, Internal Revenue Service, Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies, Rev. 11-2021)
  • Implement the following controls to protect the system memory from unauthorized code execution: [Assignment: organization-defined controls]. (SI-16 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Implement the following controls to protect the system memory from unauthorized code execution: [Assignment: organization-defined controls]. (SI-16 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Installation and execution of unauthorized software are prevented (PR.PS-05, Framework for Improving Critical Infrastructure Cybersecurity, v2.0)
  • The information system implements [Assignment: organization-defined security safeguards] to protect its memory from unauthorized code execution. (SI-16 Control: High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The information system implements [Assignment: organization-defined security safeguards] to protect its memory from unauthorized code execution. (SI-16 Control: Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The information system implements {organizationally documented security safeguards} to protect its memory from unauthorized code execution. (SI-16 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system implements {organizationally documented security safeguards} to protect its memory from unauthorized code execution. (SI-16 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system implements {organizationally documented security safeguards} to protect its memory from unauthorized code execution. (SI-16 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system implements [Assignment: organization-defined security safeguards] to protect its memory from unauthorized code execution. (SI-16 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The information system implements [Assignment: organization-defined security safeguards] to protect its memory from unauthorized code execution. (SI-16 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • The information system implements [Assignment: organization-defined security safeguards] to protect its memory from unauthorized code execution. (SI-16 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Implement the following controls to protect the system memory from unauthorized code execution: [Assignment: organization-defined controls]. (SI-16 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Implement the following controls to protect the system memory from unauthorized code execution: [Assignment: organization-defined controls]. (SI-16 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • The process that validates the application's executable code integrity mechanism checksum or hash should be invoked every time the application is executed to ensure that the application's executable code state has not changed since the original integrity mechanism was applied. If this validation fai… (INPUT VALIDATION AND DATA INTEGRITY DATA INTEGRITY CONTROLS: ¶ 24, Guideline 661G1: Application Security, 661G1-01)
  • The application should find and validate the digital signature and any hash, checksum, or other additional integrity mechanism applied to that code prior to executing it. If the code's integrity mechanism cannot be validated, or is not present, the application should discard the code without executi… (INPUT VALIDATION AND DATA INTEGRITY DATA INTEGRITY CONTROLS: ¶ 20, Guideline 661G1: Application Security, 661G1-01)
  • validates the digital signature on the code. (INPUT VALIDATION AND DATA INTEGRITY DATA INTEGRITY CONTROLS: ¶ 25 Bullet 2, Guideline 661G1: Application Security, 661G1-01)
  • verifies that the code has been digitally signed; and (INPUT VALIDATION AND DATA INTEGRITY DATA INTEGRITY CONTROLS: ¶ 25 Bullet 1, Guideline 661G1: Application Security, 661G1-01)
  • The information system implements [Assignment: organization-defined security safeguards] to protect its memory from unauthorized code execution. (SI-16 Control, TX-RAMP Security Controls Baseline Level 1)
  • The information system implements [Assignment: organization-defined security safeguards] to protect its memory from unauthorized code execution. (SI-16 Control, TX-RAMP Security Controls Baseline Level 2)