Application control is implemented on internet-facing servers
Ensure only approved applications can run on servers accessible from the internet.
Plain language
This control is about making sure that only software you have approved can run on servers that people outside your organisation can reach over the internet. It matters because these servers are the first thing an attacker touches: if unapproved or malicious programs can run on them, an attacker who gets a foothold can steal information, cause disruption, or damage your reputation.
Framework
ASD Essential Eight
Control effect
Preventative
E8 mitigation strategy
Application control
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML2
Official control statement
Application control is implemented on internet-facing servers.
Why it matters
Without application control on internet-facing servers, an attacker who gains a foothold through an exposed service can drop and run unauthorised executables or scripts, turning that initial access into web shell deployment, lateral movement and data exfiltration.
Operational notes
Maintain a tested allowlist on each internet-facing server: review additions and changes after patching and deployments, trial rule changes in audit mode before enforcing them, and alert on every blocked (or, in audit mode, would-have-been-blocked) execution attempt, since on a proven allowlist each one is either a misconfiguration or an intrusion.
Implementation tips
- IT team: build a software inventory of every internet-facing server and confirm that each executable, script, installer and library on it is approved and documented; anything not approved is removed before rules are written.
- System administrator: configure application control (for example Microsoft AppLocker or Windows Defender Application Control) so that only the approved software can run, using publisher or hash rules where possible; a path rule covering a location that an application or user can write to gives little protection.
- Security officer: ensure Microsoft's recommended application blocklist is included in the application control policy so that applications known to be abused cannot run, and refresh it whenever Microsoft updates the list.
- IT team: review and document the application control rules at least annually, and whenever the server's software changes, so they keep pace with organisational changes.
- System administrator: forward application control events (allowed, audited and blocked executions) to central logging so that what runs on the servers can be monitored and blocked attempts can be alerted on.
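Added worked example (not from the Control Stack page or from ASD): a PowerShell walkthrough of the procedure in the operational notes and tips above, on a Windows server using AppLocker. It inventories the approved directories, generates publisher and hash allow rules, deploys them in audit mode, tests the policy against sample files, and pulls the audit and block events that should be forwarded to central logging. The directory and file paths and the one-day lookback are assumptions chosen for illustration; Microsoft's recommended application blocklist is a separate rule set that would be merged in the same way as the generated policy.

```powershell
# Added example, not the page's own code. Assumed (not stated on the page): Windows Server with
# the AppLocker module, the Application Identity service, and the placeholder paths below.

Import-Module AppLocker

# AppLocker only enforces while the Application Identity service runs. On current Windows the
# service is protected, so its startup type is changed with sc.exe rather than Set-Service.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# 1. Inventory: collect publisher and hash information for what is actually installed in the
#    approved locations, so the allowlist reflects the server rather than someone's memory.
#    C:\Windows is included because the OS itself must stay runnable. (Placeholder paths.)
$approvedDirs = 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)', 'C:\inetpub\wwwroot\bin'
$inventory = foreach ($dir in $approvedDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Dll, Script
}
$inventory | Select-Object Path, Publisher, Hash |
    Export-Csv -Path 'C:\Temp\applocker-inventory.csv' -NoTypeInformation   # evidence for audit

# 2. Allowlist: publisher rules survive patching as long as the signer stays the same; unsigned
#    files fall back to hash rules and must be regenerated after every change. No path rules are
#    generated, because a writable path would let an attacker drop a file that matches the rule.
$policy = $inventory |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -RuleNamePrefix 'Approved' -Optimize

# 3. Deploy in audit mode first: every rule collection is set to AuditOnly so nothing legitimate
#    is blocked until the audit events (step 5) have been clean for a change window.
[xml]$xml = $policy.ToXml()
foreach ($rc in $xml.AppLockerPolicy.RuleCollection) { $rc.SetAttribute('EnforcementMode', 'AuditOnly') }
$xml.Save('C:\Temp\applocker-audit.xml')
Set-AppLockerPolicy -XmlPolicy 'C:\Temp\applocker-audit.xml' -Merge

# 4. Test before relying on it: a decision of Allowed should name the matching rule;
#    DeniedByDefaultRule means nothing in the allowlist covers the file. (Placeholder paths.)
Test-AppLockerPolicy -XmlPolicy 'C:\Temp\applocker-audit.xml' -User Everyone `
    -Path 'C:\Windows\System32\cmd.exe', 'C:\inetpub\wwwroot\bin\app.dll' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. Monitoring: 8003/8006 are "would have been blocked" (audit mode), 8004/8007 are real blocks.
#    Each record is reduced to the fields a central log or alert needs; the message text for
#    these events starts with the file path followed by " was ...".
$logs = 'Microsoft-Windows-AppLocker/EXE and DLL', 'Microsoft-Windows-AppLocker/MSI and Script'
$events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = $logs
    Id        = 8003, 8004, 8006, 8007
    StartTime = (Get-Date).AddDays(-1)   # assumed lookback window
} | ForEach-Object {
    [pscustomobject]@{
        Time = $_.TimeCreated
        Mode = if ($_.Id -in 8003, 8006) { 'Audit' } else { 'Blocked' }
        User = $_.UserId
        File = ($_.Message -split ' was ')[0]
    }
}
$events | Sort-Object Time -Descending | Format-Table -AutoSize
```

Once the audit window is clean, the same XML is re-applied with EnforcementMode set to Enabled. The two AppLocker channels queried in step 5 are what a Windows Event Forwarding subscription or SIEM agent should collect from every internet-facing server; keeping them only on the server leaves the evidence where an attacker who has just been blocked can tamper with it.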
Audit / evidence tips
- Ask: Does the organisation have a policy to approve and control software on internet-facing servers?
  Good: There is a documented and current application control policy with a list of approved software that matches the application control settings.
- Ask: How are application control event logs managed and analysed?
  Good: Logs are centrally stored, protected from unauthorised changes, and regularly reviewed for suspicious activity.
Cross-framework mappings
How E8-AC-ML2.1 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Relationship | Notes |
|---|---|---|
| Annex A 8.18 | Partially overlaps | E8-AC-ML2.1 requires application control on internet-facing servers to prevent unapproved code execution |
| Annex A 8.19 | Partially overlaps | E8-AC-ML2.1 requires application control on internet-facing servers to prevent execution of unapproved software |
ASD ISM
| Control | Relationship | Notes |
|---|---|---|
| ISM-1656 | Partially overlaps | ISM-1656 requires application control to be implemented on non-internet-facing servers to reduce execution of unauthorised software in se... |
| ISM-0955 | Supports | E8-AC-ML2.1 requires application control to be implemented on internet-facing servers |
| ISM-1483 | Supports | ISM-1483 requires the latest release of internet-facing server applications to be used to reduce exploitation risk |
| ISM-1657 | Supports | E8-AC-ML2.1 requires application control on internet-facing servers to ensure only approved applications run |
| ISM-1658 | Supports | E8-AC-ML2.1 requires application control on internet-facing servers to prevent unauthorised code from running |
| ISM-1871 | Supports | ISM-1871 defines where application control should and should not be applied, specifically excluding user profiles and temporary folders |
| ISM-1392 | Depends on | E8-AC-ML2.1 requires application control on internet-facing servers, often relying on allow rules to constrain what can run |
| ISM-1746 | Depends on | E8-AC-ML2.1 requires application control on internet-facing servers to limit execution to approved applications |
| ISM-1490 | Related | E8-AC-ML2.1 requires application control to be implemented on internet-facing servers so only approved applications can execute |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.