Create User Groups for Access to Allowed Applications
Safely enabling applications means not only defining
the list of applications you want to allow, but also enabling access
only for those users who have a legitimate business need. For example,
some applications, such as SaaS applications that provide access
to Human Resources services (such as Workday or ServiceNow), must
be available to any known user on your network. However, for more
sensitive applications you can reduce your attack surface by ensuring
that only users who need these applications can access them. For
example, while IT support personnel may legitimately need access
to remote desktop applications, the majority of your users do not.
Limiting user access to applications closes potential avenues an
attacker could use to gain access to, and control over, systems
in your network.
For each application allow rule you define, identify the
user groups that have a legitimate business need for the applications
allowed by the rule. Keep in mind that because the best practice
approach is to map the application allow rules to your business
goals (which includes considering which users have a business need
for a particular type of application), you will have a much smaller
number of rules to manage than if you were trying to map individual
port-based rules to users.
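As an added illustration of the two points above (rules scoped to the user groups with a business need, and "any known user" reserved for applications everyone needs), the following Python is example code, not part of this document or of any vendor product. It models an application allow rule as a set of applications plus a set of source user groups, evaluates whether a given user is permitted an application, and audits a rule set for sensitive applications exposed to every known user. The rule names, application names, group names, the user-to-group directory and the list of sensitive applications are all constructed for the example; how a real firewall resolves group membership (for instance from AD or LDAP group mapping) is outside what this snippet shows.

```python
"""Least-privilege check for application allow rules keyed to user groups.

Example code written for this page; the rule model, sample rules, directory
and sensitive-application list are constructed assumptions, not product data.
"""
from dataclasses import dataclass

# Special source-user value meaning "any user the firewall has identified".
KNOWN_USER = "known-user"

# Constructed list of applications too sensitive to expose to all known users.
SENSITIVE_APPS = frozenset({"ms-rdp", "ssh", "vnc", "teamviewer"})


@dataclass(frozen=True)
class AllowRule:
    name: str
    applications: frozenset   # applications this rule allows
    source_users: frozenset   # user groups, or {KNOWN_USER}


# Constructed user -> group mapping standing in for AD / LDAP group lookups.
DIRECTORY = {
    "alice": frozenset({"all-staff", "it-support"}),
    "bob": frozenset({"all-staff"}),
}

# Rules mapped to business goals: HR SaaS for everyone identified,
# remote desktop only for the IT support group.
RULES = [
    AllowRule("allow-hr-saas",
              frozenset({"workday", "servicenow"}), frozenset({KNOWN_USER})),
    AllowRule("allow-remote-desktop",
              frozenset({"ms-rdp"}), frozenset({"it-support"})),
]

# A deliberately over-broad rule, to show what the audit flags.
TOO_BROAD_RULES = [
    AllowRule("allow-rdp-everyone",
              frozenset({"ms-rdp"}), frozenset({KNOWN_USER})),
]


def is_allowed(rules, user_groups, app):
    """Return the name of the first rule that allows `app` for a user with
    `user_groups`, or None.  `user_groups=None` means the user could not be
    identified, so rules scoped to KNOWN_USER do not match either."""
    for rule in rules:
        if app not in rule.applications:
            continue
        if user_groups is None:
            continue                       # unidentified user: no user-scoped rule matches
        if KNOWN_USER in rule.source_users:
            return rule.name               # any identified user qualifies
        if rule.source_users & user_groups:
            return rule.name               # user is in at least one allowed group
    return None


def audit_rules(rules):
    """Return names of rules that allow a sensitive application to every
    known user, i.e. rules that should be narrowed to a specific group."""
    return [
        rule.name for rule in rules
        if KNOWN_USER in rule.source_users and rule.applications & SENSITIVE_APPS
    ]


if __name__ == "__main__":
    print("alice -> ms-rdp:", is_allowed(RULES, DIRECTORY["alice"], "ms-rdp"))
    print("bob   -> ms-rdp:", is_allowed(RULES, DIRECTORY["bob"], "ms-rdp"))
    print("bob   -> workday:", is_allowed(RULES, DIRECTORY["bob"], "workday"))
    print("over-broad rules:", audit_rules(TOO_BROAD_RULES))
```

The audit function is the part worth keeping in a real change-control process: run it over every proposed allow rule, and treat a sensitive application paired with "any known user" as a finding to be scoped to a named group before the rule is committed.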
If you don't have an existing group on your Active Directory (AD) server,
you can alternatively create custom LDAP groups to match the
list of users who need access to a particular application.