Essential 8 Implementation Guide for MSP Workers
The Australian Signals Directorate (ASD) Essential 8 is the baseline cyber security framework for Australian government agencies and increasingly for private sector organisations. As an MSP worker, you'll be implementing these controls across multiple clients. This guide covers practical implementation, not theory.
What Are the Essential 8?
The Essential 8 are eight prioritised mitigation strategies designed to make it harder for adversaries to compromise systems:
- Application control
- Patch applications
- Configure Microsoft Office macro settings
- User application hardening
- Restrict administrative privileges
- Patch operating systems
- Multi-factor authentication
- Regular backups
Maturity Levels
Each control has four maturity levels:
- Level 0 — Controls not aligned with intent
- Level 1 — Partly aligned with intent
- Level 2 — Mostly aligned with intent
- Level 3 — Fully aligned with intent
Control 1: Application Control
What It Does
Prevents execution of unapproved/malicious programs including .exe, DLL, scripts, and installers.
Practical Implementation
Level 1:
- Identify and inventory all authorised applications
- Implement application whitelisting on workstations
- Use Microsoft AppLocker or Windows Defender Application Control (WDAC)
Level 2:
- Extend to servers
- Implement application control on internet-facing servers
- Regular review of whitelists
Level 3:
- Application control on all executables, libraries, scripts, and installers
- Block execution from user-writable directories
- Centrally log and monitor application control events
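An added example (not from this guide) of how the Level 1 inventory step and the Level 3 logging step fit together with AppLocker: build a baseline policy from a reference workstation, deploy it in audit mode, then review what would have been blocked before enforcing. It assumes the AppLocker module is available (Enterprise/Education client SKUs or Windows Server) and uses C:\Temp\AppLocker-Baseline.xml as an arbitrary output path.

```powershell
# Added example, not the guide's own code. Builds an AppLocker baseline from a
# reference workstation, applies it in audit mode, and reports audit events.
Import-Module AppLocker

# 1. Inventory what is actually installed. Publisher rules are preferred because
#    they survive patching; hash rules are the fallback for unsigned binaries.
$dirs = 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows'
$fileInfo = foreach ($d in $dirs) {
    Get-AppLockerFileInformation -Directory $d -Recurse -FileType Exe, Dll, Script, WindowsInstaller
}

# 2. Generate the policy. $policyPath is an assumed location.
$policyPath = 'C:\Temp\AppLocker-Baseline.xml'
New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
    -RuleNamePrefix 'Baseline' -User Everyone -Optimize -Xml |
    Out-File -FilePath $policyPath -Encoding utf8

# New-AppLockerPolicy leaves EnforcementMode="NotConfigured"; set AuditOnly so the
# pilot period logs instead of blocks.
[xml]$xml = Get-Content -Path $policyPath
foreach ($rc in $xml.AppLockerPolicy.RuleCollection) { $rc.EnforcementMode = 'AuditOnly' }
$xml.Save($policyPath)

# Apply locally on the pilot machine (use -Ldap to target a GPO in production).
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# 3. Review the audit trail. 8003/8006 = audit mode "would have blocked",
#    8004/8007 = enforced block. Legitimate entries need a rule before enforcing.
function Get-AppLockerWouldBlock {
    param([int]$Days = 7)
    $logs = 'Microsoft-Windows-AppLocker/EXE and DLL', 'Microsoft-Windows-AppLocker/MSI and Script'
    Get-WinEvent -FilterHashtable @{ LogName = $logs; Id = 8003, 8004, 8006, 8007
                                     StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
            [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; User = $data.TargetUser; File = $data.FilePath }
        } |
        Group-Object File | Sort-Object Count -Descending |
        Select-Object Count, Name -First 25
}

Get-AppLockerWouldBlock | Format-Table -AutoSize
```

Run the report for the whole pilot period before flipping EnforcementMode to Enabled; a file that appears here once per user per day is usually a business application missing from the inventory rather than malware.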
Common Pitfalls
- Blocking legitimate business applications
- Not updating whitelists when software changes
- Forgetting about PowerShell scripts and macros
- Not testing before deployment
MSP Tip
Create standard application whitelists per client type (e.g., law firm, medical practice, construction) and maintain them centrally.
Control 2: Patch Applications
What It Does
Patches security vulnerabilities in applications within a defined timeframe.
Practical Implementation
Level 1:
- Patch internet-facing applications within 48 hours of release
- Patch other applications within one month
- Use automated patch management tools
Level 2:
- Automated deployment with verification
- Regular vulnerability scanning to confirm patches applied
- Document exceptions and compensating controls
Level 3:
- Automated scanning and deployment
- Patch within 48 hours for all critical vulnerabilities
- Regular testing of patch deployment processes
Common Pitfalls
- Forgetting about third-party applications (Java, Adobe, Chrome)
- Patching test environment but not production
- Not having a rollback plan
- Client resistance to downtime for patching
MSP Tip
Use your RMM tool's patch management module. Set up automated scanning and deployment schedules. Document all exceptions in a central register.
Control 3: Configure Microsoft Office Macro Settings
What It Does
Blocks or restricts macros to prevent malware delivery via Office documents.
Practical Implementation
Level 1:
- Block macros from the internet
- Only allow macros from trusted locations
- Disable macros for users who don't need them
Level 2:
- Only allow macros digitally signed by trusted publishers
- Block all macros except those explicitly approved
- Log macro execution events
Level 3:
- Macros only allowed from digitally signed trusted publishers
- Block macros from internet zone entirely
- Centrally log and monitor all macro activity
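An added example (not from this guide) showing the per-user Office policy registry values that implement the "block from the internet" and "disable / signed-only" settings above, with an audit function that reports where the Office default is still in effect. It assumes Office 2016 or later / Microsoft 365 Apps (the 16.0 policy hive) and that it runs in the target user's context; the same values can be delivered by Group Policy or Intune.

```powershell
# Added example, not the guide's own code. Applies and audits the Office macro
# policy keys for Word, Excel, PowerPoint and Access (Control 3).
$apps = 'Word', 'Excel', 'PowerPoint', 'Access'

# VBAWarnings: 4 = disable all macros without notification (users who don't need them)
#              3 = disable all except digitally signed macros (users with approved macros)
# blockcontentexecutionfrominternet: 1 = block macros in files carrying Mark-of-the-Web
function Set-OfficeMacroPolicy {
    param([ValidateSet('NoMacros', 'SignedOnly')][string]$Mode)
    $vba = if ($Mode -eq 'NoMacros') { 4 } else { 3 }
    foreach ($app in $apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name VBAWarnings -Value $vba -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

# A missing value means the user still has the Office default (a notification bar the
# user can click through), not a policy-enforced setting, so it is reported as non-compliant.
function Get-OfficeMacroPolicy {
    foreach ($app in $apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $vba  = $p.VBAWarnings
        $motw = $p.blockcontentexecutionfrominternet
        [pscustomobject]@{
            App         = $app
            VBAWarnings = if ($null -ne $vba)  { $vba }  else { 'not set' }
            BlockMotW   = if ($null -ne $motw) { $motw } else { 'not set' }
            Compliant   = ($vba -in @(3, 4)) -and ($motw -eq 1)
        }
    }
}

Set-OfficeMacroPolicy -Mode NoMacros
Get-OfficeMacroPolicy | Format-Table -AutoSize
```

For the users identified as needing macros, apply `-Mode SignedOnly` and add their publisher certificate to Trusted Publishers; leaving VBAWarnings unset for them reintroduces the click-through prompt.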
Common Pitfalls
- Blocking macros breaks business processes
- Users finding workarounds (copying files to local drives)
- Not updating trusted publisher lists
- Forgetting about VBA in Access databases
MSP Tip
Many clients rely on macro-enabled Excel spreadsheets. Work with them to identify legitimate macro use cases before blocking everything.
Control 4: User Application Hardening
What It Does
Configures web browsers and applications to block or restrict Flash, Java, web advertisements, and other risky features.
Practical Implementation
Level 1:
- Block Flash, Java, and web advertisements in browsers
- Block web advertisements in Microsoft Office
- Disable unneeded features in Office applications
Level 2:
- Block PowerShell, Windows Script Host, and HTA files for standard users
- Block execution of scripts from user-writable directories
- Disable .NET Framework 3.5 (unless needed)
Level 3:
- Block all web advertisement content
- Block all Microsoft Office child processes
- Block PowerShell for standard users
- Centrally log and monitor blocked events
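An added example (not from this guide) for the "block all Microsoft Office child processes" item: it uses the Microsoft Defender Attack Surface Reduction rule of that name, rolls it out in audit mode, and reads the audit events so exclusions can be added before enforcement. It assumes Microsoft Defender Antivirus is the active engine and the script runs elevated.

```powershell
# Added example, not the guide's own code. Pilots the ASR rule "Block all Office
# applications from creating child processes" (Control 4, Level 3) in audit mode.
$officeChildProc = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

function Set-AsrRuleMode {
    param([string]$RuleId, [ValidateSet('AuditMode', 'Enabled', 'Disabled')][string]$Mode)
    # Add-MpPreference updates the action when the rule ID is already configured.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions $Mode
}

function Get-AsrRuleMode {
    param([string]$RuleId)
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $RuleId) {
            # Actions are returned numerically: 0 Disabled, 1 Block, 2 Audit, 6 Warn
            return switch ($pref.AttackSurfaceReductionRules_Actions[$i]) {
                0 { 'Disabled' } 1 { 'Enabled' } 2 { 'AuditMode' } 6 { 'Warn' } default { "Unknown($_)" }
            }
        }
    }
    return 'NotConfigured'
}

# Event 1122 = ASR audit (would have blocked), 1121 = ASR enforced block.
function Get-AsrEvents {
    param([string]$RuleId, [int]$Days = 14)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'
                                     Id = 1121, 1122; StartTime = (Get-Date).AddDays(-$Days) } `
                 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $RuleId } |
        ForEach-Object {
            # The message body names the rule ID, the Office process and the child it launched.
            [pscustomobject]@{ Time = $_.TimeCreated
                               Mode = if ($_.Id -eq 1122) { 'Audit' } else { 'Block' }
                               Detail = $_.Message }
        }
}

Set-AsrRuleMode -RuleId $officeChildProc -Mode AuditMode
Get-AsrRuleMode -RuleId $officeChildProc
# After the pilot: any legitimate add-in listed here needs an exclusion
# (Add-MpPreference -AttackSurfaceReductionOnlyExclusions) before switching to Enabled.
Get-AsrEvents -RuleId $officeChildProc | Format-List
```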
Common Pitfalls
- Blocking JavaScript breaks legitimate web applications
- Disabling .NET 3.5 breaks legacy applications
- Users needing PowerShell for legitimate automation
MSP Tip
Use Group Policy or Intune to apply these settings centrally. Test with a pilot group before full deployment.
Control 5: Restrict Administrative Privileges
What It Does
Limits admin access to only those who need it, reducing the attack surface.
Practical Implementation
Level 1:
- Admin accounts used only for administrative tasks
- Separate admin accounts from daily-use accounts
- Implement just-in-time (JIT) access where possible
Level 2:
- Privileged access automatically expires after 12 months
- Privileged access to systems validated every 6 months
- Admin actions logged and monitored
Level 3:
- Privileged access automatically expires after 45 days
- Revalidation every 3 months
- Real-time monitoring of privileged account usage
- Just-in-time administration with time-limited access
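An added example (not from this guide) for on-premises Active Directory: time-limited membership of Tier 0 groups, which is what "access expires after 45 days" means in practice, plus a report of members that breach the policy. It assumes the ActiveDirectory module, the forest-level Privileged Access Management optional feature (required for `-MemberTimeToLive`), and an assumed naming convention where dedicated admin accounts end in "-adm".

```powershell
# Added example, not the guide's own code. Time-limited privileged group membership
# and a stale-admin report (Control 5, Level 3).
Import-Module ActiveDirectory

$tier0Groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$maxDays = 45   # access expires after 45 days unless revalidated

# AD removes the member automatically when the TTL lapses (no ticket to forget).
function Grant-TemporaryAdmin {
    param([string]$User, [string]$Group, [int]$Days = $maxDays)
    Add-ADGroupMember -Identity $Group -Members $User -MemberTimeToLive (New-TimeSpan -Days $Days)
}

# Flags: permanent membership, no logon within $maxDays, or a non-dedicated account.
function Get-PrivilegedAccessReport {
    foreach ($g in $tier0Groups) {
        $grp = Get-ADGroup -Identity $g -Properties member -ShowMemberTimeToLive
        foreach ($entry in $grp.member) {
            # With -ShowMemberTimeToLive, temporary members read "<TTL=seconds>,CN=..."
            $ttl = $null; $dn = $entry
            if ($entry -match '^<TTL=(\d+)>,(.*)$') { $ttl = [int]$Matches[1]; $dn = $Matches[2] }
            $u = Get-ADObject -Identity $dn -Properties lastLogonTimestamp, sAMAccountName
            if ($u.ObjectClass -ne 'user') { continue }   # nested groups: expand separately
            $lastLogon = if ($u.lastLogonTimestamp) { [DateTime]::FromFileTime($u.lastLogonTimestamp) } else { $null }
            [pscustomobject]@{
                Group     = $g
                Account   = $u.sAMAccountName
                TtlDays   = if ($ttl) { [math]::Round($ttl / 86400, 1) } else { 'permanent' }
                LastLogon = $lastLogon
                Finding   = @(
                    if (-not $ttl) { 'no expiry' }
                    if ($lastLogon -and $lastLogon -lt (Get-Date).AddDays(-$maxDays)) { "inactive > $maxDays days" }
                    if ($u.sAMAccountName -notlike '*-adm') { 'not a dedicated admin account' }
                ) -join '; '
            }
        }
    }
}

Get-PrivilegedAccessReport | Where-Object Finding | Format-Table -AutoSize
```

The report is the evidence for the 3-monthly revalidation: every row with a finding is either revalidated (re-granted with a fresh TTL) or removed.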
Common Pitfalls
- "Domain Admin" accounts used for daily email
- Shared admin credentials
- Not revoking access when staff leave
- Admin accounts not monitored for compromise
MSP Tip
Implement Azure AD PIM (Privileged Identity Management) or similar for JIT access. Use separate admin accounts for every technician. This is critical for MSP environments where many people need elevated access.
Control 6: Patch Operating Systems
What It Does
Patches security vulnerabilities in operating systems within a defined timeframe.
Practical Implementation
Level 1:
- Patch within one month of release
- Use automated OS patching tools
- Include server operating systems
Level 2:
- Automated deployment with verification
- Regular scanning to confirm patches applied
- Document exceptions
Level 3:
- Patch within 48 hours for critical vulnerabilities
- Automated scanning and deployment
- Regular testing of patch processes
Common Pitfalls
- Server patching causes downtime
- Legacy operating systems that can't be patched
- Not patching network devices (routers, switches, firewalls)
- Client reluctance to approve patching windows
MSP Tip
Negotiate patching windows during client onboarding. Establish a standard patching schedule (e.g., second Tuesday of each month) and stick to it.
Control 7: Multi-Factor Authentication
What It Does
Requires two or more forms of authentication to verify user identity.
Practical Implementation
Level 1:
- MFA for all users when accessing internet-facing services
- MFA for all privileged actions
- MFA for all remote access (VPN, RDP)
Level 2:
- MFA using phishing-resistant methods (FIDO2, hardware tokens)
- MFA for all authentication events
- Disable SMS-based MFA where possible
Level 3:
- MFA for all users and all authentication events
- Phishing-resistant MFA only
- MFA for all privileged access
- Central logging and monitoring of MFA events
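An added example (not from this guide) of the two Conditional Access policies that cover the privileged-access and all-users items above in Microsoft Entra ID (Azure AD), created with the Microsoft Graph PowerShell SDK in report-only mode so sign-in logs can be reviewed before enforcement. It assumes the Microsoft.Graph module and an account holding Policy.ReadWrite.ConditionalAccess; the break-glass account object ID is a placeholder.

```powershell
# Added example, not the guide's own code. Creates a phishing-resistant MFA policy for
# Global Administrators and an MFA-for-everyone policy (Control 7), both report-only.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$breakGlass      = '00000000-0000-0000-0000-000000000000'   # PLACEHOLDER: emergency-access account object ID
$globalAdminRole = '62e90394-69f5-4237-9190-012177145e10'   # Global Administrator role template ID
$phishResistant  = '00000000-0000-0000-0000-000000000004'   # built-in "Phishing-resistant MFA" strength

$adminPolicy = @{
    displayName = 'CA-Admins-PhishingResistantMFA'
    state       = 'enabledForReportingButNotEnforced'      # set to 'enabled' after review
    conditions  = @{
        users          = @{ includeRoles = @($globalAdminRole); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    # authenticationStrength replaces the plain 'mfa' control: SMS and voice never satisfy it.
    grantControls = @{ operator = 'OR'; authenticationStrength = @{ id = $phishResistant } }
}

$allUsersPolicy = @{
    displayName = 'CA-AllUsers-MFA'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

foreach ($p in $adminPolicy, $allUsersPolicy) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $p | Select-Object DisplayName, State, Id
}
```

Always exclude the break-glass account and confirm it is monitored separately; an all-users policy with no exclusion can lock every administrator out if the MFA service is unavailable.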
Common Pitfalls
- Using SMS-based MFA (phishable)
- MFA fatigue attacks
- Not enforcing MFA for all accounts
- Forgetting service accounts
MSP Tip
Move clients to Microsoft Authenticator or FIDO2 keys. Block SMS-based MFA where possible. Use Conditional Access policies in Azure AD to enforce MFA based on risk.
Control 8: Regular Backups
What It Does
Ensures data can be restored after a cyber security incident or data loss event.
Practical Implementation
Level 1:
- Backup important data, software, and configuration settings
- Backups stored for 3-6 months
- Test restoration at least annually
Level 2:
- Backups of important data, software, and configuration
- Backups stored for 3-12 months
- Test restoration every 6 months
- Backups stored offline or in a separate location
Level 3:
- Unprivileged accounts can't access or modify backups
- Privileged accounts (except backup admin) can't access or modify backups
- Backup admin accounts have separate credentials
- Test restoration every 3 months
- Backup integrity monitoring
Common Pitfalls
- Backups that aren't tested
- Backups accessible to the same accounts as production data
- Not backing up cloud data (M365, Google Workspace)
- Backup retention too short for compliance requirements
MSP Tip
Use immutable backups (like Veeam with immutability or cloud-based backup with WORM). Test restores regularly and document results. Many MSPs skip restore testing — don't be one of them.
Common Pitfalls Across All Controls
- Not documenting exceptions — Every exception must be documented with a compensating control
- Client resistance — Some controls impact user experience; communicate the security benefit
- Overlooking third-party software — Not just Microsoft products
- Not monitoring — Implementation without monitoring is theatre
- Treating it as a one-time project — Essential 8 is ongoing; maturity levels require continuous maintenance
[!TIP] Start with Level 1 across all controls, then work up. Don't try to achieve Level 3 on one control while leaving others at Level 0. A balanced approach reduces risk more effectively.
Related Guides
- Essential 8 Maturity Model — Overview of the Essential 8 framework
- M365 Governance — M365 compliance and security
- Remote Work Security — Security checklist for remote work
- Incident Management — How to handle security incidents
- PowerShell Automation — Automate security tasks