The Essential Eight is the Australian Cyber Security Centre's prioritised list of eight mitigation strategies. It exists because thirty-plus enterprise security frameworks are unimplementable in an SMB, and "do everything" advice in practice means doing nothing. ML1 - Maturity Level 1 - is the lowest of three target levels, and it's the right starting point for most Australian SMBs.
This checklist is what we use as the baseline for new managed-service customers. It's opinionated about what's load-bearing, blunt about what's theatre, and structured around the evidence an ACSC-aligned assessor will actually ask for. The goal is not to score ML1 on a self-assessment - the goal is to genuinely implement the eight controls in a way your insurer, your auditor, and your next enterprise customer will accept.
We've written this with a mid-sized SMB in mind: 20 to 200 staff, Microsoft 365, mixed Windows and macOS endpoints, one or two key business applications, and an IT function that's either internal-and-stretched or fully outsourced. If you're outside that profile, the framework still applies but the specifics shift.
1. Application control
ML1 requires application control on internet-facing servers and on workstations that authenticate users. The intent is to prevent execution of arbitrary unauthorised code - the standard delivery vector for ransomware. The control is the single most effective mitigation on the list and also the most operationally invasive, which is why most SMBs skip it. They shouldn't.
For ML1, Microsoft's Defender Application Control or AppLocker in deny-by-default mode is the practical implementation on Windows. macOS is covered by the platform's built-in code-signing enforcement. We deploy application control in audit mode first to identify legitimate signed software in your environment, then transition to enforce. The transition is the work; the steady state is mostly invisible.
Evidence the assessor expects: the configured policy, a sample of attempted-but-blocked executions from the last 30 days, and the change record for the most recent policy update. The configuration is not the evidence - the live, recent block events are.
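As an added illustration of the audit-mode-to-enforce transition and the 30-day block-event evidence (this is not a tool from the page or from Microsoft), the script below triages a constructed AppLocker event export. It assumes the EXE and DLL log was exported to JSON with the fields shown, and that 8003 is the audit-mode "would have been blocked" event and 8004 the enforce-mode block.

```python
# Added illustration, not a tool from the page or from Microsoft. Assumes the
# "Microsoft-Windows-AppLocker/EXE and DLL" log was exported to JSON with the
# fields below. Event 8003 = audit mode, would have been blocked; 8004 = blocked.
# Fqbn is Publisher\Product\Binary\Version, or "-" when the file is unsigned.
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample export; publishers, paths and SIDs are placeholders.
SAMPLE_EVENTS = [
    {"TimeCreated": "2026-03-01T09:15:00Z", "Id": 8003, "TargetUser": "S-1-5-21-1",
     "FilePath": "%PROGRAMFILES%\\LEDGER\\LEDGER.EXE",
     "Fqbn": "O=EXAMPLE ACCOUNTING PTY LTD, C=AU\\LEDGER SUITE\\LEDGER.EXE\\4.2.0.0"},
    {"TimeCreated": "2026-03-02T10:00:00Z", "Id": 8003, "TargetUser": "S-1-5-21-1",
     "FilePath": "%PROGRAMFILES%\\LEDGER\\PAYROLL.EXE",
     "Fqbn": "O=EXAMPLE ACCOUNTING PTY LTD, C=AU\\LEDGER SUITE\\PAYROLL.EXE\\4.2.0.0"},
    {"TimeCreated": "2026-03-02T11:30:00Z", "Id": 8003, "TargetUser": "S-1-5-21-2",
     "FilePath": "%OSDRIVE%\\USERS\\JDOE\\DOWNLOADS\\SETUP.EXE", "Fqbn": "-"},
    {"TimeCreated": "2026-03-20T14:40:00Z", "Id": 8004, "TargetUser": "S-1-5-21-2",
     "FilePath": "%OSDRIVE%\\USERS\\ASMITH\\APPDATA\\LOCAL\\TEMP\\INVOICE.EXE", "Fqbn": "-"},
    {"TimeCreated": "2026-01-15T16:00:00Z", "Id": 8004, "TargetUser": "S-1-5-21-4",
     "FilePath": "%OSDRIVE%\\USERS\\BLEE\\DOWNLOADS\\TOOL.EXE", "Fqbn": "-"},
]

def _ts(iso):
    # Export timestamps carry a Z suffix; make them timezone-aware datetimes.
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def publisher_candidates(events):
    """Signed publishers seen in audit mode, ranked for publisher-rule review."""
    return Counter(e["Fqbn"].split("\\")[0] for e in events
                   if e["Id"] == 8003 and e["Fqbn"] != "-")

def unsigned_candidates(events):
    """Unsigned binaries that ran in audit mode: hash-rule them, or remove them."""
    return sorted({e["FilePath"] for e in events
                   if e["Id"] == 8003 and e["Fqbn"] == "-"})

def recent_blocks(events, now_iso, days=30):
    """Enforce-mode blocks inside the evidence window the assessor asks for."""
    cutoff = _ts(now_iso) - timedelta(days=days)
    return [e for e in events if e["Id"] == 8004 and _ts(e["TimeCreated"]) >= cutoff]

if __name__ == "__main__":
    print(publisher_candidates(SAMPLE_EVENTS).most_common())
    print(unsigned_candidates(SAMPLE_EVENTS))
    print(len(recent_blocks(SAMPLE_EVENTS, "2026-03-31T00:00:00Z")), "blocks in 30 days")
```

The publisher counts feed the publisher rules you write before switching to enforce; the unsigned list is what needs a hash rule or a removal decision, and the 30-day block list is the evidence artefact itself.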
2. Patch applications
Patch internet-facing applications and online services within 48 hours of an exploit being known or two weeks of vendor release, whichever comes first. ML1 names browsers, email clients, Office, PDF readers, and security products as the priority set. Anything older than 18 months gets removed entirely.
The 48-hour clock is the bit most SMBs miss. The clock starts when a working exploit is public, not when the vendor publishes the CVE. For practical compliance, you need a tool that tells you about exploited vulnerabilities on the day they're exploited, and a patching capability that can deploy within two business days. We use NinjaOne for the patching layer and CISA's Known Exploited Vulnerabilities catalogue as the priority queue.
Evidence: the patch cadence policy, the last 90 days of patch deployment reports per application, and an auditable record of any deferred patches with the documented business justification. "We patch every Tuesday" is not the evidence.
3. Configure Microsoft Office macro settings
Block macros from the internet, block macros in files not from a trusted location, and ensure macro security settings can't be changed by users. The control exists because Office macros remain a primary initial-access vector despite Microsoft's recent default-block changes.
For ML1 the practical deployment is the Microsoft Cloud Policy or Intune Administrative Templates targeting Office 365 Apps for Enterprise. Block-by-default at the tenant level, with an allowlist for the two or three legacy spreadsheets the finance team genuinely needs. Document the allowlisted files and review them annually - macros tend to accumulate when no-one is looking.
Evidence: the policy configuration in your tenant, the list of allowlisted macro-enabled files with business owner and last-review date, and a sample audit log of macro execution attempts that were blocked.
4. User application hardening
Disable Internet Explorer 11 (if anyone is still using it), block Flash content in browsers (you should not be running Flash), block web advertisements, block Java from running in browsers, and configure Office to block the inclusion of OLE-packaged objects from the internet. ML1 is mostly about cleaning up the legacy attack surface.
In a contemporary Microsoft 365 environment, most of this is the platform default. The work is auditing it - confirming that Conditional Access blocks IE11, that your endpoint management baselines apply the OLE-block setting, and that your DNS or browser-level ad blocker is enforced. The audit is the deliverable, not the configuration.
Evidence: the baseline configuration document, a tested sample of policy application on a representative endpoint, and a log sample showing the blocks taking effect.
5. Restrict administrative privileges
Privileged access is requested, approved, and re-validated. Admin accounts are separate from standard user accounts. Privileged accounts can't access email or the internet from the privileged account itself. ML1 is the floor here - ML2 introduces Privileged Access Workstations, ML3 requires Just-in-Time provisioning.
For ML1 the implementation in a Microsoft tenant uses Entra ID role assignments with the separation enforced - the same person can be both a standard user and a Global Administrator, but they are two distinct accounts with two distinct sign-ins. We enforce MFA on the privileged account specifically, block internet browsing from privileged sessions via Conditional Access, and review the privileged role assignments quarterly.
Evidence: the list of privileged role holders, the cadence of the quarterly review, the access request and approval log for the last 12 months, and a sample of denied requests showing the process is real.
6. Patch operating systems
Patch operating systems on internet-facing servers within 48 hours of an exploited CVE, two weeks for non-exploited. End-of-support operating systems are removed from the environment. The clock starts on exploitation, same as application patching.
Most SMBs are now in a hybrid state: Windows endpoints patched via Microsoft Update or Intune, Windows servers via WSUS or a third-party tool, macOS via Jamf or Intune, and Linux servers via the distribution's package manager. The trick is unified visibility across all of them, not a separate dashboard per platform. We use NinjaOne as the unified reporting layer.
Evidence: the cross-platform patch report, the SLA compliance percentages over the last 90 days, the list of end-of-support systems with their decommission schedule, and the auditable record of deferred patches.
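An added illustration of the patch clock described in sections 2 and 6 (not code from the page, from CISA or from NinjaOne): it sets each package's deadline to the earlier of 48 hours after the CVE appeared in the KEV catalogue and two weeks after the vendor fix, then lists what is overdue. Using the KEV dateAdded field as the "exploit known" moment and the inventory record format are assumptions.

```python
# Added illustration of the 48-hour and two-week clocks from sections 2 and 6; not
# a tool from the page, from CISA or from NinjaOne. Assumes the CISA KEV JSON feed
# (cveID, dateAdded; dateAdded stands in for "exploit known") and an inventory
# export listing each package's CVEs and the date the vendor shipped the fix.
from datetime import datetime, timedelta

EXPLOITED_SLA = timedelta(hours=48)  # clock starts when exploitation is known
RELEASE_SLA = timedelta(days=14)     # clock starts when the vendor ships the fix

# Constructed sample data; CVE IDs, products and hostnames are placeholders.
KEV_FEED = {"vulnerabilities": [
    {"cveID": "CVE-0000-10001", "dateAdded": "2026-03-10"},
    {"cveID": "CVE-0000-10002", "dateAdded": "2026-02-01"},
]}
INVENTORY = [
    {"host": "ws-fin-01", "package": "PDFViewer", "cves": ["CVE-0000-10001"],
     "fix_released": "2026-03-01"},
    {"host": "web-01", "package": "Browser", "cves": ["CVE-0000-10002"],
     "fix_released": "2026-02-03"},
    {"host": "ws-ops-02", "package": "Office", "cves": ["CVE-0000-10003"],
     "fix_released": "2026-03-05"},
]

def _day(iso):
    return datetime.fromisoformat(iso)  # naive UTC is fine for SLA arithmetic

def kev_index(feed):
    """Map cveID -> the date CISA listed it as exploited in the wild."""
    return {v["cveID"]: _day(v["dateAdded"]) for v in feed["vulnerabilities"]}

def patch_deadline(item, kev):
    """Earliest of 48h after exploitation is known and 14 days after the fix."""
    deadline, clock = _day(item["fix_released"]) + RELEASE_SLA, "vendor release"
    for cve in item["cves"]:
        if cve in kev and kev[cve] + EXPLOITED_SLA < deadline:
            deadline, clock = kev[cve] + EXPLOITED_SLA, f"exploited ({cve})"
    return deadline, clock

def overdue(inventory, feed, now_iso):
    """Items past their deadline, most overdue first: the day's patch queue."""
    now, kev, late = _day(now_iso), kev_index(feed), []
    for item in inventory:
        deadline, clock = patch_deadline(item, kev)
        if now > deadline:
            late.append((item["host"], item["package"], clock, now - deadline))
    return sorted(late, key=lambda row: row[3], reverse=True)

if __name__ == "__main__":
    print(overdue(INVENTORY, KEV_FEED, "2026-03-12T12:00:00"))
```

Each overdue row names which clock set the deadline, which is exactly what a deferred-patch record has to justify against.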
7. Multi-factor authentication
MFA on all users for cloud-based services and internet-facing services. ML1 specifically calls out remote access, privileged accounts, and any account that handles "important" data. We treat that as a green light to mandate MFA on every user, every account, with no opt-outs except for documented service accounts using certificate-based authentication.
The current best practice is Microsoft Authenticator with number-matching or a hardware token like YubiKey for the highest-privilege accounts. SMS as a fallback is officially deprecated but still acceptable for ML1. The thing to avoid is leaving long-lived OAuth tokens or app passwords in place that bypass MFA - we audit these quarterly.
Evidence: the MFA enforcement policy in Entra ID, a per-user enrolment report showing 100 percent coverage, and the documented exceptions list with the technical justification for each.
8. Regular backups
Daily backups, retained for at least three months, with quarterly restore tests. Backups are stored offline, immutable, or otherwise out of reach of an attacker who's compromised the production environment. ML1 names "important data, software, and configuration settings" as the scope.
Where most SMBs fail at this control isn't the backup - it's the restore test. The backup runs, the report says success, the data sits there, and no-one ever verifies the data can be put back. We run quarterly restore tests with documented evidence: the file or service restored, the time taken, and the validation that the restored data is intact. The first time you discover backups aren't restorable should not be during an incident.
Evidence: the backup configuration showing 3-month retention, the immutability or air-gap arrangement, the last four quarterly restore test reports with the artefacts restored, and the SLA-aligned RPO and RTO targets for each backup workload.
Putting it together: what ML1 actually costs in practice
For a 50-person SMB starting from a typical Microsoft 365 baseline, ML1 is a 4 to 6 week implementation followed by ongoing operations. The work distributes roughly: application control 30 percent, privileged access cleanup 20 percent, patching tooling and reporting 20 percent, MFA and Office macro policy 10 percent, backup restore test cadence 10 percent, and documentation and evidence 10 percent.
The ongoing cost lives in the patching SLA, the quarterly privileged access review, the quarterly restore test, and the annual self-assessment. None of those are heavy. The heavy lift is the implementation - which is also where most providers stop and where the evidence trail starts looking like a wishlist instead of a record.
Most SMB customers should target ML1 as a 12-month achievement. Faster is possible with the right starting point. Slower means you're still in the implementation, which is fine, but you should be honest about it with customers, insurers, and auditors who ask.
The Essential Eight is a floor, not a ceiling. ML2 is a meaningfully higher bar (we'll write that one next), and ML3 is where most genuinely regulated environments end up. But ML1 is enough for most SMBs in 2026, and getting there honestly is more valuable than scoring higher on a self-assessment.
If your environment is somewhere between "we should probably do this" and "we've already done most of it but never documented it," we run a fixed-fee posture assessment that produces an evidence-grade gap analysis in two weeks. The deliverable is a remediation plan keyed to the eight controls above, not a glossy slide deck.
