NIST 800-53 REV 5 • SYSTEM AND INFORMATION INTEGRITY
SI-7(14) — Binary or Machine Executable Code
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Practitioner Notes
Restrict or prohibit the use of binary or machine-executable code from unverified sources — do not run random executables on your systems.
Example 1: Use Windows Defender Application Control (WDAC) to allow only signed, approved executables to run. Create a policy that allows Microsoft-signed binaries, your organization's signed software, and specifically approved third-party applications. Block everything else.
Example 2: Implement AppLocker via GPO to restrict executable files, scripts, and DLLs to approved locations and publishers. Users cannot run executables downloaded from the internet or saved to their desktop — only approved software from approved installation paths can execute.
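The WDAC policy described in Example 1, built with the ConfigCI PowerShell cmdlets, as an added example that is not part of the original page. The working folder and the two scanned install directories are assumed names, and the policy is left in audit mode so that would-be blocks can be reviewed before enforcement.

```powershell
# Added example (run elevated). All paths below are assumptions; substitute your own.
$work      = 'C:\WDAC'                             # assumed working folder
$base      = "$env:windir\schemas\CodeIntegrity\ExamplePolicies\AllowMicrosoft.xml"
$orgPath   = 'C:\Program Files\Contoso'            # assumed: your organization's signed software
$thirdPath = 'C:\Program Files\ApprovedVendor'     # assumed: one approved third-party application

New-Item -ItemType Directory -Path $work -Force | Out-Null

# Organization software: trust by signing certificate (Publisher),
# falling back to a file hash for anything unsigned in that folder.
New-CIPolicy -FilePath "$work\Org.xml" -ScanPath $orgPath `
    -Level Publisher -Fallback Hash -UserPEs

# Third-party application: FilePublisher is narrower (publisher + file name +
# minimum version), so the vendor's other products are not trusted implicitly.
New-CIPolicy -FilePath "$work\ThirdParty.xml" -ScanPath $thirdPath `
    -Level FilePublisher -Fallback Hash -UserPEs

# Combine with the Microsoft-signed baseline template that ships with Windows.
# Anything not matched by a rule in the merged policy is denied.
Merge-CIPolicy -PolicyPaths $base, "$work\Org.xml", "$work\ThirdParty.xml" `
    -OutputFilePath "$work\Merged.xml"

# Rule option 3 = "Enabled:Audit Mode": log what would be blocked, block nothing yet.
Set-RuleOption -FilePath "$work\Merged.xml" -Option 3

# Compile to the binary form that is deployed to endpoints.
ConvertFrom-CIPolicy -XmlFilePath "$work\Merged.xml" -BinaryFilePath "$work\Merged.bin"

# After deployment: list executables the policy would have blocked (event ID 3076).
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message

# Once the audit log is clean, switch to enforcement and recompile:
# Set-RuleOption -FilePath "$work\Merged.xml" -Option 3 -Delete
```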