In addition to the virus scanner, Microsoft Defender offers other security functions. These include the reduction of the attack surface, which hardens applications such as Office, browsers, and Adobe Reader. The feature is not active by default and can be configured via group policies or PowerShell.

Common entry points for attackers include email attachments that contain malicious code such as scripts, executables, or macros embedded in Office. Other points of attack include web browsers in particular as well as widely used programs, such as Adobe Reader, which regularly suffer from vulnerabilities.

Complement to app-specific measures

On top of the measures admins can take by configuring the applications themselves, Defender provides an additional layer of protection. For example, Office macros can be tamed to a large extent with the help of group policies, but the rules for reducing the attack surface (Attack Surface Reduction, or ASR) lock them down even further.

For example, Office can be prevented from generating executable content, injecting code into other processes, or creating child processes. The latter can also be enforced for Adobe Reader. And Defender can block executable content if it enters the computer via a mail client.

The setting for advanced protection against ransomware is also interesting. It obtains information about a suspicious file from the Microsoft Cloud and checks, for example, whether the file is prevalent enough, or has already been proven harmless, so that it need not be treated as ransomware. The function requires that cloud-based protection be active.

Advanced ransomware protection requires data from the Microsoft cloud

Limited management options

Attack surface reduction is not only included in paid products, such as Defender for Endpoint, but is also part of Windows 10/11 and Windows Server, although some rules are not supported on older versions.

The major drawback of the free version is its limited options for management and reporting. There is no GUI in the Settings app for this at all, and rule administration is handled via group policies or PowerShell. They are limited to the activation or deactivation of individual rules, as well as the optional definition of directories and files that should be excluded.

Evaluation using audit mode

By default, ASR is not enabled. In any case, admins should take a look at the rules and check which ones are suitable for their environment.

You don't have to switch them to blocking mode right away, but you can run them in audit mode first and observe what impact they would have.

Manage ASR via PowerShell

If you need to get the current status of the ASR rules, PowerShell can handle this task:

Get-MpPreference | select AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions

This command shows which rules have been configured and what their status is. However, you do not get their name - only a GUID. The table at the end of this post (source) can be used to resolve them.

The values 0, 1, 2, and 6 define the status ("Actions"). 0 stands for deactivated, 1 for activated, 2 for audit mode (merely logging as soon as a rule is triggered), and 6 for warning, where users receive a notification about the possible danger but can bypass the blocking.

Query status of ASR empty by default and add a new rule for Adobe Reader

If you want to configure rules, the Set-MpPreference cmdlet accepts the constants Disabled, Enabled, and AuditMode for the parameter AttackSurfaceReductionRules_Actions instead of these numeric values. Additionally, you pass the GUID of the rule to the cmdlet via AttackSurfaceReductionRules_Ids.

For example, to prevent Adobe Reader from starting child processes, use PowerShell as follows:

Set-MpPreference `
-AttackSurfaceReductionRules_Ids 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c `
-AttackSurfaceReductionRules_Actions Enabled

To define exclusions for directories and files, invoke Set-MpPreference as follows:

Set-MpPreference -AttackSurfaceReductionOnlyExclusions "c:\windows"

You can then query the status of this property using the following command:

Get-MpPreference | select AttackSurfaceReductionOnlyExclusions

Manage exclusions for ASR rules with PowerShell

Configure ASR rules using group policies

Two settings are available in the group policies for the central management of ASR: one for enabling/disabling rules and the other for defining exclusions.

Both are located under Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction.

Instead of simply enabling a separate option for each rule, you need to use a common setting for all of them ("Configure Attack Surface Reduction rules"). There, you enter the GUID mentioned above and the numeric value for the action into a table.

Enter the GUID for an ASR rule and the value for the action Disable 0 Block 1 Audit 2 Warn 6 in the GPO setting

To set up exclusions for directories and files, configure the other setting in this folder. Here, too, you enter each path as a value name in a table, and you always set the field in the right-hand column to 0.

Define ASR exclusions via group policies

Monitor ASR in the event log

Since the onboard tools do not provide any reporting for ASR, you have to limit yourself to evaluating the logs. They are recorded under Application and Service Logs > Microsoft > Windows > Windows Defender > Operational.

The following IDs are of interest here:

Event ID Description
5007 Event when settings are changed
1121 Event when rule fires in block mode
1122 Event when rule fires in audit mode

To monitor these events, you can create a custom view in the Event Viewer.

Event log for Windows Defender

Alternatively, you can query the log entries with PowerShell:

Get-WinEvent -LogName 'Microsoft-Windows-Windows Defender/Operational' |
    Where-Object { $_.Id -in 5007, 1121, 1122 }
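Listing the raw events is only the first step; to decide whether a rule can move from audit to block mode you need to know which rule fired, how often, and from which process. The script below is an added example (not code from the original post) that parses 1121 and 1122 events into flat records and summarizes them per rule and mode. It assumes that the event message contains the rule GUID after "ID:" and the triggering binary after "Process Name:", as the Event Viewer renders these events; the function names and the sample events are constructed for the example. The optional RuleNames parameter takes a GUID-to-name hashtable such as the matrix at the end of this post.

```powershell
# Added example, not code from the original post. Summarizes ASR hits from the
# Defender operational log (1121 = rule fired in block mode, 1122 = audit mode).
# Assumption: the event message lists the rule GUID after "ID:" and the binary
# after "Process Name:", as shown in the Event Viewer rendering of these events.

function Get-AsrRuleHit {
    # Turns one 1121/1122 event into a flat record; other event IDs are skipped.
    param(
        [Parameter(ValueFromPipeline)] $Event,   # object with Id, TimeCreated, Message
        [hashtable] $RuleNames = @{}             # optional GUID -> name map (matrix at end of post)
    )
    process {
        if ($Event.Id -notin 1121, 1122) { return }
        $guid = [regex]::Match($Event.Message, 'ID:\s*([0-9A-Fa-f-]{36})').Groups[1].Value.ToLower()
        $proc = [regex]::Match($Event.Message, 'Process Name:\s*([^\r\n]+)').Groups[1].Value.Trim()
        [pscustomobject]@{
            Time    = $Event.TimeCreated
            Mode    = if ($Event.Id -eq 1121) { 'Block' } else { 'Audit' }
            Rule    = if ($RuleNames.ContainsKey($guid)) { $RuleNames[$guid] } else { $guid }
            Process = $proc
        }
    }
}

function Get-AsrHitSummary {
    # Counts hits per rule and mode and lists the distinct processes behind them.
    param([Parameter(ValueFromPipeline)] $Hit)
    begin   { $hits = @() }
    process { $hits += $Hit }
    end {
        $hits | Group-Object Rule, Mode | ForEach-Object {
            [pscustomobject]@{
                Rule      = $_.Group[0].Rule
                Mode      = $_.Group[0].Mode
                Hits      = $_.Count
                Processes = ($_.Group.Process | Sort-Object -Unique) -join '; '
            }
        } | Sort-Object Hits -Descending
    }
}

# Live query against the local Defender log:
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122 } |
#     Get-AsrRuleHit | Get-AsrHitSummary | Format-Table -AutoSize

# Constructed sample events (not real log data) so the pipeline can be tried without a live log.
$sample = @(
    [pscustomobject]@{ Id = 1122; TimeCreated = (Get-Date); Message = "Microsoft Defender Exploit Guard audited an operation that is not allowed by your IT administrator.`n ID: 7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C`n Detection time: 2023-05-02T09:12:44`n User: CONTOSO\alice`n Path: C:\Windows\System32\cmd.exe`n Process Name: C:\Program Files\Adobe\Acrobat Reader\AcroRd32.exe" }
    [pscustomobject]@{ Id = 1122; TimeCreated = (Get-Date); Message = "Microsoft Defender Exploit Guard audited an operation that is not allowed by your IT administrator.`n ID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A`n Detection time: 2023-05-02T10:03:10`n User: CONTOSO\bob`n Path: C:\Windows\System32\cmd.exe`n Process Name: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" }
    [pscustomobject]@{ Id = 1121; TimeCreated = (Get-Date); Message = "Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.`n ID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A`n Detection time: 2023-05-02T11:41:57`n User: CONTOSO\carol`n Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`n Process Name: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" }
    [pscustomobject]@{ Id = 5007; TimeCreated = (Get-Date); Message = "Microsoft Defender Antivirus Configuration has changed." }
)
$sample | Get-AsrRuleHit | Get-AsrHitSummary | Format-Table -AutoSize
```

Run over a few weeks of audit data, the Processes column shows which legitimate applications (an Office add-in, a software deployment tool) would be affected by switching a rule to block mode, which is exactly the information the built-in tooling does not report.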

Conclusion

Reducing the attack surface can make an important contribution to increasing the security of the most exposed applications. The feature is included with all current Windows versions but is not enabled by default.

If you don't want to use a paid service, like Defender for Endpoint, a management tool, like ConfigMgr, or a third-party tool, you are limited to managing using group policies and PowerShell. Notably, there is a lack of reasonable reporting capabilities.

If you introduce ASR in the company, you should start with audit mode and use the event log to study the effects the rules would have in practice. If no major impairment of the users is to be expected, the rules can then be switched to block mode.

ASR rule to GUID matrix

Rule name Rule GUID
Block abuse of exploited vulnerable signed drivers 56a863a9-875e-4185-98a7-b882c64b5ce5
Block Adobe Reader from creating child processes 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
Block all Office applications from creating child processes d4f940ab-401b-4efc-aadc-ad5f3c50688a
Block credential stealing from the Windows local security authority subsystem (lsass.exe) 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
Block executable content from email client and webmail be9ba2d9-53ea-4cdc-84e5-9b1eeee46550
Block executable files from running unless they meet a prevalence, age, or trusted list criterion 01443614-cd74-433a-b99e-2ecdc07bfc25
Block execution of potentially obfuscated scripts 5beb7efe-fd9a-4556-801d-275e5ffc04cc
Block JavaScript or VBScript from launching downloaded executable content d3e037e1-3eb8-44c8-a917-57927947596d
Block Office applications from creating executable content 3b576869-a4ec-4529-8536-b80a7769e899
Block Office applications from injecting code into other processes 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84
Block Office communication application from creating child processes 26190899-1602-49e8-8b27-eb1d0a1ce869
Block persistence through WMI event subscription * e6db77e5-3df2-4cf1-b95a-636979351e5b
Block process creations originating from PSExec and WMI commands d1e49aac-8f56-4280-b9ba-993a6d77406c
Block untrusted and unsigned processes that run from USB b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
Block Win32 API calls from Office macros 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b
Use advanced protection against ransomware c1db55ab-c21a-4637-bb3f-a12568109d35

* File and folder exclusions are not supported for this rule.
2 Comments
  1. Job Cacka (Rank 2) 10 months ago

    Have any of you used these ASR rules in the past? Have you experienced any negative side-effects?

    I am interested in the “Block JavaScript or VBScript from launching downloaded executable content” rule. It sounds useful and it seems like it ought to be the default setting.

  2. Matija Kapraljevic 9 months ago

    I’ve run into the blocking of add-ons for PowerPoint, configured a folder exception in our GPO, and additionally ran a PowerShell command to add an exception on a particular client computer. The add-on installed and activated just fine afterwards. There is some great info in this article, great post!

© 4sysops 2006 - 2023
