Common entry points for attackers include email attachments that contain malicious code such as scripts, executables, or macros embedded in Office documents. Other points of attack are web browsers in particular, as well as widely used programs such as Adobe Reader, which regularly suffer from vulnerabilities.
Complement to app-specific measures
On top of the measures admins can take by configuring the applications themselves, Defender provides an additional layer of protection. For example, Office macros can be tamed to a large extent with the help of group policies, but the rules for reducing the attack surface (Attack Surface Reduction, or ASR) lock them down even further.
For example, Office can be prevented from generating executable content, injecting code into other processes, or creating child processes. The latter can also be enforced for Adobe Reader. And Defender can block executable content if it enters the computer via a mail client.
The setting for advanced protection against ransomware is also interesting. It obtains information about a suspicious file from the Microsoft Cloud and checks, for example, whether the file is prevalent enough not to be considered ransomware or has already been proven harmless. The function requires that cloud-based protection be active.
Limited management options
Attack surface reduction is not only included in paid products, such as Defender for Endpoint, but is also part of Windows 10/11 and Windows Server, although some rules are not supported on older versions.
The major drawback of the free version is its limited options for management and reporting. There is no GUI in the Settings app for this at all, and rule administration is handled via group policies or PowerShell. These are limited to the activation or deactivation of individual rules, as well as the optional definition of directories and files that should be excluded.
Evaluation using audit mode
By default, ASR is not enabled. In any case, admins should take a look at the rules and check which ones are suitable for their environment.
You don't have to switch them to blocking mode right away, but you can run them in audit mode first and observe what impact they would have.
Manage ASR via PowerShell
If you need to get the current status of the ASR rules, PowerShell will do the job:
Get-MpPreference | select AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions
This command shows which rules have been configured and what their status is. However, you do not get their names, only GUIDs. The table at the end of this post (source) can be used to resolve them.
The values 0, 1, 2, and 6 define the status ("Actions"). 0 stands for deactivated, 1 for activated, 2 for audit mode (merely logging as soon as a rule is triggered), and 6 for warning, where users receive a notification about the possible danger but can bypass the blocking.
If you want to configure rules, the Set-MpPreference cmdlet provides the constants Disabled, Enabled, and AuditMode for the parameter AttackSurfaceReductionRules_Actions instead of these numeric values. Additionally, you pass the GUID of the rule to the cmdlet via AttackSurfaceReductionRules_Ids.
For example, to prevent Adobe Reader from starting child processes, use PowerShell as follows:
Set-MpPreference `
    -AttackSurfaceReductionRules_Ids 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c `
    -AttackSurfaceReductionRules_Actions Enabled
To define exclusions for directories and files, invoke Set-MpPreference as follows:
Set-MpPreference -AttackSurfaceReductionOnlyExclusions "c:\windows"
You can then query the status of this property using the following command:
Get-MpPreference | select AttackSurfaceReductionOnlyExclusions
Configure ASR rules using group policies
Two settings are available in the group policies for the central management of ASR: one for enabling/disabling rules and the other for defining exclusions.
Both are located under Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction.
Instead of a separate option for each rule, there is one common setting for all of them ("Configure Attack Surface Reduction rules"). There, you enter the GUID mentioned above and the numeric value for the action into a table.
[Figure: Enter the GUID for an ASR rule and the value for the action (Disable 0, Block 1, Audit 2, Warn 6) in the GPO setting]
To set up exclusions for directories and files, configure the other setting in this folder. Here, too, you enter all the paths as value names in a table, and you always choose 0 for the field in the right-hand column.
Monitor ASR in the event log
Since the onboard tools do not provide any reporting for ASR, you have to rely on evaluating the event log. The entries are recorded under Application and Service Logs > Microsoft > Windows > Windows Defender > Operational.
The following IDs are of interest here:
| Event ID | Description |
|---|---|
| 5007 | Event when settings are changed |
| 1121 | Event when rule fires in block mode |
| 1122 | Event when rule fires in audit mode |
To monitor these events, you can create a custom view in the Event Viewer.
Alternatively, you can query the log entries with PowerShell:
Get-WinEvent -LogName 'Microsoft-Windows-Windows Defender/Operational' | where {$_.ID -eq "5007" -or $_.ID -like "112?"}
Conclusion
Reducing the attack surface can make an important contribution to increasing the security of the most exposed applications. The feature is included with all current Windows versions but is not enabled by default.
If you don't want to use a paid service, like Defender for Endpoint, a management tool, like ConfigMgr, or a third-party tool, you are limited to management via group policies and PowerShell. Notably, there is a lack of reasonable reporting capabilities.
If you introduce ASR in the company, you should start with audit mode and use the event log to study the effects the rules would have in practice. If no major impairment for users is to be expected, the rules can then be switched to block mode.
ASR rule to GUID matrix
| Rule name | Rule GUID |
|---|---|
| Block abuse of exploited vulnerable signed drivers | 56a863a9-875e-4185-98a7-b882c64b5ce5 |
| Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c |
| Block all Office applications from creating child processes | d4f940ab-401b-4efc-aadc-ad5f3c50688a |
| Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 |
| Block executable content from email client and webmail | be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 |
| Block executable files from running unless they meet a prevalence, age, or trusted list criterion | 01443614-cd74-433a-b99e-2ecdc07bfc25 |
| Block execution of potentially obfuscated scripts | 5beb7efe-fd9a-4556-801d-275e5ffc04cc |
| Block JavaScript or VBScript from launching downloaded executable content | d3e037e1-3eb8-44c8-a917-57927947596d |
| Block Office applications from creating executable content | 3b576869-a4ec-4529-8536-b80a7769e899 |
| Block Office applications from injecting code into other processes | 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 |
| Block Office communication application from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 |
| Block persistence through WMI event subscription (file and folder exclusions not supported) | e6db77e5-3df2-4cf1-b95a-636979351e5b |
| Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c |
| Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 |
| Block Win32 API calls from Office macros | 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b |
| Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35 |
Have any of you used these ASR rules in the past? Have you experienced any negative side-effects?
I am interested in the "Block JavaScript or VBScript from launching downloaded executable content" rule. It sounds useful and it seems like it ought to be the default setting.
I've run into the blocking of add-ons for PowerPoint, configured a folder exception in our GPO, and additionally ran a PowerShell command to add an exception on a particular client computer. The add-on installed and activated just fine afterwards. There is some great info in this article, great post!