:::image type="content" source="images/mem08-6-review-create.png" alt-text="The Review and create option in the Microsoft Intune admin center portal" lightbox="images/mem08-6-review-create.png":::

Attack surface reduction, or ASR, is an umbrella term for all the built-in and cloud-based security features Windows 10 offers that help to minimize the surface of attack, that is, the areas of entry available to an attacker. Shrinking the attack surface starts with knowing where it is: this information should be used to prioritize which parts of the surface to better protect or reduce first. The major drawback of the free version of most attack surface tooling is its limited options for management and reporting.

Overview of Attack Surface Reduction Rules in Intune. There are no prerequisites. Select Windows 10 and later as the platform, and for Profile type, select Endpoint protection.

[!NOTE] In Microsoft Configuration Manager, go to Assets and Compliance > Endpoint Protection > Windows Defender Exploit Guard. Microsoft Defender for Endpoint integrates with this feature and adds more management and visibility when ASR is used at scale.

[!TIP] The Add Row OMA-URI Settings pane opens.

Rules can be enabled in audit mode with Group Policy, Configuration Manager (SCCM), or PowerShell. When deployed through Group Policy or PowerShell, exclusions apply to all ASR rules. Using the Exclude Files and Paths From Attack Surface Reduction Rules setting is completely optional. Starting in late 2022, exclusions for Microsoft Defender Antivirus can be protected by tamper protection, so a locally added exclusion may be rejected on a tamper-protected device. Nevertheless, there are some clear-cut cases where you shouldn't enable a rule.

#6 What are the available rules?

PowerShell: (Get-MpPreference).AttackSurfaceReductionOnlyExclusions on one of the clients includes the SimonPro.exe entry.

This rule "Block executable files from running unless they meet a prevalence, age, or trusted list criteria" seems to prevent my students running or debugging their C++ programs after they are compiled.
Attack Surface Reduction Rules. In this blog, we discuss the two attack surface reduction rules introduced in the most recent release of Windows and cover suggested deployment methods and best practices. As of now, we provide a total of 15 rules. In future parts of this blog, we will cover the different reporting mechanisms, and you'll be able to see the exact benefits of E5 for ASR rules: Defender for Endpoint provides proactive hunting, prioritization, and additional context and insights that further empower security operations centers (SOCs) to identify and respond to threats quickly and accurately.

From an ASR rules configuration perspective, there are no substantial changes; just make sure that you become acquainted with the new policy experience and configuration flows: choose Endpoint security > Attack surface reduction > + Create policy. In the next steps, select the Scope Tags where you can add tag information to specific devices. One last, but very important, observation is that not all ASR rules are available in Configuration Manager and Intune.

In Group Policy, double-click the policy "Configure Attack surface reduction rules". For exclusions, each entry is a name-value pair where the file or folder path is the Value name and the Value is 0: the value of 0 means that ASR rules will ignore this file or process and not block or audit it. An exclusion is applied only when the excluded application or service starts, so a running process keeps its previous treatment until it is restarted.

[!WARNING] Adding exclusions such as cmd.exe or powershell.exe would completely compromise the security of your endpoints, since the rules would no longer block threats that leverage Office apps to run malicious macros, for example.

I seem to be having an issue getting my ASR policy to apply to my clients.

He writes articles on SCCM, Intune, Windows 365, Azure, Windows Server, Windows 11, WordPress and other topics, with the goal of providing people with useful information.
We added new capabilities to each of the pillars of Windows Defender ATP's unified endpoint protection platform: improved attack surface reduction, better-than-ever next-gen protection, more powerful post-breach detection and response, enhanced automation capabilities, more security insights, and expanded threat hunting.

Each ASR rule is set to one of four states: Off, Block, Audit, or Warn. In Intune, "User Defined" additionally leaves the rule for a local admin user to configure. Choose an existing ASR rule or create a new one. To help you figure out what's best for your environment, we highly recommend that you enable ASR rules in audit mode first. A friendly reminder that the security baselines for Windows 10 and Windows Server, version 20H2 set all attack surface reduction rules to block mode.

We recommend using ASR rules with a Windows E5 license (or similar licensing SKU) to take advantage of the advanced monitoring and reporting capabilities available in Microsoft Defender for Endpoint (Defender for Endpoint). However, if you have another license, such as Windows Professional or Windows E3, that doesn't include advanced monitoring and reporting capabilities, you can develop your own monitoring and reporting tools on top of the events that are generated at each endpoint when ASR rules are triggered (for example, collected with Windows Event Forwarding).

Core Microsoft components, such as operating system files or Office applications, reside in a global exclusion list maintained as part of Defender, so several exclusions never have to be configured. In the Group Policy exclusion list, enter each item as a name-value pair (the path goes in the Value name):
- Name column: Enter a folder path or a fully qualified resource name.
- Value column: Enter 0 for each item.
You can also select Import to import a CSV file that contains files and folders to exclude from ASR rules. Wildcard patterns such as c:\Folder\*\*\Test are accepted in Group Policy and PowerShell exclusions.

#4 Currently, Microsoft Endpoint Configuration Manager *does not* support wildcards (* or ?) in ASR exclusions.

We hope this is helpful and feel free to ask any questions.
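The event-based route described above, for tenants without Defender for Endpoint reporting, can be scripted on the endpoint or against a Windows Event Forwarding collector. The following PowerShell is an added example, not code from the original post. It assumes that ASR rule hits are written to the Microsoft-Windows-Windows Defender/Operational log as Event ID 1121 (block mode) and 1122 (audit mode), and that the EventData fields are named "ID", "Process Name" and "Path" as shown in Event Viewer's XML view; confirm both on one sample event before relying on it. The GUID-to-name table is a constructed subset of Microsoft's published rule list and should be extended with the remaining rules.

```powershell
# Added example (not from the original post): summarize ASR rule hits from the local
# Microsoft Defender operational log, for environments without Defender for Endpoint reporting.
# Assumptions: Event ID 1121 = rule fired in block mode, 1122 = rule fired in audit mode;
# the EventData field names "ID", "Process Name" and "Path" match the event's XML view.

# Constructed subset of the published rule list (GUID -> friendly name); extend as needed.
$asrRuleNames = @{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    'd3e037e1-3eb8-44c8-a917-57927947596d' = 'Block JavaScript/VBScript from launching downloaded executable content'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block executable content from email client and webmail'
}

function Get-AsrEvent {
    param(
        [datetime]$Since = (Get-Date).AddDays(-7),
        [string]$ComputerName = $env:COMPUTERNAME   # point this at a WEF collector to read forwarded events
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = $Since
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data   = ([xml]$_.ToXml()).Event.EventData.Data
            $ruleId = ($data | Where-Object Name -eq 'ID').'#text'
            if ($ruleId) { $ruleId = $ruleId.Trim('{}').ToLower() }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Mode    = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
                RuleId  = $ruleId
                Rule    = if ($ruleId -and $asrRuleNames.ContainsKey($ruleId)) { $asrRuleNames[$ruleId] } else { 'unknown rule' }
                Process = ($data | Where-Object Name -eq 'Process Name').'#text'
                Target  = ($data | Where-Object Name -eq 'Path').'#text'
            }
        }
}

# Triage before moving a rule from audit to block: which rule/process pairs fire most often?
# A single line-of-business binary at the top is an exclusion candidate; a shell or script
# host at the top is exactly what the rule exists to stop and must not be excluded.
Get-AsrEvent |
    Group-Object Rule, Process |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 20 |
    Format-Table -AutoSize
```

Run it after a week or two of audit mode on the pilot ring; the grouped counts are what you compare against the expected business activity when deciding whether a noisy rule needs an exclusion or can go straight to block.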
All the points where your company is exposed to cyberthreats and attacks are known as attack surfaces, including apps, such as WordPress, running on servers. It's time to get the attack surface under control. Attack surface reduction rules help close off many of the common entry points used by malware and ransomware, preventing attacks from ever reaching the point where AV and EDR solutions would detect them. Do we love them? As you might have guessed, the answer is: it depends!

We've decided to compile all the major ones into a blog series and share it with the broader world. Stay tuned for the next one and make sure to check out all the blogs in this series here. Previous versions of Windows 10 will still reference *Windows Defender* in the Group Policy tree.

Whenever a process tries to use the OpenProcess() function to access LSASS with an access right of PROCESS_VM_READ, the rule specifically blocks that access right (and only that access right!), so handles opened without memory-read rights are unaffected. The obfuscated-script rule detects suspicious properties within an obfuscated script.

However, we still advise customers to initially enable ASR rules in audit mode to determine any possible impact they might have on your organization, and to roll out in rings: when the inner ring is successfully deployed with the required exclusions, the next ring can be deployed. Be careful with broad exclusions; for example, "C:\Windows" will exclude all .

In audit data, the following rules stick out: Block Office communication application from creating child processes, where basically one app (the detected file is a PDF reader) creates a few hundred detections per day.

ASR rules can be found in Intune Device Configuration: in the Home menu, click Devices, select Configuration profiles, and then click Create profile. As for Intune and Configuration Manager, both platforms already have a built-in list of ASR rules; therefore, you don't need to know the GUIDs, nor what each action value represents. See Enable attack surface reduction (ASR) rules.

It's a bog-standard Win10 domain, and the config is being pushed out via group policy.
Attack surface reduction is a technique to remove or constrain exploitable behaviors in your systems. Where the attack surface cannot be reduced, harden what remains exposed. Attack Surface Reduction (ASR) rules target specific behaviors that are typically used by malware and malicious apps to infect machines, such as executable files and scripts used in Office apps or web mail that attempt to download or run files; "Use advanced protection against ransomware" is one of the rules. Overall, we recommend enabling every possible rule; several exclusions are already built in. These provide expert, hands-on information about where attackers can get in.

There is just the general, and mandatory, rule that no liquids above a certain volume are allowed.

Attack surface reduction rules have four settings: off (0), block (1), audit (2), and warn (6). In Group Policy, expand the tree to Windows components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack surface reduction. Under 'Set the state for each ASR rule', the list includes the GUID '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' with a value of '2', which is audit mode. With PowerShell, the equivalent per-rule setting is, for example: Set-MpPreference -AttackSurfaceReductionRules_Ids D3E037E1-3EB8-44C8-A917-57927947596D -AttackSurfaceReductionRules_Actions 1 (block mode for that rule).

In Intune, in the Configuration settings pane, select Attack Surface Reduction and then select the desired setting for each ASR rule. For more information, see New functionality in the modern unified solution for Windows Server 2012 R2 and 2016 Preview.

Looking at the flow of the Office child-process rule, it naturally makes sense to only exclude the child processes that are being launched, rather than excluding the WINWORD.EXE or POWERPOINT.EXE process altogether. #5 If you want to exclude a file that contains random characters (think automated file generation), you can use the ? wildcard, which matches exactly one character.

I have just released a new script in my GitHub repository that will report on the local device Attack Surface Reduction settings (ASR) as shown above.

Program Managers @ Microsoft Defender ATP Product Group
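The wildcard guidance in #5, the advice to exclude the launched child process rather than WINWORD.EXE, and the earlier warning about cmd.exe and powershell.exe come together when exclusions are set with PowerShell. The block below is an added example and not code from the original post; the paths are constructed for illustration, and the wildcard semantics in the comments follow Microsoft Defender's documented exclusion behaviour, which ASR-only exclusions share.

```powershell
# Added example (not from the original post): ASR-only exclusions with wildcards, plus a guard
# against the dangerous exclusions the warning above describes. Paths are constructed examples.
# These exclusions apply to every ASR rule on the device, not to Defender Antivirus scanning.

$exclusions = @(
    'C:\Program Files\LineOfBusinessApp\lobapp.exe'   # fully qualified file: the narrowest form
    'C:\Build\Output\*\app.exe'                       # * stands in for exactly one folder level here
    'C:\Jobs\Generated\report_????.xlsm'              # ? matches exactly one character (random names)
)

# Never exclude interpreters or shells: an excluded cmd.exe or powershell.exe is
# precisely the child process the Office rules exist to block.
$neverExclude = 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe'

function Test-AsrExclusionSafe {
    param([string[]]$Path)
    foreach ($p in $Path) {
        $leaf = Split-Path -Path $p -Leaf
        # Reject drive roots, bare "*" entries and system interpreters.
        if ($neverExclude -contains $leaf -or $p -match '^[A-Za-z]:\\?$' -or $leaf -eq '*') {
            Write-Warning "Refusing to exclude '$p': it would disable ASR for a whole drive, folder tree or system interpreter."
            return $false
        }
    }
    return $true
}

if (Test-AsrExclusionSafe -Path $exclusions) {
    # Add-MpPreference appends to the list; Set-MpPreference would replace it.
    Add-MpPreference -AttackSurfaceReductionOnlyExclusions $exclusions
}

# Verify what the engine actually holds: this is the Get-MpPreference check mentioned above.
(Get-MpPreference).AttackSurfaceReductionOnlyExclusions

# Roll back a single entry that turned out to be broader than intended.
Remove-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Build\Output\*\app.exe'
```

Two caveats from the text above apply here: on a device where tamper protection covers exclusions, the Add-MpPreference call can be rejected and the change must come from the management channel instead, and a newly excluded application only picks up the exclusion when it is next started.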
ASR rules target and block entry points and code behavior used by malware and abused by attackers. For example, in late 2017 SensePost demonstrated the DDEAUTO attack, which was later discovered to be applicable to Outlook as well. Attackers might also attempt to use Office apps to migrate malicious code into other processes through code injection, so the code can masquerade as a clean process. Launching untrusted or unknown executable files can be risky too, as it might not be initially clear whether the files are malicious. Block Adobe Reader from creating child processes is another of the rules. Microsoft is a leader in cybersecurity, and we embrace our responsibility to make the world a safer place.

The core ASR rules functionality is built into the Defender engine on Windows 10, and you can still use it on the following without any additional licensing: Windows 10 .

In Intune, select Platform, choose Windows 10 and later, and select the profile Attack Surface Reduction rules > Create. Provide a policy name, e.g., ASR rules.

Step 1: Transition ASR Rules from Audit to Block. The default state for the Attack Surface Reduction (ASR) rule "Block credential stealing from the Windows local security authority subsystem (lsass.exe)" changes from Not Configured to Configured, with the default mode set to Block. All other ASR rules remain in their default state: Not Configured. Additional filtering logic has already been incorporated in the rule to reduce end user notifications.

At the moment we have a number of rules configured in audit mode, but I'll pick one as an example.
As with any new, wide-scale implementation that could potentially impact your line-of-business operations, it is important to be methodical in your planning and implementation. More importantly, we outline recommendations for deploying these rules in enterprise environments. Always take a step back and think about what the ASR rule you are configuring protects against, and how the actual execution flow pans out. With this approach, you'll be able to determine the possible impact on your organization. ASR rules also target scripts that are obfuscated or otherwise suspicious. If you want to further deep dive into this topic, we recommend having a look at the Interpreting Exploit Guard ASR audit alerts blog post from our friend Chris Jackson.

Attack surface reduction features across Windows versions.

Configure the ASR rules with the correct state (Off, Block, Audit, Warn). Configure ASR with GPO. With PowerShell, Set-MpPreference takes the rule GUIDs and their actions as two parallel arrays, so one call can, for example, enable the first two rules, disable the third, and enable the fourth in audit mode. You can also use the Add-MpPreference PowerShell verb to add new rules to the existing list. Please check the table here for the latest updates and more detailed information on the ASR rules that support exclusions.

Using Intune, you can create and configure ASR rules for your organization. As of March 2020, Microsoft Endpoint Manager made available a new policy experience focused on Endpoint Security in public preview. Open the Microsoft Intune admin center. Select Controlled Folder Access Protected Folders and add the folders that need to . Currently, there is no ETA for when this will be fixed.

That's a wrap for the first blog post in this series on attack surface reduction rules!
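The mixed configuration just described (two rules in block, one off, one in audit) looks like this when written out, together with the verification step and the equivalent Intune custom OMA-URI value. This is an added example, not code from the original post. The GUIDs are Microsoft's published identifiers for the rules named in the comments; the action codes 0, 1, 2 and 6 are the Off, Block, Audit and Warn values the text lists.

```powershell
# Added example (not from the original post): configure a mixed set of ASR rule states, read the
# result back, and produce the same configuration as an Intune custom OMA-URI value.
# Action values: 0 = Off, 1 = Block, 2 = Audit, 6 = Warn.
# The GUIDs are Microsoft's published rule IDs for the rules named in the comments.

$rules = [ordered]@{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 1   # Block all Office applications from creating child processes -> Block
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 1   # Block executable content from email client and webmail      -> Block
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 0   # Block JavaScript/VBScript from launching downloaded content -> Off
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 2   # Block credential stealing from LSASS                       -> Audit
}

# Set-MpPreference replaces the whole rule list; Ids and Actions are matched by position,
# so both arrays must have the same length and order.
Set-MpPreference -AttackSurfaceReductionRules_Ids     ([string[]]$rules.Keys) `
                 -AttackSurfaceReductionRules_Actions ([int[]]$rules.Values)

# Add-MpPreference adds one more rule without touching the ones already configured.
Add-MpPreference -AttackSurfaceReductionRules_Ids     '3B576869-A4EC-4529-8536-B80A7769E899' `
                 -AttackSurfaceReductionRules_Actions 6   # Block Office apps from creating executable content -> Warn

function Get-AsrRuleState {
    # Read back the effective list; works on any client regardless of how the policy arrived.
    $pref       = Get-MpPreference
    $actionName = @{ 0 = 'Off'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $code = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
        [pscustomobject]@{
            RuleId = $pref.AttackSurfaceReductionRules_Ids[$i]
            Action = $code
            State  = if ($actionName.ContainsKey($code)) { $actionName[$code] } else { "Unknown($code)" }
        }
    }
}
Get-AsrRuleState | Format-Table -AutoSize

# The same configuration as the string value for an Intune custom policy with OMA-URI
# ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules (GUID=action pairs joined by |).
$omaUriValue = @($rules.GetEnumerator() | ForEach-Object { '{0}={1}' -f $_.Key, $_.Value }) -join '|'
$omaUriValue
```

Get-AsrRuleState is the check to run on a client that does not seem to receive its policy: if the list is empty or differs from what Group Policy or Intune pushed, the problem is delivery, not the rules. Note that settings delivered by Group Policy or Intune take precedence over local Set-MpPreference changes, so the local calls are for lab work and pilot devices.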
#1 What is the difference between ASR and ASR rules? Enable attack surface reduction (ASR) rules to protect your devices from attacks that use macros, scripts, and common injection techniques. The Adobe Reader rule, for instance, prevents attacks by blocking Adobe Reader from creating processes. ASR tools, by contrast, gather data from the following sources, and ASR asset discovery shines a light on shadow IT; this information can be fed into ASR to prioritize which systems or services need to be addressed to reduce the attack space.

#8 What are the rules Microsoft recommends enabling? Microsoft recommends that you test how Intune ASR rules will impact your organization before enabling them, by running the ASR rules in audit mode for a brief period of time. You can obtain a list of rules and their current state by using Get-MpPreference.

Creating a new ASR rule in Intune involves the following steps. On the Create a profile window, you have two options for choosing the platform. In 1 Basics, in Name, type a name for your template, and in Description you can type a description (optional). Click Create to apply the rules. For more information, please refer to the Microsoft Endpoint Manager Overview. To make it easier, I am going to list some resources for getting started with Attack Surface Reduction rules in Intune.

Here are a couple of examples of how to exclude processes or files in ASR rules. In the Defender for Endpoint portal, select the application you want to exclude and click "Add Exclusion or Get exclusion details": the "Add Exclusions" button takes you right to Microsoft Defender for Endpoint > Attack Surface Reduction Profiles. In Group Policy, navigate through Computer Configuration > Administrative Templates > Windows Components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack Surface Reduction; setting the LSASS rule's GUID to a value of 2 there puts the setting 'Block credential stealing from the Windows local security authority subsystem (lsass.exe)' into audit mode. For an Intune custom policy, use the OMA-URI path ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions.
For Intune, ASR rules target certain software behaviors; by reducing the different attack surfaces, you can help prevent attacks from happening in the first place.

Requirements: computers running Windows 10, versions 1709 and later; Windows Server, version 1803 (Semi-Annual Channel) or later and Windows Server 2019; Microsoft Defender Antivirus must be active (not in passive mode behind a third-party antivirus). See Demystifying attack surface reduction rules - Part 1 and Attack surface reduction features across Windows versions.

As for wildcards, it's important to understand how Microsoft Defender, overall, accepts and expects their usage.
attack surface reduction rules list
02 June