Attack Surface Reduction Rules within Microsoft Defender for Endpoint

-
This week it has been all about helping a customer improve on their Microsoft Security Score. A lot of recommendations were related to Attack Surface Reduction (ASR) and I wanted to cover some tips and tricks in setting things up through this blog.

There are various ways of rolling out ASR through Intune. Namely –

1. Endpoint protection configuration profile.
2. MDM Security baseline profile.
3. Microsoft Defender ATP Baseline.
4. Custom configuration policy 


I chose to deploy all the rules as part of the Microsoft Defender ATP Baseline as I wanted to cover all aspects of Defender as part of the rules. But for now I am only covering ASR.
Before you begin, there are some pre-requisites that one needs to be mindful of. They are as follows –

- Licensed tenant for Enterprise Mobility + Security E3 and Windows E5 (or Microsoft 365 Business Premium)
Microsoft Intune environment, with Intune managed devices that are Azure AD joined.
Microsoft Defender ATP environment which will give you access to the Microsoft Defender Security Center (ATP portal)
- Endpoints that are running Windows 10 Enterprise, version 1709 or later.
- Endpoints must be using Microsoft Defender Antivirus as the sole antivirus protection app. Using any other antivirus app will cause Microsoft Defender AV to disable itself.
Real-time protection is enabled.

I will not cover the Defender onboarding process and so I will jump right into configuring ASR rules. If you want to read about the onboarding process, then you can refer to the official Microsoft link here.

Configuring Attack Surface Reduction Rules

As stated earlier, since I wanted to roll out the Microsoft Defender ATP baseline, I configured the ASR rules as part of it. Just make sure that you use the recent revision as Microsoft updates the versions regularly. Most recent version is 5 from September 2020 and you can read all about it over here.

Microsoft recommends –

It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks in ways that seem similar to malware. By monitoring audit data and adding exclusions for necessary applications, you can deploy attack surface reduction rules without impacting productivity.

Keeping in line with this recommendation, here are the rules that I configured and deployed to devices –




Once the configuration is applied on a Windows device, the Event Viewer can be used to see what exactly is applied. The DeviceManagement-Enteprise-Diagnostics-Provide > Admin log provides all the information regarding the applied device management configurations, including ASR rules configuration. A successful configuration shows an Event ID 814 about the AttackSurfaceReductionRules policy in the Defender area with a configuration string.

One can also run powershell cmdlet Get-MPPreference to get the configuration and Get-MPComputerStatus to get the status on the Defender AV and RealtimeprotectionEnabled Status.

AttackSurfaceReductionrules_Actions = 1 (Indicates Block is enabled)

AttackSurfaceReductionrules_Actions = 2 (Indicates Audit is enabled)




Verifying the ASR rules

For testing purposes, one can use the demo scripts provided by Microsoft. They can be found here. It contains a specific section for testing different ASR rules that includes sample files to trigger each of the ASR rules. When the user is performing an action that is not allowed as per rule, but set in Audit mode, an entry will be logged in the Event Viewer, in the Windows Defender > Operational log, with Event ID 1122. The same action will be logged as Event ID 1121 if the rule is set to Block the action. In this case the user will also see a notification that the action has been blocked.



Head over to Microsoft Defender Security Center and open the Attack Surface Management report. The report will provide details on the status of the Blocked\Audited files.

 


 


Another great way to get real time details on the ASR events is through the Advanced Hunting in the Microsoft Defender Security Center.

 


Conclusion

Attack surface reduction rules are great for detecting behaviors like launching executable files and scripts that attempt to download or run files, performing behaviors that apps don't usually initiate etc. Such actions can be legitimate so it is good to evaluate results of the rules by using Audit mode before enabling the Block mode. Use the Defender Security Center detection reports to monitor and then work your way up to add more security rules. The Microsoft Defender ATP baseline alone has many other policies that are good way to standardize the security on your end points and improve the Security score of your organization.

Until next time.

 

Comments

Post a Comment

Popular posts from this blog

How to force escrowing of BitLocker recovery keys using Intune

-
Image
Every now and then it so happens that BitLocker recovery keys do not escrow in AAD. The usual culprits are incorrect BitLocker policies and\or the device hardware configuration failing to meet the minimum requirements. The other scenario and something I recently experienced is when everything is setup right and still the recovery key doesn’t escrow in AAD. As I understand, this can happen if the escrow process got interrupted the first time due to network or local devices related issues and the process could not resume. To circumvent this issue, one can simply push a PowerShell script to the devices to force the escrow of the recovery keys to AAD. Here is a script to do so. try{ $BitlockerVol = Get-BitLockerVolume -MountPoint $env:SystemDrive         $KPID=""         foreach($KP in $BitlockerVol.KeyProtector){             if($KP.KeyProtectorType -eq "RecoveryPassword"){                 $KPID=$KP.KeyProtectorId                 break;             }         }        $o
Read more

Intune: Configure Printers for Non-Administrative Users

-
Image
Configuring printers for end users or giving them the ability to do it themselves is a normal requirement for organizations. Now if your users are Administrators, then the configuration can be straight forward, but in case of Non-Administrators there are additional steps required as Non-Administrators will not be able to add a driver in the driver store despite being able to install a printer. In this blog, I will cover the steps that I took to address this requirement using Intune. The setup involves 2 steps -  1. Setup registries. 2. Install the driver and configure the printer Setting up registries – The registries that need to be configured are actually part of a GPO setting – Allow non-administrators to install drivers for these device setup classes It can be found under: Computer Configuration -> Policies -> Administrative Templates -> System -> Driver Installation I used a Powershell script to set the values and wrapped it in a Win32 application. $Path1
Read more

Intune: UAC Elevation Prompt Behavior for Standard Users

-
Image
Implementing and maintaining a good security posture is an integral part of overall IT security governance for most organizations now. While you want to harden the security of infrastructure and give least number of privileges to your end users, sometimes you may need to cut back on the restrictions to ensure a good user experience and an effective IT support process. Recently, I had a requirement where the customer wanted to ease the restriction on the end user devices to make the helpdesk support process more efficient. This involved easing the UAC level access for the Standard users and if you are managing your devices using Intune, then this blog may just help you. Let us see what all is involved and some of the ways that you can use to implement this easily. Policy CSP – LocalPoliciesSecurityOptions LocalPoliciesSecurityOptions has many CSP settings and if you are managing these settings at an individual level, then the CSP that we need to concern ourselves with here is U
Read more