Attack Surface Reduction Rules within Microsoft Defender for Endpoint
This week it has been all about helping a customer improve their Microsoft Secure Score. A lot of the recommendations were related to Attack Surface Reduction (ASR), and I wanted to cover some tips and tricks for setting it up in this blog.
There are various ways of rolling out ASR rules through Intune. Namely –
1. Endpoint protection configuration profile.
2. MDM Security baseline profile.
3. Microsoft Defender ATP baseline.
4. Custom configuration policy (OMA-URI).
I chose to deploy all the rules as part of the Microsoft Defender ATP baseline, as I wanted to cover all aspects of Defender through that one baseline. For now, though, I am only covering ASR.
Before you begin, there are some prerequisites to be mindful of. They are as follows –
- A licensed tenant for Enterprise Mobility + Security E3 and Windows E5 (or Microsoft 365 Business Premium).
- A Microsoft Intune environment, with Intune-managed devices that are Azure AD joined.
- A Microsoft Defender ATP environment, which gives you access to the Microsoft Defender Security Center (ATP portal).
- Endpoints running Windows 10 Enterprise, version 1709 or later.
- Endpoints using Microsoft Defender Antivirus as the sole antivirus product. Installing any other antivirus product puts Microsoft Defender AV into passive mode (or disables it outright), and ASR rules are not enforced in either state.
- Real-time protection enabled.
I will not cover the Defender onboarding process, so I will jump right into configuring ASR rules. If you want to read about the onboarding process, you can refer to the official Microsoft link here.
Configuring Attack Surface Reduction Rules
As stated earlier, since I wanted to roll out the Microsoft Defender ATP baseline, I configured the ASR rules as part of it. Just make sure that you use the most recent revision, as Microsoft updates the baseline versions regularly. The most recent version is 5, from September 2020, and you can read all about it over here.
Microsoft recommends –
It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks in ways that seem similar to malware. By monitoring audit data and adding exclusions for necessary applications, you can deploy attack surface reduction rules without impacting productivity.
Keeping in line with this recommendation, here are the rules that I configured and deployed to devices –
One can also run the PowerShell cmdlet Get-MpPreference to get the configured rules, and Get-MpComputerStatus to get the status of Defender AV, including the RealTimeProtectionEnabled property. In the Get-MpPreference output, AttackSurfaceReductionRules_Ids lists the rule GUIDs and AttackSurfaceReductionRules_Actions lists the mode of each rule, position by position:
AttackSurfaceReductionRules_Actions = 0 (indicates the rule is disabled)
AttackSurfaceReductionRules_Actions = 1 (indicates Block is enabled)
AttackSurfaceReductionRules_Actions = 2 (indicates Audit is enabled)
Verifying the ASR rules
For testing purposes, one can use the demo scenarios provided by Microsoft. They can be found here. They contain a specific section for testing ASR, with sample files to trigger each of the ASR rules. When a user performs an action that a rule does not allow, but the rule is set to Audit mode, the action is allowed to proceed and an entry is logged in Event Viewer under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational with Event ID 1122. The same action is logged as Event ID 1121 if the rule is set to Block; in that case the action is stopped and the user also sees a notification that it has been blocked.
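The event-log check described above, as an added PowerShell example that is not part of the original post or Microsoft's demo scripts. It assumes an elevated session on the endpoint; the EventData field names it selects at the end ('ID' for the rule GUID, 'Path', 'Process Name') are the ones expected in the 1121/1122 event XML, so inspect one event with ToXml() if your build names them differently.

```powershell
# Added example (not from the original post): pull ASR audit (1122) and block
# (1121) events from the local Defender operational log and flatten the
# EventData fields into objects you can filter, group and export.
# Run elevated on the endpoint; adjust $Hours as needed.

$Hours = 24

$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = (Get-Date).AddHours(-$Hours)
}

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Host "No ASR events in the last $Hours hours."
    return
}

$asrEvents = foreach ($e in $events) {
    # Each <Data Name="..."> element becomes a property. The field names
    # ('ID' for the rule GUID, 'Path', 'Process Name', ...) are whatever the
    # event XML carries, so nothing is hard-coded here beyond the selection below.
    $xml = [xml]$e.ToXml()
    $fields = [ordered]@{
        TimeCreated = $e.TimeCreated
        Mode        = if ($e.Id -eq 1121) { 'Block' } else { 'Audit' }
    }
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name) { $fields[$d.Name] = $d.'#text' }
    }
    [pscustomobject]$fields
}

# Audit-mode triage: which rule fires most, and in which mode. Recurring hits
# from a legitimate line-of-business app are candidates for an ASR-only
# exclusion before the rule is moved from Audit to Block.
$asrEvents |
    Group-Object Mode, ID |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Per-event detail: which process touched which path.
$asrEvents |
    Select-Object TimeCreated, Mode, ID, 'Process Name', Path |
    Sort-Object TimeCreated -Descending |
    Format-Table -AutoSize
```

Pipe `$asrEvents` to Export-Csv to collect results from a pilot group; a rule that shows only Audit hits from known-good processes over the pilot window is the one to promote to Block first.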
Head over to the Microsoft Defender Security Center and open the Attack surface management report. The report provides details on the status of blocked/audited files across your devices.
Another great way to get near real-time details on ASR events is Advanced Hunting in the Microsoft Defender Security Center, where ASR events appear in the DeviceEvents table with ActionType values prefixed "Asr".
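The Advanced Hunting query for ASR events, run through the Defender for Endpoint API from PowerShell so it can be scheduled and exported rather than pasted into the portal. This is an added example, not code from the original post. It assumes an Azure AD app registration holding the admin-consented WindowsDefenderATP application permission AdvancedQuery.Read.All; the tenant ID, client ID and secret are placeholders, and the KQL itself is the same query you would run in the portal.

```powershell
# Added example (not from the original post): run the Advanced Hunting query
# for ASR events through the Defender for Endpoint API instead of the portal.
# Assumes an Azure AD app with the AdvancedQuery.Read.All application
# permission (admin-consented). The three values below are placeholders.

$TenantId     = '<tenant-id>'
$ClientId     = '<app-client-id>'
$ClientSecret = '<app-client-secret>'   # keep this in a vault, never in the script

# 1. Client-credentials token scoped to the Defender for Endpoint API.
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -Body @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://api.securitycenter.microsoft.com/.default'
    }

# 2. The same KQL you would paste into Advanced Hunting. ASR ActionTypes are
#    prefixed "Asr", and the "Audited" / "Blocked" suffix gives the mode.
$query = @'
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType startswith "Asr"
| extend Mode = iff(ActionType endswith "Audited", "Audit", "Block")
| summarize Hits = count(), Devices = dcount(DeviceId), Examples = make_set(FolderPath, 5)
    by ActionType, Mode, InitiatingProcessFileName
| order by Hits desc
'@

$result = Invoke-RestMethod -Method Post `
    -Uri 'https://api.securitycenter.microsoft.com/api/advancedqueries/run' `
    -Headers @{ Authorization = "Bearer $($tokenResponse.access_token)" } `
    -ContentType 'application/json' `
    -Body (@{ Query = $query } | ConvertTo-Json)

# 3. Rows come back in .Results. A process that shows many Audit hits on one
#    rule is the line-of-business exception to investigate before that rule
#    goes to Block; Block hits on the same process mean it was promoted too early.
$result.Results | Format-Table -AutoSize
```

The summarize groups by InitiatingProcessFileName so that one noisy application stands out immediately; swap it for DeviceName if you want to find the pilot devices generating the hits instead.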
Conclusion
Attack surface reduction rules are great for catching behaviors such as executables and scripts that attempt to download or run files, or applications performing actions they do not usually initiate. Such actions can also be legitimate, so evaluate the results of each rule in Audit mode before switching it to Block mode. Use the Defender Security Center reports to monitor, then work your way up by adding more rules. The Microsoft Defender ATP baseline alone has many other policies that are a good way to standardize security on your endpoints and improve your organization's Secure Score.
Until next time.