Attack Surface Reduction Rules within Microsoft Defender for Endpoint

This week it has been all about helping a customer improve on their Microsoft Security Score. A lot of recommendations were related to Attack Surface Reduction (ASR) and I wanted to cover some tips and tricks in setting things up through this blog.

There are various ways of rolling out ASR through Intune. Namely –

1. Endpoint protection configuration profile.
2. MDM Security baseline profile.
3. Microsoft Defender ATP Baseline.
4. Custom configuration policy.


I chose to deploy all the rules as part of the Microsoft Defender ATP Baseline as I wanted to cover all aspects of Defender as part of the rules. But for now I am only covering ASR.
Before you begin, there are some pre-requisites that one needs to be mindful of. They are as follows –

- Licensed tenant for Enterprise Mobility + Security E3 and Windows E5 (or Microsoft 365 Business Premium).
- Microsoft Intune environment, with Intune managed devices that are Azure AD joined.
- Microsoft Defender ATP environment which will give you access to the Microsoft Defender Security Center (ATP portal).
- Endpoints that are running Windows 10 Enterprise, version 1709 or later.
- Endpoints must be using Microsoft Defender Antivirus as the sole antivirus protection app. Using any other antivirus app will cause Microsoft Defender AV to disable itself.
- Real-time protection is enabled.

I will not cover the Defender onboarding process and so I will jump right into configuring ASR rules. If you want to read about the onboarding process, then you can refer to the official Microsoft link here.

Configuring Attack Surface Reduction Rules

As stated earlier, since I wanted to roll out the Microsoft Defender ATP baseline, I configured the ASR rules as part of it. Just make sure that you use the most recent revision, as Microsoft updates the versions regularly. The most recent version is 5, from September 2020, and you can read all about it over here.

Microsoft recommends –

It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks in ways that seem similar to malware. By monitoring audit data and adding exclusions for necessary applications, you can deploy attack surface reduction rules without impacting productivity.

Keeping in line with this recommendation, here are the rules that I configured and deployed to devices –




Once the configuration is applied on a Windows device, the Event Viewer can be used to see exactly what was applied. The DeviceManagement-Enterprise-Diagnostics-Provider > Admin log provides all the information regarding the applied device management configurations, including the ASR rules configuration. A successful configuration shows an Event ID 814 about the AttackSurfaceReductionRules policy in the Defender area, with a configuration string.

One can also run the PowerShell cmdlets Get-MpPreference to get the configuration and Get-MpComputerStatus to get the status of Defender AV, including the RealTimeProtectionEnabled status.

AttackSurfaceReductionRules_Actions = 1 (indicates Block is enabled)

AttackSurfaceReductionRules_Actions = 2 (indicates Audit is enabled)
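The checks described above can be scripted on a test device. This is an added example, not part of the original post: it looks for the Event ID 814 policy event, pairs each configured rule GUID with its action code, and shows the Defender AV state. The action codes 0 (Disabled) and 6 (Warn) are not mentioned in the post and are included so that every rule gets a readable mode.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell session.
# Codes 1 and 2 are the ones the post describes; 0 and 6 are the other action values.
$modeNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

# 1. Did the MDM policy arrive? Look for Event ID 814 mentioning the ASR policy.
$mdmLog = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
$policyEvent = Get-WinEvent -FilterHashtable @{ LogName = $mdmLog; Id = 814 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'AttackSurfaceReductionRules' } |
    Select-Object -First 1

if ($policyEvent) {
    Write-Host "ASR policy delivered via MDM at $($policyEvent.TimeCreated)"
} else {
    Write-Warning 'No Event ID 814 for AttackSurfaceReductionRules found in the MDM Admin log.'
}

# 2. What is Defender enforcing? Ids and Actions are parallel arrays.
$pref = Get-MpPreference
if (-not $pref.AttackSurfaceReductionRules_Ids) {
    Write-Warning 'No ASR rules are configured on this device.'
} else {
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)

    $rules = for ($i = 0; $i -lt $ids.Count; $i++) {
        # Guard against a mismatched array length rather than indexing past the end.
        $code = if ($i -lt $actions.Count) { [int]$actions[$i] } else { -1 }
        $mode = if ($modeNames.ContainsKey($code)) { $modeNames[$code] } else { "Unknown ($code)" }
        [pscustomobject]@{
            RuleId = $ids[$i]
            Action = $code
            Mode   = $mode
        }
    }
    $rules | Sort-Object Mode, RuleId | Format-Table -AutoSize
}

# 3. ASR rules depend on Defender AV being the active engine with real-time protection on.
Get-MpComputerStatus |
    Select-Object AntivirusEnabled, RealTimeProtectionEnabled, AMServiceEnabled |
    Format-List
```

A rule that still shows as Audit after you have moved the baseline to Block usually means the device has not yet synced the new policy revision.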




Verifying the ASR rules

For testing purposes, one can use the demo scripts provided by Microsoft, which can be found here. They include a specific section for testing the different ASR rules, with sample files to trigger each of the rules. When a user performs an action that a rule does not allow, and the rule is set to Audit mode, an entry is logged in the Event Viewer, in the Windows Defender > Operational log, with Event ID 1122. The same action is logged as Event ID 1121 if the rule is set to Block the action. In this case the user will also see a notification that the action has been blocked.
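To review audit data across more than a handful of events, the same log can be read from PowerShell and summarised per rule and process. This is an added example, not part of the original post; the event data field names `ID`, `Process Name` and `Path` are assumptions about the 1121/1122 event layout and should be checked against an event on your own build.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell session.
# Summarises ASR audit (1122) and block (1121) events from the last 7 days.
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = (Get-Date).AddDays(-7)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning 'No ASR events (1121/1122) found in the last 7 days.'
} else {
    $rows = foreach ($e in $events) {
        # Flatten the named <Data> elements of the event into a hashtable.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            if ($d.Name) { $data[$d.Name] = $d.'#text' }
        }

        [pscustomobject]@{
            Time    = $e.TimeCreated
            Mode    = if ($e.Id -eq 1121) { 'Block' } else { 'Audit' }
            RuleId  = $data['ID']            # assumed field name: rule GUID
            Process = $data['Process Name']  # assumed field name: process that triggered the rule
            Target  = $data['Path']          # assumed field name: file or resource acted on
        }
    }

    # Most frequent rule/process pairs first: these are the candidates to
    # investigate, and to exclude only if they are legitimate, before moving to Block.
    $rows |
        Group-Object Mode, RuleId, Process |
        Sort-Object Count -Descending |
        Select-Object Count, Name |
        Format-Table -AutoSize -Wrap
}
```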



Head over to Microsoft Defender Security Center and open the Attack Surface Management report. The report will provide details on the status of the Blocked\Audited files.

 


 


Another great way to get real time details on the ASR events is through the Advanced Hunting in the Microsoft Defender Security Center.

 


Conclusion

Attack surface reduction rules are great for detecting behaviors such as launching executable files and scripts that attempt to download or run files, or performing actions that apps don't usually initiate. Such actions can be legitimate, so it is good to evaluate the results of the rules in Audit mode before enabling Block mode. Use the Defender Security Center detection reports to monitor, and then work your way up to adding more security rules. The Microsoft Defender ATP baseline alone has many other policies that are a good way to standardize the security of your endpoints and improve the Security score of your organization.

Until next time.

 
