Attack Surface Reduction or ASR for short is all about prevention and endpoint hardening. Two things I want you to understand first:
- Attack Surface Reduction or ASR is a Windows 10 feature. Microsoft Defender for Endpoint integrates with this feature and adds more management and visibility when ASR is used at scale.
- Attack Surface Reduction or ASR is an umbrella term for a lot of the Windows built-in capabilities and the cloud-based features that Windows 10 offers.
When we talk about ASR, think about all the Windows 10 built-in defenses that help reducing the probability for an attack to compromise your machines. It is hardening the places where a threat is likely to attack and closing the gaps to reduce the risks. In fact, you can consider ASR as some sort of Host Intrusion Prevention System (HIPS).
Both Attack Surface Reduction (ASR) and Threat Vulnerability Management (TVM) capabilities are considered preventative security controls. They help neutralize threats before these threats can impact your machines. Attack Surface Reduction (ASR) also plays a big role when you have disconnected clients (without internet connections) as it compensates the lack of some protection capabilities delivered through the cloud.
Read other parts here:
|Note: Attack Surface Reduction (ASR) is an umbrella term for a lot of the Windows built-in capabilities including a feature called ASR Rules. So, we have ASR and we have ASR rules. Attack Surface Reduction represents the bigger picture, a principle that includes many other features, of which one is ASR rules.
Attack Surface Reduction in Windows 10 comes with a lot of features such as:
- ASR Rules
- Hardware-based Isolation, which includes application control.
- Exploit Protection
- Network Protection
- Controlled Folder Access
- Device Control
- Web Protection
All those Windows 10 built-in features are delivered as part of Attack Surface Reduction (ASR), and they provide a rich collection of capabilities. For example, Application Control allows only trusted applications to run, while attack surface reduction rules help you to restrict certain behaviors in apps, files, or scripts. Network Protection prevents any app from accessing dangerous locations based on their reputations.
You can use Microsoft Endpoint Manager or other management tools to turn them on and configure them. You can also configure those features in Audit Mode without enforcing them, to understand how they might impact your environment.
DISCLAIMER: This content was written for the “Microsoft 365 Security for IT PRO 2020/2021” Edition which talks in great details about the entire security stack for Microsoft 365. Newer version of the book is now released and can be accessed here. I encourage you to download the book to get updated content of defender for endpoint and many other M365 security products.
Attack Surface Reduction – ASR Rules
Think of ASR rules as measures that help you close many of the entry points used by malware. They help you to restrict certain behaviors in apps, files, or scripts that are associated with malicious activity and by doing so, making the job of an attacker harder. The following action are often used by attackers:
- Launching an executable file or a script that tries to download or run files, a common technique used by attackers to download malicious tools used to carry on their attack inside your network.
- Make legitimate applications load malicious code like modified dll files or other processes.
- Running malicious script on your endpoints.
Although some of this behavior might be legitimate for some applications to work, they are considered risky as attackers abuse them to carry on their attacks. Before enabling ASR rules in block-mode, you can run the rules in audit mode to capture more data and understand their impact on your line-of-business applications.
ASR rules are not about trusting or not trusting certain apps in your endpoints, they are meant to minimize the probability of an attacker exploiting a weakness, and by doing so, minimizing the overall risk level.
A good comparison: I want to quote from António Vasconcelos and Rob Mallicoat, Program Managers @ Microsoft Defender for Endpoint Product Group “A very good analogy is the liquids restrictions when entering a checkpoint at an airport. It’s not about whether the security personnel trusts you or not. There is just the general, and mandatory, rule that no liquids above a certain volume are allowed. As you can understand, this minimizes the risk of, or even mitigates against, certain types of attacks.”
ASR Rule Requirements
You can configure attack surface reduction rules for devices running any of the following editions and versions of Windows:
- Windows 10 Pro/Enterprise/Education, version 1709 or later.
- Windows Server, version 1803 (Semi-Annual Channel) or later.
- Windows Server 2019.
With Windows 10 Pro, you get the ASR rule capabilities. However, Windows 10 Enterprise E3 license gives you the entire feature-set of ASR rules, and you can use Event viewer to review attack surface reduction rule events.
While using event viewer might work for you, having the Windows E5 license with Microsoft Defender for Endpoint adds management and reporting layer for the ASR rules, such as monitoring, analytics and workflow as part of Microsoft Defender for Endpoint.
In fact, Microsoft Defender for Endpoint takes ASR rules to the next level by onboarding those ASR rule events within the Microsoft Defender for Endpoint Security Centre as well as reporting and configuration capabilities in the Microsoft Defender portal.
Additionally, and regardless of the license of choice, Microsoft Defender Antivirus must be active and can’t be in passive mode. This is because ASR uses Microsoft Defender Antivirus to block applications. It is not possible to configure ASR to use another security solution for blocking currently. Usually, when you are using a third-party antivirus solution, the built-in Microsoft Defender Antivirus automatically goes into passive mode. Finally, some ASR rules require the Microsoft Defender Antivirus cloud-delivered protection to be enabled. Note: For more information about Microsoft Defender Antivirus passive mode, click here. For more information on how to enable cloud-delivered protection, click here.
List of ASR Rules
ASR provides you a total of 15 rules, spanning across multiple pillars of protection, like Office, credentials, scripts, email, etc. Each rule is identified by a GUID which is used to configure ASR rules (via a PowerShell script or Group Policy). For each of the rules, the minimum OS support is Windows 10, version 1709 (RS3, build 16299) or later.
|File & folder exclusions
|E-mail and Webmail
|Block executable content from email client and webmail
|Block all Office applications from creating child processes
|Block Office applications from creating executable content
|Block Office communication application from creating child processes
|Block Win32 API calls from Office macros
|Block Office applications from injecting code into other processes
|Executables and Scripts
|Executables and Scripts
|Block execution of potentially obfuscated scripts
|Executables and Scripts
|Block executable files from running unless they meet a prevalence, age, or trusted list criterion
|Executables and Scripts
|Use advanced protection against ransomware
|Block abuse of exploited vulnerable signed drivers
|Block persistence through WMI event subscription
|Block credential stealing from the Windows local security authority subsystem (lsass.exe)
|Windows Management Interface (WMI)
|Block process creations originating from PSExec and WMI commands
|Windows Management Interface (WMI)
|Block persistence through WMI event subscription
|Windows Management Interface (WMI)
|Note: This setting is not yet available in MEM/MEMCM.
|Block untrusted and unsigned processes that run from USB
|3rd Party Apps
|Block Adobe Reader from creating child processes
ASR Rules Exclusions
When looking into enabling ASR, you will most certainly require a few exclusions, as not all applications behave the way ASR wants them to. This means that the ASR rule will ignore the execution of certain processes, it will not block the file from running. Keep in mind the following:
- If you add an exclusion, it will affect every ASR rule. The reason for this is for performance and reliability (you can’t specify what ASR rule to exclude)
- Not all rules support exclusions, as sometimes it would be impractical to do so.
- Excluded files/folders will be allowed to run, and no report or event will be recorded.
- ASR rules exclusions are managed separately from Microsoft Defender Antivirus exclusions.
- ASR rules exclusions support wildcards, paths, and environmental variables. This is, however, only supported if you use Microsoft Intune. If you manage ASR rules through SCCM, you cannot use wildcards.
- Wildcards cannot be used to define a drive letter.
- ASR rules exclusions are not aware of user context (ASR rules run under NT AUTHORITY\SYSTEM account), so it’s not possible to add user profile folder to exclusions using environmental variables such as %USERPROFILE%.
- Microsoft built ASR rules to work nicely with OS components and several legitimate 3rd party apps, so several exclusions are already built in. However, you should always run ASR rules in audit mode first.
|Note: To learn more how Microsoft Defender accepts wildcards, read this article here.
Configuring ASR Rules
You don’t have to enable all ASR rules at once. In fact, many line-of-business applications were written with limited security concerns, and they might perform tasks that resemble malware or malicious activity. It is highly recommended to test each of these rules individually before enforcing them across your endpoints, to better understand the possible impact on your line-of-business applications.
A recommended approach is to enable ASR rules in audit mode first to better understand the impact of enabling each of these rules. By monitoring audit data and adding exclusions for necessary applications, you can deploy ASR rules without impacting productivity.
It is worth mentioning that Office macros are a nightmare for every security professional. They represent an easy way for attackers to launch their attacks. Unfortunately, many customers still depend on Office macros to run their business. It is up to you to determine if your organization is using them and whether you want to (and can) disable them. Therefore, you should understand your business needs before deciding to use ASR to restrict the use of macros in your organization!
|Note: Read Microsoft documentation here to understand each rule-specific information and/or warning.
Recently added is the new ASR warn mode. This new mode is available for all rules except:
- Block persistence through WMI event subscription.
- Use advanced protection against.
When warn mode is enabled, the rule will be enforced but the end-user will receive a toast notification to allow the blocked action. If a user acts on this notification, the rule will be temporarily disabled for the next 24 hours. This allows you to test rules, without necessarily blocking your end-users.
Audit vs warn: While the addition of warn mode is great, it has left some wondering what the use case for it is. This isn’t ideal for your end-users as they probably won’t fully grasp what the intention of this is. In my opinion, warn mode is a great way to test rules within the IT population. This way, administrators should know exactly by which action the rule has been hit. A big improvement compared to the audit logs, which can be cumbersome to interpret.
There are three states for any ASR rule:
- Not configured: which means disabled (Equals 0)
- Block: which means enabled or enforced (Equals to 1)
- Audit: great way to evaluate the impact if enabled (Equals to 2)
- Warn: warn mode will enforce the rules but provide the users with an overview (Equals to 6)
You can configure ASR rules using one of the following methods:
- Microsoft Intune
- 3rd-party Mobile Device Management (MDM)
- Microsoft Endpoint Configuration Manager
- Group Policy
Set-MPPreference -AttackSurfaceReductionRules_Ids D3E037E1-3EB8-44C8-A917-57927947596D -AttackSurfaceReductionRules_Actions 1
Beware of conflicts: If you manage your computers and devices with Intune, Configuration Manager, or other enterprise-level management platform, the management software might overwrite any conflicting PowerShell settings at start-up.
Here is a PowerShell script that you can use to enable all ASR rules in audit mode:
# Verifies that the script is running as admin
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$p = New-Object System.Security.Principal.WindowsPrincipal($id)
# Verifies that script is running on Windows 10 or greater
if ([System.Environment]::OSVersion.Version.Major -ge "10" -and [System.Environment]::OSVersion.Version.Build -ge "16299")
throw "Please run this script from an elevated PowerShell prompt"
throw "Please run this script on Windows 10"
Write-Host "`nUpdating Windows Defender AV settings`n" -ForegroundColor Green
Write-Host "Enabling Exploit Guard ASR rules and setting to audit mode"
Add-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -AttackSurfaceReductionRules_Actions AuditMode
Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EfC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions AuditMode
Add-MpPreference -AttackSurfaceReductionRules_Ids 3B576869-A4EC-4529-8536-B80A7769E899 -AttackSurfaceReductionRules_Actions AuditMode
Add-MpPreference -AttackSurfaceReductionRules_Ids 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -AttackSurfaceReductionRules_Actions AuditMode
Add-MpPreference -AttackSurfaceReductionRules_Ids D3E037E1-3EB8-44C8-A917-57927947596D -AttackSurfaceReductionRules_Actions AuditMode
Add-MpPreference -AttackSurfaceReductionRules_Ids 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -AttackSurfaceReductionRules_Actions AuditMode
Add-MpPreference -AttackSurfaceReductionRules_Ids 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -AttackSurfaceReductionRules_Actions AuditMode
Add-MpPreference -AttackSurfaceReductionRules_Ids 01443614-CD74-433A-B99E-2ECDC07BFC25 -AttackSurfaceReductionRules_Actions AuditMode
Add-MpPreference -AttackSurfaceReductionRules_Ids C1DB55AB-C21A-4637-BB3F-A12568109D35 -AttackSurfaceReductionRules_Actions AuditMode
Add-MpPreference -AttackSurfaceReductionRules_Ids 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2 -AttackSurfaceReductionRules_Actions AuditMode
Add-MpPreference -AttackSurfaceReductionRules_Ids D1E49AAC-8F56-4280-B9BA-993A6D77406C -AttackSurfaceReductionRules_Actions AuditMode
Add-MpPreference -AttackSurfaceReductionRules_Ids B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4 -AttackSurfaceReductionRules_Actions AuditMode
Add-MpPreference -AttackSurfaceReductionRules_Ids 26190899-1602-49E8-8B27-EB1D0A1CE869 -AttackSurfaceReductionRules_Actions AuditMode
Add-MpPreference -AttackSurfaceReductionRules_Ids 7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C -AttackSurfaceReductionRules_Actions AuditMode
Add-MpPreference -AttackSurfaceReductionRules_Ids E6DB77E5-3DF2-4CF1-B95A-636979351E5B -AttackSurfaceReductionRules_Actions AuditMode
Write-Host "`nSettings update complete" -ForegroundColor Green
Write-Host "`nOutput Windows Defender AV settings status" -ForegroundColor Green
Note: Set-MpPreference will always overwrite the existing set of rules. If you want to add to the existing set, you should use Add-MpPreference instead. You can obtain a list of rules and their current state by using Get-MpPreference.
You can also use Group Policy to configure ASR rules. Navigate through Computer Configuration > Administrative Templates > Windows Components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack Surface Reduction
You can exclude files and folders from ASR rule by selecting Exclude files and paths from Attack surface reduction rules setting and set the option to Enabled. Click Show and enter each file or folder in the Value name column. Enter 0 in the Value column for each item. Do not use quotes as they are not supported for either the Value name column or the Value column!
Next, open the Configure Attack Surface Reduction rules policy and add a GUID for each ASR rule you want to configure in the Value name, and the desired state under value.
Both PowerShell and Group Policy require the use of the GUID value of the ASR rules. For Intune and Configuration Manager, they both have built-in list of ASR rules, so it is as simple as choosing which actions you want to set for the rule you want to configure.
Review ASR Rule events
Using Microsoft Defender for Endpoint Advanced Hunting capability, you can extract ASR rules information, generate reports, and get in-depth information about ASR rules. For example, a simple query such as the one below, can report all the events that have ASR rules as data source, for the last 30 days, and will summarize them by the ActionType count.
| where Timestamp > ago(30d)
| where ActionType startswith ‘Asr’
| summarize EventCount=count() by ActionType
To focus on a specific ASR rule (AsrOfficeChild for example) and get details on the actual files and processes involved, you can run this query.
| where (ActionType startswith “AsrOfficeChild”)
| extend RuleId=extractjson(“$Ruleid”, AdditionalFields, typeof(string))
| project DeviceName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
With queries you can do almost anything; scope your search, or extract insights from your entire environment. It is definitely one of the more flexible and powerful reporting capabilities that come with Microsoft Defender for Endpoint. An alternative to advanced hunting, but with a narrower scope, is the Microsoft Defender for Endpoint machine timeline which is accessible from the machine view in Microsoft Defender Portal. You can filter events based on any of the Event Groups available along the right-side pane, including (ASR Events). This is mainly handy if you want to understand what’s happening on a specific machine, not an entire group of devices.
There are some built-in reports available, baked into the Microsoft 365 Security Portal. Within the reports section, you get a complete look at the current ASR rules configuration and events in your organizations if the devices are onboarded in Microsoft Defender for Endpoint.
Navigate to Reports and choose Security report and scroll down to the devices section.
Remember we talked about ASR rules being supported on Windows 10 E3 but without any management and reporting capabilities? With E5, you get Microsoft Defender for Endpoint and centralized view and control over your ASR rules at scale.
You can also drill down to the device level, select Manage Configuration from the Attack surface reduction rules pane. This will take you the following screen, where you can see:
- Device name
- ASR overall configurations
- Rules in block mode
- Rules in audit mode
- Rules turned off
Application Guard (application isolation)
Application Guard, also referred to as application isolation, protects systems from advanced attacks while helping to keep users productive. Designed for Microsoft Edge, It isolates untrusted websites in a lightweight (virtualized) container, separate from the rest of the system.
You define which sites are trusted (based on hostnames or IP addresses); everything else is considered untrusted. If the website turns out to be malicious and tries to execute code on the device, it is limited to the sandbox that the instance of the browser is running in; once the user closes the session, the threat is wiped away along with any damage it might have done inside the container.
The Microsoft Defender for Endpoint sensors are part of the container and will report a potential threat back to your security report within the Microsoft 365 Defender portal. Even through the threat is gone, you still have visibility.
Application Control can prevent untrusted applications from running on the system. Trusting everything and only blocking apps that are malicious doesn’t work. There are simply too many apps and too little time. A better model is to trust nothing until it earns trust. That’s the idea behind Application Control: You identify which applications are trustworthy, and Application Control only allows those applications to run.
Application Control makes defining trusted application easy. For example, you can trust all apps that have good reputation from Microsoft. Organizations can also trust applications they deploy by using Microsoft Intune or System Center Configuration Manager.
Controlled Folder Access
Controlled Folder Access prevents untrusted apps from accessing protected folders. What if a malware finds its way around all the other protections? Let’s take the example of ransomware: once it’s on a machine, it could potentially encrypt (all of your) files, holding them hostage for ransom. This is where Controlled Folder Access can help to protect your valuable data. You define the list of protected folders and only allow trusted apps to access those folders. If an app is not trusted, Controlled Folder Access blocks it from changing files in the protected folders. Note that whilst this may help prevent ransomware from encrypting files within those folders, it doesn’t prevent encryption of files and folders outside of the defined list of locations.
Network Protection blocks access to low reputation internet destinations by using scores that the Microsoft Intelligent Security Graph provides. It extends SmartScreen to block all outbound traffic to dangerous internet resources by any application, not only Microsoft Edge. Additionally, Network Protection enables other capabilities like custom IP and URL allow and block lists and provides endpoint policy enforcement for the Microsoft Defender for Endpoint integration with Microsoft Cloud App Security.
Web Protection includes web threat protection to harden machines against threats like phishing sites, malware payloads, exploit sites, low reputation web sites, any site you add to the custom indicators list. All this works without the need of a web proxy by the way, protecting machine whether on corporate network or not. It also reports back to Microsoft Defender for Endpoint, so you can use those signals in your investigations.
Exploit Protection automatically applies exploit mitigation techniques to operation system processes and apps. Data Execution Prevention (DEP) and Arbitrary Code Guard (ACG) are examples of these mitigation techniques. While you can enable Exploit Protection on an individual machine, you can enable Exploit Protection at scale by using Microsoft Endpoint Manager. Then, Exploit Protection reports events to Microsoft Defender for Endpoint so you can use them as part of your usual alert investigations.
With Device Control, security teams can allow or block certain removable devices to prevent threats they might contain. You can get rather granular with this configuration. For example, you can allow or deny write access to all removable disks or just a specific vendor by using the vendor ID. You can also enable direct memory access protection to mitigate DMA attacks including DMA kernel protection.
Real-world deployments of Attack Surface Reduction. As you can tell by now, Attack Surface Reduction (ASR) contains a lot of features that can be extremely useful to reduce the attack surface of your devices and therefore of your environment. In reality though, some features are easier to implement than others. For example, ASR rules are fairly easy to implement, as is Network Protection, Web Protection, Device Control and to some degree Controlled Folder Access. Exploit Protection and Application Control, on the other hand, require a bit more work and aren’t always as easy to implement. For example, the idea of creating a white list of applications that can run on device sounds great, but in many organizations there are equally many permutations of applications that can run on a device, and sometimes the IT department isn’t involved when new software is installed. As such, a policy which only allows specific apps to run isn’t always welcomed by the business. In contrast, Application Control is very popular when, for example, creating a Secure Access Workstation, used to administer sensitive parts of the infrastructure. By only allowing a specific set of applications, you greatly reduce the risk these workstations represent should they ever get compromised.
About this Microsoft Defender for Endpoint Blog Series
During the years, I have worked with many security and Infrastructure services, and I usually don’t find good information in the web on how a product or service works. For me to master a service, I need to learn how it thinks, the internal mechanics, and even how the product group who designed it really thought about different features.
So, I started blogging years back to reflect my understanding and help others find useful information that is not found elsewhere on the internet (at least in one place) and direct from my experience.
This blog series is written after careful consideration and will help you imagine how Defender for Endpoint works from the bottom up. I rarely have time to blog these days, so I might not update the blog on new features. However, the content here will give the information you need to build on top.
CREDITS Big thanks to my friend and fellow Microsoft MVP and RD: Ahmad Nabil who helped me put such content and the Microsoft 365 Security for IT PRO book family who helped in reviewing and editing this chapter. Newer version of the book is available here with updated content and valuable content about other Microsoft 365 security services. Download the new book here.