Working with Attack Surface Reduction rules to reduce the attack surface of applications

This week is all about Attack Surface Reduction (ASR) rules. ASR rules were originally introduced as one of the four main features of Windows Defender Exploit Guard. Windows Defender Exploit Guard was introduced as a major update to Microsoft Defender Antivirus, in Windows 10 version 1709, and was the successor of the Enhanced Mitigation Experience Toolkit (EMET). Nowadays ASR rules are just part of the attack surface reduction controls of Microsoft Defender, but many configuration paths still refer to Windows Defender Exploit Guard. In this post I’ll have a closer look at configuring ASR rules by using Microsoft Intune. I’ll start with a short introduction about licensing and the different configuration options, followed by the steps for configuring ASR rules and a look at the actual configuration. I’ll end this post by showing the end-user experience.

Licensing for the usage of attack surface reduction rules

ASR rules target specific types of behavior that are typically used by malware and malicious apps to infect devices. That includes protection against files and scripts used in Office apps, suspicious scripts, unexpected behavior of apps and more. However, it’s good to keep in mind that the full set of ASR rules is only supported in combination with an Enterprise license for Windows 10. Some ASR rules might work without an Enterprise license, as the Defender\AttackSurfaceReductionRules node of the Policy CSP is also available with a Pro edition, but that usage is not officially supported. Also, keep in mind that Microsoft Defender ATP is not required for the usage of ASR rules. With that, I’m referring to the configuration and the local alerting. When an organization wants more, for example insights and reporting, Microsoft Defender ATP will be required. Besides the licensing, it’s also good to keep in mind that ASR rules require the usage of Microsoft Defender Antivirus.

Introducing the attack surface reduction rules configuration options

When looking at the configuration options for ASR rules, it’s clear that currently many options are available within Microsoft Intune. Depending on the organization’s preferences, there will be a method for everyone. Now let’s go through these different options:

  • Endpoint protection configuration profile – An Endpoint protection configuration profile can be used to control the security of Windows devices, including BitLocker and Microsoft Defender. The latter category includes the Microsoft Defender Exploit Guard subcategory, which contains an Attack Surface Reduction subcategory. That subcategory contains nearly all currently available ASR rules. This is also the profile type that the Microsoft Defender ATP documentation is referring to. The challenge with this profile type is that the names of the settings don’t correspond with the recommendations of Microsoft Defender ATP.
  • MDM Security baseline profile – An MDM Security baseline profile can be used to apply pre-configured groups of Windows settings that help organizations configure default values that are recommended by the different relevant security teams. That includes the Microsoft Defender category. That category contains nearly all currently available ASR rules. The names of the settings also correspond to the recommendations of Microsoft Defender ATP.
  • Attack surface reduction rules profile – An Attack surface reduction rules profile can be used to specifically configure settings for attack surface reduction rules that target behaviors that malware and malicious apps typically use to infect computers. Nothing more, nothing less. This category also contains nearly all currently available ASR rules and the names of the settings also correspond to the recommendations of Microsoft Defender ATP. Based on the recent introduction of this profile in the Endpoint security section, this profile might be the future.
  • Custom configuration policy – A Custom configuration profile can be used to configure most of the settings that are available in Windows 10 via Configuration Service Provider (CSP). Nearly all MDM-settings are available via CSPs. That includes the ASR rules that can be configured via the Defender node in Policy CSP. This enables an organization to configure all the available ASR rules that are recommended via Microsoft Defender ATP. It does require a bit more work.

Configuring attack surface reduction rules

For configuring attack surface reduction rules, I’ll show how to use the relatively new Attack surface reduction rules profile that’s available in the Endpoint security section in Microsoft Intune. When that profile doesn’t provide enough configuration options, probably none of the other policies and/or profiles does either, except for a Custom configuration policy. For that reason, I’ll also show the required information for creating a custom configuration policy for the attack surface reduction rules. That being said, configuring attack surface reduction rules by using an Attack surface reduction rules profile can be achieved by following the next eight steps.

  1. Open the Microsoft Endpoint Manager admin center portal and navigate to Endpoint security > Attack surface reduction to open the Endpoint security | Attack surface reduction blade
  2. On the Endpoint security | Attack surface reduction blade, click Create Profile to open the Create profile wizard
  3. On the Create a profile page, provide the following information and click Create to open the Custom wizard
  4. On the Basics page, provide the following information for the ASR rules profile and click Next
     • Name: Provide a valid name for the Attack surface reduction profile
     • Description: (Optional) Provide a valid description for the Attack surface reduction profile
     • Platform: Windows 10 and later
  5. On the Configuration settings page, configure the required ASR rules and click Next
  6. On the Scope tags page, configure the applicable scopes for the ASR rules profile and click Next
  7. On the Assignments page, configure the assignment for the ASR rules profile and click Next
  8. On the Review + create page, verify the configuration and click Create

Once the configuration is applied on a Windows device, the Event Viewer can be used to see exactly what is applied. The DeviceManagement-Enterprise-Diagnostics-Provider > Admin log provides all the information regarding the applied (mobile) device management configurations. That includes this ASR rules configuration. A successful configuration shows an Event ID 814 about the AttackSurfaceReductionRules policy in the Defender area with a configuration string, and an Event ID 814 about the AttackSurfaceReductionRulesOnlyExclusion policy in the Defender area with a configuration string.

In other words, when configuring ASR rules by using a custom configuration profile, the AttackSurfaceReductionRules policy, which is an ADMX-backed policy, can be used. The different required GUIDs are documented here and a GUID can be set to 0 (disable), 1 (block) or 2 (audit). An example of the required information that would configure all the currently available rules is mentioned below.

  • OMA-URI: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules
  • Data type: String
  • Value: {BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550}=1|{D4F940AB-401B-4EFC-AADC-AD5F3C50688A}=1|{3B576869-A4EC-4529-8536-B80A7769E899}=1|{75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}=1|{D3E037E1-3EB8-44C8-A917-57927947596D}=1|{5BEB7EFE-FD9A-4556-801D-275E5FFC04CC}=1|{92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B}=1|{01443614-cd74-433a-b99e-2ecdc07bfc25}=1|{c1db55ab-c21a-4637-bb3f-a12568109d35}=1|{9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2}=1|{d1e49aac-8f56-4280-b9ba-993a6d77406c}=1|{b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4}=1|{26190899-1602-49e8-8b27-eb1d0a1ce869}=1|{7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c}=1|{e6db77e5-3df2-4cf1-b95a-636979351e5b}=1
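A check of the value format described above, as an added example that is not part of the original post: it validates a `{GUID}=state` string before it goes into a custom policy and compares it with the rule states that `Get-MpPreference` reports on the local device. The function name and the two-rule sample string are constructed for illustration; the GUIDs are taken from the value above.

```powershell
# Added example: validate an AttackSurfaceReductionRules value and compare it
# with the rule states Microsoft Defender reports on the local device.
function ConvertFrom-AsrPolicyString {          # hypothetical helper name
    param([Parameter(Mandatory)][string]$Value)
    $guid  = '[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}'
    $rules = @{}
    foreach ($pair in $Value.Split('|')) {
        # Each entry must be {GUID}=state: 0 (disable), 1 (block) or 2 (audit).
        if ($pair -notmatch ('^\{(?<id>' + $guid + ')\}=(?<state>[012])$')) {
            throw "Malformed ASR entry: '$pair'"
        }
        $id = $Matches['id'].ToLowerInvariant()
        if ($rules.ContainsKey($id)) { throw "Duplicate ASR rule: $id" }
        $rules[$id] = [int]$Matches['state']
    }
    return $rules
}

$stateName = @{ 0 = 'Disable'; 1 = 'Block'; 2 = 'Audit' }

# Constructed sample: two GUIDs from the value on this page, one set to audit.
$intended = ConvertFrom-AsrPolicyString -Value (
    '{BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550}=1|' +
    '{D4F940AB-401B-4EFC-AADC-AD5F3C50688A}=2')

# Defender exposes the effective rules as two parallel arrays (IDs and actions).
$pref    = Get-MpPreference
$ids     = @($pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ })
$actions = @($pref.AttackSurfaceReductionRules_Actions)
$effective = @{}
for ($i = 0; $i -lt $ids.Count; $i++) {
    $key = ([string]$ids[$i]).Trim('{', '}').ToLowerInvariant()
    $effective[$key] = [int]$actions[$i]
}

# One row per intended rule; Match is False when the device has drifted.
foreach ($id in $intended.Keys) {
    $actual = if ($effective.ContainsKey($id)) { $effective[$id] } else { $null }
    [pscustomobject]@{
        RuleId   = $id
        Intended = $stateName[$intended[$id]]
        Actual   = if ($null -eq $actual) { 'NotConfigured' }
                   elseif ($stateName.ContainsKey($actual)) { $stateName[$actual] }
                   else { "$actual" }
        Match    = ($actual -eq $intended[$id])
    }
}
```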

Verifying the configured attack surface reduction rules

Now let’s end this post by verifying the configured ASR rules, by looking at the Event Viewer and the actual end-user experience. For testing purposes the demo scenarios of Microsoft Defender ATP can be used. Those scenarios contain a specific section for testing the different ASR rules, including sample files to trigger each of the ASR rules. When the user performs an action that is not allowed, like running malicious macro code in a Word document, the user will receive a notification that the action is blocked (as shown with number 1, in Figure 3). Besides the notification to the user, an entry will be logged in the Event Viewer, in the Windows Defender > Operational log, with Event ID 1121 (as shown with number 2, in Figure 3). That event provides information about the blocked action.
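The Event ID 1121 check described above can also be scripted; the following is an added example, not part of the original post. It assumes the full log name `Microsoft-Windows-Windows Defender/Operational` and that the event data carries fields named `ID` (rule GUID), `Process Name` and `Path`; the 7-day window is an arbitrary choice.

```powershell
# Added example: summarise ASR block events (Event ID 1121) from the last 7 days.
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121
    StartTime = (Get-Date).AddDays(-7)
}

# Get-WinEvent raises an error when nothing matches; treat that as "no events".
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

$blocks = foreach ($evt in $events) {
    # Flatten the named <Data> elements of the event into a lookup table.
    $data = @{}
    foreach ($node in ([xml]$evt.ToXml()).Event.EventData.Data) {
        if ($node.Name) { $data[$node.Name] = $node.'#text' }
    }
    [pscustomobject]@{
        Time    = $evt.TimeCreated
        RuleId  = $data['ID']             # assumed field name: rule GUID
        Process = $data['Process Name']   # assumed field name: blocked process
        Target  = $data['Path']           # assumed field name: affected file
    }
}

# Which rule fired for which process, most frequent first.
$blocks |
    Group-Object RuleId, Process |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Rules that block a legitimate line-of-business process show up at the top of this list, which makes it a starting point for deciding on exclusions or on moving a rule to audit.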

More information

For more information about (configuring) attack surface reduction rules, refer to the following documents:

6 thoughts on “Working with Attack Surface Reduction rules to reduce the attack surface of applications”

  1. Hi, thanks for this post, it has really helped me. I still have one thing I am slightly confused about.
    When creating Endpoint security | Attack surface reduction rules, should the assignment apply to the device or user? Or both? Same question applies to the configuration profiles as well. I am assuming it is Device but just want to be sure.

  2. Hi Peter,

    Thanks for the great post. I’m having a hard time figuring out the Endpoint Security Baselines and how they relate to the individual policies (i.e. attack surface reduction, disk encryption, etc.). They appear to overlap with some settings and I often see conflicts. To work around this, I unassigned the security baselines. It’s not clear as to how they relate because the settings don’t match up. Any words of wisdom? Thank you!

  3. Hi Dave,
    That’s correct. Many settings in the security baseline overlap with the different device configuration profiles. The best thing is to start with a security baseline and add settings on top of that via the different configuration profiles.
    Regards, Peter

  4. Thanks Peter. But how do you handle the settings that overlap? For example, if setting X is set to “Block” in the baseline, what do you set setting X to in the individual ASR policy? Won’t any setting cause a conflict?

  5. Hi David,
    I intend to configure settings in a single place. And that starts with the security baseline. When the setting doesn’t exist in the baseline, I’ll configure it in a separate profile.
    Regards, Peter
