Working with Attack Surface Reduction rules to reduce the attack surface of applications

This week is all about Attack Surface Reduction (ASR) rules. ASR rules were originally introduced as one of the four main features of Windows Defender Exploit Guard. Windows Defender Exploit Guard was introduced as a major update to Microsoft Defender Antivirus, in Windows 10 version 1709, and was the successor of the Enhanced Mitigation Experience Toolkit (EMET). Nowadays ASR rules are just part of the attack surface reduction controls of Microsoft Defender, but many configuration paths still refer to Windows Defender Exploit Guard. In this post I’ll have a closer look at configuring ASR rules by using Microsoft Intune. I’ll start with a short introduction about licensing and the different configuration options, followed by the steps for configuring ASR rules and the actual configuration. I’ll end this post by showing the end-user experience.

Licensing for the usage of attack surface reduction rules

ASR rules target specific types of behavior that malware and malicious apps typically use to infect devices. That includes protection against files and scripts used in Office apps, suspicious scripts, unexpected behavior of apps and more. However, it’s good to keep in mind that the full set of ASR rules is only supported in combination with an Enterprise license for Windows 10. Some ASR rules might work without an Enterprise license, as the Defender\AttackSurfaceReductionRules node of the Policy CSP is also available with a Pro edition, but that usage is not officially supported. Also, keep in mind that Microsoft Defender ATP is not required for the usage of ASR rules. With that, I’m referring to the configuration and the local alerting. When an organization wants more, for example insights and reporting, Microsoft Defender ATP will be required. Besides the licensing, it’s also good to keep in mind that Microsoft Defender Antivirus is required in combination with ASR rules.

Introducing the attack surface reduction rules configuration options

When looking at the configuration options for ASR rules, it’s clear that currently many options are available within Microsoft Intune. Depending on the organization’s preferences, there will be a method for everyone. Now let’s go through these different options:

  • Endpoint protection configuration profile – An Endpoint protection configuration profile can be used to control the security of Windows devices, including BitLocker and Microsoft Defender. The latter category includes the Microsoft Defender Exploit Guard subcategory, which contains an Attack Surface Reduction subcategory. That subcategory contains nearly all currently available ASR rules. This is also the profile type that the Microsoft Defender ATP documentation is referring to. The challenge with this profile type is that the names of the settings don’t correspond with the recommendations of Microsoft Defender ATP.
  • MDM Security baseline profile – A MDM Security baseline profile can be used to apply pre-configured groups of Windows settings that help organizations configure the default values recommended by the different relevant security teams. That includes the Microsoft Defender category. That category contains nearly all currently available ASR rules. The names of the settings also correspond to the recommendations of Microsoft Defender ATP.
  • Attack surface reduction rules profile – An Attack surface reduction rules profile can be used to specifically configure settings for attack surface reduction rules that target behaviors that malware and malicious apps typically use to infect computers. Nothing more, nothing less. This category also contains nearly all currently available ASR rules and the names of the settings also correspond to the recommendations of Microsoft Defender ATP. Based on the recent introduction of this profile in the Endpoint security section, this profile might be the future.
  • Custom configuration policy – A Custom configuration profile can be used to configure most of the settings that are available in Windows 10 via a Configuration Service Provider (CSP). Nearly all MDM settings are available via CSPs. That includes the ASR rules that can be configured via the Defender node in the Policy CSP. This enables an organization to configure all the available ASR rules that are recommended via Microsoft Defender ATP. It does require a bit more work.

Configuring attack surface reduction rules

When looking at configuring attack surface reduction rules, I’ll show how to do that by using the relatively new Attack surface reduction rules profile that’s available in the Endpoint security section in Microsoft Intune. When that profile doesn’t provide enough configuration options, probably none of the other policies and/or profiles does either, except a Custom configuration policy. For that reason, I’ll also show the required information for creating a custom configuration policy for the attack surface reduction rules. That being said, configuring attack surface reduction rules by using an Attack surface reduction rules profile can be achieved by following the next eight steps.

  1. Open the Microsoft Endpoint Manager admin center portal and navigate to Endpoint security > Attack surface reduction to open the Endpoint security | Attack surface reduction blade
  2. On the Endpoint security | Attack surface reduction blade, click Create Profile to open the Create profile wizard
  3. On the Create a profile page, provide the following information and click Create to open the Custom wizard
  4. On the Basics page, provide the following information for the ASR rules profile and click Next
  • Name: Provide a valid name for the Attack surface reduction profile
  • Description: (Optional) Provide a valid description for the Attack surface reduction profile
  • Platform: Windows 10 and later
  5. On the Configuration settings page, configure the required ASR rules and click Next
  6. On the Scope tags page, configure the applicable scopes for the ASR rules profile and click Next
  7. On the Assignments page, configure the assignment for the ASR rules profile and click Next
  8. On the Review + create page, verify the configuration and click Create

Once the configuration is applied on a Windows device, the Event Viewer can be used to see what exactly is applied. The DeviceManagement-Enterprise-Diagnostics-Provider > Admin log provides all the information regarding the applied (mobile) device management configurations. That includes this ASR rules configuration. A successful configuration shows an Event ID 814 about the AttackSurfaceReductionRules policy in the Defender area with a configuration string, and an Event ID 814 about the AttackSurfaceReductionRulesOnlyExclusion policy in the Defender area with a configuration string.

When configuring ASR rules by using a custom configuration profile, the AttackSurfaceReductionRules policy, which is an ADMX-backed policy, can be used. The required GUIDs are documented here, and each GUID can be set to 0 (disable), 1 (block) or 2 (audit). The required information that would configure all the currently available rules is shown below.

  • OMA-URI: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules
  • Data type: String
  • Value: {BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550}=1|{D4F940AB-401B-4EFC-AADC-AD5F3C50688A}=1|{3B576869-A4EC-4529-8536-B80A7769E899}=1|{75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}=1|{D3E037E1-3EB8-44C8-A917-57927947596D}=1|{5BEB7EFE-FD9A-4556-801D-275E5FFC04CC}=1|{92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B}=1|{01443614-cd74-433a-b99e-2ecdc07bfc25}=1|{c1db55ab-c21a-4637-bb3f-a12568109d35}=1|{9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2}=1|{d1e49aac-8f56-4280-b9ba-993a6d77406c}=1|{b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4}=1|{26190899-1602-49e8-8b27-eb1d0a1ce869}=1|{7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c}=1|{e6db77e5-3df2-4cf1-b95a-636979351e5b}=1
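As an added example (not part of the original post), the following PowerShell parses a policy string in the format shown above, rejects malformed or duplicate entries, and compares the intended action per rule with what Get-MpPreference reports as effective on the device. The sample string is constructed from three of the GUIDs above (two in block mode, one in audit mode); the function names are my own.

```powershell
# Added example (not from the original post). Validates an AttackSurfaceReductionRules
# policy string and compares it with the rules effective on this device. Run in an
# elevated PowerShell session on the managed device. Function names are my own.

# Constructed sample: two rules in block mode and one in audit mode, using three GUIDs
# from the full string above.
$SamplePolicy = '{BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550}=1|{D4F940AB-401B-4EFC-AADC-AD5F3C50688A}=1|{9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2}=2'

# Policy CSP value -> label (0 = disable, 1 = block, 2 = audit, as described above)
$ActionName = @{ '0' = 'Disabled'; '1' = 'Block'; '2' = 'Audit' }

function ConvertFrom-AsrPolicyString {
    param([Parameter(Mandatory)][string]$Value)

    # One entry per pipe-separated token: {GUID}=<0|1|2>
    $entryPattern = '^\{([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}=([012])$'
    $seen = @{}
    foreach ($entry in ($Value -split '\|')) {
        if (-not ($entry -match $entryPattern)) {
            throw "Malformed entry '$entry': expected {GUID}=0, =1 or =2"
        }
        $id = $Matches[1].ToLowerInvariant()   # GUID case varies in the documented string
        if ($seen.ContainsKey($id)) {
            throw "Rule $id is listed twice with actions $($seen[$id]) and $($Matches[2])"
        }
        $seen[$id] = $Matches[2]
        [pscustomobject]@{ RuleId = $id; Action = $ActionName[$Matches[2]] }
    }
}

function Compare-AsrPolicyWithDevice {
    param([Parameter(Mandatory)][string]$Value)

    $expected = ConvertFrom-AsrPolicyString -Value $Value
    $pref     = Get-MpPreference
    # Get-MpPreference exposes two parallel arrays: rule GUIDs and their numeric actions.
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    $onDevice = @{}
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $code  = [string]$actions[$i]
        $label = $ActionName[$code]
        if (-not $label) { $label = "Unknown($code)" }   # any value the post does not list
        $onDevice[$ids[$i].ToLowerInvariant()] = $label
    }

    # Drift = the intended action differs from what the device currently enforces,
    # which is what you would expect to see after a conflicting profile or baseline.
    foreach ($rule in $expected) {
        $actual = if ($onDevice.ContainsKey($rule.RuleId)) { $onDevice[$rule.RuleId] } else { 'Not configured' }
        [pscustomobject]@{
            RuleId   = $rule.RuleId
            Intended = $rule.Action
            OnDevice = $actual
            Drift    = ($actual -ne $rule.Action)
        }
    }
}

Compare-AsrPolicyWithDevice -Value $SamplePolicy | Format-Table -AutoSize
```

Feed the full string from the custom policy into Compare-AsrPolicyWithDevice to confirm, on a test device, that every rule has landed in the intended mode before assigning the policy more broadly.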

Verifying the configured attack surface reduction rules

Now let’s end this post by verifying the configured ASR rules, by looking at the Event Viewer and the actual end-user experience. For testing purposes the demo scenarios of Microsoft Defender ATP can be used. Those contain a specific section for testing the different ASR rules, including sample files to trigger each of the ASR rules. When the user performs an action that is not allowed, like running malicious macro code in a Word document, the user will receive a notification that the action is blocked (as shown with number 1, in Figure 3). Besides the notification to the user, an entry will be logged in the Event Viewer, in the Windows Defender > Operational log, with Event ID 1121 (as shown with number 2, in Figure 3). That event provides information about the blocked action.
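As an added example (not part of the original post), this PowerShell queries the two logs used for verification in this post: the Event ID 814 entries in the DeviceManagement-Enterprise-Diagnostics-Provider Admin log that record the applied AttackSurfaceReductionRules string, and the Event ID 1121 block events in the Windows Defender Operational log (Event ID 1122 is the audit-mode counterpart, which the post does not cover). The function names are my own, and the EventData field names read from the 1121/1122 events (ID, Path, Process Name, User) are assumed from the event schema; check them against an event on your own device.

```powershell
# Added example (not from the original post). Assumes an elevated PowerShell session on a
# device that received the Intune ASR rules profile. Function names are my own.

function Get-AsrPolicyAppliedEvents {
    # Event ID 814 in the MDM diagnostics Admin log records each applied policy; keep only
    # the entries that mention the AttackSurfaceReductionRules policies.
    param([int]$Hours = 24)

    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        Id        = 814
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'AttackSurfaceReductionRules' } |
        Select-Object TimeCreated, Message
}

function Get-AsrBlockEvents {
    # Event ID 1121 = action blocked; 1122 = would have been blocked (rule in audit mode).
    param([int]$Hours = 24, [switch]$IncludeAudit)

    $ids = @(1121)
    if ($IncludeAudit) { $ids += 1122 }

    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = $ids
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read the named EventData fields from the event XML instead of relying on the
            # positional Properties array. Field names are assumed: ID, Path, Process Name, User.
            $xml = [xml]$_.ToXml()
            $fields = @{}
            foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
            $mode = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Mode        = $mode
                RuleId      = $fields['ID']
                User        = $fields['User']
                Path        = $fields['Path']
                Process     = $fields['Process Name']
            }
        }
}

# Confirm the policy string reached the device.
Get-AsrPolicyAppliedEvents | Format-List

# Which rules fired over the last week, and how often: a quick way to spot a rule that
# needs an exclusion before it is moved from audit to block.
Get-AsrBlockEvents -Hours 168 -IncludeAudit |
    Group-Object RuleId, Mode |
    Select-Object Count, Name |
    Sort-Object Count -Descending
```

Running the rules in audit mode first and reviewing the 1122 counts per rule is the usual way to find the line-of-business applications that a block-mode rollout would interrupt.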

More information

For more information about (configuring) attack surface reduction rules, refer to the following documents:

35 thoughts on “Working with Attack Surface Reduction rules to reduce the attack surface of applications”

  1. Hi, thanks for this post, it has really helped me. I still have one thing I am slightly confused about.
    When creating Endpoint security | Attack surface reduction rules, should the assignment apply to the device or user? Or both? Same question applies to the configuration profiles as well. I am assuming it is Device but just want to be sure.
  2. Hi Peter,

    Thanks for the great post. I’m having a hard time figuring out the Endpoint Security Baselines and how they relate to the individual policies (i.e. attack surface reduction, disk encryption, etc..). They appear to overlap with some settings and I often see conflicts. To work around this, I unassigned the security baselines. It’s not clear as to how they relate because the settings don’t match up. Any words of wisdom? Thank you!
    • Hi Dave,
      That’s correct. Many settings in the security baseline overlap with the different device configuration profiles. The best thing is to start with a security baseline and add settings on top of that via the different configuration profiles.
      Regards, Peter
  3. Thanks Peter. But how do you handle the settings that overlap? For example, if setting X is set to “Block” in the baseline, what do you set setting X to in the individual ASR policy? Won’t any setting cause a conflict?
    • Hi David,
      I intend to configure settings on a single place. And that starts with the security baseline. When the setting doesn’t exist in the baseline, I’ll configure it in a separate profile.
      Regards, Peter
  4. Hi Peter,
    Does this impact App Deployments? If we are using intunewin push apps (Win32) or LOB – will attack surface reduction impact it?

    When do you apply exclusions?
  5. Hey Peter – I have a question that I can’t seem to locate. How does ASR work on WVD’s or is that not even supported? I do not see the ‘Windows 10 Enterprise for Virtual Desktops’ in the supported list. I am just trying to understand that area a little better as I am fairly new to WVD’s. Thank you sir.
  6. Great article.
    Is there a way to find out which settings will trigger a restart of the device?
    I have configured several settings and all my devices have been forced to reboot.
  7. This ASR thing is downright confusing. I have a user with some Excel files being blocked via ASR. I created an individual ASR policy. Any rules present in both the Security Baseline and the individual ASR policy, I disable in the Sec Baseline and configure in the ASR policy. I added an exclusion for a folder where the Excel doco is located. When using the file, it is still getting blocked. What is the correct syntax to exclude the files in that folder?

    Q:\foldername\folder name2\ ??

    Do you need the quotation marks?
      • Hi Peter,

        I have been having some problems with the ASR. So, same issue I had above. What I decided to do was to create a duplicate security baseline from the original. I also created a new group with the user’s workstation in it. This was added to the excluded group on the original baseline. The new baseline I have applied to the user’s workstation. This new baseline has a few of the ASR rules disabled. I can see the new baseline being applied successfully with no conflicts. However it is still getting blocked. Checking the Microsoft 365 Defender portal and the report on ASR in there, I see those rules are still applying. Can’t figure out what is causing this. I did find via google that someone was having a similar issue and it seems like all the settings from the original baseline get “tattooed” into the machine and cannot be removed !!!
        • Hi Chris,

          According to the docs – and I haven’t verified it recently – the merge behavior for ASR rules applies to the different configuration options, including the security baselines, unless there are conflicting settings. When that’s not the behavior that you’re experiencing, then I would suggest to create a (free) case with Microsoft.

          Regards, Peter
  8. Peter, what is the difference in configuring the security baseline ASR rules vs the ASR rules themselves under endpoint protection? Would there be conflicts if settings are the same? There might be conflicts if a baseline setting is different, I suppose, but what is best practice?
  9. Hi Peter

    Have you noticed that Microsoft appears to have introduced new ASR parameters such as “Block abuse of exploited vulnerable signed drivers”? If you edit an existing ASR policy, that option is not there. Once you create and save a new ASR policy, you will also see the target (on page with all asr policies listed) now says “mdm,microsoftSense” instead of “mdm”. I also found similar properties to be different if you create a new AV policy with type Windows Security Experience.

    The whole Endpoint Security section feels like an afterthought on Microsoft’s part. I wonder if different teams are working on different pieces and don’t communicate. I try and stick with the security baselines but they don’t have everything needed, especially in order to increase a secure score.

    After creating new ASR/AV policies, I’ve had to go in and remove powershell scripts that were doing the same thing.

    And finally, I’ve noticed that some of the parameters are different (Block vs Enabled) between the baselines and new ASR policies, which I believe causes conflicts.

    Curious if you’ve run across these changes and how you’ve adapted if so.

    Thank you!
  10. Hi Peter

    By using custom configuration profiles, can you configure a single profile for one ASR rule and add exclusions specifically for that rule instead of having exclusions apply to all rules across the board?
  11. First, thanks for posting all the great information. I wish MS would create a profile, whether it lives in the Security Baseline or Custom, that just matches up with the Secure Score recommendations. Those two are so disjointed, but at the same time intertwined. So much time is spent hunting where a configuration is done now, and whether it conflicts with another ‘container’ of the same setting.
  12. I have found a real issue using the Defender Baseline policy in tandem with an Attack Surface Reduction policy. They constantly fight and overwrite each other on my test laptops. This happens even if I turn all the settings on in the baseline policy and then only configure the extra ASR rules in the ASR policy. I have found that no matter what you do you can only run one ASR policy or they conflict and overwrite each other constantly when they check in to Intune. I am almost at the point where I’m going to set all the baseline ASR rules to not configured and just use my new ASR rules policy.

    I guess the big question for this forum I have is “Has anyone actually managed to turn on all the baseline policies and then successfully build on that using a separate ASR policy with them all turned on and have it work ok with no conflicts or errors?”
    If so, please could you provide some info on the best way to achieve it, as I must be missing something.