sbradley
Contributing Writer

How to use Windows Defender Attack Surface Reduction rules

How-To

Nov 25, 2020 | 5 mins

Network Security | Security | Windows Security

With Microsoft's Attack Surface Reduction, you can set rules to block risky actions for each workstation on your network.

With all the attacks in the news recently, can you take steps to protect workstations that you already have and might not have enabled? Yes, and most of the steps are built into the operating system you already have.

Windows 10’s Attack Surface Reduction (ASR) rules are part of Windows Defender Exploit Guard. These settings block specific processes and executable behaviors that attackers commonly rely on. ASR features are available in:

  • Windows 10 Pro, version 1709 or later
  • Windows 10 Enterprise, version 1709 or later
  • Windows Server, version 1803 (Semi-Annual Channel) or later
  • Windows Server 2019

If you have Windows 10 Pro but no enterprise license, you won’t have the full reporting and monitoring features, but you can still set up the protections.

ASR can help prevent many forms of ransomware and malware injection. Even with good email hygiene, malicious content can wiggle into users’ systems. It’s key, then, to review which users are at higher risk and those that need extra protection.

Recently in the Threat Analytics Report console in Microsoft Defender for Endpoint (the new name for Defender ATP), Microsoft discussed the Zloader banking Trojan, providing guidance on whether it impacts your organization and how to mitigate it. You can access this report and console by purchasing a single Microsoft Defender for Endpoint license. While you can’t then implement the monitoring and features across your firm, you can at least access these excellent write-ups and mitigation guidance.

For example, to defend yourself against Zloader, one of the recommendations is to use ASR rules in your environment. To configure them:

  • In Group Policy, open the Group Policy Management Editor.
  • Go to “Computer configuration” and select “Administrative templates”.
  • Browse to “Windows components”, then to “Microsoft Defender Antivirus”, then to “Windows Defender Exploit Guard” (old name) or “Microsoft Defender Exploit Guard” (new name).
  • Go to “Attack Surface Reduction”.
  • Click on “Configure Attack Surface Reduction rules”.
  • Select “Configure Attack surface reduction rules” and select “Enabled”.
  • Set the individual state for each rule in the options section.

How to block child processes

A key setting that will probably block 99.9% of macro-based droppers found in the wild is “Block all Office applications from creating child processes”. This rule prevents Office applications, including Word, Excel, PowerPoint, OneNote and Access, from creating child processes.

Creating malicious child processes is a common malware strategy. Malware that abuses Office as a vector often runs VBA macros and exploit code to download and attempt to run additional payloads. However, some legitimate line-of-business applications might also generate child processes for benign purposes, such as spawning a command prompt or using PowerShell to configure registry settings.

In Intune, the name of the rule is “Office apps launching child processes”. In Configuration Manager, the name is “Block Office application from creating child processes”. In local Group Policy the rule GUID is D4F940AB-401B-4EFC-AADC-AD5F3C50688A.

To set this rule, set the policy values in these areas in this order:

  1. “Computer Configuration”
  2. “Administrative Templates”
  3. “Windows Components”
  4. “Windows Defender Antivirus”
  5. “Windows Defender Exploit Guard”
  6. “Attack Surface Reduction”

Then set “Configure Attack Surface Reduction rules” to “Enabled”. Click “Show…”. Set the “Value” name to “D4F940AB-401B-4EFC-AADC-AD5F3C50688A” and the Value to “2” to audit or “1” to block.

[Image: Setting up ASR to block Office applications from creating child processes. Credit: Susan Bradley]

You may wish to monitor this process before blocking it to ensure that it doesn’t impact your network. Once you determine that the impact to your users is nominal, change the setting from 2 (audit mode) to 1 (block mode).

You then want to monitor for event ID 1122 in your event logs under “Applications and Services logs”, then “Microsoft”, then “Windows”, then “Security — Mitigations”. Click on “Kernel” mode and review the events.
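The audit-then-block sequence described above, as an added example that is not code from the article: it puts the child-process rule into audit mode with the Defender PowerShell cmdlets, summarises the audit events by parent process and file so you can judge the impact, and only then promotes the rule to block. It assumes an elevated PowerShell session on a workstation running Microsoft Defender Antivirus and that ASR audit (1122) and block (1121) events can be read from the Microsoft-Windows-Windows Defender/Operational channel; the function names are this example's own.

```powershell
# Added example (not from the article): stage the "Block all Office applications
# from creating child processes" rule in audit mode, review the audit events, and
# only then switch the rule to block. Assumption: 1121/1122 events are read from the
# Microsoft-Windows-Windows Defender/Operational channel; function names are ours.

$ChildProcRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'   # GUID from the article

function Set-AsrRuleAction {
    param(
        [Parameter(Mandatory)][string]$RuleId,
        [Parameter(Mandatory)][ValidateSet('AuditMode', 'Enabled', 'Disabled')][string]$Action
    )
    # AuditMode = 2, Enabled (block) = 1, Disabled = 0 in Group Policy terms.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                     -AttackSurfaceReductionRules_Actions $Action
}

function Get-AsrRuleAction {
    param([Parameter(Mandatory)][string]$RuleId)
    # Get-MpPreference exposes two parallel arrays: rule IDs and, at the same
    # index, their action codes (0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn).
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ } | ForEach-Object { "$_".ToUpper() })
    $idx  = [array]::IndexOf($ids, $RuleId.ToUpper())
    if ($idx -lt 0) { return 'NotConfigured' }
    switch ([int]$pref.AttackSurfaceReductionRules_Actions[$idx]) {
        0 { 'Disabled' } 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' } default { "Unknown($_)" }
    }
}

function Get-AsrAuditEvents {
    param([Parameter(Mandatory)][string]$RuleId, [int]$Days = 30)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($RuleId) } |
    ForEach-Object {
        # The message body lists the rule ID, user, audited/blocked path and the
        # parent process as "Label: value" lines; pull out the useful ones.
        $fields = @{}
        foreach ($line in ($_.Message -split "`r?`n")) {
            if ($line -match '^\s*(Path|Process Name|User):\s*(.+)$') {
                $fields[$Matches[1]] = $Matches[2].Trim()
            }
        }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = if ($_.Id -eq 1122) { 'Audit' } else { 'Block' }
            User    = $fields['User']
            Path    = $fields['Path']
            Process = $fields['Process Name']
        }
    }
}

# 1. Audit first.
Set-AsrRuleAction -RuleId $ChildProcRule -Action AuditMode
"Rule state now: $(Get-AsrRuleAction -RuleId $ChildProcRule)"

# 2. After the audit window, see which parent processes and files would have
#    been blocked; legitimate line-of-business hits are candidates for exclusions.
Get-AsrAuditEvents -RuleId $ChildProcRule -Days 30 |
    Group-Object Process, Path | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 3. When the impact is nominal, promote the rule to block mode.
# Set-AsrRuleAction -RuleId $ChildProcRule -Action Enabled
```

Step 3 is left commented on purpose: run it only after the audit summary shows nothing a user depends on. The same functions work for any other rule GUID, so the audit window can be repeated for each rule you plan to turn on.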

If you need to exclude a file or folder from the processing, use Group Policy. In the same section, under “Attack Surface Reduction exceptions”, enter those files and folders. You can also select “Import” to import a CSV file that contains files and folders to exclude from ASR rules. Each line in the CSV file should be formatted as follows:

C:\folder, %ProgramFiles%\folder\file, C:\path
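Loading that CSV format into the ASR-only exclusion list from PowerShell, as an added example that is not code from the article: it splits each line on commas, expands environment variables only to sanity-check the paths, refuses entries that would exempt a whole drive or all of Program Files, and then applies the survivors with Add-MpPreference. The CSV path and its contents are constructed for the demonstration, and the function name is this example's own; it assumes an elevated session on a workstation running Microsoft Defender Antivirus.

```powershell
# Added example (not from the article): import ASR exclusions from a CSV in the
# "C:\folder, %ProgramFiles%\folder\file, C:\path" line format with sanity checks
# before they are applied. CSV path/contents constructed; function name is ours.

function Import-AsrExclusionCsv {
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$Preview     # list what would be added without changing anything
    )
    $entries = Get-Content -Path $Path |
        ForEach-Object { $_ -split ',' } |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and -not $_.StartsWith('#') }

    $programFiles = [Environment]::ExpandEnvironmentVariables('%ProgramFiles%')
    $accepted = foreach ($entry in $entries) {
        $expanded = [Environment]::ExpandEnvironmentVariables($entry)
        # A drive root or a bare %ProgramFiles% exempts far too much from every
        # ASR rule; refuse those rather than silently weakening the protection.
        if ($expanded -match '^[A-Za-z]:\\?$' -or $expanded.TrimEnd('\') -ieq $programFiles) {
            Write-Warning "Refusing overly broad exclusion: $entry"
            continue
        }
        if (-not (Test-Path -LiteralPath $expanded)) {
            Write-Warning "Path does not exist on this host (still adding): $entry"
        }
        $entry   # keep the unexpanded form so %ProgramFiles% stays portable
    }

    if ($Preview) { return $accepted }
    if ($accepted) {
        # ASR-only exclusions are skipped by ASR rules but still scanned by the
        # antivirus engine, unlike the broader -ExclusionPath setting.
        Add-MpPreference -AttackSurfaceReductionOnlyExclusions $accepted
    }
    (Get-MpPreference).AttackSurfaceReductionOnlyExclusions
}

# Constructed sample file in the article's line format; the second line shows
# two entries the function rejects as too broad.
$csv = Join-Path $env:TEMP 'asr-exclusions.csv'
@'
C:\folder, %ProgramFiles%\folder\file, C:\path
C:\, %ProgramFiles%
'@ | Set-Content -Path $csv

Import-AsrExclusionCsv -Path $csv -Preview   # review what would be added
# Import-AsrExclusionCsv -Path $csv          # apply
```

Exclusions are the usual way an ASR deployment gets quietly hollowed out, so the rejection rules here err on the side of refusing; widen them only for a path you have confirmed from the audit events.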

While that one rule will probably go a long way to protecting your systems from malicious activity, it’s not the only one that you can use to ensure your systems are more secure. Additional ASR rules for protection include:

  • Block Office applications from creating executable content
  • Block executable content from email client and webmail
  • Block Office applications from injecting code into other processes
  • Block executable files from running unless they meet a prevalence, age, or trusted list criterion
  • Block credential stealing from the Windows local security authority subsystem (lsass.exe)
  • Block process creations originating from PsExec and WMI commands
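A drift check for this set of rules, as an added example that is not code from the article: it reads the workstation's configured ASR rules with Get-MpPreference, compares them against a desired baseline built from the rules above plus the child-process rule, and reports which rules are missing or in the wrong mode. The rule GUIDs are Microsoft's published ASR rule IDs as recalled for this example and should be checked against Microsoft's ASR rule reference before you rely on them; the function name is this example's own. Reading the state needs no elevation; the optional remediation at the end does.

```powershell
# Added example (not from the article): compare configured ASR rules against a
# desired baseline and report drift. GUIDs are Microsoft's published rule IDs as
# recalled here (verify against the ASR reference); function name is ours.

# Desired state: GUID -> rule name and action code (1 = Block, 2 = Audit).
$Baseline = [ordered]@{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = @{ Name = 'Block all Office applications from creating child processes'; Action = 1 }
    '3B576869-A4EC-4529-8536-B80A7769E899' = @{ Name = 'Block Office applications from creating executable content'; Action = 1 }
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = @{ Name = 'Block executable content from email client and webmail'; Action = 1 }
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = @{ Name = 'Block Office applications from injecting code into other processes'; Action = 1 }
    '01443614-CD74-433A-B99E-2ECDC07BFC25' = @{ Name = 'Block executable files unless they meet prevalence, age or trusted list criteria'; Action = 2 }
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = @{ Name = 'Block credential stealing from LSASS'; Action = 1 }
    'D1E49AAC-8F56-4280-B9BA-993A6D77406C' = @{ Name = 'Block process creations originating from PsExec and WMI commands'; Action = 2 }
}

function Get-AsrBaselineDrift {
    param([Parameter(Mandatory)][System.Collections.IDictionary]$Baseline)
    $pref    = Get-MpPreference
    # Parallel arrays: rule IDs and, at the same index, their action codes.
    $ids     = @($pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ } | ForEach-Object { "$_".ToUpper() })
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    $names   = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

    foreach ($guid in $Baseline.Keys) {
        $idx    = [array]::IndexOf($ids, $guid.ToUpper())
        $actual = if ($idx -ge 0) { [int]$actions[$idx] } else { $null }
        $want   = [int]$Baseline[$guid].Action
        [pscustomobject]@{
            Id      = $guid
            Rule    = $Baseline[$guid].Name
            Desired = $names[$want]
            Actual  = if ($null -eq $actual) { 'NotConfigured' } else { $names[$actual] }
            InDrift = ($actual -ne $want)
        }
    }
}

$drift = Get-AsrBaselineDrift -Baseline $Baseline
$drift | Format-Table Rule, Desired, Actual, InDrift -AutoSize

# Optional remediation of only the drifted rules. Add-MpPreference matches the
# two arrays positionally, so keep IDs and actions in the same order.
$fix = @($drift | Where-Object InDrift)
if ($fix) {
    $fixIds     = @($fix | ForEach-Object Id)
    $fixActions = @($fix | ForEach-Object { if ($Baseline[$_.Id].Action -eq 1) { 'Enabled' } else { 'AuditMode' } })
    "Would set: " + (($fixIds | ForEach-Object { "$_" }) -join ', ')
    # Add-MpPreference -AttackSurfaceReductionRules_Ids $fixIds -AttackSurfaceReductionRules_Actions $fixActions
}
```

The baseline deliberately puts the prevalence/age rule and the PsExec/WMI rule in audit mode first, since those two are the ones most likely to catch legitimate admin tooling; move them to block once the audit events are clean, as with the child-process rule.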

If you are more comfortable with a graphical user interface, you can use the PoSH GUI. After installing PoSH, choose the rules you want for each workstation you are protecting. This sets the rule for the workstation via PowerShell. You can test the settings for your environment before rolling them out firm-wide.

[Image: ASR rules using the PoSH GUI. Credit: Susan Bradley]

The tool also allows you to audit a workstation to determine what settings have been set via Intune or Group Policy. It’s recommended to run a workstation in audit mode for 30 days before you enable the rules to review the impact on your systems.

If you use a third-party antivirus tool, you will not be able to use ASR rules, as they work only with Defender. Check whether your antivirus and protection platforms provide similar features to the ASR rules. Too often businesses pick antivirus solutions due to licensing and contractual arrangements. It may be time to revisit your deployments and determine whether Defender and Defender with ATP provide a better solution.


Susan Bradley has been patching since before the Code Red/Nimda days and remembers exactly where she was when SQL slammer hit (trying to buy something on eBay and wondering why the Internet was so slow). She writes the Patch Watch column for Askwoody.com, is a moderator on the PatchManagement.org listserve, and writes a column of Windows security tips for CSOonline.com. In real life, she’s the IT wrangler at her firm, Tamiyasu, Smith, Horn and Braun, where she manages a fleet of Windows servers, Microsoft 365 deployments, Azure instances, desktops, a few Macs, several iPads, a few Surface devices, several iPhones and tries to keep patches up to date on all of them. In addition, she provides forensic computer investigations for the litigation consulting arm of the firm. She blogs at https://www.askwoody.com/tag/patch-lady-posts/ and is on twitter at @sbsdiva. She lurks on Twitter and Facebook, so if you are on Facebook with her, she really did read what you posted. She has a SANS/GSEC certification in security and prefers Heavy Duty Reynolds wrap for her tinfoil hat.
