With all the attacks in the news recently, can you take steps to protect the workstations you already have, using protections you might not have enabled? Yes, and most of the steps are built into the operating system you already have.

Windows 10's Attack Surface Reduction (ASR) rules are part of Windows Defender Exploit Guard. These settings block certain processes and executables that attackers use. ASR features are available in:

- Windows 10 Pro, version 1709 or later
- Windows 10 Enterprise, version 1709 or later
- Windows Server, version 1803 (Semi-Annual Channel) or later
- Windows Server 2019

If you have Windows 10 Pro but no enterprise license, you won't have the full reporting and monitoring features, but you can still set up the protections.

ASR can help prevent many forms of ransomware and malware injection. Even with good email hygiene, malicious content can wiggle into users' systems. It's key, then, to review which users are at higher risk and which need extra protection.

Recently, in the Threat Analytics Report console in Microsoft Defender for Endpoint (the new name for Defender ATP), Microsoft referenced the Zloader banking Trojan, providing guidance on whether it impacts your organization and how to mitigate it. You can access this report and console by purchasing a single Microsoft Defender for Endpoint license.
While you can't then implement the monitoring and features across your firm, you can at least access these excellent write-ups and mitigation guidance. For example, to defend yourself against Zloader, one of the recommendations is to use these ASR rules in your environment:

1. In Group Policy, open the Group Policy Management Editor.
2. Go to "Computer configuration" and select "Administrative templates".
3. Browse to "Windows components", then to "Microsoft Defender Antivirus", then to "Windows Defender Exploit Guard" (old name) or "Microsoft Defender Exploit Guard" (new name).
4. Go to "Attack Surface Reduction".
5. Click on "Configure Attack Surface Reduction rules".
6. Select "Configure Attack surface reduction rules" and select "Enabled".
7. Set the individual state for each rule in the options section.

How to block child processes

A key setting that will probably block 99.9% of macro-based droppers found in the wild is "Block all Office applications from creating child processes". This rule blocks Office apps from creating child processes. This includes Word, Excel, PowerPoint, OneNote and Access.

Creating malicious child processes is a common malware strategy. Malware that abuses Office as a vector often runs VBA macros and exploit code to download and attempt to run additional payloads. However, some legitimate line-of-business applications might also generate child processes for benign purposes, such as spawning a command prompt or using PowerShell to configure registry settings.

In Intune, the name of the rule is "Office apps launching child processes". In Configuration Manager, the name is "Block Office application from creating child processes".
In local Group Policy the GUID is: D4F940AB-401B-4EFC-AADC-AD5F3C50688A

To set this rule, set the policy values in these areas, in this order:

- "Computer Configuration"
- "Administrative Templates"
- "Windows Components"
- "Windows Defender Antivirus"
- "Windows Defender Exploit Guard"
- "Attack Surface Reduction"

Then set "Configure Attack Surface Reduction rules" to "Enabled". Click "Show...". Set the "Value name" to "D4F940AB-401B-4EFC-AADC-AD5F3C50688A" and the "Value" to "2" to audit or "1" to block.

Figure: Setting up ASR to block Office applications from creating child processes (Susan Bradley)

You may wish to monitor this process before blocking it to ensure that it doesn't impact your network. Once you determine that the impact to your users is nominal, change the setting from 2 (audit mode) to 1 (block mode).

You then want to monitor for event ID 1122 in your event logs under "Applications and Services logs", then "Microsoft", then "Windows", then "Security-Mitigations". Click on "Kernel" mode and review the events.

If you need to exclude a file or folder from the processing, use Group Policy. In the same section, under "Attack Surface Reduction exceptions", enter those files and folders. You can also select "Import" to import a CSV file that contains files and folders to exclude from ASR rules. Each line in the CSV file should be formatted as follows:

C:\folder, %ProgramFiles%\folder\file, C:\path

While that one rule will probably go a long way to protecting your systems from malicious activity, it's not the only one that you can use to ensure your systems are more secure.
Additional ASR rules for protection include:

- Block Office applications from creating executable content
- Block executable content from email client and webmail
- Block Office applications from injecting code into other processes
- Block executable files from running unless they meet a prevalence, age, or trusted list criterion
- Block credential stealing from the Windows local security authority subsystem (lsass.exe)
- Block process creations originating from PsExec and WMI commands

If you are more comfortable with a graphical user interface, you can use the PoSH GUI. After installing PoSH, choose the rules you want for each workstation you are protecting. This sets the rule for the workstation via PowerShell. You can test the settings for your environment before rolling them out firm-wide.

Figure: ASR rules using the PoSH GUI (Susan Bradley)

The tool also allows you to audit a workstation to determine what settings have been set via Intune or Group Policy. It's recommended to run a workstation in audit mode for 30 days before you enable the rules to review the impact on your systems.

If you use a third-party antivirus tool, you will not be able to use ASR rules as they work only with Defender. Check whether your antivirus and protection platforms provide similar features to the ASR rules. Too often businesses pick antivirus solutions due to licensing and contractual arrangements. It may be time to revisit your deployments and determine if Defender and Defender with ATP provide a better solution.
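For administrators who would rather script the audit-then-block workflow above than click through Group Policy or the PoSH GUI, here is an added example (not from the article or from Microsoft's documentation) using the built-in Defender cmdlets. It uses the one rule GUID the article gives; the exclusion path is a hypothetical line-of-business tool, and the script assumes an elevated session on a machine where Microsoft Defender Antivirus is the active engine.

```powershell
# Added example: set the "Block all Office applications from creating child
# processes" rule in audit mode, verify it, add an exclusion, and read the
# audit events. Run from an elevated PowerShell session with Defender AV active.

# Rule GUID from the article. Further GUID => action pairs can be added here.
$AsrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'AuditMode'   # change to 'Enabled' to block
}

function Set-AsrRuleState {
    param(
        [Parameter(Mandatory)] [string] $RuleId,
        [Parameter(Mandatory)] [ValidateSet('Enabled', 'AuditMode', 'Disabled')] [string] $Action
    )
    # Add-MpPreference merges with rules already configured; Set-MpPreference
    # would replace the entire rule list, so prefer Add- for incremental changes.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions $Action
}

function Get-AsrRuleState {
    # Returns GUID -> numeric action as Defender stores it:
    # 0 = Disabled, 1 = Block, 2 = Audit (the same 1/2 values the article sets in Group Policy).
    $pref  = Get-MpPreference
    $state = @{}
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $state[$pref.AttackSurfaceReductionRules_Ids[$i].ToUpper()] = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
    }
    return $state
}

foreach ($id in $AsrRules.Keys) { Set-AsrRuleState -RuleId $id -Action $AsrRules[$id] }

# Hypothetical line-of-business launcher that legitimately spawns child processes.
Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Program Files\ContosoLOB\launcher.exe'

# Confirm the rule is present and in the expected state (expect 2 while auditing).
$state = Get-AsrRuleState
$state.GetEnumerator() | ForEach-Object { '{0} -> {1}' -f $_.Key, $_.Value }

# ASR also writes to the Defender Antivirus operational log: 1122 = rule fired in
# audit mode (would have blocked), 1121 = rule fired in block mode. Review these
# for the 30-day audit period before switching the action to 'Enabled'.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Remove the `-MaxEvents` limit (or export to CSV) when compiling the full audit-period review for a fleet; the GUID printed in each event's message identifies which rule would have fired.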