Reducing the Windows 10 attack surface

Digging In

15 ASR Rules

In total, Microsoft defines 15 ASR rules for the execution of content from received email or from Office and script files. The following sections look at the GUID and the effect of applying each rule.

The rule with GUID BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 prevents the execution of programs and scripts, JavaScript, and Visual Basic or PowerShell if they are saved from Outlook or Microsoft promises that email attachments from other webmail providers are also protected but supply no overview of supported providers in the documentation. Outlook itself can be restricted significantly by applying rule 26190899-1602-49E8-8B27-EB1D0A1CE869 when creating child processes.

Different rules protect your system from misbehavior from within Office applications. Enabling the GUID D4F940AB-401B-4EFC-AADC-AD5F3C50688A lets you prevent Office applications from starting additional child processes. This rule contains macros that retroactively load and run files from the Internet and sometimes restricts the ability of legitimate programs and macros that you use as an extension of your Office package to work correctly. However, as described before, exceptions can be defined for this purpose; you should use them carefully, of course.

Keeping Malware Out

To prevent malware from being stored on your system's hard drive from within Office (e.g., for manual execution by one of your employees later on), you need to enable the rule with GUID 3B576869-A4EC-4529-8536-B80A7769E899 . Doing so automatically prevents a very common method of permanently embedding malware on a system. You can block calls to the Win32 API from within Office applications with rule 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B , which prevents the direct execution of malware, without it having been written to the hard drive first.

You can prevent access to working memory areas used by third-party processes and thus the ability of malware to infiltrate other active processes from within Microsoft Office by activating GUID rule 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 . For the most part, you can use this rule safely. Virtually no legitimate enterprise software implements this kind of functionality.

To prevent scripts that are used to download and then install malware on a system, activate two rules: GUID D3E037E1-3EB8-44C8-A917-57927947596D blocks JavaScript such that no content downloaded from the Internet or another internal system can be executed, and GUID 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC prevents scripts from executing if source code obfuscation methods are detected in them.

Blocking Unknown Software

To prevent the execution of unknown or previously unused software on your systems, use GUID rule 01443614-CD74-433A-B99E-2ECDC07BFC25 . However, this is only enabled if you also enable Microsoft Defender cloud delivery protection at the same time with:

Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent SendAllSamples

You also need cloud delivery protection enabled for the next rule, GUID C1DB55AB-C21A-4637-BB3F-A12568109D35 , which prevents executable files that Microsoft classifies as potential ransomware from entering your system. When it comes to execution prevention rules, you must always keep in mind that the list of exceptions, which you may have already expanded in one of the previous rules, will apply to all rules when they are checked.

The use of analysis tools such as Mimikatz [3] to grab valid login or session data through the Local Security Authority Subsystem Service (LSASS) are restricted with the rule 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2 . Microsoft mentions in the documentation for this rule that it can generate many false positives under certain circumstances, because the legitimate use of the LSASS interface (e.g., when creating a child process) is also restricted when you apply the rule.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

comments powered by Disqus
Subscribe to our ADMIN Newsletters
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs

Support Our Work

ADMIN content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.

Learn More”>


		<div class=