Reducing the Windows 10 attack surface

Digging In

Setting Up ASR

The full scope of ASR is only available with a license for Windows 10 Enterprise. However, some of the ASR rules can also be used in other versions. You have different options for enabling and configuring rules on your systems: Microsoft Intune, Mobile Device Management (MDM), Microsoft Endpoint Configuration Manager, Group Policy, and PowerShell. Depending on which tool you typically use to configure your machines, the convenience of activating the rules varies.

Figure 1 shows ASR rules in the Endpoint Configuration Manager. You will find more information about the effects of the different rules there. Even if it seems to make sense at first glance to activate all rules, you will want to define different rulesets depending on the activity of your employees on the affected system. You can choose different actions for each rule. To check the effects of different rules, select audit mode. You can then first check the effects of the individual rules in the event log.

Figure 1: Setting up security rules in Endpoint Configuration Manager.

PowerShell for Quick Tests

If you want to try out ASR rules on individual systems without the available device management tools, PowerShell is a quick alternative for testing. Unlike the graphical interfaces, you need the GUID assigned to each rule when selecting rules in PowerShell. You will already be familiar with the PowerShell Get-, Set-, and Add-MpPreference cmdlets from Windows Defender, which you can use to define, for example, exceptions in monitoring for individual folders or processes.

With the introduction of attack surface reduction, you can also use it to change the actions for ASR rules. The AttackSurfaceReductionRules_Ids parameter lets you specify one or more of the GUIDs for which you want to change the status, and you pass in the new status with the AttackSurfaceReductionRules_Actions parameter. Given three different rules, you could then configure the actions as follows if you want to disable the first rule, enable the second rule, and disable checking for the third rule:

Set-MpPreference -AttackSurfaceReductionRules_Ids <GUID1>, <GUID2>, <GUID3> -AttackSurfaceReductionRules_Actions Disabled, Enabled, AuditMode

Keep in mind that you need to specify the action for each rule separated by a comma, even if you want to apply the same action for all rules.

Defining Exceptions

If you want to disable protection with ASR rules for individual objects, you can specify them with the AttackSurfaceReductionOnlyExclusions parameter. As the argument, specify the absolute path to a directory or a program. Note the difference between the calls to Set-MpPreference and Add-MpPreference. The first call completely deletes the existing list of exceptions and creates a new exception list with the values you pass in. However, if you want to add individual objects as exceptions to an existing list, choose the second cmdlet.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

comments powered by Disqus
Subscribe to our ADMIN Newsletters
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs

Support Our Work

ADMIN content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.