From 89c52bbf5f413460ab87081cb5182ef1a81c50b1 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 29 May 2020 12:54:05 -0700 Subject: [PATCH 1/5] Update enable-attack-surface-reduction.md --- .../enable-attack-surface-reduction.md | 60 ++++++++++--------- 1 file changed, 31 insertions(+), 29 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md index e31b0b4fc7..bb6e6c5647 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md @@ -12,14 +12,14 @@ ms.localizationpriority: medium audience: ITPro author: levinec ms.author: ellevin -ms.date: 05/20/2020 +ms.date: 05/29/2020 ms.reviewer: manager: dansimp --- # Enable attack surface reduction rules -[Attack surface reduction rules](attack-surface-reduction.md) help prevent actions that malware often abuses to compromise devices and networks. You can set attack surface reduction rules for devices running any of the following editions and versions of Windows: +[Attack surface reduction rules](attack-surface-reduction.md) (ASR rules) help prevent actions that malware often abuses to compromise devices and networks. You can set ASR rules for devices running any of the following editions and versions of Windows: - Windows 10 Pro, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later - Windows 10 Enterprise, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later - Windows Server, [version 1803 (Semi-Annual Channel)](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) or later @@ -27,22 +27,22 @@ manager: dansimp Each ASR rule contains one of three settings: -* Not configured: Disable the ASR rule -* Block: Enable the ASR rule -* Audit: Evaluate how the ASR rule would impact your organization if enabled +- Not configured: Disable the ASR rule +- Block: Enable the ASR rule +- Audit: Evaluate how the ASR rule would impact your organization if enabled -To use ASR rules, you need either a Windows 10 Enterprise E3 or E5 license. We recommend an E5 license so you can take advantage of the advanced monitoring and reporting capabilities available in [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) (Microsoft Defender ATP). These advanced capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjunction with ASR rules. +To use ASR rules, you must have either a Windows 10 Enterprise E3 or E5 license. We recommend E5 licenses so you can take advantage of the advanced monitoring and reporting capabilities that are available in [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) (Microsoft Defender ATP). Advanced monitoring and reporting capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjunction with ASR rules. > [!TIP] > To learn more about Windows licensing, see [Windows 10 Licensing](https://www.microsoft.com/licensing/product-licensing/windows10?activetab=windows10-pivot:primaryr5) and get the [Volume Licensing guide for Windows 10](https://download.microsoft.com/download/2/D/1/2D14FE17-66C2-4D4C-AF73-E122930B60F6/Windows-10-Volume-Licensing-Guide.pdf). You can enable attack surface reduction rules by using any of these methods: -* [Microsoft Intune](#intune) -* [Mobile Device Management (MDM)](#mdm) -* [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager) -* [Group Policy](#group-policy) -* [PowerShell](#powershell) +- [Microsoft Intune](#intune) +- [Mobile Device Management (MDM)](#mdm) +- [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager) +- [Group Policy](#group-policy) +- [PowerShell](#powershell) Enterprise-level management such as Intune or Microsoft Endpoint Configuration Manager is recommended. Enterprise-level management will overwrite any conflicting Group Policy or PowerShell settings on startup. @@ -50,6 +50,8 @@ Enterprise-level management such as Intune or Microsoft Endpoint Configuration M You can exclude files and folders from being evaluated by most attack surface reduction rules. This means that even if an ASR rule determines the file or folder contains malicious behavior, it will not block the file from running. This could potentially allow unsafe files to run and infect your devices. +You can also exclude ASR rules from triggering based on certificate and file hashes by allowing specified Microsoft Defender ATP file and certificate indicators. (See [Manage indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators).) + > [!IMPORTANT] > Excluding files or folders can severely reduce the protection provided by ASR rules. Excluded files will be allowed to run, and no report or event will be recorded. > If ASR rules are detecting files that you believe shouldn't be detected, you should [use audit mode first to test the rule](evaluate-attack-surface-reduction.md). @@ -67,9 +69,9 @@ The following procedures for enabling ASR rules include instructions for how to 2. In the **Endpoint protection** pane, select **Windows Defender Exploit Guard**, then select **Attack Surface Reduction**. Select the desired setting for each ASR rule. -3. Under **Attack Surface Reduction exceptions**, you can enter individual files and folders, or you can select **Import** to import a CSV file that contains files and folders to exclude from ASR rules. Each line in the CSV file should be in the following format: +3. Under **Attack Surface Reduction exceptions**, you can enter individual files and folders, or you can select **Import** to import a CSV file that contains files and folders to exclude from ASR rules. Each line in the CSV file should be formatted as follows: - *C:\folder*, *%ProgramFiles%\folder\file*, *C:\path* + `C:\folder`, `%ProgramFiles%\folder\file`, `C:\path` 4. Select **OK** on the three configuration panes and then select **Create** if you're creating a new endpoint protection file or **Save** if you're editing an existing one. @@ -79,23 +81,23 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https The following is a sample for reference, using [GUID values for ASR rules](attack-surface-reduction.md#attack-surface-reduction-rules). -OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules +`OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules` -Value: {75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}=2|{3B576869-A4EC-4529-8536-B80A7769E899}=1|{D4F940AB-401B-4EfC-AADC-AD5F3C50688A}=2|{D3E037E1-3EB8-44C8-A917-57927947596D}=1|{5BEB7EFE-FD9A-4556-801D-275E5FFC04CC}=0|{BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550}=1 +`Value: {75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}=2|{3B576869-A4EC-4529-8536-B80A7769E899}=1|{D4F940AB-401B-4EfC-AADC-AD5F3C50688A}=2|{D3E037E1-3EB8-44C8-A917-57927947596D}=1|{5BEB7EFE-FD9A-4556-801D-275E5FFC04CC}=0|{BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550}=1` The values to enable, disable, or enable in audit mode are: -* Disable = 0 -* Block (enable ASR rule) = 1 -* Audit = 2 +- Disable = 0 +- Block (enable ASR rule) = 1 +- Audit = 2 Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductiononlyexclusions) configuration service provider (CSP) to add exclusions. Example: -OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions +`OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions` -Value: c:\path|e:\path|c:\Whitelisted.exe +`Value: c:\path|e:\path|c:\Whitelisted.exe` > [!NOTE] > Be sure to enter OMA-URI values without spaces. @@ -122,11 +124,11 @@ Value: c:\path|e:\path|c:\Whitelisted.exe 4. Select **Configure Attack surface reduction rules** and select **Enabled**. You can then set the individual state for each rule in the options section: - * Click **Show...** and enter the rule ID in the **Value name** column and your desired state in the **Value** column as follows: + Click **Show...** and enter the rule ID in the **Value name** column and your desired state in the **Value** column as follows: - * Disable = 0 - * Block (enable ASR rule) = 1 - * Audit = 2 + - Disable = 0 + - Block (enable ASR rule) = 1 + - Audit = 2 ![Group policy setting showing a blank attack surface reduction rule ID and value of 1](../images/asr-rules-gp.png) @@ -186,9 +188,9 @@ Value: c:\path|e:\path|c:\Whitelisted.exe > [!IMPORTANT] > Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. -## Related topics +## Related articles -* [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md) -* [Evaluate attack surface reduction](evaluate-attack-surface-reduction.md) -* [Attack surface reduction FAQ](attack-surface-reduction.md) -* [Enable cloud-delivered protection](../windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md) +- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md) +- [Evaluate attack surface reduction](evaluate-attack-surface-reduction.md) +- [Attack surface reduction FAQ](attack-surface-reduction.md) +- [Enable cloud-delivered protection](../windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md) From 041e635365c0f75ed6e8881ad6b0995b8697d01e Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 29 May 2020 12:55:11 -0700 Subject: [PATCH 2/5] Update enable-attack-surface-reduction.md --- .../enable-attack-surface-reduction.md | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md index bb6e6c5647..7537a3854b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md @@ -105,11 +105,16 @@ Example: ## Microsoft Endpoint Configuration Manager 1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**. -1. Click **Home** > **Create Exploit Guard Policy**. -1. Enter a name and a description, click **Attack Surface Reduction**, and click **Next**. -1. Choose which rules will block or audit actions and click **Next**. -1. Review the settings and click **Next** to create the policy. -1. After the policy is created, click **Close**. + +2. Click **Home** > **Create Exploit Guard Policy**. + +3. Enter a name and a description, click **Attack Surface Reduction**, and click **Next**. + +4. Choose which rules will block or audit actions and click **Next**. + +5. Review the settings and click **Next** to create the policy. + +6. After the policy is created, click **Close**. ## Group Policy From 6ded40365611ddaaa335bab9f2f3d033f3a4ef49 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 29 May 2020 12:56:17 -0700 Subject: [PATCH 3/5] Update enable-attack-surface-reduction.md --- .../enable-attack-surface-reduction.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md index 7537a3854b..cf188244f7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md @@ -131,11 +131,11 @@ Example: Click **Show...** and enter the rule ID in the **Value name** column and your desired state in the **Value** column as follows: - - Disable = 0 - - Block (enable ASR rule) = 1 - - Audit = 2 + - Disable = 0 + - Block (enable ASR rule) = 1 + - Audit = 2 - ![Group policy setting showing a blank attack surface reduction rule ID and value of 1](../images/asr-rules-gp.png) + ![Group policy setting showing a blank attack surface reduction rule ID and value of 1](../images/asr-rules-gp.png) 5. To exclude files and folders from ASR rules, select the **Exclude files and paths from Attack surface reduction rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item. From 94df75f6b2427db34e0f1ad5e59223939f2fa358 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 29 May 2020 13:09:18 -0700 Subject: [PATCH 4/5] Update enable-attack-surface-reduction.md --- .../microsoft-defender-atp/enable-attack-surface-reduction.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md index cf188244f7..f010f23e9d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md @@ -196,6 +196,9 @@ Example: ## Related articles - [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md) + - [Evaluate attack surface reduction](evaluate-attack-surface-reduction.md) + - [Attack surface reduction FAQ](attack-surface-reduction.md) + - [Enable cloud-delivered protection](../windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md) From 787042ed2abf271e143f738d3e4e6468177d15fc Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Fri, 29 May 2020 14:04:14 -0700 Subject: [PATCH 5/5] Fixes for grammar and punctuation --- .../enable-attack-surface-reduction.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md index f010f23e9d..a0a0720c4e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md @@ -127,7 +127,7 @@ Example: 3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Attack surface reduction**. -4. Select **Configure Attack surface reduction rules** and select **Enabled**. You can then set the individual state for each rule in the options section: +4. Select **Configure Attack surface reduction rules** and select **Enabled**. You can then set the individual state for each rule in the options section. Click **Show...** and enter the rule ID in the **Value name** column and your desired state in the **Value** column as follows: @@ -176,11 +176,11 @@ Example: > Set-MpPreference -AttackSurfaceReductionRules_Ids ,,, -AttackSurfaceReductionRules_Actions Enabled, Enabled, Disabled, AuditMode > ``` - You can also the `Add-MpPreference` PowerShell verb to add new rules to the existing list. + You can also use the `Add-MpPreference` PowerShell verb to add new rules to the existing list. > [!WARNING] > `Set-MpPreference` will always overwrite the existing set of rules. If you want to add to the existing set, you should use `Add-MpPreference` instead. - > You can obtain a list of rules and their current state by using `Get-MpPreference` + > You can obtain a list of rules and their current state by using `Get-MpPreference`. 3. To exclude files and folders from ASR rules, use the following cmdlet: