mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-21 01:37:22 +00:00
Merge remote-tracking branch 'refs/remotes/origin/master' into jdholo
This commit is contained in:
Jeanie Decker
commit
7c7eca574b
@ -435,6 +435,8 @@
|
||||
|
||||
### [Windows Defender Device Guard: virtualization-based security and WDAC](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
|
||||
|
||||
### [Use attack surface reduction rules in Windows 10 Enterprise E3](windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md)
|
||||
|
||||
|
||||
### [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md)
|
||||
|
||||
|
||||
@ -11,7 +11,7 @@ ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: andreabichsel
|
||||
ms.author: v-anbic
|
||||
ms.date: 10/17/2018
|
||||
ms.date: 10/15/2018
|
||||
---
|
||||
|
||||
# Reduce attack surfaces with attack surface reduction rules
|
||||
@ -20,27 +20,24 @@ ms.date: 10/17/2018
|
||||
|
||||
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
|
||||
|
||||
Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
|
||||
Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. This feature is part of Windows Defender Advanced Threat Protection and provides:
|
||||
|
||||
Attack surface reduction rules work best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), which gives you detailed reporting into events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients.
|
||||
- Rules you can set to enable or disable specific behaviors that are typically used by malware and malicious apps to infect machines, such as:
|
||||
- Executable files and scripts used in Office apps or web mail that attempt to download or run files
|
||||
- Scripts that are obfuscated or otherwise suspicious
|
||||
- Behaviors that apps undertake that are not usually initiated during normal day-to-day work
|
||||
- Centralized monitoring and reporting with deep optics that help you connect the dots across events, computers and devices, and networks
|
||||
- Analytics to enable ease of deployment, by using [audit mode](audit-windows-defender-exploit-guard.md) to show how attack surface reduction rules would impact your organization if they were enabled
|
||||
|
||||
Attack surface reduction rules each target specific behaviors that are typically used by malware and malicious apps to infect machines, such as:
|
||||
|
||||
- Executable files and scripts used in Office apps or web mail that attempt to download or run files
|
||||
- Scripts that are obfuscated or otherwise suspicious
|
||||
- Behaviors that apps undertake that are not usually initiated during normal day-to-day work
|
||||
|
||||
When a rule is triggered, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.
|
||||
|
||||
You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled.
|
||||
When an attack surface reduction rule is triggered, a notification displays from the Action Center on the user's computer. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information.
|
||||
|
||||
## Requirements
|
||||
|
||||
Attack surface reduction rules require Windows 10 Enterprise E5 and [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md).
|
||||
Attack surface reduction rules are a feature of Windows Defender ATP and require Windows 10 Enterprise E5 and [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md).
|
||||
|
||||
## Attack surface reduction rules
|
||||
|
||||
The following sections describe what each rule does. Each rule is identified by a rule GUID, as in the following table:
|
||||
The following sections describe what each rule does. Each rule is identified by a rule GUID, as in the following table.
|
||||
|
||||
Rule name | GUID
|
||||
-|-
|
||||
@ -56,7 +53,7 @@ Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d3
|
||||
Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
|
||||
Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c
|
||||
Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
|
||||
Block Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869
|
||||
Block only Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869
|
||||
Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
|
||||
|
||||
The rules apply to the following Office apps:
|
||||
@ -70,7 +67,6 @@ The rules do not apply to any other Office apps.
|
||||
|
||||
### Rule: Block executable content from email client and webmail
|
||||
|
||||
|
||||
This rule blocks the following file types from being run or launched from an email seen in either Microsoft Outlook or webmail (such as Gmail.com or Outlook.com):
|
||||
|
||||
- Executable files (such as .exe, .dll, or .scr)
|
||||
@ -92,15 +88,12 @@ This rule targets typical behaviors used by suspicious and malicious add-ons and
|
||||
|
||||
Extensions will be blocked from being used by Office apps. Typically these extensions use the Windows Scripting Host (.wsh files) to run scripts that automate certain tasks or provide user-created add-on features.
|
||||
|
||||
|
||||
### Rule: Block Office applications from injecting code into other processes
|
||||
|
||||
|
||||
Office apps, such as Word, Excel, or PowerPoint, will not be able to inject code into other processes.
|
||||
|
||||
This is typically used by malware to run malicious code in an attempt to hide the activity from antivirus scanning engines.
|
||||
|
||||
|
||||
>[!IMPORTANT]
|
||||
>[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders).
|
||||
|
||||
@ -110,7 +103,6 @@ JavaScript and VBScript scripts can be used by malware to launch other malicious
|
||||
|
||||
This rule prevents these scripts from being allowed to launch apps, thus preventing malicious use of the scripts to spread malware and infect machines.
|
||||
|
||||
|
||||
>[!IMPORTANT]
|
||||
>[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders).
|
||||
|
||||
@ -120,6 +112,8 @@ Malware and other threats can attempt to obfuscate or hide their malicious code
|
||||
|
||||
This rule prevents scripts that appear to be obfuscated from running.
|
||||
|
||||
It uses the [AntiMalwareScanInterface (AMSI)](https://msdn.microsoft.com/en-us/library/windows/desktop/dn889587(v=vs.85).aspx) to determine if a script is potentially obfuscated, and then blocks such a script, or blocks scripts when an attempt is made to access them.
|
||||
|
||||
### Rule: Block Win32 API calls from Office macro
|
||||
|
||||
Malware can use macro code in Office files to import and load Win32 DLLs, which can then be used to make API calls to allow further infection throughout the system.
|
||||
@ -133,14 +127,14 @@ This rule blocks the following file types from being run or launched unless they
|
||||
- Executable files (such as .exe, .dll, or .scr)
|
||||
|
||||
>[!NOTE]
|
||||
>You must [enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule.
|
||||
>You must [enable cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule.
|
||||
|
||||
### Rule: Use advanced protection against ransomware
|
||||
|
||||
This rule provides an extra layer of protection against ransomware. Executable files that enter the system will be scanned to determine whether they are trustworthy. If the files exhibit characteristics that closely resemble ransomware, they are blocked from being run or launched, provided they are not already in the trusted list or exception list.
|
||||
|
||||
>[!NOTE]
|
||||
>You must [enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule.
|
||||
>You must [enable cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule.
|
||||
|
||||
### Rule: Block credential stealing from the Windows local security authority subsystem (lsass.exe)
|
||||
|
||||
@ -166,7 +160,7 @@ With this rule, admins can prevent unsigned or untrusted executable files from r
|
||||
- Executable files (such as .exe, .dll, or .scr)
|
||||
- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
|
||||
|
||||
### Rule: Block Office communication applications from creating child processes
|
||||
### Rule: Block only Office communication applications from creating child processes
|
||||
|
||||
Office communication apps will not be allowed to create child processes. This includes Outlook.
|
||||
|
||||
@ -176,23 +170,29 @@ This is a typical malware behavior, especially for macro-based attacks that atte
|
||||
|
||||
This rule blocks Adobe Reader from creating child processes.
|
||||
|
||||
## Review attack surface reduction rule events in the Windows Defender ATP Security Center
|
||||
|
||||
Windows Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).
|
||||
|
||||
You can query Windows Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how attack surface reduction rules would affect your environment if they were enabled.
|
||||
|
||||
## Review attack surface reduction rule events in Windows Event Viewer
|
||||
|
||||
You can review the Windows event log to see events that are created when an attack surface reduction rule is triggered (or audited):
|
||||
|
||||
1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *asr-events.xml* to an easily accessible location on the machine.
|
||||
|
||||
1. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
|
||||
2. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
|
||||
|
||||
2. On the left panel, under **Actions**, click **Import custom view...**
|
||||
3. On the left panel, under **Actions**, click **Import custom view...**
|
||||
|
||||
|
||||
|
||||
3. Navigate to the Exploit Guard Evaluation Package, and select the file *asr-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
|
||||
4. Navigate to the Exploit Guard Evaluation Package, and select the file *asr-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
|
||||
|
||||
4. Click **OK**.
|
||||
5. Click **OK**.
|
||||
|
||||
5. This will create a custom view that filters to only show the following events related to attack surface reduction rules:
|
||||
6. This will create a custom view that filters to only show the following events related to attack surface reduction rules:
|
||||
|
||||
Event ID | Description
|
||||
-|-
|
||||
@ -200,8 +200,6 @@ You can review the Windows event log to see events that are created when an atta
|
||||
1122 | Event when rule fires in Audit-mode
|
||||
1121 | Event when rule fires in Block-mode
|
||||
|
||||
|
||||
|
||||
### Event fields
|
||||
|
||||
- **ID**: matches with the Rule-ID that triggered the block/audit.
|
||||
@ -209,6 +207,9 @@ You can review the Windows event log to see events that are created when an atta
|
||||
- **Process Name**: The process that performed the "operation" that was blocked/audited
|
||||
- **Description**: Additional details about the event or audit, including the signature, engine, and product version of Windows Defender Antivirus
|
||||
|
||||
## Attack surface reduction rules in Windows 10 Enterprise E3
|
||||
|
||||
A subset of attack surface reduction rules are also available on Windows 10 Enterprise E3 without the benefit of centralized monitoring, reporting, and analytics. For more information, see [Use attack surface reduction rules in Windows 10 Enterprise E3](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3).
|
||||
|
||||
## In this section
|
||||
|
||||
|
||||
@ -0,0 +1,51 @@
|
||||
---
|
||||
title: Use attack surface reduction rules in Windows 10 Enterprise E3
|
||||
description: ASR rules can help prevent exploits from using apps and scripts to infect machines with malware
|
||||
keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: manage
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: andreabichsel
|
||||
ms.author: v-anbic
|
||||
ms.date: 10/15/2018
|
||||
---
|
||||
|
||||
# Use attack surface reduction rules in Windows 10 Enterprise E3
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10 Enterprise E3
|
||||
|
||||
Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. This feature area includes the rules, monitoring, reporting, and analytics necessary for deployment that are included in [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), and require the Windows 10 Enterprise E5 license.
|
||||
|
||||
A limited subset of basic attack surface reduction rules can technically be used with Windows 10 Enterprise E3. They can be used without the benefits of reporting, monitoring, and analytics, which provide the ease of deployment and management capabilities necessary for enterprises.
|
||||
|
||||
Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients.
|
||||
|
||||
The limited subset of rules that can be used in Windows 10 Enterprise E3 include:
|
||||
|
||||
- Block executable content from email client and webmail
|
||||
- Block all Office applications from creating child processes
|
||||
- Block Office applications from creating executable content
|
||||
- Block Office applications from injecting code into other processes
|
||||
- Block JavaScript or VBScript from launching downloaded executable content
|
||||
- Block execution of potentially obfuscated scripts
|
||||
- Block Win32 API calls from Office macro
|
||||
- Use advanced protection against ransomware
|
||||
- Block credential stealing from the Windows local security authority subsystem (lsass.exe)
|
||||
- Block process creations originating from PSExec and WMI commands
|
||||
- Block untrusted and unsigned processes that run from USB
|
||||
|
||||
For more information about these rules, see [Reduce attack surfaces with attack surface reduction rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard).
|
||||
|
||||
## Related topics
|
||||
|
||||
Topic | Description
|
||||
---|---
|
||||
[Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) | Use a tool to see a number of scenarios that demonstrate how attack surface reduction rules work, and what events would typically be created.
|
||||
[Enable attack surface reduction rules](enable-attack-surface-reduction.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage attack surface reduction rules in your network.
|
||||
[Customize attack surface reduction rules](customize-attack-surface-reduction.md) | Exclude specified files and folders from being evaluated by attack surface reduction rules and customize the notification that appears on a user's machine when a rule blocks an app or file.
|
||||
Loading…
x
Reference in New Issue
Block a user