mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-14 22:37:22 +00:00
Changed toc, added more ASR details
parent e8ed8baa43
commit 83d06de81c
@ -422,6 +422,8 @@
### [Windows Defender Device Guard: virtualization-based security and WDAC](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
### [Use attack surface reduction rules in Windows 10 Enterprise E3](windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md)
### [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md)
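Review bot: the new "Use attack surface reduction rules in Windows 10 Enterprise E3" entry lands between the Device Guard entry and "Control the health of Windows 10-based devices", neither of which is an Exploit Guard topic; move it under the attack surface reduction / Windows Defender Exploit Guard entries so it sits next to the E5 page whose subset it documents. The relative path form matches the other TOC entries, so the link itself is fine.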
@ -26,31 +26,20 @@ Attack surface reduction rules help prevent actions and apps that are typically
- Executable files and scripts used in Office apps or web mail that attempt to download or run files
- Scripts that are obfuscated or otherwise suspicious
- Behaviors that apps undertake that are not usually initiated during normal day-to-day work
- Centralized monitoring and reporting
- Analytics to enable ease of deployment
- Centralized monitoring and reporting with deep optics that help you connect the dots across events, computers and devices, and networks
- Analytics to enable ease of deployment, by using [audit mode](audit-windows-defender-exploit-guard.md) to show how attack surface reduction rules would impact your organization if they were enabled
When a rule is triggered, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.
You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled.
When an attack surface reduction rule is triggered, a notification displays from the Action Center on the user's computer. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information.
## Requirements
Attack surface reduction rules are a feature of Windows Defender ATP and require Windows 10 Enterprise E5 and [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md).
This feature includes:
* Rules for enabling or disabling select behaviors that apps and scripts can use
* Centralized monitoring and reporting
* Analytics to enable ease of deployment
A subset of attack surface reduction rules are also available on Windows 10 Enterprise E3 without the benefit of centralized monitoring, reporting, and analytics.
A subset of attack surface reduction rules are also available on Windows 10 Enterprise E3 without the benefit of centralized monitoring, reporting, and analytics. For more information, see [Use attack surface reduction rules in Windows 10 Enterprise E3](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3).
## Attack surface reduction rules
The following sections describe what each rule does. Each rule is identified by a rule GUID, as in the following table. Rules that are only supported on Windows 10 Enterprise E5 are marked with an asterisk (\*).
The following sections describe what each rule does. Each rule is identified by a rule GUID, as in the following table.
Rule name | GUID
-|-
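Review bot: the new cross-reference to the E3 page is an absolute https://docs.microsoft.com/en-us/... URL, while every other link in this hunk (audit-windows-defender-exploit-guard.md, customize-attack-surface-reduction.md, ../windows-defender-antivirus/...) is relative; use `attack-surface-reduction-rules-in-windows-10-enterprise-e3.md` so the link carries no hard-coded locale and resolves inside the repo. Two smaller points: if the sentence "You can also use audit mode to evaluate how attack surface reduction rules would impact your organization" survives alongside the new "Analytics to enable ease of deployment, by using audit mode ..." bullet, keep only one of them; and the rewritten notification sentence drops "You can also enable the rules individually to customize what techniques the feature monitors", which was the page's only statement that rules can be enabled one at a time, so either restore it or link to where per-rule enablement is described.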
@ -61,13 +50,13 @@ Block Office applications from injecting code into other processes | 75668C1F-73
Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D
Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
\* Block executable files from running unless they meet a prevalence, age, or trusted list criteria | 01443614-cd74-433a-b99e-2ecdc07bfc25
Block executable files from running unless they meet a prevalence, age, or trusted list criteria | 01443614-cd74-433a-b99e-2ecdc07bfc25
Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35
Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c
Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
\* Block only Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869
\* Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
Block only Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869
Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
The rules apply to the following Office apps:
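Review bot: with the asterisk removed from the "Block executable files from running unless they meet a prevalence, age, or trusted list criteria", "Block only Office communication applications from creating child processes" and "Block Adobe Reader from creating child processes" rows, and the sentence "Rules that are only supported on Windows 10 Enterprise E5 are marked with an asterisk" gone from the lead-in, this table no longer tells the reader which rules are unavailable on E3; either keep the marker or add one sentence above the table pointing at the E3 page for the supported subset. Separately, the GUIDs are upper-case in the first rows (D3E037E1-..., 5BEB7EFE-..., 92E97FA1-...) and lower-case from 01443614-... onward; normalise to one case.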
@ -80,7 +69,6 @@ The rules do not apply to any other Office apps.
### Rule: Block executable content from email client and webmail
This rule blocks the following file types from being run or launched from an email seen in either Microsoft Outlook or webmail (such as Gmail.com or Outlook.com):
- Executable files (such as .exe, .dll, or .scr)
@ -102,15 +90,12 @@ This rule targets typical behaviors used by suspicious and malicious add-ons and
Extensions will be blocked from being used by Office apps. Typically these extensions use the Windows Scripting Host (.wsh files) to run scripts that automate certain tasks or provide user-created add-on features.
### Rule: Block Office applications from injecting code into other processes
Office apps, such as Word, Excel, or PowerPoint, will not be able to inject code into other processes.
This is typically used by malware to run malicious code in an attempt to hide the activity from antivirus scanning engines.
>[!IMPORTANT]
>[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders).
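Review bot: "Windows Scripting Host (.wsh files)" in the extensions paragraph should read "Windows Script Host"; that is the product name (wscript.exe / cscript.exe), and a .wsh file is a WSH settings file that points at a script rather than the script itself, so either write "Windows Script Host scripts (such as .vbs or .js files)" or drop the parenthetical.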
@ -120,7 +105,6 @@ JavaScript and VBScript scripts can be used by malware to launch other malicious
This rule prevents these scripts from being allowed to launch apps, thus preventing malicious use of the scripts to spread malware and infect machines.
>[!IMPORTANT]
>[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders).
@ -188,23 +172,29 @@ This is a typical malware behavior, especially for macro-based attacks that atte
This rule blocks Adobe Reader from creating child processes.
## Review attack surface reduction rule events in the Windows Defender ATP Security Center
Windows Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).
You can query Windows Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how attack surface reduction rules would affect your environment if they were enabled.
## Review attack surface reduction rule events in Windows Event Viewer
You can review the Windows event log to see events that are created when an attack surface reduction rule is triggered (or audited):
1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *asr-events.xml* to an easily accessible location on the machine.
1. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
2. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
2. On the left panel, under **Actions**, click **Import custom view...**
3. On the left panel, under **Actions**, click **Import custom view...**

3. Navigate to the Exploit Guard Evaluation Package, and select the file *asr-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
4. Navigate to the Exploit Guard Evaluation Package, and select the file *asr-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
4. Click **OK**.
5. Click **OK**.
5. This will create a custom view that filters to only show the following events related to attack surface reduction rules:
6. This will create a custom view that filters to only show the following events related to attack surface reduction rules:
Event ID | Description
-|-
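Review bot: the Advanced hunting link in the new "Review attack surface reduction rule events in the Windows Defender ATP Security Center" section is an absolute /en-us/ docs.microsoft.com URL, while the alert-investigation link in the paragraph above it is relative (../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md); use the same relative form, ../windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md, assuming that topic follows the same file naming. The renumbered Event Viewer steps now hold together, since the new step 1 (download the Exploit Guard Evaluation Package and extract asr-events.xml) is what makes step 4's "Navigate to the Exploit Guard Evaluation Package" possible; the audit-mode sentence closing the Advanced hunting paragraph repeats guidance already given in the introduction and can be cut to the link alone.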
@ -212,8 +202,6 @@ You can review the Windows event log to see events that are created when an atta
1122 | Event when rule fires in Audit-mode
1121 | Event when rule fires in Block-mode
### Event fields
- **ID**: matches with the Rule-ID that triggered the block/audit.
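Review bot: put 1121 (block) before 1122 (audit) so the event table reads in ID order, and write "audit mode" and "block mode" rather than "Audit-mode" and "Block-mode" to match the wording used in the introduction. The "ID: matches with the Rule-ID" field description should say the rule GUID from the table above, since "Rule-ID" is not a term used anywhere else on the page.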
@ -82,7 +82,6 @@ Office apps, such as Word, Excel, or PowerPoint, will not be able to inject code
This is typically used by malware to run malicious code in an attempt to hide the activity from antivirus scanning engines.
>[!IMPORTANT]
>[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders).
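Review bot: this callout in the E3 page is word for word the one in the E5 page's "Block Office applications from injecting code into other processes" section, with the same customize-attack-surface-reduction.md#exclude-files-and-folders link; that relative path only resolves if customize-attack-surface-reduction.md sits beside the E3 page, so verify the link from here, and keep the two copies in step since the E5 page's copy also appears in this diff.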
@ -149,16 +148,6 @@ With this rule, admins can prevent unsigned or untrusted executable files from r
- Executable files (such as .exe, .dll, or .scr)
- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
### Rule: Block only Office communication applications from creating child processes
Office communication apps will not be allowed to create child processes. This includes Outlook.
This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables.
### Rule: Block Adobe Reader from creating child processes
This rule blocks Adobe Reader from creating child processes.
## Review attack surface reduction rule events in Windows Event Viewer
You can review the Windows event log to see events that are created when an attack surface reduction rule is triggered (or audited):
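Review bot: dropping the "Block only Office communication applications from creating child processes" and "Block Adobe Reader from creating child processes" sections from the E3 page is consistent with the E5 table, where those two rules (26190899-1602-49e8-8b27-eb1d0a1ce869 and 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c) carried the E5-only asterisk; make sure the E3 page's own rule table, which is outside this diff, no longer lists those GUIDs, otherwise it points at sections that no longer exist. The "Block executable files from running unless they meet a prevalence, age, or trusted list criteria" rule (01443614-cd74-433a-b99e-2ecdc07bfc25) carried the same asterisk in the E5 table, so check whether it also needs to come out of the E3 page.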