diff --git a/windows/security/threat-protection/windows-defender-atp/TOC.md b/windows/security/threat-protection/windows-defender-atp/TOC.md index 3a7c584172..b8cfb0c4f9 100644 --- a/windows/security/threat-protection/windows-defender-atp/TOC.md +++ b/windows/security/threat-protection/windows-defender-atp/TOC.md @@ -195,7 +195,6 @@ #### [Controlled folder access](../windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md) ##### [Customize controlled folder access](../windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md) #### [Attack surface reduction controls](../windows-defender-exploit-guard/enable-attack-surface-reduction.md) -##### [Customize attack surface reduction](../windows-defender-exploit-guard/customize-attack-surface-reduction.md) #### [Network firewall](../windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index c66852c277..6db53d2fcf 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -11,7 +11,6 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 10/17/2018 --- # Reduce attack surfaces with attack surface reduction rules 
@@ -20,19 +19,21 @@ ms.date: 10/17/2018 - Windows Defender Advanced Threat Protection (Windows Defender ATP) -Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. +Attack surface reduction rules help prevent actions in apps that malware often uses to infect computers. You can set attack surface reduction rules for computers running Windows 10 or Windows Server 2019. -Attack surface reduction rules work best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), which gives you detailed reporting into events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients. +To use ASR rules, you need either a Windows 10 Enterprise E3 or E5 license. We recommend an E5 license so you can take advantage of the advanced monitoring and reporting capabilities available in Windows Defender Advanced Threat Protection (Windows Defender ATP). These advanced capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjuction with ASR rules. -Attack surface reduction rules each target specific behaviors that are typically used by malware and malicious apps to infect machines, such as: +Attack surface reduction rules work best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), which gives you detailed reporting into events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). 
+ +Attack surface reduction rules each target specific behaviors that malware and malicious apps typically use to infect computers, including: - Executable files and scripts used in Office apps or web mail that attempt to download or run files - Scripts that are obfuscated or otherwise suspicious - Behaviors that apps undertake that are not usually initiated during normal day-to-day work -When a rule is triggered, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. +When a rule triggers, the Action Center displays a notification. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. -You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. +You can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. ## Requirements @@ -66,7 +67,7 @@ The rules apply to the following Office apps: - Microsoft PowerPoint - Microsoft OneNote -The rules do not apply to any other Office apps. +Except where specified, the rules do not apply to any other Office apps. ### Rule: Block executable content from email client and webmail diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md index 2ba64377c3..2d6e86d1fb 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md 
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md 
@@ -11,14 +11,132 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 10/17/2018 --- # Enable attack surface reduction rules -**Applies to:** +Attack surface reduction rules help prevent actions in apps that malware often uses to infect computers. You can set attack surface reduction rules for computers running Windows 10 or Windows Server 2019. -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +To use ASR rules, you need either a Windows 10 Enterprise E3 or E5 license. We recommend an E5 license so you can take advantage of the advanced monitoring and reporting capabilities available in Windows Defender Advanced Threat Protection (Windows Defender ATP). These advanced capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjuction with ASR rules. + +## Exclude files and folders from ASR rules + +You can exclude files and folders from being evaluated by most attack surface reduction rules. This means that even if an ASR rule determines the file or folder contains malicious behavior, it will not block the file from running. This could potentially allow unsafe files to run and infect your devices. + +>[!WARNING] +>Excluding files or folders can severely reduce the protection provided by ASR rules. Excluded files will be allowed to run, and no report or event will be recorded. +> +>If ASR rules are detecting files that you believe shouldn't be detected, you should [use audit mode first to test the rule](enable-attack-surface-reduction.md#enable-and-audit-attack-surface-reduction-rules). + +You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules the exclusions apply to. Exclusions apply to all rules that are enabled or are set to audit mode. + +Attack surface reduction supports environment variables and wildcards. 
For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). + +The procedures below for enabling ASR rules include instructions for how to exclude files and folders. + +## Enable and audit attack surface reduction rules + +You're most likely to use Intune or System Center Configuration Manager (SCCM) to configure ASR rules, but you can also use Group Policy, PowerShell, or MDM CSPs. + +For a complete list of ASR rules, see [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md). + +Each ASR rule contains three settings: + +* Not configured: Disable the ASR rule +* Block: Enable the ASR rule +* Audit: Evaluate how the ASR rule would impact your organization if enabled + +For further details on how audit mode works and when to use it, see [Audit Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md). + +### Enable ASR rules in Intune + +1. In Intune, select *Device configuration* > *Profiles*. Choose an existing endpoint protection profile or create a new one. To create a new one, select *Create profile* and enter information for this profile. For *Profile type*, select *Endpoint protection*. If you've chosen an existing profile, select *Properties* and then select *Settings*. + +2. In the *Endpoint protection* pane, select *Windows Defender Exploit Guard*, then select *Attack Surface Reduction*. Select the desired setting for each ASR rule. + +3. Under *Attack Surface Reduction exceptions*, you can enter individual files and folders, or you can select *Import* to import a CSV file that contains files and folders to exclude from ASR rules. + +4. 
Select *OK* on the three configuration panes and then select *Create* if you're creating a new endpoint protection file or *Save* if you're editing an existing one. + +### Enable ASR rules in SCCM + +For information about enabling ASR rules and setting exclusions in SCCM, see [Create and deploy an Exploit Guard policy](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/create-deploy-exploit-guard-policy). + +### Enable ASR rules with group policy + +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. + +3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Attack surface reduction**. + +4. Select **Configure Attack surface reduction rules** and select **Enabled**. You can then set the individual state for each rule in the options section: + - Click **Show...** and enter the rule ID in the **Value name** column and your desired state in the **Value** column as follows: + - Block (enable ASR rule) = 1 + - Disable = 0 + - Audit = 2 + +![Group policy setting showing a blank attack surface reduction rule ID and value of 1](images/asr-rules-gp.png) + +5. To exclude files and folders from ASR rules, select the **Exclude files and paths from Attack surface reduction Rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item. + +### Enable ASR rules with PowerShell + +1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**. + +2. 
Enter the following cmdlet: + + ```PowerShell + Set-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions Enabled + ``` + +You can enable the feature in audit mode using the following cmdlet: + +```PowerShell +Add-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions AuditMode +``` +Use `Disabled` insead of `AuditMode` or `Enabled` to turn the feature off. + +>[!IMPORTANT> +>You must specify the state individually for each rule, but you can combine rules and states in a comma-separated list. +> +>In the following example, the first two rules will be enabled, the third rule will be disabled, and the fourth rule will be enabled in audit mode: +> +>```PowerShell +>Set-MpPreference -AttackSurfaceReductionRules_Ids ,,, -AttackSurfaceReductionRules_Actions Enabled, Enabled, Disabled, AuditMode +>``` + +You can also the `Add-MpPreference` PowerShell verb to add new rules to the existing list. + +>[!WARNING] +>`Set-MpPreference` will always overwrite the existing set of rules. If you want to add to the existing set, you should use `Add-MpPreference` instead. +>You can obtain a list of rules and their current state by using `Get-MpPreference` + +3. To exclude files and folders from ASR rules, enter the following cmdlet: + + ```PowerShell + Add-MpPreference -AttackSurfaceReductionOnlyExclusions "" + ``` + +Continue to use `Add-MpPreference -AttackSurfaceReductionOnlyExclusions` to add more files and folders to the list. + +>[!IMPORTANT] +>Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. + +### Enable ASR rules with MDM CSPs + +Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductionrules) configuration service provider (CSP) to individually enable and set the mode for each rule. 
+ +Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductiononlyexclusions) configuration service provider (CSP) to add exclusions. + +## Related topics + +- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md) +- [Evaluate attack surface reduction](evaluate-attack-surface-reduction.md) + + + +**OLD TOPIC FOR COMPARISON** Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients.
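Review bot: In the TOC.md hunk, removing the "Customize attack surface reduction" entry leaves `customize-attack-surface-reduction.md` orphaned while the @@ -20 hunk in attack-surface-reduction-exploit-guard.md still links to `customize-attack-surface-reduction.md#customize-the-notification`; either keep the TOC entry or move the notification-customization content (and fix the link) if that page is being retired.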
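Review bot: The @@ -11,7 +11,6 @@ hunk in attack-surface-reduction-exploit-guard.md deletes `ms.date: 10/17/2018` outright rather than updating it; if the build or localization pipeline expects that field, replace it with the current date instead of removing it.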
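Review bot: In the @@ -20,19 +19,21 @@ hunk, "conjuction" should be "conjunction", and "ASR rules" appears in the new licensing paragraph before the abbreviation is introduced; expand it on first use, e.g. "attack surface reduction (ASR) rules", and reword "either a Windows 10 Enterprise E3 or E5 license" to "either a Windows 10 Enterprise E3 or an E5 license".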
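Review bot: In the @@ -66,7 +67,7 @@ hunk, "Except where specified, the rules do not apply to any other Office apps." is vaguer than the line it replaces and nothing in the hunk says where the exceptions are specified; name the rules that cover other Office apps or link to their sections so readers can find the exceptions.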
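Review bot: The @@ -11,14 +11,132 @@ hunk in enable-attack-surface-reduction.md ends with a stray `**OLD TOPIC FOR COMPARISON**` paragraph that repeats the pre-change intro text and must not ship; delete it. Several other items in the same hunk: `>[!IMPORTANT>` is a malformed alert marker and will not render, so it should be `>[!IMPORTANT]`; the cmdlet samples show no placeholder at all after `-AttackSurfaceReductionRules_Ids` (and `,,,` / `""` in the combined and exclusion examples), so the rule ID and path placeholders are either missing or were lost, and they need to be visible inside the fences; step 2 uses `Set-MpPreference` to enable a rule while the audit example uses `Add-MpPreference`, which conflicts with the WARNING that `Set-MpPreference` overwrites the list, so pick one cmdlet per intent and say so consistently; "insead" should be "instead", "conjuction" should be "conjunction", "You can also the `Add-MpPreference` PowerShell verb" is missing "use" and `Add-MpPreference` is a cmdlet, not a verb; "endpoint protection file" in Intune step 4 should read "profile"; and the unindented paragraphs and image between numbered steps (step 2 to step 3 in the PowerShell section, step 4 to step 5 in the group policy section) will restart markdown list numbering unless indented. Also note the hunk removes the `**Applies to:**` block that the sibling page keeps, and the exclusions intro says "most attack surface reduction rules" while the later sentence says exclusions apply to "all rules that are enabled or are set to audit mode"; reconcile the two.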