Edited headings for clarity.

Andrea Bichsel 2019-02-06 12:40:38 -08:00
parent e078156b9d
commit f93df55c57


@ -1,6 +1,6 @@
---
title: Use attack surface reduction rules to prevent malware infection
description: ASR rules can help prevent exploits from using apps and scripts to infect machines with malware
description: Attack surface reduction rules can help prevent exploits from using apps and scripts to infect machines with malware
keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
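Review bot: the `keywords:` line in this hunk lists only the long form "Attack surface reduction"; now that the `description:` drops the "ASR" abbreviation, the page has no remaining "ASR" term for search to match, so consider adding it to the keywords in the same commit, e.g. `keywords: Attack surface reduction, ASR, hips, host intrusion prevention system, ...`.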
@ -21,7 +21,7 @@ ms.author: v-anbic
Attack surface reduction rules help prevent actions and apps that malware often uses to infect computers. You can set attack surface reduction rules for computers running Windows 10 or Windows Server 2019.
To use ASR rules, you need either a Windows 10 Enterprise E3 or E5 license. We recommend an E5 license so you can take advantage of the advanced monitoring and reporting capabilities available in Windows Defender Advanced Threat Protection (Windows Defender ATP). These advanced capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjuction with ASR rules.
To use attack surface reduction rules, you need either a Windows 10 Enterprise E3 or E5 license. We recommend an E5 license so you can take advantage of the advanced monitoring and reporting capabilities available in Windows Defender Advanced Threat Protection (Windows Defender ATP). These advanced capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjuction with attack surface reduction rules.
Attack surface reduction rules work best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), which gives you detailed reporting into events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).
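Review bot: the rewritten sentence still carries the typo "conjuction" ("tools to use in conjuction with attack surface reduction rules"); since the line is already being edited, correct it to "conjunction" here rather than in a follow-up.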
@ -63,9 +63,9 @@ The rules apply to the following Office apps:
- Microsoft PowerPoint
- Microsoft OneNote
Except where specified, ASR rules do not apply to any other Office apps.
Except where specified, attack surface reduction rules do not apply to any other Office apps.
### Rule: Block executable content from email client and webmail
### Block executable content from email client and webmail
This rule blocks the following file types from being run or launched from an email seen in either Microsoft Outlook or webmail (such as Gmail.com or Outlook.com):
@ -79,7 +79,7 @@ SCCM name: Block executable content from email client and webmail
GUID: BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
### Rule: Block all Office applications from creating child processes
### Block all Office applications from creating child processes
Office apps will not be allowed to create child processes. This includes Word, Excel, PowerPoint, OneNote, and Access.
@ -91,7 +91,7 @@ SCCM name: Block Office application from creating child processes
GUID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
### Rule: Block Office applications from creating executable content
### Block Office applications from creating executable content
This rule targets typical behaviors used by suspicious and malicious add-ons and scripts (extensions) that create or launch executable files. This is a typical malware technique.
@ -103,7 +103,7 @@ SCCM name: Block Office applications from creating executable content
GUID: 3B576869-A4EC-4529-8536-B80A7769E899
### Rule: Block Office applications from injecting code into other processes
### Block Office applications from injecting code into other processes
Office apps, including Word, Excel, or PowerPoint, will not be able to inject code into other processes.
@ -115,14 +115,14 @@ SCCM name: Block Office applications from injecting code into other processes
GUID: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
### Rule: Block JavaScript or VBScript From launching downloaded executable content
### Block JavaScript or VBScript From launching downloaded executable content
JavaScript and VBScript scripts can be used by malware to launch other malicious apps.
This rule prevents these scripts from being allowed to launch apps, thus preventing malicious use of the scripts to spread malware and infect machines.
>[!IMPORTANT]
>File and folder exclusions do not apply to this ASR rule.
>File and folder exclusions do not apply to this attack surface reduction rule.
Intune name: js/vbs executing payload downloaded from Internet (no exceptions)
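Review bot: the new heading keeps the stray capital in "VBScript From launching"; every other rule heading in this change uses sentence case, and the SCCM name in the following hunk header already reads "from launching", so lowercase it while the heading is being touched: `### Block JavaScript or VBScript from launching downloaded executable content`.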
@ -130,7 +130,7 @@ SCCM name: Block JavaScript or VBScript from launching downloaded executable con
GUID: D3E037E1-3EB8-44C8-A917-57927947596D
### Rule: Block execution of potentially obfuscated scripts
### Block execution of potentially obfuscated scripts
Malware and other threats can attempt to obfuscate or hide their malicious code in some script files.
@ -142,7 +142,7 @@ SCCM name: Block execution of potentially obfuscated scripts.
GUID: 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
### Rule: Block Win32 API calls from Office macro
### Block Win32 API calls from Office macro
Malware can use macro code in Office files to import and load Win32 DLLs, which can then be used to make API calls to allow further infection throughout the system.
@ -154,7 +154,7 @@ SCCM name: Block Win32 API calls from Office macros
GUID: 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
### Rule: Block executable files from running unless they meet a prevalence, age, or trusted list criteria
### Block executable files from running unless they meet a prevalence, age, or trusted list criteria
This rule blocks the following file types from being run or launched unless they meet prevalence or age criteria set by admins, or they are in a trusted list or exclusion list:
@ -169,7 +169,7 @@ SCCM name: Block executable files from running unless they meet a prevalence, ag
GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25
### Rule: Use advanced protection against ransomware
### Use advanced protection against ransomware
This rule provides an extra layer of protection against ransomware. Executable files that enter the system will be scanned to determine whether they are trustworthy. If the files exhibit characteristics that closely resemble ransomware, they are blocked from being run or launched, provided they are not already in the trusted list or exception list.
@ -182,12 +182,12 @@ SCCM name: Use advanced protection against ransomware
GUID: c1db55ab-c21a-4637-bb3f-a12568109d35
### Rule: Block credential stealing from the Windows local security authority subsystem (lsass.exe)
### Block credential stealing from the Windows local security authority subsystem (lsass.exe)
Local Security Authority Subsystem Service (LSASS) authenticates users who log in to a Windows computer. Windows Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. This rule helps mitigate that risk by locking down LSASS.
>[!NOTE]
>Some apps are coded to enumerate all running processes and to attempt opening them with exhaustive permissions. This results in the app accessing LSASS even when it's not necessary. ASR will deny the app's process open action and log the details to the security event log. Entry in the event log for access denial by itself is not an indication of the presence of a malicious threat.
>Some apps are coded to enumerate all running processes and to attempt opening them with exhaustive permissions. This results in the app accessing LSASS even when it's not necessary. This rule will deny the app's process open action and log the details to the security event log. Entry in the event log for access denial by itself is not an indication of the presence of a malicious threat.
Intune name: Flag credential stealing from the Windows local security authority subsystem
@ -195,12 +195,12 @@ SCCM name: Block credential stealing from the Windows local security authority s
GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
### Rule: Block process creations originating from PSExec and WMI commands
### Block process creations originating from PSExec and WMI commands
This rule blocks processes through PsExec and WMI commands from running, to prevent remote code execution that can spread malware attacks.
>[!IMPORTANT]
>File and folder exclusions do not apply to this ASR rule.
>File and folder exclusions do not apply to this attack surface reduction rule.
>[!WARNING]
>[Only use this rule if you are managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [System Center Configuration Manager](https://docs.microsoft.com/sccm) because this rule blocks WMI commands that the Configuration Manager client uses to function correctly.]
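Review bot: the `[!WARNING]` body in this hunk's unchanged context is wrapped in a stray pair of square brackets (`>[Only use this rule ... uses to function correctly.]`), which Markdown renders as literal brackets around the whole sentence, with the two inline links nested inside them; drop the outer brackets so the line starts `>Only use this rule if you are managing your devices with [Intune](https://docs.microsoft.com/intune)`. Separately, the heading spells the tool "PSExec" while the body text spells it "PsExec"; the body's spelling is the tool's actual name, so align the heading with it.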
@ -211,7 +211,7 @@ SCCM name: Not applicable
GUID: d1e49aac-8f56-4280-b9ba-993a6d77406c
### Rule: Block untrusted and unsigned processes that run from USB
### Block untrusted and unsigned processes that run from USB
With this rule, admins can prevent unsigned or untrusted executable files from running from USB removable drives, including SD cards. Blocked file types include:
@ -224,7 +224,7 @@ SCCM name: Block untrusted and unsigned processes that run from USB
GUID: b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
### Rule: Block Office communication application from creating child processes
### Block Office communication application from creating child processes
This rule prevents Outlook from creating child processes, including launching an app when a user double-clicks an attachment.
@ -239,7 +239,7 @@ SCCM name: Not applicable
GUID: 26190899-1602-49e8-8b27-eb1d0a1ce869
### Rule: Block Adobe Reader from creating child processes
### Block Adobe Reader from creating child processes
This rule blocks Adobe Reader from creating child processes.