From cc4c3a08713fb8e2ae3c16addf65cacd0a1013da Mon Sep 17 00:00:00 2001 From: martyav Date: Mon, 6 Jan 2020 12:49:53 -0500 Subject: [PATCH 01/18] some initial linting --- .../attack-surface-reduction.md | 14 ++++++++------ .../customize-attack-surface-reduction.md | 8 ++++---- .../enable-attack-surface-reduction.md | 6 +++--- .../evaluate-attack-surface-reduction.md | 7 +++---- .../overview-attack-surface-reduction.md | 7 ++++--- 5 files changed, 22 insertions(+), 20 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 772ce99ae9..9638dcc454 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -1,7 +1,7 @@ --- title: Use attack surface reduction rules to prevent malware infection -description: Attack surface reduction rules can help prevent exploits from using apps and scripts to infect machines with malware -keywords: Attack surface reduction rules, asr, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention +description: Microsoft Defender ATP's attack surface reduction rules can help prevent exploits from using apps and scripts to infect machines with malware. +keywords: Attack surface reduction rules, asr, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, Microsoft Defender Advanced Threat Protection, Microsoft Defender ATP search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 @@ -26,9 +26,7 @@ ms.custom: asr > [!IMPORTANT] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -Attack surface reduction rules help prevent behaviors malware often uses to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, versions 1709 and 1803 or later, Windows Server, version 1803 (Semi-Annual Channel) or later, or Windows Server 2019. - -To use the entire feature set of attack surface reduction rules, you need a Windows 10 Enterprise license. With a Windows E5 license you get advanced management capabilities including monitoring, analytics, and workflows available in [Microsoft Defender Advanced Threat Protection](microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the Microsoft 365 security center. These advanced capabilities aren't available with an E3 license, but you can use Event Viewer to review attack surface reduction rule events. +Attack surface reduction rules help prevent behaviors malware often use to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, versions 1709 and 1803 or later, Windows Server, version 1803 (Semi-Annual Channel) or later, or Windows Server 2019. Attack surface reduction rules target behaviors that malware and malicious apps typically use to infect computers, including: @@ -42,6 +40,10 @@ Triggered rules display a notification on the device. You can [customize the not For information about configuring attack surface reduction rules, see [Enable attack surface reduction rules](enable-attack-surface-reduction.md). +## Attack surface reduction features across Windows versions + +To use the entire feature set of attack surface reduction rules, you need a Windows 10 Enterprise license. With a Windows E5 license, you get advanced management capabilities including monitoring, analytics, and workflows available in [Microsoft Defender Advanced Threat Protection](microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the Microsoft 365 security center. These advanced capabilities aren't available with an E3 license, but you can still use Event Viewer to review attack surface reduction rule events. + ## Review attack surface reduction events in the Microsoft Defender Security Center Microsoft Defender ATP provides detailed reporting into events and blocks as part of its alert investigation scenarios. @@ -84,7 +86,7 @@ The "engine version" of attack surface reduction events in the event log, is gen The following sections describe each of the 15 attack surface reduction rules. This table shows their corresponding GUIDs, which you use if you're configuring the rules with Group Policy or PowerShell. If you use System Center Configuration Manager or Microsoft Intune, you do not need the GUIDs: Rule name | GUID | File & folder exclusions ------------|------|-------------------------- +-|-|- Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 | Supported Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A | Supported Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899 | Supported diff --git a/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md index 839daef3d1..6de945b1eb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md @@ -1,5 +1,5 @@ --- -title: Configure how attack surface reduction rules work to finetune protection in your network +title: Configure how attack surface reduction rules work to fine-tune protection in your network description: You can individually set rules in audit, block, or disabled modes, and add files and folders that should be excluded from ASR keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, customize, configure, exclude search.product: eADQiWindows 10XVcnh @@ -26,7 +26,7 @@ manager: dansimp > [!IMPORTANT] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients. +Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction rules are supported on Windows Server 2019, as well as on Windows 10 clients. This topic describes how to customize attack surface reduction rules by [excluding files and folders](#exclude-files-and-folders) or [adding custom text to the notification](#customize-the-notification) alert that appears on a user's computer. @@ -39,12 +39,12 @@ You can exclude files and folders from being evaluated by attack surface reducti > [!WARNING] > This could potentially allow unsafe files to run and infect your devices. Excluding files or folders can severely reduce the protection provided by attack surface reduction rules. Files that would have been blocked by a rule will be allowed to run, and there will be no report or event recorded. -An exclusion applies to all rules that allow exclusions. You can specify an individual file, folder path, or the fully qualified domain name for a resource, but you cannot limit an exclusion to certain rules. +An exclusion applies to all rules that allow exclusions. You can specify an individual file, folder path, or the fully qualified domain name for a resource, but you cannot limit an exclusion to a specific rule. An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted. Attack surface reduction supports environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). -If you are encountering problems with rules detecting files that you believe should not be detected, you should [use audit mode first to test the rule](evaluate-attack-surface-reduction.md). +If you are encountering problems with rules detecting files that you believe should not be detected, you should [use audit mode to test the rule](evaluate-attack-surface-reduction.md). Rule description | GUID -|-|- diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md index 80c8e25156..7581cd6d01 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md @@ -1,6 +1,6 @@ --- title: Enable ASR rules individually to protect your organization -description: Enable ASR rules to protect your devices from attacks the use macros, scripts, and common injection techniques +description: Enable attack surface reduction (ASR) rules to protect your devices from attacks that use macros, scripts, and common injection techniques. keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, enable, turn on search.product: eADQiWindows 10XVcnh ms.pagetype: security @@ -54,7 +54,7 @@ You can exclude files and folders from being evaluated by most attack surface re > * Block process creations originating from PSExec and WMI commands > * Block JavaScript or VBScript from launching downloaded executable content -You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules the exclusions apply to. An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted. +You can specify individual files or folders (using folder paths or fully qualified resource names), but you can't specify which rules the exclusions apply to. An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted. ASR rules support environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). @@ -62,7 +62,7 @@ The following procedures for enabling ASR rules include instructions for how to ## Intune -1. In Intune, select **Device configuration** > **Profiles**. Choose an existing endpoint protection profile or create a new one. To create a new one, select **Create profile** and enter information for this profile. For **Profile type**, select **Endpoint protection**. If you've chosen an existing profile, select **Properties** and then select **Settings**. +1. Select **Device configuration** > **Profiles**. Choose an existing endpoint protection profile or create a new one. To create a new one, select **Create profile** and enter information for this profile. For **Profile type**, select **Endpoint protection**. If you've chosen an existing profile, select **Properties** and then select **Settings**. 2. In the **Endpoint protection** pane, select **Windows Defender Exploit Guard**, then select **Attack Surface Reduction**. Select the desired setting for each ASR rule. diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md index 271622f774..d67ee360f7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md @@ -23,7 +23,7 @@ manager: dansimp * [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients. +Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction rules are supported on Windows Server 2019, as well as Windows 10 clients. This topic helps you evaluate attack surface reduction rules. It explains how to enable audit mode so you can test the feature directly in your organization. @@ -36,16 +36,15 @@ You can enable attack surface reduction rules in audit mode. This lets you see a You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how often the rules will fire during normal use. -To enable audit mode, use the following PowerShell cmdlet: +To enable all attack surface reduction rules in audit mode, use the following PowerShell cmdlet: ```PowerShell Set-MpPreference -AttackSurfaceReductionRules_Actions AuditMode ``` -This enables all attack surface reduction rules in audit mode. - > [!TIP] > If you want to fully audit how attack surface reduction rules will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s). + You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Attack surface reduction rules topic](attack-surface-reduction.md). ## Review attack surface reduction events in Windows Event Viewer diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md index f67f450978..f56f13f460 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md @@ -1,8 +1,8 @@ --- title: Overview of attack surface reduction ms.reviewer: -description: Learn about the attack surface reduction capability in Microsoft Defender ATP -keywords: asr, attack surface reduction, microsoft defender atp, microsoft defender, antivirus, av, windows defender +description: Learn about the attack surface reduction capabilities of Microsoft Defender ATP. +keywords: asr, attack surface reduction, microsoft defender atp, microsoft defender advanced threat protection, microsoft defender, antivirus, av, windows defender search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -22,6 +22,7 @@ ms.topic: conceptual # Overview of attack surface reduction **Applies to:** + * [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Reduce your attack surfaces by minimizing the places where your organization is vulnerable to cyberthreats and attacks. Use the following resources to configure protection for the devices and applications in your organization. @@ -31,7 +32,7 @@ Reduce your attack surfaces by minimizing the places where your organization is |[Hardware-based isolation](../windows-defender-application-guard/wd-app-guard-overview.md) | Protect and maintain the integrity of a system as it starts and while it's running. Validate system integrity through local and remote attestation. And, use container isolation for Microsoft Edge to help guard against malicious websites. | |[Application control](../windows-defender-application-control/windows-defender-application-control.md) | Use application control so that your applications must earn trust in order to run. | |[Exploit protection](./exploit-protection.md) |Help protect operating systems and apps your organization uses from being exploited. Exploit protection also works with third-party antivirus solutions. | -|[Network protection](./network-protection.md) |Extend protection to your network traffic and connectivity on your organization's devices. (Requires Windows Defender Antivirus) | +|[Network protection](./network-protection.md) |Extend protection to your network traffic and connectivity on your organization's devices. (Requires Windows Defender Antivirus) | |[Controlled folder access](./controlled-folders.md) | Help prevent malicious or suspicious apps (including file-encrypting ransomware malware) from making changes to files in your key system folders (Requires Windows Defender Antivirus) | |[Attack surface reduction](./attack-surface-reduction.md) |Reduce vulnerabilities (attack surfaces) in your applications with intelligent rules that help stop malware. (Requires Windows Defender Antivirus) | |[Network firewall](../windows-firewall/windows-firewall-with-advanced-security.md) |Prevent unauthorized traffic from flowing to or from your organization's devices with two-way network traffic filtering. | From a4f9577bd9b6d6708f9f2ee406f834dba8fa7ac2 Mon Sep 17 00:00:00 2001 From: martyav Date: Wed, 8 Jan 2020 15:37:48 -0500 Subject: [PATCH 02/18] improving explanation of asr --- .../attack-surface-reduction.md | 18 +++++++++++------- .../customize-attack-surface-reduction.md | 6 +++--- .../enable-attack-surface-reduction.md | 2 +- .../evaluate-attack-surface-reduction.md | 4 ++-- 4 files changed, 17 insertions(+), 13 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 9638dcc454..bacf776678 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -26,15 +26,19 @@ ms.custom: asr > [!IMPORTANT] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -Attack surface reduction rules help prevent behaviors malware often use to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, versions 1709 and 1803 or later, Windows Server, version 1803 (Semi-Annual Channel) or later, or Windows Server 2019. +Your attack surface is the total number of places where an attacker could compromise your device or network. Reducing your attack surface means offering attackers fewer ways to perform attacks. -Attack surface reduction rules target behaviors that malware and malicious apps typically use to infect computers, including: +Attack surface reduction rules target software behaviors that are often abused to attack device or networks, such as: -* Executable files and scripts used in Office apps or web mail that attempt to download or run files -* Obfuscated or otherwise suspicious scripts -* Behaviors that apps don't usually initiate during normal day-to-day work +* Launching executable files and scripts that attempt to download or run files +* Running obfuscated or otherwise suspicious scripts +* Performing behaviors that apps don't usually initiate during normal day-to-day work -You can use [audit mode](audit-windows-defender.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks similar to malware. By monitoring audit data and [adding exclusions](enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without impacting productivity. +While these behaviors can have legitimate uses as well, they are considered risky because they are commonly abused by malware. Attack surface reduction rules can constrain these kinds of risky behaviors, or even block them entirely. + +You can set attack surface reduction rules for computers running Windows 10, versions 1709 and 1803 or later, Windows Server, version 1803 (Semi-Annual Channel) or later, and Windows Server 2019. + +Use [audit mode](audit-windows-defender.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks similar to malware. By monitoring audit data and [adding exclusions](enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without impacting productivity. Triggered rules display a notification on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. The notification also displays in the Microsoft Defender Security Center and in the Microsoft 365 security center. @@ -48,7 +52,7 @@ To use the entire feature set of attack surface reduction rules, you need a Wind Microsoft Defender ATP provides detailed reporting into events and blocks as part of its alert investigation scenarios. -You can query Microsoft Defender ATP data by using [Advanced hunting](advanced-hunting-query-language.md). If you're using [audit mode](audit-windows-defender.md), you can use Advanced hunting to understand how attack surface reduction rules could affect your environment. +You can query Microsoft Defender ATP data by using [advanced hunting](advanced-hunting-query-language.md). If you're using [audit mode](audit-windows-defender.md), you can use advanced hunting to understand how attack surface reduction rules could affect your environment. Here is an example query: diff --git a/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md index 6de945b1eb..2d4a24ee15 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md @@ -26,11 +26,11 @@ manager: dansimp > [!IMPORTANT] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction rules are supported on Windows Server 2019, as well as on Windows 10 clients. +Attack surface reduction rules help prevent software behaviors that are often abused to compromise your device or network. For example, an attacker might try to run an unsigned script off of a USB drive, or have a macro in an Office document make calls directly to the Win32 API. Attack surface reduction rules can constrain these kinds of risky behaviors and improve your organization's defensive posture. -This topic describes how to customize attack surface reduction rules by [excluding files and folders](#exclude-files-and-folders) or [adding custom text to the notification](#customize-the-notification) alert that appears on a user's computer. +Learn how to customize attack surface reduction rules by [excluding files and folders](#exclude-files-and-folders) or [adding custom text to the notification](#customize-the-notification) alert that appears on a user's computer. -You can use Group Policy, PowerShell, and MDM CSPs to configure these settings. +Attack surface reduction rules are supported on Windows 10, versions 1709 and 1803 or later, Windows Server, version 1803 (Semi-Annual Channel) or later, and Windows Server 2019. You can use Group Policy, PowerShell, and MDM CSPs to configure these settings. ## Exclude files and folders diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md index 7581cd6d01..70874ef5f6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md @@ -19,7 +19,7 @@ manager: dansimp # Enable attack surface reduction rules -[Attack surface reduction rules](attack-surface-reduction.md) help prevent actions and apps that malware often uses to infect computers. You can set attack surface reduction rules for computers running Windows 10 or Windows Server 2019. +[Attack surface reduction rules](attack-surface-reduction.md) help prevent actions that malware often abuse to compromise devices and networks. You can set attack surface reduction rules for computers running Windows 10, versions 1709 and 1803 or later, Windows Server, version 1803 (Semi-Annual Channel) or later, and Windows Server 2019. Each ASR rule contains three settings: diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md index d67ee360f7..9d1a0cbb6c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md @@ -23,9 +23,9 @@ manager: dansimp * [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction rules are supported on Windows Server 2019, as well as Windows 10 clients. +Attack surface reduction rules help prevent actions that are typically used by malware to compromise devices or networks. Attack surface reduction rules are supported on Windows 10, versions 1709 and 1803 or later, Windows Server, version 1803 (Semi-Annual Channel) or later, and Windows Server 2019. -This topic helps you evaluate attack surface reduction rules. It explains how to enable audit mode so you can test the feature directly in your organization. +Learn how to evaluate attack surface reduction rules, by enabling audit mode to test the feature directly in your organization. > [!TIP] > You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. From 4b24a82640ba2ebaf8b45cc748889561931a4f14 Mon Sep 17 00:00:00 2001 From: martyav Date: Wed, 8 Jan 2020 15:37:48 -0500 Subject: [PATCH 03/18] improving explanation of asr --- .../attack-surface-reduction.md | 18 +++++++++++------- .../customize-attack-surface-reduction.md | 6 +++--- .../enable-attack-surface-reduction.md | 2 +- .../evaluate-attack-surface-reduction.md | 4 ++-- 4 files changed, 17 insertions(+), 13 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 9638dcc454..6985406904 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -26,15 +26,17 @@ ms.custom: asr > [!IMPORTANT] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -Attack surface reduction rules help prevent behaviors malware often use to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, versions 1709 and 1803 or later, Windows Server, version 1803 (Semi-Annual Channel) or later, or Windows Server 2019. +Your attack surface is the total number of places where an attacker could compromise your device or network. Reducing your attack surface means offering attackers fewer ways to perform attacks. -Attack surface reduction rules target behaviors that malware and malicious apps typically use to infect computers, including: +Attack surface reduction rules target software behaviors that are often abused to attack device or networks, such as: -* Executable files and scripts used in Office apps or web mail that attempt to download or run files -* Obfuscated or otherwise suspicious scripts -* Behaviors that apps don't usually initiate during normal day-to-day work +* Launching executable files and scripts that attempt to download or run files +* Running obfuscated or otherwise suspicious scripts +* Performing behaviors that apps don't usually initiate during normal day-to-day work -You can use [audit mode](audit-windows-defender.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks similar to malware. By monitoring audit data and [adding exclusions](enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without impacting productivity. +While these behaviors can have legitimate uses as well, they are considered risky because they are commonly abused by malware. Attack surface reduction rules can constrain these kinds of risky behaviors, or even block them entirely. + +Use [audit mode](audit-windows-defender.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks similar to malware. By monitoring audit data and [adding exclusions](enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without impacting productivity. Triggered rules display a notification on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. The notification also displays in the Microsoft Defender Security Center and in the Microsoft 365 security center. @@ -42,13 +44,15 @@ For information about configuring attack surface reduction rules, see [Enable at ## Attack surface reduction features across Windows versions +You can set attack surface reduction rules for computers running Windows 10, versions 1709 and 1803 or later, Windows Server, version 1803 (Semi-Annual Channel) or later, and Windows Server 2019. + To use the entire feature set of attack surface reduction rules, you need a Windows 10 Enterprise license. With a Windows E5 license, you get advanced management capabilities including monitoring, analytics, and workflows available in [Microsoft Defender Advanced Threat Protection](microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the Microsoft 365 security center. These advanced capabilities aren't available with an E3 license, but you can still use Event Viewer to review attack surface reduction rule events. ## Review attack surface reduction events in the Microsoft Defender Security Center Microsoft Defender ATP provides detailed reporting into events and blocks as part of its alert investigation scenarios. -You can query Microsoft Defender ATP data by using [Advanced hunting](advanced-hunting-query-language.md). If you're using [audit mode](audit-windows-defender.md), you can use Advanced hunting to understand how attack surface reduction rules could affect your environment. +You can query Microsoft Defender ATP data by using [advanced hunting](advanced-hunting-query-language.md). If you're using [audit mode](audit-windows-defender.md), you can use advanced hunting to understand how attack surface reduction rules could affect your environment. Here is an example query: diff --git a/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md index 6de945b1eb..2d4a24ee15 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md @@ -26,11 +26,11 @@ manager: dansimp > [!IMPORTANT] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction rules are supported on Windows Server 2019, as well as on Windows 10 clients. +Attack surface reduction rules help prevent software behaviors that are often abused to compromise your device or network. For example, an attacker might try to run an unsigned script off of a USB drive, or have a macro in an Office document make calls directly to the Win32 API. Attack surface reduction rules can constrain these kinds of risky behaviors and improve your organization's defensive posture. -This topic describes how to customize attack surface reduction rules by [excluding files and folders](#exclude-files-and-folders) or [adding custom text to the notification](#customize-the-notification) alert that appears on a user's computer. +Learn how to customize attack surface reduction rules by [excluding files and folders](#exclude-files-and-folders) or [adding custom text to the notification](#customize-the-notification) alert that appears on a user's computer. -You can use Group Policy, PowerShell, and MDM CSPs to configure these settings. +Attack surface reduction rules are supported on Windows 10, versions 1709 and 1803 or later, Windows Server, version 1803 (Semi-Annual Channel) or later, and Windows Server 2019. You can use Group Policy, PowerShell, and MDM CSPs to configure these settings. ## Exclude files and folders diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md index 7581cd6d01..70874ef5f6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md @@ -19,7 +19,7 @@ manager: dansimp # Enable attack surface reduction rules -[Attack surface reduction rules](attack-surface-reduction.md) help prevent actions and apps that malware often uses to infect computers. You can set attack surface reduction rules for computers running Windows 10 or Windows Server 2019. +[Attack surface reduction rules](attack-surface-reduction.md) help prevent actions that malware often abuse to compromise devices and networks. You can set attack surface reduction rules for computers running Windows 10, versions 1709 and 1803 or later, Windows Server, version 1803 (Semi-Annual Channel) or later, and Windows Server 2019. Each ASR rule contains three settings: diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md index d67ee360f7..9d1a0cbb6c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md @@ -23,9 +23,9 @@ manager: dansimp * [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction rules are supported on Windows Server 2019, as well as Windows 10 clients. +Attack surface reduction rules help prevent actions that are typically used by malware to compromise devices or networks. Attack surface reduction rules are supported on Windows 10, versions 1709 and 1803 or later, Windows Server, version 1803 (Semi-Annual Channel) or later, and Windows Server 2019. -This topic helps you evaluate attack surface reduction rules. It explains how to enable audit mode so you can test the feature directly in your organization. +Learn how to evaluate attack surface reduction rules, by enabling audit mode to test the feature directly in your organization. > [!TIP] > You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. From db578b9b4b1e057ae82a13f1daa667d2970f4201 Mon Sep 17 00:00:00 2001 From: martyav Date: Mon, 13 Jan 2020 17:46:36 -0500 Subject: [PATCH 04/18] copy edits + more info in descriptions --- .../attack-surface-reduction.md | 120 +++++++++++------- 1 file changed, 73 insertions(+), 47 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 2d7cca4168..5f25820a3a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -28,31 +28,31 @@ ms.custom: asr Your attack surface is the total number of places where an attacker could compromise your device or network. Reducing your attack surface means offering attackers fewer ways to perform attacks. -Attack surface reduction rules target software behaviors that are often abused to attack device or networks, such as: +Attack surface reduction rules target software behaviors that are often abused by attackers, such as: * Launching executable files and scripts that attempt to download or run files * Running obfuscated or otherwise suspicious scripts * Performing behaviors that apps don't usually initiate during normal day-to-day work -While these behaviors can have legitimate uses as well, they are considered risky because they are commonly abused by malware. Attack surface reduction rules can constrain these kinds of risky behaviors, or even block them entirely. +These behaviors are sometimes seen in legitimate applications; however, they are considered risky because they are commonly abused by malware. Attack surface reduction rules can constrain these kinds of risky behaviors and help keep your organization safe. Use [audit mode](audit-windows-defender.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks similar to malware. By monitoring audit data and [adding exclusions](enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without impacting productivity. -Triggered rules display a notification on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. The notification also displays in the Microsoft Defender Security Center and in the Microsoft 365 security center. +Whenever a rule is triggered, a notification will be displayed on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. The notification also displays within the Microsoft Defender Security Center and the Microsoft 365 security center. -For information about configuring attack surface reduction rules, see [Enable attack surface reduction rules](enable-attack-surface-reduction.md). +For more information about configuring attack surface reduction rules, see [Enable attack surface reduction rules](enable-attack-surface-reduction.md). ## Attack surface reduction features across Windows versions -You can set attack surface reduction rules for computers running Windows 10, versions 1709 and 1803 or later, Windows Server, version 1803 (Semi-Annual Channel) or later, and Windows Server 2019. +You can set attack surface reduction rules for computers running Windows 10 versions 1709 and 1803 or later, Windows Server version 1803 (Semi-Annual Channel) or later, and Windows Server 2019. -To use the entire feature set of attack surface reduction rules, you need a Windows 10 Enterprise license. With a Windows E5 license, you get advanced management capabilities including monitoring, analytics, and workflows available in [Microsoft Defender Advanced Threat Protection](microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the Microsoft 365 security center. These advanced capabilities aren't available with an E3 license, but you can still use Event Viewer to review attack surface reduction rule events. +To use the entire feature-set of attack surface reduction rules, you need a Windows 10 Enterprise license. With a Windows E5 license, you get advanced management capabilities including monitoring, analytics, and workflows available in [Microsoft Defender Advanced Threat Protection](microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the Microsoft 365 security center. These advanced capabilities aren't available with an E3 license, but you can still use Event Viewer to review attack surface reduction rule events. ## Review attack surface reduction events in the Microsoft Defender Security Center -Microsoft Defender ATP provides detailed reporting into events and blocks as part of its alert investigation scenarios. +Microsoft Defender ATP provides detailed reporting for events and blocks, as part of its alert investigation scenarios. -You can query Microsoft Defender ATP data by using [advanced hunting](advanced-hunting-query-language.md). If you're using [audit mode](audit-windows-defender.md), you can use advanced hunting to understand how attack surface reduction rules could affect your environment. +You can query Microsoft Defender ATP data by using [advanced hunting](advanced-hunting-query-language.md). If you're running [audit mode](audit-windows-defender.md), you can use advanced hunting to understand how attack surface reduction rules could affect your environment. Here is an example query: @@ -63,19 +63,19 @@ DeviceEvents ## Review attack surface reduction events in Windows Event Viewer -You can review the Windows event log to view events that are created when attack surface reduction rules fire: +You can review the Windows event log to view events generated by attack surface reduction rules: 1. Download the [Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the machine. -2. Type **Event Viewer** in the Start menu to open the Windows Event Viewer. +2. Enter the words, *Event Viewer*, into the Start menu to open the Windows Event Viewer. -3. Click **Import custom view...** on the left panel, under **Actions**. +3. Under **Actions**, select **Import custom view...**. 4. Select the file *cfa-events.xml* from where it was extracted. Alternatively, [copy the XML directly](event-views.md). -5. Click **OK**. +5. Select **OK**. -This will create a custom view that filters to only show the following events related to controlled folder access: +This will create a custom view that filters events to only show the following, all of which are related to controlled folder access: Event ID | Description -|- @@ -83,39 +83,45 @@ Event ID | Description 1121 | Event when rule fires in Block-mode 1122 | Event when rule fires in Audit-mode -The "engine version" of attack surface reduction events in the event log, is generated by Microsoft Defender ATP, not the operating system. Microsoft Defender ATP is integrated with Windows 10, so this feature works on all machines with Windows 10 installed. +The "engine version" listed for attack surface reduction events in the event log, is generated by Microsoft Defender ATP, not by the operating system. Microsoft Defender ATP is integrated with Windows 10, so this feature works on all devices with Windows 10 installed. ## Attack surface reduction rules -The following sections describe each of the 15 attack surface reduction rules. This table shows their corresponding GUIDs, which you use if you're configuring the rules with Group Policy or PowerShell. If you use System Center Configuration Manager or Microsoft Intune, you do not need the GUIDs: +This table lists all attack surface reduction rules, their corresponding GUIDs, and whether the rule supports having certain files and folders selectively excluded. Each rule also links to a longer rule description, for further details on how the rule works, why you would want to enable it, and which applications the rule applies to. + +Except when specified, attack surface reduction rules only apply to Word, Excel, PowerPoint, and OneNote, or Outlook. + +> [!TIP] +> +> Rule GUIDs are used when you're configuring the rules with Group Policy or PowerShell. GUIDs are not needed to manage rules from System Center Configuration Manager (SCCM) or Microsoft Intune. Rule name | GUID | File & folder exclusions -|-|- -Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 | Supported -Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A | Supported -Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899 | Supported -Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 | Supported -Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D | Not supported -Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC | Supported -Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B | Supported -Block executable files from running unless they meet a prevalence, age, or trusted list criterion | 01443614-cd74-433a-b99e-2ecdc07bfc25 | Supported -Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35 | Supported -Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 | Supported -Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c | Not supported -Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 | Supported -Block Office communication application from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 | Supported -Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c | Supported -Block persistence through WMI event subscription | e6db77e5-3df2-4cf1-b95a-636979351e5b | Not supported - -Each rule description indicates which apps or file types the rule applies to. In general, the rules for Office apps apply to only Word, Excel, PowerPoint, and OneNote, or they apply to Outlook. Except where specified, attack surface reduction rules don't apply to any other Office apps. +[Block executable content from email client and webmail](#block-executable-content-from-email-client-and-webmail) | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 | Supported +[Block all Office applications from creating child processes](#block-all-office-applications-from-creating-child-processes) | D4F940AB-401B-4EFC-AADC-AD5F3C50688A | Supported +[Block Office applications from creating executable content](#block-office-applications-from-creating-executable-content) | 3B576869-A4EC-4529-8536-B80A7769E899 | Supported +[Block Office applications from injecting code into other processes](#block-office-applications-from-injecting-code-into-other-processes) | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 | Supported +[Block JavaScript or VBScript from launching downloaded executable content](#block-javaScript-or-vbscript-from-launching-downloaded-executable-content) | D3E037E1-3EB8-44C8-A917-57927947596D | Not supported +[Block execution of potentially obfuscated scripts](#block-execution-of-potentially-obfuscated-scripts) | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC | Supported +[Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros) | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B | Supported +[Block executable files from running unless they meet a prevalence, age, or trusted list criterion](#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) | 01443614-cd74-433a-b99e-2ecdc07bfc25 | Supported +[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) | c1db55ab-c21a-4637-bb3f-a12568109d35 | Supported +[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-Windows-local-security-authority-subsystem-(lsass.exe)) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 | Supported +[Block process creations originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands) | d1e49aac-8f56-4280-b9ba-993a6d77406c | Not supported +[Block untrusted and unsigned processes that run from USB](#block-untrusted-and-unsigned-processes-that-run-from-usb) | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 | Supported +[Block Office communication application from creating child processes](#block-office-communication-application-from-creating-child-processes) | 26190899-1602-49e8-8b27-eb1d0a1ce869 | Supported +[Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes) | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c | Supported +[Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription) | e6db77e5-3df2-4cf1-b95a-636979351e5b | Not supported ### Block executable content from email client and webmail -This rule blocks the following file types from launching from email in Microsoft Outlook or Outlook.com and other popular webmail providers: +This rule blocks the following file types from launching from email opened within the Microsoft Outlook application, or Outlook.com and other popular webmail providers: * Executable files (such as .exe, .dll, or .scr) * Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) +Launching executable files or scripts obtained from email can be very dangerous, as it gives attackers a chance to run malware directly on a targeted device. + This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710 Intune name: Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions) @@ -128,7 +134,7 @@ GUID: BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 This rule blocks Office apps from creating child processes. This includes Word, Excel, PowerPoint, OneNote, and Access. -This is a typical malware behavior, especially malware that abuses Office as a vector, using VBA macros and exploit code to download and attempt to run additional payload. Some legitimate line-of-business applications might also use behaviors like this, including spawning a command prompt or using PowerShell to configure registry settings. +Creating malicious child processes is a common malware strategy. Malware that abuse Office as a vector often run VBA macros and exploit code to download and attempt to run additional payloads. However, some legitimate line-of-business applications might also generate child processes for benign purposes, such as spawning a command prompt or using PowerShell to configure registry settings. This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710 @@ -142,7 +148,7 @@ GUID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating executable content. -This rule targets a typical behavior where malware uses Office as a vector to break out of Office and save malicious components to disk, where they persist and survive a computer reboot. This rule prevents malicious code from being written to disk. +Malware that abuse Office as a vector may attempt to break out of Office and save malicious components to disk, where they persist and survive a computer reboot. This rule prevents malicious code from being written to disk. This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710 @@ -154,7 +160,11 @@ GUID: 3B576869-A4EC-4529-8536-B80A7769E899 ### Block Office applications from injecting code into other processes -Attackers might attempt to use Office apps to migrate malicious code into other processes through code injection, so the code can masquerade as a clean process. This rule blocks code injection attempts from Office apps into other processes. There are no known legitimate business purposes for using code injection. +This rule blocks code injection attempts from Office apps into other processes. + +Attackers might attempt to use Office apps to migrate malicious code into other processes through code injection, so the code can masquerade as a clean process. + +There are no known legitimate business purposes for using code injection. This rule applies to Word, Excel, and PowerPoint. @@ -168,9 +178,9 @@ GUID: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 ### Block JavaScript or VBScript from launching downloaded executable content -Malware often uses JavaScript and VBScript scripts to launch other malicious apps. +This rule prevents scripts from launching potentially malicious downloaded content. Malware written in JavaScript or VBScript often acts as a downloader to fetch and launch other malware from the Internet. -Malware written in JavaScript or VBS often acts as a downloader to fetch and launch additional native payload from the Internet. This rule prevents scripts from launching downloaded content, helping to prevent malicious use of the scripts to spread malware and infect machines. This isn't a common line-of-business use, but line-of-business applications sometimes use scripts to download and launch installers. +Although not common, line-of-business applications sometimes use scripts to download and launch installers. > [!IMPORTANT] > File and folder exclusions don't apply to this attack surface reduction rule. @@ -185,7 +195,9 @@ GUID: D3E037E1-3EB8-44C8-A917-57927947596D ### Block execution of potentially obfuscated scripts -Script obfuscation is a common technique that both malware authors and legitimate applications use to hide intellectual property or decrease script loading times. This rule detects suspicious properties within an obfuscated script. +This rule detects suspicious properties within an obfuscated script. + +Script obfuscation is a common technique that both malware authors and legitimate applications use to hide intellectual property or decrease script loading times. Malware authors also use obfuscation to make malicious code harder to read, which prevents close scrutiny by humans and security software. This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710 @@ -197,7 +209,9 @@ GUID: 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC ### Block Win32 API calls from Office macros -Office VBA provides the ability to use Win32 API calls, which malicious code can abuse. Most organizations don't use this functionality, but might still rely on using other macro capabilities. This rule allows you to prevent using Win32 APIs in VBA macros, which reduces the attack surface. +This rule prevents VBA macros from calling Win32 APIs. + +Office VBA provides the ability to make Win32 API calls. Malware can abuse this capability, such as [calling Win32 APIs to launch malicious shellcode](https://www.microsoft.com/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/) without writing anything directly to disk. Most organizations don't rely on the ability to call Win32 APIs in their day-to-day functioning, even if they use macros in other ways. This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710 @@ -209,10 +223,12 @@ GUID: 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B ### Block executable files from running unless they meet a prevalence, age, or trusted list criterion -This rule blocks the following file types from launching unless they either meet prevalence or age criteria, or they're in a trusted list or exclusion list: +This rule blocks the following file types from launching unless they meet prevalence or age criteria, or they're in a trusted list or an exclusion list: * Executable files (such as .exe, .dll, or .scr) +Launching untrusted or unknown executable files can be risky, as it may not not be initially clear if the files are malicious. + > [!NOTE] > You must [enable cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) to use this rule. @@ -231,7 +247,7 @@ GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25 ### Use advanced protection against ransomware -This rule provides an extra layer of protection against ransomware. It scans executable files entering the system to determine whether they're trustworthy. If the files closely resemble ransomware, this rule blocks them from running, unless they're in a trusted list or exclusion list. +This rule provides an extra layer of protection against ransomware. It scans executable files entering the system to determine whether they're trustworthy. If the files closely resemble ransomware, this rule blocks them from running, unless they're in a trusted list or an exclusion list. > [!NOTE] > You must [enable cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) to use this rule. @@ -246,7 +262,9 @@ GUID: c1db55ab-c21a-4637-bb3f-a12568109d35 ### Block credential stealing from the Windows local security authority subsystem (lsass.exe) -Local Security Authority Subsystem Service (LSASS) authenticates users who log in to a Windows computer. Microsoft Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. This rule helps mitigate that risk by locking down LSASS. +This rule helps prevent credential stealing, by locking down Local Security Authority Subsystem Service (LSASS). + +LSASS authenticates users who log in to a Windows computer. Microsoft Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use hack tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. > [!NOTE] > In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that overly enumerates LSASS, you need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat. @@ -261,7 +279,7 @@ GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 ### Block process creations originating from PSExec and WMI commands -This rule blocks processes through PsExec and WMI commands from running, to prevent remote code execution that can spread malware attacks. +This rule blocks processes created through [PsExec](https://docs.microsoft.com/sysinternals/downloads/psexec) and [WMI](https://docs.microsoft.com/windows/win32/wmisdk/about-wmi) from running. Both PsExec and WMI can remotely execute code, so there is a risk of malware abusing this functionality for command and control purposes, or to spread an infection throughout an organization's network. > [!IMPORTANT] > File and folder exclusions do not apply to this attack surface reduction rule. @@ -284,6 +302,8 @@ With this rule, admins can prevent unsigned or untrusted executable files from r * Executable files (such as .exe, .dll, or .scr) * Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) +Running unsigned or untrusted files from a USB drive is very risky, because it might not be initially clear if the files are benign or malicious. + This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, SCCM CB 1802 Intune name: Untrusted and unsigned processes that run from USB @@ -294,7 +314,9 @@ GUID: b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 ### Block Office communication application from creating child processes -This rule prevents Outlook from creating child processes. It protects against social engineering attacks and prevents exploit code from abusing a vulnerability in Outlook. To achieve this, the rule prevents the launch of additional payload while still allowing legitimate Outlook functions. It also protects against [Outlook rules and forms exploits](https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/) that attackers can use when a user's credentials are compromised. +This rule prevents Outlook from creating child processes, while till allowing legitimate Outlook functions. + +This protects against social engineering attacks and prevents exploit code from abusing vulnerabilities in Outlook. It also protects against [Outlook rules and forms exploits](https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/) that attackers can use when a user's credentials are compromised. > [!NOTE] > This rule applies to Outlook and Outlook.com only. @@ -309,7 +331,9 @@ GUID: 26190899-1602-49e8-8b27-eb1d0a1ce869 ### Block Adobe Reader from creating child processes -Through social engineering or exploits, malware can download and launch additional payloads and break out of Adobe Reader. This rule prevents attacks like this by blocking Adobe Reader from creating additional processes. +This rule prevents attacks by blocking Adobe Reader from creating additional processes. + +Through social engineering or exploits, malware can download and launch additional payloads and break out of Adobe Reader. By blocking child processes from being generated by Adobe Reader, malware attempting to use it as a vector are prevented from spreading. This rule was introduced in: Windows 10 1809, Windows Server 1809, Windows Server 2019 @@ -321,7 +345,9 @@ GUID: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c ### Block persistence through WMI event subscription -Fileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic execution control. Some threats can abuse the WMI repository and event model to stay hidden. With this rule, admins can prevent threats that abuse WMI to persist and stay hidden in WMI repository. +This rule prevents malware from abusing WMI to attain persistence on a device. + +Fileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic execution control. Some threats can abuse the WMI repository and event model to stay hidden. This rule was introduced in: Windows 10 1903, Windows Server 1903 From 5312629e119151df96e5785a02ab9e3adaac05f1 Mon Sep 17 00:00:00 2001 From: martyav Date: Tue, 14 Jan 2020 10:58:28 -0500 Subject: [PATCH 05/18] trying to fix links --- .../microsoft-defender-atp/attack-surface-reduction.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 5f25820a3a..c25f7750e3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -101,12 +101,12 @@ Except when specified, attack surface reduction rules only apply to Word, Excel, [Block all Office applications from creating child processes](#block-all-office-applications-from-creating-child-processes) | D4F940AB-401B-4EFC-AADC-AD5F3C50688A | Supported [Block Office applications from creating executable content](#block-office-applications-from-creating-executable-content) | 3B576869-A4EC-4529-8536-B80A7769E899 | Supported [Block Office applications from injecting code into other processes](#block-office-applications-from-injecting-code-into-other-processes) | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 | Supported -[Block JavaScript or VBScript from launching downloaded executable content](#block-javaScript-or-vbscript-from-launching-downloaded-executable-content) | D3E037E1-3EB8-44C8-A917-57927947596D | Not supported +[Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content) | D3E037E1-3EB8-44C8-A917-57927947596D | Not supported [Block execution of potentially obfuscated scripts](#block-execution-of-potentially-obfuscated-scripts) | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC | Supported [Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros) | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B | Supported [Block executable files from running unless they meet a prevalence, age, or trusted list criterion](#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) | 01443614-cd74-433a-b99e-2ecdc07bfc25 | Supported [Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) | c1db55ab-c21a-4637-bb3f-a12568109d35 | Supported -[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-Windows-local-security-authority-subsystem-(lsass.exe)) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 | Supported +[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem-(lsass.exe)) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 | Supported [Block process creations originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands) | d1e49aac-8f56-4280-b9ba-993a6d77406c | Not supported [Block untrusted and unsigned processes that run from USB](#block-untrusted-and-unsigned-processes-that-run-from-usb) | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 | Supported [Block Office communication application from creating child processes](#block-office-communication-application-from-creating-child-processes) | 26190899-1602-49e8-8b27-eb1d0a1ce869 | Supported From c6d311dcacc0fb8262d96ecbf989e196cb76350d Mon Sep 17 00:00:00 2001 From: martyav Date: Tue, 14 Jan 2020 11:50:48 -0500 Subject: [PATCH 06/18] false positive from validator --- .../microsoft-defender-atp/attack-surface-reduction.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index c25f7750e3..f92974bfaa 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -106,6 +106,7 @@ Except when specified, attack surface reduction rules only apply to Word, Excel, [Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros) | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B | Supported [Block executable files from running unless they meet a prevalence, age, or trusted list criterion](#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) | 01443614-cd74-433a-b99e-2ecdc07bfc25 | Supported [Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) | c1db55ab-c21a-4637-bb3f-a12568109d35 | Supported + [Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem-(lsass.exe)) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 | Supported [Block process creations originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands) | d1e49aac-8f56-4280-b9ba-993a6d77406c | Not supported [Block untrusted and unsigned processes that run from USB](#block-untrusted-and-unsigned-processes-that-run-from-usb) | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 | Supported From 141b16f30666a3401ec0d111ddcd24ca6c565703 Mon Sep 17 00:00:00 2001 From: martyav Date: Tue, 14 Jan 2020 11:57:06 -0500 Subject: [PATCH 07/18] fixed broken table formatting --- .../microsoft-defender-atp/attack-surface-reduction.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index f92974bfaa..27a5a526c7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -106,8 +106,7 @@ Except when specified, attack surface reduction rules only apply to Word, Excel, [Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros) | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B | Supported [Block executable files from running unless they meet a prevalence, age, or trusted list criterion](#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) | 01443614-cd74-433a-b99e-2ecdc07bfc25 | Supported [Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) | c1db55ab-c21a-4637-bb3f-a12568109d35 | Supported - -[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem-(lsass.exe)) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 | Supported +[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem-(lsass.exe)) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 | Supported [Block process creations originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands) | d1e49aac-8f56-4280-b9ba-993a6d77406c | Not supported [Block untrusted and unsigned processes that run from USB](#block-untrusted-and-unsigned-processes-that-run-from-usb) | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 | Supported [Block Office communication application from creating child processes](#block-office-communication-application-from-creating-child-processes) | 26190899-1602-49e8-8b27-eb1d0a1ce869 | Supported From db67a156399c9d8134bbeb220620c63fc619b7d8 Mon Sep 17 00:00:00 2001 From: martyav Date: Wed, 15 Jan 2020 17:45:21 -0500 Subject: [PATCH 08/18] added asr faq 1st draft --- .../attack-surface-reduction-faq.md | 115 ++++++++++++++++++ .../attack-surface-reduction.md | 6 +- 2 files changed, 118 insertions(+), 3 deletions(-) create mode 100644 windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md new file mode 100644 index 0000000000..76f24fa783 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md @@ -0,0 +1,115 @@ +--- +title: Attack surface reduction frequently asked questions (FAQ) +description: Find answers to frequently asked questions about Microsoft Defender ATP's attack surface reduction rules. +keywords: Attack surface reduction rules, asr, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, Microsoft Defender Advanced Threat Protection, Microsoft Defender ATP +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +audience: ITPro +author: martyav +ms.author: v-maave +ms.reviewer: +manager: dansimp +ms.custom: asr +--- + +# Attack surface reduction frequently asked questions (FAQ) + +**Applies to:** + +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +**Is attack surface reduction (ASR) part of Windows?** + +ASR was originally a feature of the suite of exploit guard features introduced as a major update to Windows Defender Antivirus, in Windows 10 version 1709. Windows Defender Antivirus is the native antimalware component of Windows. However, please note that the full ASR featureset is only available with a Windows enterprise license. Also note that ASR rule exclusions are managed separately from Windows Defender Antivirus exclusions. + +**Do I need to have an enterprise license to run ASR rules?** + +The full set of ASR rules and features are only supported if you have an enterprise license for Windows 10: specifically, an E5 license. A limited number of rules may work without an enterprise license, if you have Microsoft 365 Business, set Windows Defender Antivirus as your primary security solution, and enable the rules through PowerShell. However, ASR usage without an enterprise license is not officially supported and the full feature-set of ASR will not be available. + +**Is ASR supported if I have an E3 license?** + +Yes. ASR is supported for Windows Enterprise E3 and above. Although Windows Enterprise E3 introduced ASR, not all features are available with an E3 license. Windows Enterprise E5 updated ASR with new rules, and added advanced management capabilities by integrating ASR with Microsoft Defender ATP. These capabilities include monitoring and configuring ASR event reports from Security Center, and accessing analytics on vulnerabilities. it is recommended to have an E5 license for a full ASR experience. + +See [Use attack surface reduction rules in Windows 10 Enterprise E3](attack-surface-reduction-rules-in-windows-10-enterprise-e3.md) for more details. + +**Which rules are supported with an E3 license?** + +Windows Enterprise E3 supports a subset of the ASR rules. These include: + +- [Block executable content from email client and webmail](attack-surface-reduction.md#block-executable-content-from-email-client-and-webmail) +- [Block all Office applications from creating child processes](attack-surface-reduction.md#block-all-office-applications-from-creating-child-processes) +- [Block Office applications from creating executable content](attack-surface-reduction.md#block-office-applications-from-creating-executable-content) +- [Block Office applications from injecting code into other processes](attack-surface-reduction.md#block-office-applications-from-injecting-code-into-other-processes) +- [Block JavaScript or VBScript from launching downloaded executable content](attack-surface-reduction.md##block-javascript-or-vbscript-from-launching-downloaded-executable-content) +- [Block execution of potentially obfuscated scripts](attack-surface-reduction.md#block-execution-of-potentially-obfuscated-scripts) +- [Block Win32 API calls from Office macro](attack-surface-reduction.md#block-win32-api-calls-from-office-macros) +- [Use advanced protection against ransomware](attack-surface-reduction.md#use-advanced-protection-against-ransomware) +- [Block credential stealing from the Windows local security authority subsystem (lsass.exe)](attack-surface-reduction.md#block-credential-stealing-from-the-windows-local-security-authority-subsystem-(lsass.exe)) +- [Block process creations originating from PSExec and WMI commands](attack-surface-reduction.md#block-process-creations-originating-from-psexec-and-wmi-commands) +- [Block untrusted and unsigned processes that run from USB](attack-surface-reduction.md#block-untrusted-and-unsigned-processes-that-run-from-usb) + +**Which rules and features are supported with an E5 license?** + +All of the rules supported with E3 are also supported in E5. E5 also added some new rules, including: + +- [Block executable files from running unless they meet a prevalence, age, or trusted list criteria](attack-surface-reduction.md#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) +- [Block Office communication applications from creating child processes](attack-surface-reduction.md#block-office-communication-application-from-creating-child-processes) +- [Block Adobe Reader from creating child processes](attack-surface-reduction.md#block-adobe-reader-from-creating-child-processes) +- [Block persistence through WMI event subscription](attack-surface-reduction.md#block-persistence-through-wmi-event-subscription) + +E5 also added greater integration with Microsoft Defender ATP. With E5, you can use Microsoft Defender ATP to monitor and review analytics on alerts in real-time, fine-tune rule exclusions, configure ASR rules, and view lists of event reports. + +**What are some good recommendations for getting started with ASR?** + +It is generally best to first test how ASR rules will impact your organization before enabling them, by running them in audit mode for a brief period of time. While you are running the rules in audit mode, you can identify any line-of-business applications that might get blocked, and exclude them from ASR. Larger organizations should consider rolling out ASR rules in "rings," by auditing and enabling rules in increasingly-broader subsets of devices. You can arrange your organization's devices into rings by using Intune or a Group Policy management tool. + +**How long should I test an ASR rule in audit mode before enabling it?** + +You should keep the rule in audit mode for about 30 days. This amount of time gives you a good baseline for how the rule will operate once it goes live throughout your organization. During the audit period, you can identify any line-of-business applications that might get blocked by the rule, and configure the rule to exclude them. + +**I'm making the switch from a third-party security solution to Microsoft Defender ATP. Is there an “easy” way to export rules from another security solution to ASR?** + +Rather than attempting to import sets of rules from another security solution, it is, in most cases, easier and safer to start with the baseline recommendations suggested for your organization by Microsoft Defender ATP, then use tools such as audit mode, monitoring, and analytics to configure your new solution to suit your unique needs. The default configuration for most ASR rules, combined with Defender's real-time protection, will protect against a large number of exploits and vulnerabilities. + +From within Microsoft Defender ATP, you can update your defenses with custom indicators, to allow and block certain software behaviors. ASR also allows for some customization of rules, in the form of file and folder exclusions. As a general rule, it is best to audit a rule for a period of time, and configure exclusions for any line-of-business applications that might get blocked. + +**Does ASR support file or folder exclusions that include system variables and wildcards in the path?** + +Yes. See [Excluding files and folders from ASR rules](enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules) for more details on excluding files or folders from ASR rules, and [Configure and validate exclusions based on file extension and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) for more on using system variables and wildcards in excluded file paths. + +**Do ASR rules cover all applications by default?** + +It depends on the rule. Most ASR rules cover the behavior of Microsoft Office products and services, such as Word, Excel, PowerPoint, and OneNote, or Outlook. Certain ASR rules, such as *Block execution of potentially obfuscated scripts*, are more general in scope. + +**I have an E5 license and enabled some ASR rules in conjunction with Microsoft Defender ATP. Is it possible for an ASR event to not show up at all in Microsoft Defender ATP's event timeline?** + +Whenever a notification is triggered locally by an ASR rule, a report on the event is also sent to the Microsoft Defender ATP portal. If you're having trouble finding the event, you can filter the events timeline using the search box. You can also view ASR events by visiting **Go to attack surface management**, from the **Configuration management** icon in the Security Center taskbar. The attack surface management page includes a tab for report detections, which includes a full list of ASR rule events reported to Microsoft Defender ATP. + +**I applied a rule using GPO. Now when I try to check the indexing options for the rule in Microsoft Outlook, I get a message stating, 'Access denied'.** + +Try opening the indexing options directly from Windows 10. + +1. Select the **Search** icon on the Windows taskbar. + +1. Enter **Indexing options** into the search box. + +**For the ASR rule, *Block executable files from running unless they meet a prevalence, age, or trusted list criterion* -- are these criteria configurable by an admin?** + +No. The criteria used by this rule are maintained by Microsoft cloud protection, to keep the trusted list constantly up-to-date with data gathered from around the world. Local admins do not have access to alter this data. If you are looking to configure this rule to tailor it for your enterprise, you can add certain applications to the exclusions list to prevent this rule from being triggered. + +**I enabled the ASR rule, *Block executable files from running unless they meet a prevalence, age, or trusted list criterion*. I recently updated to a new version of a piece of software and the rule is now blocking it, even though it was considered trusted before. Did something go wrong?** + +This rule relies upon each application having a known reputation, as measured by prevalence, age, or being otherwise included on a list of trusted or excluded apps. The rule's decision to block or allow an application is ultimately determined by Microsoft cloud protection's assessment of these criteria. Usually, cloud protection can figure out that a new version of an application is similar enough to previous versions that it does not need to be re-assessed at length. However, it might take some time to build reputation after switching versions of an application, particularly after a major update. In the meantime, you can add the application to the exclusions list, to prevent this rule from blocking important applications. If you are frequently updating and working with very new versions of applications, you may opt instead to run this rule in audit mode. + +**I recently enabled the ASR rule, *Block credential stealing from the Windows local security authority subsystem (lsass.exe)*, and I am getting a lot of notifications. What is going on?** + +A notification generated by this rule does not necessarily indicate malicious activity; however, this rule is still useful for blocking malicious activity, since malware often target lsass.exe to gain illicit access to accounts. The lsass.exe process stores user credentials in memory after a user has logged in. Windows uses these credentials to validate users and apply local security policies. Because many legitimate processes throughout a typical day will be calling on lsass.exe for credentials, this rule can be especially noisy. If a known legitimate application causes this rule to generate an excessive amount of notifications, you can add it to the exclusion list. Most other ASR rules will generate a relatively smaller number of notifications, in comparison to this one, since calling on lsass.exe is typical of many applications' normal functioning. + +**Is it a good idea to enable the rule, *Block credential stealing from the Windows local security authority subsystem (lsass.exe)*, alongside LSA protection?** + +Enabling this rule will not provide additional protection if you have [LSA protection](https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection#BKMK_HowToConfigure) enabled as well. Both the rule and LSA protection work in much the same way, so having both running at the same time would be redundant. However, sometimes you may not be able to enable LSA protection. In those cases, you can enable this rule to provide equivalent protection against malware that target lsass.exe. diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 27a5a526c7..e48c683d1c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -26,7 +26,7 @@ ms.custom: asr > [!IMPORTANT] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -Your attack surface is the total number of places where an attacker could compromise your device or network. Reducing your attack surface means offering attackers fewer ways to perform attacks. +Your attack surface is the total number of places where an attacker could compromise your organization's devices or networks. Reducing your attack surface means offering attackers fewer ways to perform attacks. Attack surface reduction rules target software behaviors that are often abused by attackers, such as: @@ -36,7 +36,7 @@ Attack surface reduction rules target software behaviors that are often abused b These behaviors are sometimes seen in legitimate applications; however, they are considered risky because they are commonly abused by malware. Attack surface reduction rules can constrain these kinds of risky behaviors and help keep your organization safe. -Use [audit mode](audit-windows-defender.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks similar to malware. By monitoring audit data and [adding exclusions](enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without impacting productivity. +Use [audit mode](audit-windows-defender.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks in ways that seem similar to malware. By monitoring audit data and [adding exclusions](enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without impacting productivity. Whenever a rule is triggered, a notification will be displayed on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. The notification also displays within the Microsoft Defender Security Center and the Microsoft 365 security center. @@ -87,7 +87,7 @@ The "engine version" listed for attack surface reduction events in the event log ## Attack surface reduction rules -This table lists all attack surface reduction rules, their corresponding GUIDs, and whether the rule supports having certain files and folders selectively excluded. Each rule also links to a longer rule description, for further details on how the rule works, why you would want to enable it, and which applications the rule applies to. +The following table lists all attack surface reduction rules, their corresponding GUIDs, and whether the rule supports having certain files and folders selectively excluded. Each rule also links to a longer rule description, for further details on how the rule works, why you would want to enable it, and which applications the rule applies to. Except when specified, attack surface reduction rules only apply to Word, Excel, PowerPoint, and OneNote, or Outlook. From 91338671989758d03acaba799856a57607576c46 Mon Sep 17 00:00:00 2001 From: martyav Date: Wed, 15 Jan 2020 17:57:48 -0500 Subject: [PATCH 09/18] spacing, related topics, copy edits --- .../attack-surface-reduction-faq.md | 22 ++++++++++++++----- 1 file changed, 17 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md index 76f24fa783..cc5d6193d3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md @@ -98,18 +98,30 @@ Try opening the indexing options directly from Windows 10. 1. Enter **Indexing options** into the search box. -**For the ASR rule, *Block executable files from running unless they meet a prevalence, age, or trusted list criterion* -- are these criteria configurable by an admin?** +**Are these criteria used by the rule, *Block executable files from running unless they meet a prevalence, age, or trusted list criterion* configurable by an admin?** No. The criteria used by this rule are maintained by Microsoft cloud protection, to keep the trusted list constantly up-to-date with data gathered from around the world. Local admins do not have access to alter this data. If you are looking to configure this rule to tailor it for your enterprise, you can add certain applications to the exclusions list to prevent this rule from being triggered. -**I enabled the ASR rule, *Block executable files from running unless they meet a prevalence, age, or trusted list criterion*. I recently updated to a new version of a piece of software and the rule is now blocking it, even though it was considered trusted before. Did something go wrong?** +**I enabled the ASR rule, *Block executable files from running unless they meet a prevalence, age, or trusted list criterion*. After some time, I updated a piece of software, and the rule is now blocking it, even though it didn't before. Did something go wrong?** -This rule relies upon each application having a known reputation, as measured by prevalence, age, or being otherwise included on a list of trusted or excluded apps. The rule's decision to block or allow an application is ultimately determined by Microsoft cloud protection's assessment of these criteria. Usually, cloud protection can figure out that a new version of an application is similar enough to previous versions that it does not need to be re-assessed at length. However, it might take some time to build reputation after switching versions of an application, particularly after a major update. In the meantime, you can add the application to the exclusions list, to prevent this rule from blocking important applications. If you are frequently updating and working with very new versions of applications, you may opt instead to run this rule in audit mode. +This rule relies upon each application having a known reputation, as measured by prevalence, age, or being otherwise included on a list of trusted or excluded apps. The rule's decision to block or allow an application is ultimately determined by Microsoft cloud protection's assessment of these criteria. -**I recently enabled the ASR rule, *Block credential stealing from the Windows local security authority subsystem (lsass.exe)*, and I am getting a lot of notifications. What is going on?** +Usually, cloud protection can figure out that a new version of an application is similar enough to previous versions that it does not need to be re-assessed at length. However, it might take some time to build reputation after switching versions of an application, particularly after a major update. In the meantime, you can add the application to the exclusions list, to prevent this rule from blocking important applications. If you are frequently updating and working with very new versions of applications, you may opt instead to run this rule in audit mode. -A notification generated by this rule does not necessarily indicate malicious activity; however, this rule is still useful for blocking malicious activity, since malware often target lsass.exe to gain illicit access to accounts. The lsass.exe process stores user credentials in memory after a user has logged in. Windows uses these credentials to validate users and apply local security policies. Because many legitimate processes throughout a typical day will be calling on lsass.exe for credentials, this rule can be especially noisy. If a known legitimate application causes this rule to generate an excessive amount of notifications, you can add it to the exclusion list. Most other ASR rules will generate a relatively smaller number of notifications, in comparison to this one, since calling on lsass.exe is typical of many applications' normal functioning. +**I recently enabled the ASR rule, *Block credential stealing from the Windows local security authority subsystem (lsass.exe)*, and I am getting a large number of notifications. What is going on?** + +A notification generated by this rule does not necessarily indicate malicious activity; however, this rule is still useful for blocking malicious activity, since malware often target lsass.exe to gain illicit access to accounts. The lsass.exe process stores user credentials in memory after a user has logged in. Windows uses these credentials to validate users and apply local security policies. + +Because many legitimate processes throughout a typical day will be calling on lsass.exe for credentials, this rule can be especially noisy. If a known legitimate application causes this rule to generate an excessive amount of notifications, you can add it to the exclusion list. Most other ASR rules will generate a relatively smaller number of notifications, in comparison to this one, since calling on lsass.exe is typical of many applications' normal functioning. **Is it a good idea to enable the rule, *Block credential stealing from the Windows local security authority subsystem (lsass.exe)*, alongside LSA protection?** Enabling this rule will not provide additional protection if you have [LSA protection](https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection#BKMK_HowToConfigure) enabled as well. Both the rule and LSA protection work in much the same way, so having both running at the same time would be redundant. However, sometimes you may not be able to enable LSA protection. In those cases, you can enable this rule to provide equivalent protection against malware that target lsass.exe. + +## Related topics + +- [Attack surface reduction overview](attack-surface-reduction.md) +- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) +- [Customize attack surface reduction rules](customize-attack-surface-reduction.md) +- [Enable attack surface reduction rules](enable-attack-surface-reduction.md) +- [Compatibility of Microsoft Defender with other antivirus/antimalware](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md) From d00d6156ccd710d36827a264a922b4f5eddbba6b Mon Sep 17 00:00:00 2001 From: martyav Date: Wed, 15 Jan 2020 17:57:48 -0500 Subject: [PATCH 10/18] spacing, related topics, copy edits --- .../attack-surface-reduction-faq.md | 26 ++++++++++++++----- .../attack-surface-reduction.md | 2 +- 2 files changed, 20 insertions(+), 8 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md index 76f24fa783..fee290e4d7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md @@ -80,7 +80,7 @@ From within Microsoft Defender ATP, you can update your defenses with custom ind **Does ASR support file or folder exclusions that include system variables and wildcards in the path?** -Yes. See [Excluding files and folders from ASR rules](enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules) for more details on excluding files or folders from ASR rules, and [Configure and validate exclusions based on file extension and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) for more on using system variables and wildcards in excluded file paths. +Yes. See [Excluding files and folders from ASR rules](enable-attack-surface-reduction.md#exclude-files-and-folders-from-ASR-rules) for more details on excluding files or folders from ASR rules, and [Configure and validate exclusions based on file extension and folder location](../windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) for more on using system variables and wildcards in excluded file paths. **Do ASR rules cover all applications by default?** @@ -98,18 +98,30 @@ Try opening the indexing options directly from Windows 10. 1. Enter **Indexing options** into the search box. -**For the ASR rule, *Block executable files from running unless they meet a prevalence, age, or trusted list criterion* -- are these criteria configurable by an admin?** +**Are these criteria used by the rule, *Block executable files from running unless they meet a prevalence, age, or trusted list criterion* configurable by an admin?** No. The criteria used by this rule are maintained by Microsoft cloud protection, to keep the trusted list constantly up-to-date with data gathered from around the world. Local admins do not have access to alter this data. If you are looking to configure this rule to tailor it for your enterprise, you can add certain applications to the exclusions list to prevent this rule from being triggered. -**I enabled the ASR rule, *Block executable files from running unless they meet a prevalence, age, or trusted list criterion*. I recently updated to a new version of a piece of software and the rule is now blocking it, even though it was considered trusted before. Did something go wrong?** +**I enabled the ASR rule, *Block executable files from running unless they meet a prevalence, age, or trusted list criterion*. After some time, I updated a piece of software, and the rule is now blocking it, even though it didn't before. Did something go wrong?** -This rule relies upon each application having a known reputation, as measured by prevalence, age, or being otherwise included on a list of trusted or excluded apps. The rule's decision to block or allow an application is ultimately determined by Microsoft cloud protection's assessment of these criteria. Usually, cloud protection can figure out that a new version of an application is similar enough to previous versions that it does not need to be re-assessed at length. However, it might take some time to build reputation after switching versions of an application, particularly after a major update. In the meantime, you can add the application to the exclusions list, to prevent this rule from blocking important applications. If you are frequently updating and working with very new versions of applications, you may opt instead to run this rule in audit mode. +This rule relies upon each application having a known reputation, as measured by prevalence, age, or being otherwise included on a list of trusted or excluded apps. The rule's decision to block or allow an application is ultimately determined by Microsoft cloud protection's assessment of these criteria. -**I recently enabled the ASR rule, *Block credential stealing from the Windows local security authority subsystem (lsass.exe)*, and I am getting a lot of notifications. What is going on?** +Usually, cloud protection can figure out that a new version of an application is similar enough to previous versions that it does not need to be re-assessed at length. However, it might take some time to build reputation after switching versions of an application, particularly after a major update. In the meantime, you can add the application to the exclusions list, to prevent this rule from blocking important applications. If you are frequently updating and working with very new versions of applications, you may opt instead to run this rule in audit mode. -A notification generated by this rule does not necessarily indicate malicious activity; however, this rule is still useful for blocking malicious activity, since malware often target lsass.exe to gain illicit access to accounts. The lsass.exe process stores user credentials in memory after a user has logged in. Windows uses these credentials to validate users and apply local security policies. Because many legitimate processes throughout a typical day will be calling on lsass.exe for credentials, this rule can be especially noisy. If a known legitimate application causes this rule to generate an excessive amount of notifications, you can add it to the exclusion list. Most other ASR rules will generate a relatively smaller number of notifications, in comparison to this one, since calling on lsass.exe is typical of many applications' normal functioning. +**I recently enabled the ASR rule, *Block credential stealing from the Windows local security authority subsystem (lsass.exe)*, and I am getting a large number of notifications. What is going on?** + +A notification generated by this rule does not necessarily indicate malicious activity; however, this rule is still useful for blocking malicious activity, since malware often target lsass.exe to gain illicit access to accounts. The lsass.exe process stores user credentials in memory after a user has logged in. Windows uses these credentials to validate users and apply local security policies. + +Because many legitimate processes throughout a typical day will be calling on lsass.exe for credentials, this rule can be especially noisy. If a known legitimate application causes this rule to generate an excessive amount of notifications, you can add it to the exclusion list. Most other ASR rules will generate a relatively smaller number of notifications, in comparison to this one, since calling on lsass.exe is typical of many applications' normal functioning. **Is it a good idea to enable the rule, *Block credential stealing from the Windows local security authority subsystem (lsass.exe)*, alongside LSA protection?** -Enabling this rule will not provide additional protection if you have [LSA protection](https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection#BKMK_HowToConfigure) enabled as well. Both the rule and LSA protection work in much the same way, so having both running at the same time would be redundant. However, sometimes you may not be able to enable LSA protection. In those cases, you can enable this rule to provide equivalent protection against malware that target lsass.exe. +Enabling this rule will not provide additional protection if you have [LSA protection](https://docs.microsoft.com/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection#BKMK_HowToConfigure) enabled as well. Both the rule and LSA protection work in much the same way, so having both running at the same time would be redundant. However, sometimes you may not be able to enable LSA protection. In those cases, you can enable this rule to provide equivalent protection against malware that target lsass.exe. + +## Related topics + +- [Attack surface reduction overview](attack-surface-reduction.md) +- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) +- [Customize attack surface reduction rules](customize-attack-surface-reduction.md) +- [Enable attack surface reduction rules](enable-attack-surface-reduction.md) +- [Compatibility of Microsoft Defender with other antivirus/antimalware](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index e48c683d1c..3c09dacb93 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -1,6 +1,6 @@ --- title: Use attack surface reduction rules to prevent malware infection -description: Microsoft Defender ATP's attack surface reduction rules can help prevent exploits from using apps and scripts to infect machines with malware. +description: Attack surface reduction rules can help prevent exploits from using apps and scripts to infect machines with malware. keywords: Attack surface reduction rules, asr, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, Microsoft Defender Advanced Threat Protection, Microsoft Defender ATP search.product: eADQiWindows 10XVcnh ms.pagetype: security From 8f334c93df02be7107eda95f218b64bd42584903 Mon Sep 17 00:00:00 2001 From: martyav Date: Mon, 27 Jan 2020 17:28:30 -0500 Subject: [PATCH 11/18] fixed url for validator - link validator is case sensitive --- .../microsoft-defender-atp/attack-surface-reduction-faq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md index fee290e4d7..e572b77179 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md @@ -80,7 +80,7 @@ From within Microsoft Defender ATP, you can update your defenses with custom ind **Does ASR support file or folder exclusions that include system variables and wildcards in the path?** -Yes. See [Excluding files and folders from ASR rules](enable-attack-surface-reduction.md#exclude-files-and-folders-from-ASR-rules) for more details on excluding files or folders from ASR rules, and [Configure and validate exclusions based on file extension and folder location](../windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) for more on using system variables and wildcards in excluded file paths. +Yes. See [Excluding files and folders from ASR rules](enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules) for more details on excluding files or folders from ASR rules, and [Configure and validate exclusions based on file extension and folder location](../windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) for more on using system variables and wildcards in excluded file paths. **Do ASR rules cover all applications by default?** From ee425c01a0351b1a54040f28ded903dfecafd143 Mon Sep 17 00:00:00 2001 From: martyav Date: Wed, 4 Mar 2020 15:38:14 -0500 Subject: [PATCH 12/18] linking pages to asr faq --- windows/security/threat-protection/TOC.md | 1 + .../microsoft-defender-atp/attack-surface-reduction.md | 1 + .../microsoft-defender-atp/customize-attack-surface-reduction.md | 1 + .../microsoft-defender-atp/enable-attack-surface-reduction.md | 1 + .../microsoft-defender-atp/evaluate-attack-surface-reduction.md | 1 + 5 files changed, 5 insertions(+) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 2b444785f5..02a87fe3a5 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -19,6 +19,7 @@ ### [Attack surface reduction]() #### [Overview of attack surface reduction](microsoft-defender-atp/overview-attack-surface-reduction.md) +#### [Attack surface reduction FAQ](microsoft-defender-atp/attack-surface-reduction-faq.md) #### [Hardware-based isolation]() ##### [Hardware-based isolation in Windows 10](microsoft-defender-atp/overview-hardware-based-isolation.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 740744f933..805b9f7639 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -349,6 +349,7 @@ GUID: e6db77e5-3df2-4cf1-b95a-636979351e5b ## Related topics +* [Attack surface reduction FAQ](attack-surface-reduction.md) * [Enable attack surface reduction rules](enable-attack-surface-reduction.md) * [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) * [Compatibility of Microsoft Defender with other antivirus/antimalware](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md index 2d4a24ee15..a1d4579881 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md @@ -103,3 +103,4 @@ See the [Windows Security](../windows-defender-security-center/windows-defender- * [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md) * [Enable attack surface reduction rules](enable-attack-surface-reduction.md) * [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) +* [Attack surface reduction FAQ](attack-surface-reduction.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md index 7b9637aee9..655d13f73e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md @@ -186,4 +186,5 @@ Value: c:\path|e:\path|c:\Whitelisted.exe * [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md) * [Evaluate attack surface reduction](evaluate-attack-surface-reduction.md) +* [Attack surface reduction FAQ](attack-surface-reduction.md) * [Enable cloud-delivered protection](../windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md index b20da27a88..70a03c74e5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md @@ -67,3 +67,4 @@ See the [Customize attack surface reduction rules](customize-attack-surface-redu * [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md) * [Use audit mode to evaluate Windows Defender](audit-windows-defender.md) +* [Attack surface reduction FAQ](attack-surface-reduction.md) From d11e14cc1e296b9a7d48aafb5d67515d0168601e Mon Sep 17 00:00:00 2001 From: martyav Date: Tue, 10 Mar 2020 15:26:25 -0400 Subject: [PATCH 13/18] correcting info re: E3 vs E5 --- .../attack-surface-reduction-faq.md | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md index e572b77179..1a4ff4413b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md @@ -29,17 +29,15 @@ ASR was originally a feature of the suite of exploit guard features introduced a **Do I need to have an enterprise license to run ASR rules?** -The full set of ASR rules and features are only supported if you have an enterprise license for Windows 10: specifically, an E5 license. A limited number of rules may work without an enterprise license, if you have Microsoft 365 Business, set Windows Defender Antivirus as your primary security solution, and enable the rules through PowerShell. However, ASR usage without an enterprise license is not officially supported and the full feature-set of ASR will not be available. +The full set of ASR rules and features are only supported if you have an enterprise license for Windows 10. A limited number of rules may work without an enterprise license, if you have Microsoft 365 Business, set Windows Defender Antivirus as your primary security solution, and enable the rules through PowerShell. However, ASR usage without an enterprise license is not officially supported and the full feature-set of ASR will not be available. **Is ASR supported if I have an E3 license?** -Yes. ASR is supported for Windows Enterprise E3 and above. Although Windows Enterprise E3 introduced ASR, not all features are available with an E3 license. Windows Enterprise E5 updated ASR with new rules, and added advanced management capabilities by integrating ASR with Microsoft Defender ATP. These capabilities include monitoring and configuring ASR event reports from Security Center, and accessing analytics on vulnerabilities. it is recommended to have an E5 license for a full ASR experience. - -See [Use attack surface reduction rules in Windows 10 Enterprise E3](attack-surface-reduction-rules-in-windows-10-enterprise-e3.md) for more details. +Yes. ASR is supported for Windows Enterprise E3 and above. See [Use attack surface reduction rules in Windows 10 Enterprise E3](attack-surface-reduction-rules-in-windows-10-enterprise-e3.md) for more details. **Which rules are supported with an E3 license?** -Windows Enterprise E3 supports a subset of the ASR rules. These include: +Windows Enterprise E3 supports the ASR rules. These include: - [Block executable content from email client and webmail](attack-surface-reduction.md#block-executable-content-from-email-client-and-webmail) - [Block all Office applications from creating child processes](attack-surface-reduction.md#block-all-office-applications-from-creating-child-processes) @@ -62,7 +60,7 @@ All of the rules supported with E3 are also supported in E5. E5 also added some - [Block Adobe Reader from creating child processes](attack-surface-reduction.md#block-adobe-reader-from-creating-child-processes) - [Block persistence through WMI event subscription](attack-surface-reduction.md#block-persistence-through-wmi-event-subscription) -E5 also added greater integration with Microsoft Defender ATP. With E5, you can use Microsoft Defender ATP to monitor and review analytics on alerts in real-time, fine-tune rule exclusions, configure ASR rules, and view lists of event reports. +E5 also added greater integration with Microsoft Defender ATP. With E5, you can [use Microsoft Defender ATP to monitor and review analytics](https://docs.microsoft.com/microsoft-365/security/mtp/monitor-devices?view=o365-worldwide#monitor-and-manage-asr-rule-deployment-and-detections) on alerts in real-time, fine-tune rule exclusions, configure ASR rules, and view lists of event reports. **What are some good recommendations for getting started with ASR?** @@ -72,7 +70,7 @@ It is generally best to first test how ASR rules will impact your organization b You should keep the rule in audit mode for about 30 days. This amount of time gives you a good baseline for how the rule will operate once it goes live throughout your organization. During the audit period, you can identify any line-of-business applications that might get blocked by the rule, and configure the rule to exclude them. -**I'm making the switch from a third-party security solution to Microsoft Defender ATP. Is there an “easy” way to export rules from another security solution to ASR?** +**I'm making the switch from a third-party security solution to Microsoft Defender ATP. Is there an "easy" way to export rules from another security solution to ASR?** Rather than attempting to import sets of rules from another security solution, it is, in most cases, easier and safer to start with the baseline recommendations suggested for your organization by Microsoft Defender ATP, then use tools such as audit mode, monitoring, and analytics to configure your new solution to suit your unique needs. The default configuration for most ASR rules, combined with Defender's real-time protection, will protect against a large number of exploits and vulnerabilities. From b6f8fdff6b38a43a230f03a071d9ad8907ad9507 Mon Sep 17 00:00:00 2001 From: martyav Date: Tue, 24 Mar 2020 10:04:17 -0400 Subject: [PATCH 14/18] addressing q's answered by PM Cedola --- .../attack-surface-reduction-faq.md | 65 ++++++++++--------- 1 file changed, 35 insertions(+), 30 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md index 1a4ff4413b..1bdbb4ba2f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md @@ -25,7 +25,7 @@ ms.custom: asr **Is attack surface reduction (ASR) part of Windows?** -ASR was originally a feature of the suite of exploit guard features introduced as a major update to Windows Defender Antivirus, in Windows 10 version 1709. Windows Defender Antivirus is the native antimalware component of Windows. However, please note that the full ASR featureset is only available with a Windows enterprise license. Also note that ASR rule exclusions are managed separately from Windows Defender Antivirus exclusions. +ASR was originally a feature of the suite of exploit guard features introduced as a major update to Windows Defender Antivirus, in Windows 10 version 1709. Windows Defender Antivirus is the native antimalware component of Windows. However, please note that the full ASR feature-set is only available with a Windows enterprise license. Also note that ASR rule exclusions are managed separately from Windows Defender Antivirus exclusions. **Do I need to have an enterprise license to run ASR rules?** @@ -35,36 +35,37 @@ The full set of ASR rules and features are only supported if you have an enterpr Yes. ASR is supported for Windows Enterprise E3 and above. See [Use attack surface reduction rules in Windows 10 Enterprise E3](attack-surface-reduction-rules-in-windows-10-enterprise-e3.md) for more details. -**Which rules are supported with an E3 license?** +**Which features are supported with an E5 license?** -Windows Enterprise E3 supports the ASR rules. These include: - -- [Block executable content from email client and webmail](attack-surface-reduction.md#block-executable-content-from-email-client-and-webmail) -- [Block all Office applications from creating child processes](attack-surface-reduction.md#block-all-office-applications-from-creating-child-processes) -- [Block Office applications from creating executable content](attack-surface-reduction.md#block-office-applications-from-creating-executable-content) -- [Block Office applications from injecting code into other processes](attack-surface-reduction.md#block-office-applications-from-injecting-code-into-other-processes) -- [Block JavaScript or VBScript from launching downloaded executable content](attack-surface-reduction.md##block-javascript-or-vbscript-from-launching-downloaded-executable-content) -- [Block execution of potentially obfuscated scripts](attack-surface-reduction.md#block-execution-of-potentially-obfuscated-scripts) -- [Block Win32 API calls from Office macro](attack-surface-reduction.md#block-win32-api-calls-from-office-macros) -- [Use advanced protection against ransomware](attack-surface-reduction.md#use-advanced-protection-against-ransomware) -- [Block credential stealing from the Windows local security authority subsystem (lsass.exe)](attack-surface-reduction.md#block-credential-stealing-from-the-windows-local-security-authority-subsystem-(lsass.exe)) -- [Block process creations originating from PSExec and WMI commands](attack-surface-reduction.md#block-process-creations-originating-from-psexec-and-wmi-commands) -- [Block untrusted and unsigned processes that run from USB](attack-surface-reduction.md#block-untrusted-and-unsigned-processes-that-run-from-usb) - -**Which rules and features are supported with an E5 license?** - -All of the rules supported with E3 are also supported in E5. E5 also added some new rules, including: - -- [Block executable files from running unless they meet a prevalence, age, or trusted list criteria](attack-surface-reduction.md#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) -- [Block Office communication applications from creating child processes](attack-surface-reduction.md#block-office-communication-application-from-creating-child-processes) -- [Block Adobe Reader from creating child processes](attack-surface-reduction.md#block-adobe-reader-from-creating-child-processes) -- [Block persistence through WMI event subscription](attack-surface-reduction.md#block-persistence-through-wmi-event-subscription) +All of the rules supported with E3 are also supported with E5. E5 also added greater integration with Microsoft Defender ATP. With E5, you can [use Microsoft Defender ATP to monitor and review analytics](https://docs.microsoft.com/microsoft-365/security/mtp/monitor-devices?view=o365-worldwide#monitor-and-manage-asr-rule-deployment-and-detections) on alerts in real-time, fine-tune rule exclusions, configure ASR rules, and view lists of event reports. +**What are the the currently supported ASR rules??** + +ASR currently supports all of the rules below: + +* [Block executable content from email client and webmail](attack-surface-reduction.md#block-executable-content-from-email-client-and-webmail) +* [Block all Office applications from creating child processes](attack-surface-reduction.md#block-all-office-applications-from-creating-child-processes) +* [Block Office applications from creating executable content](attack-surface-reduction.md#block-office-applications-from-creating-executable-content) +* [Block Office applications from injecting code into other processes](attack-surface-reduction.md#block-office-applications-from-injecting-code-into-other-processes) +* [Block JavaScript or VBScript from launching downloaded executable content](attack-surface-reduction.md##block-javascript-or-vbscript-from-launching-downloaded-executable-content) +* [Block execution of potentially obfuscated scripts](attack-surface-reduction.md#block-execution-of-potentially-obfuscated-scripts) +* [Block Win32 API calls from Office macro](attack-surface-reduction.md#block-win32-api-calls-from-office-macros) +* [Use advanced protection against ransomware](attack-surface-reduction.md#use-advanced-protection-against-ransomware) +* [Block credential stealing from the Windows local security authority subsystem (lsass.exe)](attack-surface-reduction.md#block-credential-stealing-from-the-windows-local-security-authority-subsystem-(lsass.exe)) +* [Block process creations originating from PSExec and WMI commands](attack-surface-reduction.md#block-process-creations-originating-from-psexec-and-wmi-commands) +* [Block untrusted and unsigned processes that run from USB](attack-surface-reduction.md#block-untrusted-and-unsigned-processes-that-run-from-usb) +* [Block executable files from running unless they meet a prevalence, age, or trusted list criteria](attack-surface-reduction.md#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) +* [Block Office communication applications from creating child processes](attack-surface-reduction.md#block-office-communication-application-from-creating-child-processes) +* [Block Adobe Reader from creating child processes](attack-surface-reduction.md#block-adobe-reader-from-creating-child-processes) +* [Block persistence through WMI event subscription](attack-surface-reduction.md#block-persistence-through-wmi-event-subscription) + **What are some good recommendations for getting started with ASR?** -It is generally best to first test how ASR rules will impact your organization before enabling them, by running them in audit mode for a brief period of time. While you are running the rules in audit mode, you can identify any line-of-business applications that might get blocked, and exclude them from ASR. Larger organizations should consider rolling out ASR rules in "rings," by auditing and enabling rules in increasingly-broader subsets of devices. You can arrange your organization's devices into rings by using Intune or a Group Policy management tool. +It is generally best to first test how ASR rules will impact your organization before enabling them, by running them in audit mode for a brief period of time. While you are running the rules in audit mode, you can identify any line-of-business applications that might get blocked erroneously, and exclude them from ASR. + +Larger organizations should consider rolling out ASR rules in "rings," by auditing and enabling rules in increasingly-broader subsets of devices. You can arrange your organization's devices into rings by using Intune or a Group Policy management tool. **How long should I test an ASR rule in audit mode before enabling it?** @@ -84,6 +85,10 @@ Yes. See [Excluding files and folders from ASR rules](enable-attack-surface-redu It depends on the rule. Most ASR rules cover the behavior of Microsoft Office products and services, such as Word, Excel, PowerPoint, and OneNote, or Outlook. Certain ASR rules, such as *Block execution of potentially obfuscated scripts*, are more general in scope. +**Does ASR support third-party security solutions?** + +ASR uses Microsoft Defender Antivirus to block applications. It is not possible to configure ASR to use another security solution for blocking at this time. + **I have an E5 license and enabled some ASR rules in conjunction with Microsoft Defender ATP. Is it possible for an ASR event to not show up at all in Microsoft Defender ATP's event timeline?** Whenever a notification is triggered locally by an ASR rule, a report on the event is also sent to the Microsoft Defender ATP portal. If you're having trouble finding the event, you can filter the events timeline using the search box. You can also view ASR events by visiting **Go to attack surface management**, from the **Configuration management** icon in the Security Center taskbar. The attack surface management page includes a tab for report detections, which includes a full list of ASR rule events reported to Microsoft Defender ATP. @@ -94,17 +99,17 @@ Try opening the indexing options directly from Windows 10. 1. Select the **Search** icon on the Windows taskbar. -1. Enter **Indexing options** into the search box. +1. Enter **Indexing options** into the search box. -**Are these criteria used by the rule, *Block executable files from running unless they meet a prevalence, age, or trusted list criterion* configurable by an admin?** +**Are the criteria used by the rule, *Block executable files from running unless they meet a prevalence, age, or trusted list criterion*, configurable by an admin?** -No. The criteria used by this rule are maintained by Microsoft cloud protection, to keep the trusted list constantly up-to-date with data gathered from around the world. Local admins do not have access to alter this data. If you are looking to configure this rule to tailor it for your enterprise, you can add certain applications to the exclusions list to prevent this rule from being triggered. +No. The criteria used by this rule are maintained by Microsoft cloud protection, to keep the trusted list constantly up-to-date with data gathered from around the world. Local admins do not have write access to alter this data. If you are looking to configure this rule to tailor it for your enterprise, you can add certain applications to the exclusions list to prevent the rule from being triggered. **I enabled the ASR rule, *Block executable files from running unless they meet a prevalence, age, or trusted list criterion*. After some time, I updated a piece of software, and the rule is now blocking it, even though it didn't before. Did something go wrong?** -This rule relies upon each application having a known reputation, as measured by prevalence, age, or being otherwise included on a list of trusted or excluded apps. The rule's decision to block or allow an application is ultimately determined by Microsoft cloud protection's assessment of these criteria. +This rule relies upon each application having a known reputation, as measured by prevalence, age, or inclusion on a list of trusted apps. The rule's decision to block or allow an application is ultimately determined by Microsoft cloud protection's assessment of these criteria. -Usually, cloud protection can figure out that a new version of an application is similar enough to previous versions that it does not need to be re-assessed at length. However, it might take some time to build reputation after switching versions of an application, particularly after a major update. In the meantime, you can add the application to the exclusions list, to prevent this rule from blocking important applications. If you are frequently updating and working with very new versions of applications, you may opt instead to run this rule in audit mode. +Usually, cloud protection can determine that a new version of an application is similar enough to previous versions that it does not need to be re-assessed at length. However, it might take some time for the app to build reputation after switching versions, particularly after a major update. In the meantime, you can add the application to the exclusions list, to prevent this rule from blocking important applications. If you are frequently updating and working with very new versions of applications, you may opt instead to run this rule in audit mode. **I recently enabled the ASR rule, *Block credential stealing from the Windows local security authority subsystem (lsass.exe)*, and I am getting a large number of notifications. What is going on?** From 5e177aa64e1ee9a72b3baf128a5d67cbc9dadfcf Mon Sep 17 00:00:00 2001 From: martyav Date: Tue, 24 Mar 2020 10:31:26 -0400 Subject: [PATCH 15/18] updated overview page + linting --- .../attack-surface-reduction-faq.md | 10 ++++---- .../overview-attack-surface-reduction.md | 23 ++++++++++--------- 2 files changed, 17 insertions(+), 16 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md index 1bdbb4ba2f..8f13e78322 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md @@ -123,8 +123,8 @@ Enabling this rule will not provide additional protection if you have [LSA prote ## Related topics -- [Attack surface reduction overview](attack-surface-reduction.md) -- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) -- [Customize attack surface reduction rules](customize-attack-surface-reduction.md) -- [Enable attack surface reduction rules](enable-attack-surface-reduction.md) -- [Compatibility of Microsoft Defender with other antivirus/antimalware](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md) +* [Attack surface reduction overview](attack-surface-reduction.md) +* [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) +* [Customize attack surface reduction rules](customize-attack-surface-reduction.md) +* [Enable attack surface reduction rules](enable-attack-surface-reduction.md) +* [Compatibility of Microsoft Defender with other antivirus/antimalware](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md index 42ac18188b..da9f1bb8a7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md @@ -25,15 +25,16 @@ ms.topic: conceptual * [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Reduce your attack surfaces by minimizing the places where your organization is vulnerable to cyberthreats and attacks. Use the following resources to configure protection for the devices and applications in your organization. +Help reduce your attack surfaces, by minimizing the places where your organization is vulnerable to cyberthreats and attacks. Use the following resources to configure protection for the devices and applications in your organization. -|Article | Description | -|-------|------| -|[Hardware-based isolation](../windows-defender-application-guard/wd-app-guard-overview.md) | Protect and maintain the integrity of a system as it starts and while it's running. Validate system integrity through local and remote attestation. And, use container isolation for Microsoft Edge to help guard against malicious websites. | -|[Application control](../windows-defender-application-control/windows-defender-application-control.md) | Use application control so that your applications must earn trust in order to run. | -|[Exploit protection](./exploit-protection.md) |Help protect operating systems and apps your organization uses from being exploited. Exploit protection also works with third-party antivirus solutions. | -|[Network protection](./network-protection.md) |Extend protection to your network traffic and connectivity on your organization's devices. (Requires Windows Defender Antivirus) | -|[Web protection](./web-protection-overview.md) |Secure your machines against web threats and help you regulate unwanted content. -|[Controlled folder access](./controlled-folders.md) | Help prevent malicious or suspicious apps (including file-encrypting ransomware malware) from making changes to files in your key system folders (Requires Windows Defender Antivirus) | -|[Attack surface reduction](./attack-surface-reduction.md) |Reduce vulnerabilities (attack surfaces) in your applications with intelligent rules that help stop malware. (Requires Windows Defender Antivirus) | -|[Network firewall](../windows-firewall/windows-firewall-with-advanced-security.md) |Prevent unauthorized traffic from flowing to or from your organization's devices with two-way network traffic filtering. | +Article | Description +-|- +[Attack surface reduction]((./attack-surface-reduction.md)) | Reduce vulnerabilities (attack surfaces) in your applications with intelligent rules that help stop malware. (Requires Windows Defender Antivirus). +[Hardware-based isolation](../windows-defender-application-guard/wd-app-guard-overview.md) | Protect and maintain the integrity of a system as it starts and while it's running. Validate system integrity through local and remote attestation. And, use container isolation for Microsoft Edge to help guard against malicious websites. +[Application control](../windows-defender-application-control/windows-defender-application-control.md) | Use application control so that your applications must earn trust in order to run. +[Exploit protection](./exploit-protection.md) | Help protect operating systems and apps your organization uses from being exploited. Exploit protection also works with third-party antivirus solutions. +[Network protection](./network-protection.md) | Extend protection to your network traffic and connectivity on your organization's devices. (Requires Windows Defender Antivirus) +[Web protection](./web-protection-overview.md) | Secure your machines against web threats and help you regulate unwanted content. +[Controlled folder access](./controlled-folders.md) | Help prevent malicious or suspicious apps (including file-encrypting ransomware malware) from making changes to files in your key system folders (Requires Windows Defender Antivirus) +[Network firewall](../windows-firewall/windows-firewall-with-advanced-security.md) | Prevent unauthorized traffic from flowing to or from your organization's devices with two-way network traffic filtering. +[Attack surface reduction FAQ](./attack-surface-reduction-faq.md) | Frequently asked questions about Attack surface reduction rules, licensing, and more. From 04f701cc4965200f6854e972a0bfe87b2143d296 Mon Sep 17 00:00:00 2001 From: martyav Date: Tue, 24 Mar 2020 10:50:22 -0400 Subject: [PATCH 16/18] minor typo --- .../microsoft-defender-atp/overview-attack-surface-reduction.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md index da9f1bb8a7..4be3a91029 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md @@ -29,7 +29,7 @@ Help reduce your attack surfaces, by minimizing the places where your organizati Article | Description -|- -[Attack surface reduction]((./attack-surface-reduction.md)) | Reduce vulnerabilities (attack surfaces) in your applications with intelligent rules that help stop malware. (Requires Windows Defender Antivirus). +[Attack surface reduction]((./attack-surface-reduction.md) | Reduce vulnerabilities (attack surfaces) in your applications with intelligent rules that help stop malware. (Requires Windows Defender Antivirus). [Hardware-based isolation](../windows-defender-application-guard/wd-app-guard-overview.md) | Protect and maintain the integrity of a system as it starts and while it's running. Validate system integrity through local and remote attestation. And, use container isolation for Microsoft Edge to help guard against malicious websites. [Application control](../windows-defender-application-control/windows-defender-application-control.md) | Use application control so that your applications must earn trust in order to run. [Exploit protection](./exploit-protection.md) | Help protect operating systems and apps your organization uses from being exploited. Exploit protection also works with third-party antivirus solutions. From 973a6135825d3506d840d86bf6588d3e5feaa600 Mon Sep 17 00:00:00 2001 From: martyav Date: Tue, 24 Mar 2020 11:00:12 -0400 Subject: [PATCH 17/18] minor typo --- .../microsoft-defender-atp/overview-attack-surface-reduction.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md index 4be3a91029..4fda24160f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md @@ -29,7 +29,7 @@ Help reduce your attack surfaces, by minimizing the places where your organizati Article | Description -|- -[Attack surface reduction]((./attack-surface-reduction.md) | Reduce vulnerabilities (attack surfaces) in your applications with intelligent rules that help stop malware. (Requires Windows Defender Antivirus). +[Attack surface reduction](./attack-surface-reduction.md) | Reduce vulnerabilities (attack surfaces) in your applications with intelligent rules that help stop malware. (Requires Windows Defender Antivirus). [Hardware-based isolation](../windows-defender-application-guard/wd-app-guard-overview.md) | Protect and maintain the integrity of a system as it starts and while it's running. Validate system integrity through local and remote attestation. And, use container isolation for Microsoft Edge to help guard against malicious websites. [Application control](../windows-defender-application-control/windows-defender-application-control.md) | Use application control so that your applications must earn trust in order to run. [Exploit protection](./exploit-protection.md) | Help protect operating systems and apps your organization uses from being exploited. Exploit protection also works with third-party antivirus solutions. From aff98e1c38048eb5916da00fa6dc3497c6248d7e Mon Sep 17 00:00:00 2001 From: martyav Date: Tue, 24 Mar 2020 11:19:30 -0400 Subject: [PATCH 18/18] updated problematic parentheses-bearing bookmark --- .../microsoft-defender-atp/attack-surface-reduction-faq.md | 2 +- .../microsoft-defender-atp/attack-surface-reduction.md | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md index 8f13e78322..9f14575d2d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md @@ -53,7 +53,7 @@ ASR currently supports all of the rules below: * [Block execution of potentially obfuscated scripts](attack-surface-reduction.md#block-execution-of-potentially-obfuscated-scripts) * [Block Win32 API calls from Office macro](attack-surface-reduction.md#block-win32-api-calls-from-office-macros) * [Use advanced protection against ransomware](attack-surface-reduction.md#use-advanced-protection-against-ransomware) -* [Block credential stealing from the Windows local security authority subsystem (lsass.exe)](attack-surface-reduction.md#block-credential-stealing-from-the-windows-local-security-authority-subsystem-(lsass.exe)) +* [Block credential stealing from the Windows local security authority subsystem (lsass.exe)](attack-surface-reduction.md#block-credential-stealing-from-the-windows-local-security-authority-subsystem) * [Block process creations originating from PSExec and WMI commands](attack-surface-reduction.md#block-process-creations-originating-from-psexec-and-wmi-commands) * [Block untrusted and unsigned processes that run from USB](attack-surface-reduction.md#block-untrusted-and-unsigned-processes-that-run-from-usb) * [Block executable files from running unless they meet a prevalence, age, or trusted list criteria](attack-surface-reduction.md#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 805b9f7639..828455927c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -100,7 +100,7 @@ The following sections describe each of the 15 attack surface reduction rules. T [Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros) | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B | Supported [Block executable files from running unless they meet a prevalence, age, or trusted list criterion](#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) | 01443614-cd74-433a-b99e-2ecdc07bfc25 | Supported [Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) | c1db55ab-c21a-4637-bb3f-a12568109d35 | Supported -[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem-(lsass.exe)) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 | Supported +[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 | Supported [Block process creations originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands) | d1e49aac-8f56-4280-b9ba-993a6d77406c | Not supported [Block untrusted and unsigned processes that run from USB](#block-untrusted-and-unsigned-processes-that-run-from-usb) | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 | Supported [Block Office communication application from creating child processes](#block-office-communication-application-from-creating-child-processes) | 26190899-1602-49e8-8b27-eb1d0a1ce869 | Supported @@ -252,7 +252,7 @@ Configuration Manager name: Use advanced protection against ransomware GUID: c1db55ab-c21a-4637-bb3f-a12568109d35 -### Block credential stealing from the Windows local security authority subsystem (lsass.exe) +### Block credential stealing from the Windows local security authority subsystem This rule helps prevent credential stealing, by locking down Local Security Authority Subsystem Service (LSASS).