Scripts Security | Vulnerability Scans and Assessment Windows Windows Server

Attack Surface Reduction Configuration with Microsoft Defender

Attack Surface Reduction Configuration with Microsoft Defender

Microsoft Defender is a free, built-in antivirus for Windows. Until May 10th, 2020, it was known as Windows Defender, and in the most recent versions of Windows 10, it is also referred to as Windows Security. It contains a number of security features aimed at protecting devices and the internet from malware such as spyware, adware, ransomware, and other threats. It is an easy-to-use antivirus program for Windows users. Take a look at the following related articles to learn more: How to enable Exploit Protection on Windows using Windows Security App, Microsoft Endpoint Configuration Manager, and Group Policy Editor, Configuration Manager Tools: How to install and debug logs with the CMTrace Tool, and Insight on Full Disk Encryption with PBA / without PBA, UEFI, Secure Boot, BIOS, File and Directory Encryption and Container Encryption.

Windows devices have broad appeal due to the pre-installed and free availability of Windows Defender, the antivirus program. In addition to the features mentioned above, other security features are also available with Microsoft Defender. These include lowering the attack surface, which hardens software like Adobe Reader, Office, and browsers. Here are some more guides you may want to read: How to turn on Windows 10 Tamper Protection for Microsoft Defender, and how to manage Microsoft Defender Antivirus with Group Policy and Microsoft Malware Protection from the Command Line.

In this write-up, I show you how to configure Microsoft Defender using PowerShell. The feature is not turned on by default. Malicious code thrives in email attachments—scripts, executables, or tainted Office macros. Web browsers and products like Adobe Reader pose vulnerabilities. Defender enhances security beyond app-specific efforts, adding a layer against attacks.

For instance, group policies can significantly control office macros. Attack Surface Reduction (ASR) rules further enclose them. For instance, you can stop Office from producing executable content, injecting code into other processes, or establishing new processes. For example, you might also need to require the latter for Adobe Reader. Defender can stop executable content from entering the computer through a mail client.

It’s also intriguing to observe the configuration of advanced ransomware prevention. The system collects data on suspicious files via Microsoft Cloud, verifying common ransomware or known harmlessness. Enabling cloud-based protection is necessary for the function to work.

Configure ASR in Microsoft Defender Using PowerShell

Here I show you how to configure Attack Surface Reduction in Microsoft Defender via PowerShell. But before we do that, if you need to ascertain the current status of the ASR rules, use the PowerShell Cmdlet below to do so:

Get-MpPreference | select AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions
No Rules have been configured
Status of ASR Rules

The above command displays the configured rules and their status. The output screen shows that no rules have been configured yet.

Invoke the Set-MpPreference to specify directories and files that are excluded as follows:

Configure exclusions for ASR rules with PowerShell
Configure exclusions for ASR rules with PowerShell

Then use the Get-MpPreference query the status of this property as shown on the above screenshot.

Configure ASR rules using group policies

Another method for enabling or configuring ASR rules is through Group Policy. In the Group Policy, two settings are available for the central management of ASR: one for enabling/disabling rules and the other for defining exclusions.

To access the ASR, navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction by searching for and opening Group Policy on your PC’s search menu.

In configuring the GUID for Attack Surface Reduction, the values 0, 1, 2, and 6 specify the status (“Actions”). 0 stands for deactivated, 1 for activated, 2 for audit mode and 6 for warning, where users receive a notification about the possible danger but can bypass the blocking. Configure this folder’s other property to create directories and file exclusions.

Configuring Attack Surface Reduction via Group Policy
Configuring Attack Surface Reduction via Group Policy

As shown above, we also enter the Value names in a table in this case, and we always set the field in the right-hand column to 0. Enter the GUID for an ASR rule and the value for the action Disable 0 Block 1 Audit 2 Warn 6 in the GPO setting

You can utilize a standard configuration for all of the rules rather than just turning on a different option for each one (“Configure Attack Surface Reduction rules“). There, you input the action’s numerical value and the aforementioned GUID into a table. For instance, here we want to

Configure for all

I hope you found this blog post helpful. Please let me know in the comment session if you have any questions.

Notify of

Inline Feedbacks
View all comments
Would love your thoughts, please comment.x