Attack Surface Reduction Configuration with Microsoft Defender

Posted on Imoh Etuk By Imoh Etuk No Comments on Attack Surface Reduction Configuration with Microsoft Defender
Attack Surface Reduction Configuration with Microsoft Defender

In this articele, we wil discuss Attack Surface Reduction Configuration with Microsoft Defender. Microsoft Defender is a free, built-in antivirus for Windows. Until May 10th, 2020, it was known as Windows Defender, and in the most recent versions of Windows 10. Please see How to install and debug logs with the CMTrace Tool, and Insight on Full Disk Encryption with PBA / without PBA, UEFI, Secure Boot, BIOS, File and Directory Encryption and Container Encryption.

Windows Defender is also referred to as Windows Security. It contains several security features aimed at protecting devices and the internet from malware such as spyware, adware, ransomware, and other threats. It is an easy-to-use antivirus program for Windows users.

Windows devices have broad appeal due to the pre-installed and free availability of Windows Defender, the antivirus program. In addition to the features mentioned above, other security features are also available with Microsoft Defender. These include lowering the attack surface, which hardens software like Adobe Reader, Office, and browsers.

In this write-up, I show you how to configure Microsoft Defender using PowerShell. The feature is not turned on by default. Malicious code thrives in email attachments—scripts, executables, or tainted Office macros. Web browsers and products like Adobe Reader pose vulnerabilities. Defender enhances security beyond app-specific efforts, adding a layer against attacks.

For instance, group policies can significantly control office macros. Attack Surface Reduction (ASR) rules further enclose them. For instance, you can stop Office from producing executable content, injecting code into other processes, or establishing new processes. For example, you might also need to require the latter for Adobe Reader. Defender can stop executable content from entering the computer through a mail client.

Configure ASR in Microsoft Defender Using PowerShell

It’s also intriguing to observe the configuration of advanced ransomware prevention. The system collects data on suspicious files via Microsoft Cloud, verifying common ransomware or known harmlessness. Enabling cloud-based protection is necessary for the function to work.

Here I show you how to configure Attack Surface Reduction in Microsoft Defender via PowerShell. But before we do that, if you need to ascertain the current status of the ASR rules, use the PowerShell Cmdlet below to do so:

Get-MpPreference | select AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions
No Rules have been configured
Status of ASR Rules

The above command displays the configured rules and their status. The output screen shows that no rules have been configured yet.

Invoke the Set-MpPreference to specify directories and files that are excluded as follows:

Configure exclusions for ASR rules with PowerShell
Configure exclusions for ASR rules with PowerShell

Then use the Get-MpPreference query the status of this property as shown on the above screenshot.

Take a look at the following related articles to learn more: How to enable Exploit Protection on Windows using Windows Security App, Microsoft Endpoint Configuration Manager, and Group Policy Editor, and

Configure ASR rules using group policies

Another method for enabling or configuring ASR rules is through Group Policy. In the Group Policy, two settings are available for the central management of ASR: one for enabling/disabling rules and the other for defining exclusions.

To access the ASR, navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction by searching for and opening Group Policy on your PC’s search menu.

In configuring the GUID for Attack Surface Reduction, the values 0, 1, 2, and 6 specify the status (“Actions”). 0 stands for deactivated, 1 for activated, 2 for audit mode and 6 for warning, where users receive a notification about the possible danger but can bypass the blocking. Configure this folder’s other property to create directories and file exclusions.

Configuring Attack Surface Reduction via Group Policy
Configuring Attack Surface Reduction via Group Policy

As shown above, we also enter the Value names in a table in this case, and we always set the field in the right-hand column to 0. Enter the GUID for an ASR rule and the value for the action Disable 0 Block 1 Audit 2 Warn 6 in the GPO setting

Configure Attack Surface Reduction rules

You can utilize a standard configuration for all of the rules rather than just turning on a different option for each one (“Configure Attack Surface Reduction rules“). There, you input the action’s numerical value and the aforementioned GUID into a table. For instance, here we want to

Configure for all

Here are some more guides you may want to read: How to turn on Windows 10 Tamper Protection for Microsoft Defender, and how to manage Microsoft Defender Antivirus with Group Policy and Microsoft Malware Protection from the Command Line.

I hope you found this blog post helpful. Please let me know in the comment session if you have any questions.

5/5 - (1 vote)
Scripts, Security | Vulnerability Scans and Assessment, Windows, Windows Server Tags:, , , , , , , , ,

Related Posts

More Related Articles

How to Completely Uninstall Norton Security How to remove Norton from Mac using the RemoveNortonMacFiles tool Anti-Virus Solution
Configure AD LDAPs Generate a self-signed SSL certificate: Enable LDAP over SSL Windows Server
MBAM The web application “Administration Portal” cannot be enabled because one or more software dependencies are not met Windows
Manage OU Delete or Rename and Create a Protected Organisation Unit in AD Windows Server
Group Policy Error How to Fix Failed to open the Group Policy Object on this Computer Windows
ssl 600x315 1 1 Components needed to create a certificate signing request Windows Server

Leave a Reply