« Previous 1 2 3 Next »
Reducing the Attack Surface in Windows
Strong Defense
Check Logfiles Regularly
Once you have finished with one ring, move on to the next and carry out the same steps until all the devices have appropriate rulesets in place. Operations only start at this point. In this phase, it is important to continue to pay attention to the rules and to reports in Defender. Even though rulesets can be considered to be established after some time, you still want to check the reports regularly and analyze outliers. In fact, Microsoft recommends doing this on a daily basis. It is also important to check regularly any exceptions that were created and remove them again if needed. If you are unsure about the effect of a rule, you can switch it back to audit mode at any time, of course. If you want to check the rules that have been set, you can use the Microsoft Defender Advanced Threat Protection (ATP) portal [2], which is the place to go for in-depth information on potential attacks and to pick up scripts or code snippets that simulate attacks, and determine the effects on your systems' attack surfaces.
Three Recommended Standard Rules
Knowing the rules for reducing the attack surface and investigating them for your own requirements is important. Table 1 is an overview of the current crop of 19 attack surface rules (ASRs). All existing rules are unlikely to make sense in every infrastructure or situation. Microsoft only lists three rules for standard protection that you will want to enable without further analysis.
Table 1
Attack Surface Reduction Rules
| ASR Rule | Recommended Standard Protection | GUID |
|---|---|---|
| Blocks abuse of exploited, vulnerable, signed drivers | Yes | 56a863a9-875e-4185-98a7 b882c64b5ce5 |
| Stops Adobe Reader from creating child processes | No | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c |
| Stops all Office applications from creating child processes | No | d4f940ab-401b-4efc-aadc-ad5f3c50688a |
Blocks credential theft from the local security authority subsystem (lsass.exe)
|
Yes | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 |
| Blocks executable content from email clients and web email | No | be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 |
| Stops executable files executing unless they meet a distribution, age, or trusted list criterion | No | 01443614-cd74-433a-b99e-2ecdc07bfc25 |
| Blocks the execution of potentially obfuscated scripts | No | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 |
| Stops JavaScript and VBScript starting downloaded executable content | No | d3e037e1-3eb8-44c8-a917-57927947596d |
| Stops Office applications from creating executable content | No | 3b576869-a4ec-4529-8536-b80a7769e899 |
| Stops Office applications from inserting code into child processes | No | 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 |
| Stops the Office communication application from creating child processes | No | 26190899-1602-49e8-8b27-eb1d0a1ce869 |
| Blocks persistence through WMI event subscription (Defender exceptions do not apply) | Yes | e6db77e5-3df2-4cf1-b95a-636979351e5b |
| Blocks the creation of processes by PSExec and WMI commands | No | d1e49aac-8f56-4280-b9ba-993a6d77406c |
| Blocks rebooting of the computer in safe mode (preview) | No | 33ddedf1-c6e0-47cb-833ede6133960387 |
| Blocks untrusted and unsigned processes executed by USB | No | b2b33d-6a65-4f7b-a9c7-1c7ef74a9ba4 |
| Blocks the use of copied or imitated system tools (preview) | No | c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb |
| Blocks web shell creation for servers | No | a8f5898e-1dc8-49a9-9878-85004b8a61e6 |
| Blocks Win32 API calls from Office macros | No | 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b |
| Deploys advanced protection against ransomware | No | c1db55ab-c21a-4637-bb3fa12568109d35 |
The basic rules include blocking the theft of credentials from the local Windows security authority subsystem (lsass.exe), blocking the exploitation of vulnerable signed drivers, and preventing persistence mechanisms with WMI event subscription, which is primarily an option used by malware to hide itself by using the WMI repository and to execute repeatedly on the target system. Incidentally, the first of the three rules for securing login information can result in numerous log entries, because legitimate apps sometimes also access this type of user data.
The rules can be roughly divided into five categories:
- protection against exploits and exploitable vulnerabilities,
- preventing the spread of malware by email and the web,
- restrictions for Office applications that prevent the execution of malicious code,
- measures against the theft of login information, and
- blocking the execution of unsigned or untrusted processes.
Some of the rules use analysis results from Microsoft or other providers in the background. The rule that detects vulnerable signed drivers, for example, checks whether they have been recognized as dangerous elsewhere as soon as they are downloaded. If this is the case, the download is prevented. However, if a malicious driver is already running on a system, it can still be executed, and because these are signed drivers, no other protections are in place. If you would like to have a driver checked explicitly before using it, you can send it to Microsoft for analysis [3].
Hardening Office
Many of the rules relate to the use of Microsoft Office and the files or processes it creates. Time and time again, criminals use this software as a gateway for malware. You can deploy a rule to keep Office applications from creating executable content that allows malware to break out of the Office context and infect the system. Another Office rule keeps all Office applications from creating child processes. In concrete terms this means that processes cannot be started by Visual Basic for Applications (VBA) macros, for example, and stops malware that acts as a dropper from downloading custom code from the Internet and trying to execute it.
The rule for extended ransomware protection also draws on findings from the Microsoft cloud and the Microsoft Antimalware Protection Service (MAPS). To enable it, cloud protection must be active in Defender. This rule does not block files that have been identified as harmless online, have a valid signature, or are so widespread that they cannot be ransomware.
Another point of attack for malware can be shut down with the rule for blocking untrusted and unsigned processes that are executed over USB. This rule stops executable files (e.g., files with the extensions EXE, DLL, or SCR) launching from USB data carriers on a device, including files that users have copied from a connected USB data carrier to the device's hard drive. The rule is not as easy to work around as you might think at first glance.
« Previous 1 2 3 Next »
Buy this article as PDF
(incl. VAT)
Buy ADMIN Magazine
US / Canada
UK / Australia
Related content
-
Reducing the Windows 10 attack surface
Windows attack surface reduction policies make significant progress in protecting your entire IT infrastructure. - ZeroDay Vulnerability in MS Word
-
Reducing your attack surface
Windows Defender Application Control protects systems against threats that traditional virus scanners and signature-based mechanisms cannot detect by restricting applications in the user context and reducing the code allowed in the system kernel. -
Endpoint Security for Windows 10
Windows 10, build 21H1, has numerous protection mechanisms out of the box. We look at the option for delaying updates, the components and features of Microsoft Defender, and recommendations for hardening the operating system. -
Fight Windows ransomware with on-board tools
Ransomware defense involves two strategies: identifying attacks and slowing the attackers to mitigate their effects.
Subscribe to our ADMIN Newsletters
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Most Popular
Support Our Work
ADMIN content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.
