Reducing the Attack Surface in Windows
Strong Defense
Configuration by PowerShell and Tools
You will normally want to use the graphical tool to configure the rulesets on the Defender portal. The rules and evaluations are available side by side, and issues can be found quickly with an advanced search. If the portal is not available, the rules can be enabled and disabled with PowerShell, but you must use the GUIDs listed in the table. To enable a rule, open PowerShell in administrator mode. If you want to set the rule Block executable content from email client and webmail to audit mode, you would need to run the cmdlet:
Add-MpPreference -AttackSurfaceReductionRules_Ids be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 -AttackSurfaceReductionRules_Actions AuditMode
Instead of AuditMode, you can define the other variants by stipulating Warn or Block as an argument. To disable a rule, use the Disable argument. If you want to use PowerShell to enable exceptions for folders, files, or processes, run the cmdlet:
Add-MpPreference -AttackSurfaceReductionOnlyExclusions "<path or resource>"
To execute your actions for all existing rules, you can write a small script that first queries the existing GUIDs with (Get-MpPreference).AttackSurfaceReductionRules_Ids and then works its way through this list. If you do not have the option of setting the ASR rules by group policies and the configuration by PowerShell is too complicated for you, two free tools can help: the zero-installation ConfigureDefender [4] by Andrzej Pluta and DefenderUI [5] by VoodooShield.
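The following script is an added example, not code from the article or from Microsoft: it implements the loop described above. It reads the configured rule GUIDs and their current actions with Get-MpPreference, prints them with the numeric action codes translated into names, lists any ASR-only exclusions, and, unless you pass -ReportOnly, re-adds every configured rule with the mode you choose. The accepted mode names in the cmdlet are Disabled, Enabled (the block mode the article calls Block), AuditMode, and Warn; the mapping of the numeric codes (0, 1, 2, 6) to those names is Microsoft's, while the parameter names $Mode and $ReportOnly are this script's own. It assumes an elevated PowerShell session on a host with Microsoft Defender Antivirus.

```powershell
# Added example (not from the article): report all configured ASR rules and,
# optionally, switch each of them to one mode. Run from an elevated session.
[CmdletBinding()]
param(
    # Target mode. 'Enabled' is the block mode; the others are as in the article.
    [ValidateSet('Disabled', 'Enabled', 'AuditMode', 'Warn')]
    [string]$Mode = 'AuditMode',

    # Dry run: only list the rules and their current actions, change nothing.
    [switch]$ReportOnly
)

# Numeric action codes as returned by Get-MpPreference, mapped to readable names.
$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'AuditMode'; 6 = 'Warn' }

$pref    = Get-MpPreference
$ids     = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)

if ($ids.Count -eq 0) {
    Write-Host 'No ASR rules are configured on this host.'
    return
}

# Show the exclusions first; an over-broad exclusion silently weakens every rule.
$exclusions = @($pref.AttackSurfaceReductionOnlyExclusions)
Write-Host ("ASR-only exclusions: {0}" -f $(if ($exclusions.Count) { $exclusions -join ', ' } else { 'none' }))

# The two arrays are index-aligned: rule $i has action $i.
for ($i = 0; $i -lt $ids.Count; $i++) {
    $code    = [int]$actions[$i]
    $current = $actionNames[$code]
    if (-not $current) { $current = "Unknown($code)" }

    Write-Host ("{0}  current={1}" -f $ids[$i], $current)

    if (-not $ReportOnly) {
        # Re-adding an already configured rule ID replaces its action.
        Add-MpPreference -AttackSurfaceReductionRules_Ids $ids[$i] `
                         -AttackSurfaceReductionRules_Actions $Mode
        Write-Host ("{0}  set to {1}" -f $ids[$i], $Mode)
    }
}
```

Run it with -ReportOnly first to see what is configured, then, for example, with -Mode AuditMode before a rollout so that the Defender event log shows what each rule would have blocked without yet interrupting users.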
Both tools let you set all ASR rules in a clear-cut interface, and you can customize the properties of Microsoft Defender, for example, by defining the sensitivity level for the scanner in its response to suspicious files, how long Defender will wait for a response from the Microsoft cloud before waving a file through, or how much compute power malware protection can harness for its own needs.
Both tools come with various predefined security levels that you can activate with a click of the mouse, if necessary, and include, for example, recommended settings (High for ConfigureDefender and Recommended for DefenderUI), an interactive level with more frequent queries, and a maximum security level that basically enables all rules. If you misconfigure something and don't know which setting is causing problems all of a sudden, both programs also let you revert to the Windows default settings at the push of a button. All the settings configured in the GUI can be set by the PowerShell Set-MpPreference cmdlet, and its Get-MpPreference counterpart queries the settings.
Conclusions
Windows offers more in terms of security than meets the eye. A number of rules under the hood reduce the attack surface. In this article, I looked into the basic aspects of attack surface reduction. The 19 rules might seem fairly simple, but they do address a number of popular attack gateways, so you should consider using them to protect your infrastructure. What's more, these built-in resources do not have any third-party code. Under normal circumstances, you will experience no, or hardly any, restrictions in your daily work, although you have slammed the door in the face of many attackers.
Infos
- [1] Vangel, D., M. Athavale, and J. Bregman. Understand and Use Attack Surface Reduction Capabilities. Microsoft Learn, June 4, 2024, https://learn.microsoft.com/en-us/defender-endpoint/overview-attack-surface-reduction
- [2] Microsoft ATP portal: https://demo.wd.microsoft.com
- [3] Uploading drivers for analysis: https://www.microsoft.com/en-us/wdsi/driversubmission
- [4] ConfigureDefender: https://github.com/AndyFul/ConfigureDefender/
- [5] DefenderUI: https://defenderui.com