You're reading from Mastering Microsoft 365 Defender

Product type: Book
Published in: Jul 2023
Publisher: Packt
ISBN-13: 9781803241708
Edition: 1st

Authors (2):

Ru Campbell

Ruairidh (Ru) Campbell is a Microsoft Security MVP and leads Microsoft consultancy at Threatscape. At Threatscape, Ru develops, delivers, and manages offerings and professional services for cybersecurity, compliance, identity, and management. In the cybersecurity community, Ru runs the Microsoft 365 Security & Compliance user group and his blog (campbell.scot), regularly speaks at other user groups and conferences, and contributes to well-known industry publications such as Practical 365. Ru holds 14 Microsoft certifications and a B.Sc. (Distinction) in computer networking from the University of the West of Scotland. Away from cybersecurity, he is a petrolhead who enjoys heavy metal and hiking around Scotland with his wife.

Viktor Hedberg

Viktor Hedberg is a Microsoft Security MVP and senior consultant at Truesec. At Truesec, Viktor works with proactive security measures within the Microsoft sphere of technologies, by delivering workshops on best practices and by his deep technical expertise in these areas. In the cybersecurity community, Viktor runs his blogs at Truesec (Experts – viktor-hedberg). Alongside this, he is one of the hosts of the Swedish Windows Security user group, as well as a co-host of the Swedish podcast The Nerd Herd. He is a frequent speaker at both conferences and user groups around the world, focusing on matters of Microsoft Security. Viktor holds numerous Microsoft certifications, as well as being a Microsoft Certified Trainer. Away from cybersecurity, Viktor is a family man, spending most of his time with his wife and three kids, as well as enjoying football, both as a practitioner and as a fan. Heavy metal has been part of his life since his early teens.

Managing Attack Surface Reduction for Windows

Attack surface reduction (ASR) refers to a group of capabilities that (wait for it!) reduce the attack surface of your devices by limiting their known areas of weakness. ASR first made its way to Windows 10 with feature update 1709, branded as Exploit Guard. You will still see this term referenced in some UIs and literature. In general, the term ASR has superseded it.

In this chapter, we will cover ASR capabilities for Windows that MDE customers have available:

  • ASR rules
  • Controlled folder access
  • Exploit protection
  • Network protection, including SmartScreen and web protection

Combined, ASR capabilities minimize the risk your device faces against threats such as zero days, exploits, and unauthorized activity. As before, you will learn how to configure and deploy these in the context of Windows in the enterprise, using central management tools and monitoring.

Our exploration of ASR begins with the most notable...

Understanding ASR rules

ASR rules restrict system behaviors that attackers commonly abuse, regardless of whether the intent behind any particular instance is malicious.

By taking the determination of intent out of the equation, you significantly harden the device, albeit with the potential for disruption if legacy activities are still performed. Fortunately, you can plan for that disruption by deploying ASR rules in Audit mode (2) to review the scale of the problem before applying the rules in Block mode (1) or Warn mode (6). Warn mode, available for most but not all ASR rules since Windows 10 1809, allows the user to override the block for 24 hours at a time.

As general guidance, these three modes combine into a deployment road map for ASR rules:

  • Start in Audit mode, leveraging the data that clients produce to understand what problems may present themselves when enabled
  • After mitigating problems identified in Audit mode, or accepting the risks, proceed to Warn mode so that users can proceed without breaking...
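The following is an added example, not code from the book, showing the Audit, Warn, and Block phases above applied with the Defender PowerShell module (Add-MpPreference, Get-MpPreference) and the Audit/Block hit counts read back from the Defender operational event log so you can triage before advancing a phase. It assumes an elevated session on a device where Microsoft Defender Antivirus is active; the three rule GUIDs are Microsoft's published ASR rule IDs and are chosen for illustration, not as a recommended baseline.

```powershell
# Added example (not from the book): stage a subset of ASR rules through Audit -> Warn -> Block
# with the Defender PowerShell module, and count rule hits from the event log between phases.
# Run elevated on a device where Microsoft Defender Antivirus is active. The rule GUIDs are
# Microsoft's published rule IDs; the three chosen here are illustrative, not a baseline.
#Requires -RunAsAdministrator

$AsrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from lsass.exe'
}

# Phase name -> value accepted by -AttackSurfaceReductionRules_Actions.
# The numeric equivalents are the ones the chapter quotes: Block = 1, Audit = 2, Warn = 6.
$PhaseAction = @{ Audit = 'AuditMode'; Warn = 'Warn'; Block = 'Enabled' }
$ActionName  = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 5 = 'NotConfigured'; 6 = 'Warn' }

function Set-AsrRolloutPhase {
    param([Parameter(Mandatory)][ValidateSet('Audit', 'Warn', 'Block')][string] $Phase)
    foreach ($ruleId in $AsrRules.Keys) {
        # Add-MpPreference adds or updates the given rule IDs without replacing rules that were
        # configured elsewhere; Set-MpPreference would overwrite the whole list.
        Add-MpPreference -AttackSurfaceReductionRules_Ids $ruleId `
                         -AttackSurfaceReductionRules_Actions $PhaseAction[$Phase]
    }
}

function Get-AsrRuleState {
    # Ids and Actions are parallel arrays on the preference object.
    $pref = Get-MpPreference
    for ($i = 0; $i -lt @($pref.AttackSurfaceReductionRules_Ids).Count; $i++) {
        $id = $pref.AttackSurfaceReductionRules_Ids[$i]
        [pscustomobject]@{
            RuleId = $id
            Action = $ActionName[[int]$pref.AttackSurfaceReductionRules_Actions[$i]]
            Name   = if ($AsrRules.ContainsKey($id)) { $AsrRules[$id] } else { '(configured elsewhere)' }
        }
    }
}

function Get-AsrRuleHits {
    # Defender operational log: 1122 = rule matched in Audit mode, 1121 = rule matched in Block mode.
    # The rule GUID appears in the rendered message, so a case-insensitive -match is enough.
    param([int] $Days = 7)
    $events = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue)
    foreach ($ruleId in $AsrRules.Keys) {
        $hits = @($events | Where-Object { $_.Message -match $ruleId })
        [pscustomobject]@{
            RuleId  = $ruleId
            Name    = $AsrRules[$ruleId]
            Audited = @($hits | Where-Object Id -eq 1122).Count
            Blocked = @($hits | Where-Object Id -eq 1121).Count
        }
    }
}

# Phase 1: audit, let the fleet run for a representative period, then review the hit counts.
Set-AsrRolloutPhase -Phase Audit
Get-AsrRuleState | Format-Table -AutoSize
Get-AsrRuleHits -Days 7 | Format-Table -AutoSize
# Phases 2 and 3 after triage (fix the legitimate process, or exclude its path with
# Add-MpPreference -AttackSurfaceReductionOnlyExclusions '<path>'):
#   Set-AsrRolloutPhase -Phase Warn     # rules without Warn support run as Block instead
#   Set-AsrRolloutPhase -Phase Block
```

In a managed estate you would push the same rule IDs and actions through Intune or Group Policy rather than per device; the local cmdlets are still the quickest way to confirm what a device has actually applied and to read the 1121/1122 events that drive the go/no-go decision for each phase.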

Controlled folder access

Primarily a defense against ransomware, controlled folder access (CFA) is another ASR capability. It works by limiting folder write access to allow-listed applications only. If an app isn’t trusted, it can’t modify or delete files in the controlled folders.

Trusted apps are a combination of the ones you specify and the ones deemed prevalent in Microsoft's massive telemetry data. Any other apps are forbidden from editing the contents of the folders. Thanks to the vastness of Microsoft's reputation system, you may not even have to add custom apps. Regardless of the applications you choose to trust, the system will not trust script engines such as PowerShell, even if you add them as allowed applications.

The folders are a combination of the ones you specify, and the ones listed by Microsoft by default (public and user profile Documents, Pictures, Videos, Music, and Favorites; including OneDrive redirected versions).
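The following is an added example, not code from the book, that rolls out CFA in audit mode with Set-MpPreference/Add-MpPreference, extends the protected folders and allowed applications described above, and then proves the script-engine rule by attempting a write into the user's Documents folder from the PowerShell session itself. The folder and application paths are hypothetical placeholders, and it assumes an elevated session.

```powershell
# Added example (not from the book): roll out controlled folder access in audit mode, add a
# protected folder and an allowed application, then self-test the script-engine rule by
# writing into a protected folder from this PowerShell session. Folder and application
# paths are hypothetical placeholders. Run elevated.
#Requires -RunAsAdministrator

$ExtraFolder = 'D:\Finance\Ledgers'                        # hypothetical
$TrustedApp  = 'C:\Program Files\Contoso\LedgerSync.exe'   # hypothetical

function Set-CfaMode {
    # Disabled | Enabled (block) | AuditMode | BlockDiskModificationOnly | AuditDiskModificationOnly
    param([ValidateSet('Disabled', 'Enabled', 'AuditMode')][string] $Mode)
    Set-MpPreference -EnableControlledFolderAccess $Mode
}

function Add-CfaScope {
    Add-MpPreference -ControlledFolderAccessProtectedFolders $ExtraFolder
    # Adding powershell.exe here would have no effect: script engines are never trusted by CFA.
    Add-MpPreference -ControlledFolderAccessAllowedApplications $TrustedApp
}

function Get-CfaState {
    $p = Get-MpPreference
    [pscustomobject]@{
        Mode             = $p.EnableControlledFolderAccess   # 0 Disabled, 1 Enabled, 2 AuditMode, 3/4 disk-only variants
        ProtectedFolders = $p.ControlledFolderAccessProtectedFolders
        AllowedApps      = $p.ControlledFolderAccessAllowedApplications
    }
}

function Test-CfaWrite {
    # Writes a marker file into the user's Documents folder (protected by default) from this
    # PowerShell process. In Enabled mode the write is denied and event 1123 is logged;
    # in AuditMode it succeeds and event 1124 records that it would have been blocked.
    $target = Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'cfa-probe.txt'
    try {
        Set-Content -Path $target -Value 'controlled folder access probe' -ErrorAction Stop
        Remove-Item $target -ErrorAction SilentlyContinue
        'Write allowed (expected in AuditMode or Disabled)'
    } catch {
        "Write denied: $($_.Exception.Message)"
    }
}

function Get-CfaEventCounts {
    # Defender operational log: 1123 = write blocked, 1124 = write audited.
    param([int] $Days = 7)
    $events = @(Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1123, 1124
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Blocked = @($events | Where-Object Id -eq 1123).Count
        Audited = @($events | Where-Object Id -eq 1124).Count
    }
}

Set-CfaMode -Mode AuditMode
Add-CfaScope
Get-CfaState
Test-CfaWrite
Get-CfaEventCounts
# When the 1124 events show only applications you expect: Set-CfaMode -Mode Enabled
```

The write probe is the useful part: it shows on a real device that an interactive PowerShell session, which most administrators consider trusted, is treated as an untrusted writer by CFA, which is exactly why backup scripts and build tooling that touch user profile folders surface in the audit events.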

As with ASR rules...

Exploit protection

Exploit protection succeeded the Enhanced Mitigation Experience Toolkit (EMET) from Windows 10 1709 onwards as a collection of mitigations against potential OS and app exploits. Exploit protection includes mitigations such as Data Execution Prevention (DEP), blocking untrusted fonts and remote image loads, and Code Integrity Guard.

You can also configure system settings and program settings. System settings apply across the operating system, while program settings are scoped to specific executables. By default, the system-level mitigations are already turned on, with the exception of Force randomization for images (Mandatory ASLR), which is off because forcibly relocating images that were not built for ASLR can break older applications. Each system setting can be overridden at the executable level to work around problems it may cause.

Exploit protection has many protections enabled by out-of-the-box settings, but you can customize it to address specific concerns. To reduce the risk if you do want to make changes, exploit protection can be evaluated by using audit...
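The following is an added example, not code from the book, using the ProcessMitigations module (Get-ProcessMitigation, Set-ProcessMitigation) to read the system defaults discussed above, apply Mandatory ASLR to a single program rather than system-wide, place a further mitigation into audit before enforcing it, export the configuration as XML for central deployment, and read the audit events. The executable name is a hypothetical placeholder, and it assumes an elevated session.

```powershell
# Added example (not from the book): read the system-wide exploit protection defaults, enable
# Mandatory ASLR for one executable instead of system-wide, put a further mitigation into audit
# before enforcing it, export the configuration for central deployment, and read audit events.
# The executable name is a hypothetical placeholder. Run elevated.
#Requires -RunAsAdministrator

$Program   = 'LegacyReport.exe'                       # hypothetical line-of-business binary
$ExportXml = Join-Path $env:TEMP 'ExploitProtection.xml'

function Get-SystemMitigationSummary {
    # Each value is ON, OFF or NOTSET. DEP, SEHOP, CFG, bottom-up and high-entropy ASLR
    # are ON by default; ForceRelocateImages (Mandatory ASLR) is not.
    $sys = Get-ProcessMitigation -System
    [pscustomobject]@{
        DEP             = $sys.DEP.Enable
        SEHOP           = $sys.SEHOP.Enable
        CFG             = $sys.CFG.Enable
        BottomUpASLR    = $sys.ASLR.BottomUp
        HighEntropyASLR = $sys.ASLR.HighEntropy
        MandatoryASLR   = $sys.ASLR.ForceRelocateImages
    }
}

function Set-ProgramMitigations {
    # Program-level settings override the system defaults for this image only. Remote image
    # load blocking goes into audit first so that any dependency on a UNC-hosted DLL is logged
    # rather than broken.
    Set-ProcessMitigation -Name $Program -Enable ForceRelocateImages, BottomUp, AuditRemoteImageLoads
    Get-ProcessMitigation -Name $Program
}

function Export-MitigationPolicy {
    # Dumps the effective registry configuration (system and per-program) to XML. The same
    # file can be imported locally with Set-ProcessMitigation -PolicyFilePath, or pushed by
    # Intune or Group Policy.
    Get-ProcessMitigation -RegistryConfigFilePath $ExportXml
    Get-Item $ExportXml
}

function Get-MitigationAuditEvents {
    # Audit-mode mitigations report to the Security-Mitigations channels, not the Defender log.
    param([int] $Days = 7)
    foreach ($log in 'Microsoft-Windows-Security-Mitigations/KernelMode',
                     'Microsoft-Windows-Security-Mitigations/UserMode') {
        Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = (Get-Date).AddDays(-$Days) } `
                     -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Id, @{ n = 'Channel'; e = { $log } }, Message
    }
}

Get-SystemMitigationSummary
Set-ProgramMitigations
Export-MitigationPolicy
Get-MitigationAuditEvents | Select-Object -First 20 | Format-List
```

Scoping Mandatory ASLR to the one binary that needs it is the practical compromise: the system-wide switch is the one default Microsoft leaves off for compatibility reasons, while a per-program entry hardens a known-risky executable without touching everything else on the device.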

ASR at the network layer

In this section, you’ll learn about Microsoft Defender SmartScreen, the closely related network protection (which is the last of our ASR features to discuss), and web protection.

SmartScreen

Available to both consumers and MDE customers, SmartScreen protects against risky websites and applications before Microsoft Defender Antivirus needs to step in. Using a combination of suspicious indicators, user reports, and popularity telemetry, SmartScreen can either warn about or block access to websites and applications it identifies as potentially malicious. For example, SmartScreen can identify unsafe advertising frames in websites and prevent them from loading. Or, if a user downloads an application with a low or poor reputation, it can prevent it from executing.

SmartScreen’s scope is limited to content that originates from the internet. For example, it can block the execution of a rarely seen application from a download website, but if this file was copied...
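The following is an added example, not code from the book, for network protection, the feature introduced above as the closely related counterpart to SmartScreen. It enables network protection in audit mode with Set-MpPreference, adds the extra switches a Windows Server SKU needs, checks that Defender Antivirus is not in passive mode (where network protection does not enforce), exercises the feature against a test URL, and counts the audit (1125) and block (1126) events. The test URL is the one given in Microsoft's network protection evaluation guidance; confirm it against current documentation before relying on it. It assumes an elevated session.

```powershell
# Added example (not from the book): enable network protection in audit mode, with the extra
# switches Windows Server needs, confirm the state (including that Defender Antivirus is not
# in passive mode), exercise it against a test URL, and count audit/block events. The test URL
# is the one Microsoft's network protection evaluation guidance publishes; verify it against
# current docs before use. Run elevated.
#Requires -RunAsAdministrator

$TestUrl = 'https://smartscreentestratings2.net'
$NpModeName = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode' }

function Enable-NetworkProtectionAudit {
    Set-MpPreference -EnableNetworkProtection AuditMode   # Disabled | Enabled | AuditMode
    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server
    if ((Get-CimInstance Win32_OperatingSystem).ProductType -ne 1) {
        Set-MpPreference -AllowNetworkProtectionOnWinServer $true
        Set-MpPreference -AllowNetworkProtectionDownLevel $true     # needed on older server builds
        Set-MpPreference -AllowDatagramProcessingOnWinServer $true  # optional: inspect UDP too
    }
}

function Get-NetworkProtectionState {
    $p = Get-MpPreference
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        NetworkProtection = $NpModeName[[int]$p.EnableNetworkProtection]
        OnWinServer       = $p.AllowNetworkProtectionOnWinServer
        DownLevel         = $p.AllowNetworkProtectionDownLevel
        AntivirusMode     = $s.AMRunningMode   # 'Normal' is required; 'Passive Mode' means no enforcement
    }
}

function Test-NetworkProtection {
    # In Enabled mode the connection is blocked (the request fails); in AuditMode it succeeds
    # and event 1125 is written. Either way, the event log is the authoritative record.
    try {
        $null = Invoke-WebRequest -Uri $TestUrl -UseBasicParsing -TimeoutSec 15
        'Connection succeeded (expected in AuditMode; check for event 1125)'
    } catch {
        "Connection failed: $($_.Exception.Message)"
    }
}

function Get-NetworkProtectionEventCounts {
    # Defender operational log: 1125 = audited, 1126 = blocked.
    param([int] $Days = 7)
    $events = @(Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1125, 1126
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Audited = @($events | Where-Object Id -eq 1125).Count
        Blocked = @($events | Where-Object Id -eq 1126).Count
    }
}

Enable-NetworkProtectionAudit
Get-NetworkProtectionState
Test-NetworkProtection
Get-NetworkProtectionEventCounts
```

The state check is worth keeping in any troubleshooting runbook: a server that never produces 1125 or 1126 events is far more often missing the AllowNetworkProtectionOnWinServer switch or running Defender Antivirus in passive mode than it is misconfigured at the tenant level.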

Summary

In this chapter, we dove into ASR, and you found out how to lower the likelihood of successful exploitation and the risk posed by vulnerabilities. You learned that ASR, originally branded Exploit Guard, comprises four core features: ASR rules, controlled folder access, exploit protection, and network protection.

To recap, ASR rules are individually defined options that audit or prohibit (including the option to warn and let the user override) certain types of operations, such as Office applications creating child processes or running obfuscated scripts. CFA is primarily a ransomware protection feature that protects user folders from untrusted applications of all kinds. Exploit protection carries EMET's mitigations forward to defend against potential OS and app exploits. Last of the four ASR features, network protection guards the network layer against low-reputation destinations, command and control (C2), and exploitation. It powers the ability of MDE to block web content and sits alongside SmartScreen as a defense against low-reputation resources.

...

Questions

The following questions will let you test your knowledge of ASR for Windows. The answers can be found toward the end of this book:

  1. You are testing web content filtering on a Windows Server 2022 server, but you find it is not blocking any websites. Which of the following may be a reason why? Choose all that may apply.
    1. The AllowNetworkProtectionDownLevel value is not configured
    2. Microsoft Defender Antivirus is in passive mode
    3. Network protection is only available for client devices
    4. Web content filtering has not been enabled for the tenant
  2. Which of the following actions can you include in an advanced hunting query to review events involving a network protection block?
    1. ExploitGuardNetworkProtectionAudited
    2. ExpoitProtectionNetworkAccessBlocked
    3. ExploitGuardNetworkProtectionBlocked
    4. NetworkProtectionExploitBlocked
  3. Web content filtering has been configured to block social media websites, but you have one website in this category that all employees are allowed to access. How should...

Further reading

To go into even further detail about some of the ASR topics in this chapter, you can refer to the following online material:

