Mastering Microsoft 365 Defender

Product type: Book
Published in: Jul 2023
Publisher: Packt
ISBN-13: 9781803241708
Pages: 572
Edition: 1st Edition
Authors (2): Ru Campbell, Viktor Hedberg

Table of Contents (33 chapters)

Preface
1. Part 1: Cyber Threats and Microsoft 365 Defender
2. Chapter 1: Microsoft and Modern Cybersecurity Threats
3. Chapter 2: Microsoft 365 Defender: The Big Picture
4. Part 2: Microsoft Defender for Endpoint
5. Chapter 3: The Fundamentals of Microsoft Defender for Endpoint
6. Chapter 4: Onboarding Windows Clients and Servers
7. Chapter 5: Getting Started with Microsoft Defender Antivirus for Windows
8. Chapter 6: Advanced Microsoft Defender Antivirus for Windows
9. Chapter 7: Managing Attack Surface Reduction for Windows
10. Chapter 8: Managing Additional Capabilities for Windows
11. Chapter 9: Onboarding and Managing macOS
12. Chapter 10: Onboarding and Managing Linux Servers
13. Chapter 11: Onboarding and Managing iOS and Android
14. Part 3: Microsoft Defender for Identity
15. Chapter 12: Deploying Microsoft Defender for Identity
16. Chapter 13: Managing Defender for Identity
17. Part 4: Microsoft Defender for Office 365
18. Chapter 14: Deploying Exchange Online Protection
19. Chapter 15: Deploying Defender for Office 365
20. Part 5: Microsoft Defender for Cloud Apps
21. Chapter 16: Implementing and Managing Microsoft Defender for Cloud Apps
22. Part 6: Proactive Security and Incident Response
23. Chapter 17: Maintaining Security Hygiene and Threat Awareness
24. Chapter 18: Extended Detection and Response with Microsoft 365 Defender
25. Chapter 19: Advanced Hunting with KQL
26. Chapter 20: Microsoft Sentinel Integration
27. Chapter 21: Understanding Microsoft 365 Defender APIs
28. Part 7: Glossary and Answers
29. Chapter 22: Glossary
30. Chapter 23: Answers
31. Index
32. Other Books You May Enjoy

Managing Attack Surface Reduction for Windows

Attack surface reduction (ASR) refers to a group of capabilities that (wait for it!) reduce the attack surface of your devices by limiting their known areas of weakness. ASR first made its way to Windows 10 with feature update 1709, branded as Exploit Guard. You will still see this term referenced in some UIs and literature. In general, the term ASR has superseded it.

In this chapter, we will cover ASR capabilities for Windows that MDE customers have available:

  • ASR rules
  • Controlled folder access
  • Exploit protection
  • Network protection, including SmartScreen and web protection

Combined, ASR capabilities minimize the risk your device faces against threats such as zero days, exploits, and unauthorized activity. As before, you will learn how to configure and deploy these in the context of Windows in the enterprise, using central management tools and monitoring.

Our exploration of ASR begins with the most notable...

Understanding ASR rules

ASR rules restrict system behaviors that attackers frequently rely on, regardless of whether the intent behind any particular instance of that behavior is malicious.

By taking the determination of intent out of the equation, you significantly harden the device, albeit with the potential for disruption if legacy activities are still performed. Fortunately, you can plan for that disruption by deploying ASR rules in Audit mode (2) to review the scale of the problem before applying the rules in Block mode (1) or Warn mode (6). Warn mode, available for most but not all ASR rules since Windows 10 1809, allows the user to override the block for 24 hours at a time.

As general guidance, these three modes for ASR rules combined make a deployment road map:

  • Start in Audit mode, leveraging the data that clients produce to understand what problems may present themselves when enabled
  • After mitigating problems identified in Audit mode, or accepting the risks, proceed to Warn mode so that users can proceed without breaking...
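The three-stage road map above can be driven entirely from the built-in Defender cmdlets. The following is an added example, not code from the book or from Microsoft: it assumes an elevated PowerShell session on a device where Microsoft Defender Antivirus is the active engine, and it uses the documented rule IDs for the two rules this chapter names (Office child processes and obfuscated scripts). The event IDs queried are the ones Defender writes for ASR audit (1122) and block (1121) events.

```powershell
# Added example (not from the book): staged ASR rule rollout with the
# Defender cmdlets. Run elevated, with Defender AV in active mode.

$Rules = @{
    # Block all Office applications from creating child processes
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Office child processes'
    # Block execution of potentially obfuscated scripts
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Obfuscated scripts'
}

# Action values accepted by Set-/Add-MpPreference map to the numeric codes
# the chapter quotes: Disabled (0), Enabled = Block (1), AuditMode (2), Warn (6).
function Set-AsrStage {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('AuditMode', 'Warn', 'Enabled', 'Disabled')]
        [string]$Action
    )
    foreach ($id in $Rules.Keys) {
        # Add-MpPreference merges into the existing rule list rather than
        # replacing it, so rules not listed here keep their current mode.
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                         -AttackSurfaceReductionRules_Actions $Action
    }
}

# Stage 1: Audit. Nothing is blocked; events are recorded for review.
Set-AsrStage -Action AuditMode

# Review what the audit stage produced before moving on.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# Stage 2 and 3: after triaging (or accepting) the audit findings, move to
# Warn, which lets users override for 24 hours, and finally to Block.
# Set-AsrStage -Action Warn
# Set-AsrStage -Action Enabled

# Confirm the effective configuration; actions are returned as integers.
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    '{0}  action={1}' -f $pref.AttackSurfaceReductionRules_Ids[$i],
                          $pref.AttackSurfaceReductionRules_Actions[$i]
}
```

In a managed estate the same rule IDs and action values are what Intune, Group Policy, or Configuration Manager push down; running the cmdlets locally is useful for validating a pilot device before the policy is scaled out.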

Controlled folder access

Primarily a defense against ransomware, controlled folder access (CFA) is another ASR capability. It works by limiting folder write access to allow-listed applications only. If an app isn’t trusted, it can’t modify or delete files in the controlled folders.

Trusted apps are a combination of the ones you specify, and the ones deemed prevalent in Microsoft’s massive telemetry data. Any other apps are forbidden from editing the contents of the folders. Thanks to the vastness of Microsoft’s reputation system, you may not even have to add custom apps. Regardless of the applications you choose to trust, the system will not trust script engines such as PowerShell, even if you add them as exclusions.

The folders are a combination of the ones you specify, and the ones listed by Microsoft by default (public and user profile Documents, Pictures, Videos, Music, and Favorites; including OneDrive redirected versions).
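As an added example (not code from the book), the following shows the same audit-then-enforce approach applied to controlled folder access, including extending the default folder list and trusting an application that Microsoft's reputation data may not already cover. The `D:\Finance\Ledgers` path and `LedgerApp.exe` are constructed placeholders; the event IDs are the ones Defender writes for CFA blocked (1123) and audited (1124) events.

```powershell
# Added example (not from the book): controlled folder access rollout.
# Run elevated, with Defender AV in active mode. Paths are placeholders.

# Stage 1: audit only. Writes are allowed but would-be blocks are logged.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# Protect a folder beyond Microsoft's default set (Documents, Pictures,
# Videos, Music, Favorites and their OneDrive-redirected equivalents).
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance\Ledgers'

# Trust a line-of-business app that telemetry does not already deem prevalent.
# Adding a script engine (powershell.exe, wscript.exe, ...) here has no
# effect; as the chapter notes, script engines are never trusted by CFA.
Add-MpPreference -ControlledFolderAccessAllowedApplications `
    'C:\Program Files\Contoso\LedgerApp.exe'

# Review audit and block events to see which apps would be affected.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# Stage 2: enforce once the audit data shows no legitimate app being hit.
# Set-MpPreference -EnableControlledFolderAccess Enabled

# Confirm the effective settings.
Get-MpPreference | Select-Object EnableControlledFolderAccess,
    ControlledFolderAccessProtectedFolders,
    ControlledFolderAccessAllowedApplications
```

The 1124 audit events are the data to mine before enforcing: each one names the process and the file it would have been prevented from touching, which is exactly the allow-list you need to build.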

As with ASR rules...

Exploit protection

Exploit protection succeeded the Enhanced Mitigation Experience Toolkit (EMET) from Windows 10 1709 onwards as a collection of mitigations against potential OS and app exploits. Exploit protection includes mitigations such as Data Execution Prevention (DEP), blocking untrusted fonts and remote image loads, and Code Integrity Guard.

Exploit protection is configured at two levels: system settings, which apply across the operating system, and program settings, which are scoped to specific executables. By default, the system settings are already turned on system-wide, with the exception of Force randomization for images (Mandatory ASLR). Each system setting can be overridden at the executable level to work around problems it may cause for a particular program.

Exploit protection has many protections enabled by out-of-the-box settings, but you can customize it to address specific concerns. To reduce the risk if you do want to make changes, exploit protection can be evaluated by using audit...
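The system-versus-program split described above maps directly onto the `Get-ProcessMitigation` and `Set-ProcessMitigation` cmdlets. This is an added example, not code from the book or from Microsoft; it assumes an elevated session on Windows 10 1709 or later, and `LegacyApp.exe` and the `C:\Temp` export path are constructed placeholders.

```powershell
# Added example (not from the book): reviewing and tuning exploit protection.
# Run elevated on Windows 10 1709+ / Windows Server 2019+.

# 1. Inspect the current system-wide mitigations (the defaults the chapter
#    describes, with ForceRelocateImages normally showing as off).
Get-ProcessMitigation -System

# 2. Turn on Mandatory ASLR (ForceRelocateImages) system-wide, paired with
#    bottom-up randomization so relocated images get randomized bases.
Set-ProcessMitigation -System -Enable ForceRelocateImages, BottomUp

# 3. Override at the executable level for an app that breaks under it (for
#    example, one linked without /DYNAMICBASE). The program setting wins over
#    the system setting for that binary only. -Name takes the image name.
Set-ProcessMitigation -Name 'LegacyApp.exe' -Disable ForceRelocateImages

# 4. Confirm the per-program result.
Get-ProcessMitigation -Name 'LegacyApp.exe'

# 5. Export the complete configuration to XML. The same file format is what
#    Intune, Group Policy and Configuration Manager deploy centrally, and it
#    can be re-imported on another device with -PolicyFilePath.
Get-ProcessMitigation -RegistryConfigFilePath 'C:\Temp\ExploitProtection.xml'
# Set-ProcessMitigation -PolicyFilePath 'C:\Temp\ExploitProtection.xml'
```

Pilot Mandatory ASLR on a small group first: it is the one default that is off precisely because older binaries without relocation information can fail to start under it, and the per-program override is the intended escape hatch rather than switching it off globally.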

ASR at the network layer

In this section, you’ll learn about Microsoft Defender SmartScreen, the closely related network protection (which is the last of our ASR features to discuss), and web protection.

SmartScreen

Available to both consumers and MDE customers, SmartScreen protects against risky websites and applications before Microsoft Defender Antivirus needs to step in. Using a combination of suspicious indicators, user reports, and popularity telemetry, SmartScreen can either warn about or block access to websites and applications it identifies as potentially malicious. For example, SmartScreen can identify unsafe advertising frames in websites and prevent them from loading. Or, if a user downloads an application with a low or poor reputation, it can prevent it from executing.

SmartScreen’s scope is limited to content that originates from the internet. For example, it can block the execution of a rarely seen application from a download website, but if this file was copied...
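To tie the network-layer features together, the following added example (not code from the book) enables network protection in audit mode, sets the server-only switches that this chapter's questions refer to, and checks the Windows shell SmartScreen policy values. It assumes an elevated session; the event IDs are the ones Defender writes for network protection audited (1125) and blocked (1126) events, and the registry policy path is the documented location for the Windows SmartScreen policy.

```powershell
# Added example (not from the book): network protection and SmartScreen
# configuration checks. Run elevated.

# Network protection: audit first, enforce later.
Set-MpPreference -EnableNetworkProtection AuditMode
# Set-MpPreference -EnableNetworkProtection Enabled

# On Windows Server the feature is off until explicitly allowed.
# AllowNetworkProtectionOnWinServer covers Server 2019 and later;
# AllowNetworkProtectionDownLevel covers older servers running the
# unified agent. ProductType 1 = workstation, 2 = DC, 3 = member server.
if ((Get-CimInstance Win32_OperatingSystem).ProductType -ne 1) {
    Set-MpPreference -AllowNetworkProtectionOnWinServer $true
    Set-MpPreference -AllowNetworkProtectionDownLevel  $true
}

# Network protection is enforced by the Defender AV engine, so check which
# mode the engine is running in before trusting any test result.
Get-MpComputerStatus | Select-Object AMRunningMode, RealTimeProtectionEnabled

# Review what network protection has audited or blocked.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1125, 1126
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# SmartScreen for the Windows shell (downloaded executables). These are the
# registry values behind the "Configure Windows Defender SmartScreen" policy;
# ShellSmartScreenLevel is 'Warn' (user can proceed) or 'Block'.
$ss = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
New-Item -Path $ss -Force | Out-Null
Set-ItemProperty -Path $ss -Name EnableSmartScreen     -Value 1       -Type DWord
Set-ItemProperty -Path $ss -Name ShellSmartScreenLevel -Value 'Block' -Type String
Get-ItemProperty -Path $ss | Select-Object EnableSmartScreen, ShellSmartScreenLevel
```

Remember the scope difference the chapter draws: SmartScreen evaluates content that carries a mark of the web (downloads and browser navigation), while network protection inspects outbound connections from any process, so a test that only copies a file from a local share exercises neither.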

Summary

In this chapter, we dove into ASR, and you found out how to lower the likelihood of exploits and the risk of vulnerabilities. You learned how ASR, originally branded Exploit Guard, comprises four core features: ASR rules, controlled folder access, exploit protection, and network protection.

To recap, ASR rules are individually defined options that audit or prohibit (including the option to override) certain types of operations, such as Office applications creating child processes or running obfuscated scripts. CFA is primarily a ransomware protection feature that protects user folders from malicious applications of all kinds. Exploit protection lives on from the EMET to defend against potential OS and app exploits. Last of the four ASR features, network protection, guards the network layer against low reputation, C2, and exploitation. It powers the ability of MDE to block web content and sits alongside SmartScreen as a defense against low-reputation resources.

...

Questions

The following questions will let you test your knowledge of ASR for Windows. The answers can be found toward the end of this book:

  1. You are testing web content filtering on a Windows Server 2022 server, but you find it is not blocking any websites. Which of the following may be a reason why? Choose all that may apply.
    1. The AllowNetworkProtectionDownLevel value is not configured
    2. Microsoft Defender Antivirus is in passive mode
    3. Network protection is only available for client devices
    4. Web content filtering has not been enabled for the tenant
  2. Which of the following actions can you include in an advanced hunting query to review events involving a network protection block?
    1. ExploitGuardNetworkProtectionAudited
    2. ExpoitProtectionNetworkAccessBlocked
    3. ExploitGuardNetworkProtectionBlocked
    4. NetworkProtectionExploitBlocked
  3. Web content filtering has been configured to block social media websites, but you have one website in this category that all employees are allowed to access. How should...

Further reading

To go into even further detail about some of the ASR topics in this chapter, you can refer to the following online material:
