Windows 10 Fall Creators Update (1709) Security Feature 4: Exploit Guard Attack Surface Reduction

Posted by Ahmed Nabil
Another useful feature in the Exploit Guard intrusion-prevention set, available from Windows 10 1709 onwards, is Attack Surface Reduction (ASR). ASR is a key component of Exploit Guard, and, as I mentioned earlier, Exploit Guard is a key component of the Windows 10 defensive stack: it is concerned mainly with the pre-breach phase, and its goal is to stop the attack before it happens.

Many recent attacks, ransomware in particular, start with a malicious Office document or a link delivered to the user by email. When the user opens it, the malicious payload is downloaded and run on the local computer, or the document connects back to a command-and-control (C&C) server to fetch further stages; the end result is an infected machine or encrypted files with a ransom demand.


Attack Surface Reduction applies a fixed set of rules that protect the common entry points (the attack surface):


  1. Office rules: prevent Office applications from creating executable content, launching child processes, or injecting into other processes, among others.
  2. Script rules: block execution of potentially obfuscated scripts and other malicious script behaviour.
  3. Mail rules: block executable content from the email client and webmail.

For more details, see Microsoft's Attack Surface Reduction documentation.



ASR ships with a fixed set of rules, and each rule is identified by a unique GUID. You enable, disable, or audit a rule by referencing its GUID rather than its name.




For example, to block executable content from your mail client and webmail, you activate the rule with GUID BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 (the first rule in the list).


How to implement ASR on a standalone machine:

I strongly recommend implementing ASR on a standalone machine first and testing the rules and their effect on your applications and daily work processes. An elevated (Run as administrator) PowerShell prompt is used to enable ASR. For example, let us enable the first rule (blocking executable content from mail and webmail):

PowerShell Command

Set-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -AttackSurfaceReductionRules_Actions AuditMode


This turns on the first rule (blocking executable content from mail) in Audit mode. The -AttackSurfaceReductionRules_Actions parameter accepts three values: Enabled, Disabled, and AuditMode. I recommend starting with AuditMode so you can review the event log for the ASR events that would have been blocks, without interrupting your business. One caveat: Set-MpPreference replaces the whole list of configured ASR rules, so use Add-MpPreference when you want to append a rule without disturbing rules you configured earlier.

How to check the ASR events in Event Viewer:


  1. Download the Exploit Guard Evaluation Package and extract the ZIP file.
  2. Open Event Viewer, choose Action > Import Custom View, and pick asr-events.xml from the extracted package.
  3. All ASR events (ID 1121 for a rule firing in Block mode, ID 1122 for a rule firing in Audit mode, and ID 5007 for settings changes) appear in this custom view. This is especially useful during the AuditMode phase, while ASR is still under test.
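The custom view is convenient, but during a pilot you usually want a summary of which rules fire and for which processes, so you can decide what to exclude before switching to Block. The script below is an added example, not part of the original post: it reads the same 1121/1122 events straight from the Windows Defender operational log. The EventData field names used ('ID', 'Path', 'Process Name', 'User') are assumed from the event schema and should be checked against one raw event on your build.

```powershell
# Added example (not from the original post): summarise ASR audit/block events
# from the Defender operational log. Event ID 1121 = Block, 1122 = Audit.
# EventData field names below are assumed from the event schema; verify on one event.
$logName = 'Microsoft-Windows-Windows Defender/Operational'

function Get-AsrEvent {
    param([datetime]$StartTime = (Get-Date).AddDays(-7))
    $filter = @{ LogName = $logName; Id = 1121, 1122; StartTime = $StartTime }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Flatten the EventData section into a name -> value table
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = $(if ($_.Id -eq 1121) { 'Block' } else { 'Audit' })
            RuleId  = $data['ID']
            Process = $data['Process Name']
            Target  = $data['Path']
            User    = $data['User']
        }
    }
}

# Pilot-phase view: which rule fires most, and for which process. A legitimate
# line-of-business application showing up here is the signal to exclude it
# (Add-MpPreference -AttackSurfaceReductionOnlyExclusions <path>) before moving to Block.
Get-AsrEvent |
    Group-Object RuleId, Process |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Reading the Defender operational log requires an elevated prompt; with no matching events the function simply returns nothing rather than erroring, which is the expected state on a machine where ASR has not yet seen anything suspicious.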




How to Simulate and Demo the Attack Surface Reduction:

The same Exploit Guard Evaluation Package contains the Exploit Guard ASR test tool (32-bit and 64-bit builds). Running it displays the ASR rules and their status on your machine (Blocked, Enabled, or AuditMode), and lets you run a simulation to confirm each rule is working. For example, I ran the simulation for the first rule (executable content in mail and webmail), which tries to launch notepad.exe and gets blocked. It is a very handy test tool and worth spending some time with.



How to enable ASR for enterprise/domain computers:

Once you are satisfied with the test results, you can roll ASR out to all client computers using Group Policy. The policy setting (Configure Attack surface reduction rules) is located at:

Computer Configuration - Administrative Templates - Windows Components - Windows Defender Antivirus - Windows Defender Exploit Guard - Attack Surface Reduction

In the policy you add each rule GUID as the value name and set its value to 0, 1, or 2. The numbering is a little confusing: 0 = Off (rule disabled, nothing happens), 1 = Block (the rule is enabled and enforced), and 2 = Audit mode. Note that once a rule is managed by Group Policy, local changes made with Set-MpPreference no longer override it.
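After the policy is linked, it is worth confirming on a client both that the GPO landed and that the engine reflects it, since a typo in a GUID value name or a stale policy refresh leaves a rule silently off. The check below is an added example, not code from the original post. The registry path is the one the ASR administrative template writes (assumed; if the key is absent on your build, confirm with gpresult /h), and the values are REG_SZ strings holding the same 0/1/2 codes described above.

```powershell
# Added example (not from the original post): compare GPO-delivered ASR rules with
# what Get-MpPreference reports. Policy key path is assumed from the ASR ADMX template.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules'
$valueName = @{ '0' = 'Off'; '1' = 'Block'; '2' = 'AuditMode' }

function Get-AsrPolicyState {
    if (-not (Test-Path $policyKey)) {
        Write-Warning "No ASR policy key found; run 'gpupdate /force' and check gpresult."
        return
    }
    $policy = Get-ItemProperty -Path $policyKey
    $pref   = Get-MpPreference
    # Engine rule IDs, upper-cased so lookups do not depend on GUID casing
    $ids    = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToUpper() })

    # Only properties whose name looks like a GUID are rule entries; the rest
    # (PSPath, PSParentPath, ...) are metadata Get-ItemProperty adds.
    $policy.PSObject.Properties |
        Where-Object { $_.Name -match '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$' } |
        ForEach-Object {
            $idx    = [array]::IndexOf($ids, $_.Name.ToUpper())
            $engine = if ($idx -ge 0) { [string][int]$pref.AttackSurfaceReductionRules_Actions[$idx] } else { 'missing' }
            [pscustomobject]@{
                RuleId      = $_.Name
                PolicyValue = $valueName[[string]$_.Value]
                EngineValue = $valueName[$engine]
                Consistent  = ($engine -eq [string]$_.Value)
            }
        }
}

Get-AsrPolicyState | Format-Table -AutoSize
```

A row with Consistent = False usually means the policy value is not one of 0, 1 or 2, or the client has not refreshed policy yet; a rule present in the engine but absent from the policy key is a leftover from local Set-MpPreference testing and will be ignored while the GPO applies.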



So, another exciting feature, and I would encourage everyone on Windows 10 1709 to give it a try.





