Attack Surface Reduction is a new security feature of Windows Defender Exploit Guard on Windows 10 that Microsoft introduced in the Fall Creators Update.
Attack Surface Reduction may prevent common actions of malicious software that is run on Windows 10 devices that have the feature enabled.
The feature is rule based, and designed to target actions and behavior that are typical of malware. You may enable rules that block the execution of obfuscated scripts, block executable content in mail clients, or prevent Office from spawning child processes.
Attack Surface Reduction is only available if you enable real-time protection in Windows Defender Antivirus.
The following rules are available in the Windows 10 Fall Creators Update:
The Attack Surface Reduction protection can be configured in three different ways:
You need to launch the Group Policy editor to get started. Note that the Group Policy editor is not available on Home editions of Windows 10.
Home users may check out Policy Plus, which brings policy editing to Home editions of Windows 10.
Show contents opens a table that accepts one Attack Surface Reduction rule per row. Value name is the rule ID that is listed in brackets in the rules above.
Value accepts the following input:
You may use PowerShell to configure rules.
Use the following command to add a blocking mode rule:
Set-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions Enabled
Use the following command to add an audit mode rule:
Set-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions AuditMode
Use the following command to set a rule to disabled:
Set-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions Disabled
You can combine multiple rules in a single command by separating each rule with a comma, and by listing states individually for each rule. Example:
Set-MpPreference -AttackSurfaceReductionRules_Ids <rule ID>, <rule ID 2>, <rule ID 3> -AttackSurfaceReductionRules_Actions Disabled, Enabled, Enabled
Note: you can use either Set-MpPreference or Add-MpPreference. Set-MpPreference always overwrites the existing set of rules, while Add-MpPreference adds to it without overwriting existing rules.
You can display the set of rules using the Get-MpPreference command.
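The commands above applied to a small rollout, as an added example that is not part of the original article: three of the rules the article names are added in audit mode without disturbing rules that are already configured, and the effective state is read back and decoded from the numeric values Get-MpPreference returns. The rule IDs are taken from Microsoft's Attack Surface Reduction documentation and are an assumption here; verify them against the rule list before use.

```powershell
# Added example, not from the article. Run in an elevated PowerShell session.
# Rule IDs below are assumed from Microsoft's ASR documentation; verify them
# against the rule list (the article's bracketed IDs) before relying on them.
$Rules = @{
    'Block executable content from email client and webmail'      = 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'
    'Block all Office applications from creating child processes' = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    'Block execution of potentially obfuscated scripts'           = '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC'
}

# Get-MpPreference reports actions as numbers, the same values the Group
# Policy table accepts: 0 = Disabled, 1 = Enabled (block), 2 = AuditMode.
$ActionName = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode' }

# ASR only works with real-time protection; stop early if it is switched off.
if ((Get-MpPreference).DisableRealtimeMonitoring) {
    throw 'Real-time protection is disabled; ASR rules would not take effect.'
}

# Add-MpPreference keeps rules that are already configured. Set-MpPreference
# would replace the whole rule set with just these three.
# Start in audit mode so Event Viewer shows what the rules would have blocked.
$Ids     = @($Rules.Values)
$Actions = @('AuditMode') * $Ids.Count
Add-MpPreference -AttackSurfaceReductionRules_Ids $Ids `
                 -AttackSurfaceReductionRules_Actions $Actions

# Read back the effective configuration and decode it. The Ids and Actions
# arrays are parallel: element i of one belongs to element i of the other.
function Get-AsrRuleState {
    $pref = Get-MpPreference
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id     = $pref.AttackSurfaceReductionRules_Ids[$i]
        $action = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
        $name   = ($Rules.GetEnumerator() | Where-Object { $_.Value -eq $id }).Key
        [pscustomobject]@{
            RuleId = $id
            Action = if ($ActionName.ContainsKey($action)) { $ActionName[$action] } else { "Unknown($action)" }
            Name   = if ($name) { $name } else { '(rule not in the list above)' }
        }
    }
}

Get-AsrRuleState | Format-Table -AutoSize
```

Once audit events have been reviewed, rerun Add-MpPreference with the same IDs and 'Enabled' to switch the rules to block mode; an ID that appears in both calls is updated to the latest action.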
Log entries are created whenever you change rules, and when events fire rules in audit mode or in block mode.
Afterwards, the new view is listed under Custom Views and shows the following events:
You can exclude files or folders so that the excluded items are not evaluated by Attack Surface Reduction rules.
Check out the following resources on Microsoft's website for additional information on Attack Surface Reduction:
I don’t understand why Microsoft doesn’t make system hardening the default in Windows. Most people won’t comprehend how to change settings in Defender.
With just two exceptions (gaming and education) MS seems to be turning its focus to enterprise and away from the consumer market. KB4046355 on Win10 v.1709 made Media Player an on-demand feature. I believe that’s to mitigate any vulnerability in Win10 that might threaten enterprise installations (i.e. system hardening). System hardening may become the default.
see Martin’s…
Beware: Update KB4046355 removes Windows Media Player
https://www.ghacks.net/2017/10/09/beware-update-kb4046355-removes-windows-media-player/
MS’s 2018 Q1 financial report is due 26 Oct. It will be an interesting read.
Your work on this appears to be outstanding, but how many Home users will spend the time to implement this, and risk troubleshooting the consequence of an implementation error that might not show up for days or weeks later? This process may be better than using the old EMET, but needs an automation and rollback process to make changes controllable and incrementally reversible.
The rules, for me, to consider are:
– Impede JavaScript and VBScript from launching executables.
– Block execution of (potentially) obfuscated scripts
Another chapter for your book, Martin. :)
Maybe for a security book ;)
Does Attack Surface Reduction require Windows Defender Antivirus?
I mean, does Attack Surface Reduction work with third-party security software?
Do new security features introduced in the Fall Creators Update require Windows Defender Antivirus?
Thanks
Windows Defender and Real-Time Protection need to be enabled. It won’t work otherwise.
Awesome article, thanks a lot Martin!
This is the biggest problem:
“Attack Surface Reduction is only available if you enable real-time protection in Windows Defender Antivirus.”
Will there be any resources left for other software you want to run?
Tried Defender in 8.1 and it sucked out resources, even with a new computer at that time…
Excellent review, thank you!