Configure Attack Surface Reduction in Windows 10

Martin Brinkmann
Oct 23, 2017
Windows, Windows 10

Attack Surface Reduction is a new security feature of Windows Defender Exploit Guard on Windows 10 that Microsoft introduced in the Fall Creators Update.

Attack Surface Reduction may prevent common actions of malicious software that is run on Windows 10 devices that have the feature enabled.

The feature is rule based and designed to target actions and behavior that are typical of malware. You may enable rules that block the execution of obfuscated scripts, block executable content in mail clients, or prevent Office from spawning child processes.

Attack Surface Reduction is only available if you enable real-time protection in Windows Defender Antivirus.

Attack Surface Reduction rules

The following rules are available in the Windows 10 Fall Creators Update:

  1. Block execution of (potentially) obfuscated scripts (5BEB7EFE-FD9A-4556-801D-275E5FFC04CC)
  2. Block executable content in email clients and web mail (BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550)
  3. Block Office apps from spawning child processes (D4F940AB-401B-4EFC-AADC-AD5F3C50688A)
  4. Block Office applications from creating executables (3B576869-A4EC-4529-8536-B80A7769E899)
  5. Block Office applications from injecting data into other processes (75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84)
  6. Block Win32 imports from Macro code in Office (92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B)
  7. Impede JavaScript and VBScript to launch executables (D3E037E1-3EB8-44C8-A917-57927947596D)

Configuring Attack Surface Reduction

The Attack Surface Reduction protection can be configured in three different ways:

  1. Using Group Policy.
  2. Using PowerShell.
  3. Using MDM CSP.

Configuring rules using policies

[Screenshot: Attack Surface Reduction policy in the Group Policy editor]

You need to launch the Group Policy editor to get started. Note that the Group Policy editor is not available on Home editions of Windows 10.

Home users may check out Policy Plus, which brings policy editing to Home editions of Windows 10.

  1. Tap on the Windows-key, type gpedit.msc and hit the Enter-key to start the Group Policy editor on Windows 10.
  2. Navigate to Computer Configuration > Administrative Templates > Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack Surface Reduction.
  3. Double-click on the policy "Configure Attack surface reduction rules".
  4. Set the policy to enabled.
  5. Setting the policy to enabled activates the "Show" button. Click on Show to load the "Show Contents" window.

Show Contents is a table that accepts one Attack Surface Reduction rule per row. Value name is the rule ID listed in brackets in the rules list above.

Value accepts the following input:

  • 0 = disabled. The rule is not active.
  • 1 = enabled. The rule is active, and block mode is activated.
  • 2 = audit mode. Events will be recorded, but the actual rule is not enforced.
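As an added illustration that is not part of the original article, this is what a filled-in Show Contents table looks like using the rule IDs listed above: the script and mail rules in block mode (1), two of the Office rules in audit mode (2) while their impact is being evaluated. Rules left out of the table are not configured by this policy.

```text
Value name                              Value
5BEB7EFE-FD9A-4556-801D-275E5FFC04CC    1
BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550    1
D4F940AB-401B-4EFC-AADC-AD5F3C50688A    2
3B576869-A4EC-4529-8536-B80A7769E899    2
```

Starting the Office rules in audit mode and only switching them to 1 once the audit events (see the events section) show no legitimate activity being caught is the low-risk way to roll this out.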

Configuring rules using PowerShell

You may use PowerShell to configure rules.

  1. Tap on the Windows-key, type PowerShell, hold down the Shift-key and the Ctrl-key, and click on the PowerShell entry to launch an elevated PowerShell prompt.

Use the following command to add a blocking mode rule:

Set-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions Enabled

Use the following command to add an audit mode rule:

Set-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions AuditMode

Use the following command to set a rule to disabled:

Set-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions Disabled

You can combine multiple rules in a single command by separating each rule with a comma, and by listing states individually for each rule. Example:

Set-MpPreference -AttackSurfaceReductionRules_Ids <rule ID>, <rule ID 2>, <rule ID 3> -AttackSurfaceReductionRules_Actions Disabled, Enabled, Enabled

Note: you can use Set-MpPreference or Add-MpPreference. The Set command will always overwrite the existing set of rules while the Add command adds to it without overwriting existing rules.

You can display the set of rules using the Get-MpPreference command.
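The following script is an added example, not code from the article: it rolls out the seven rules listed above in audit mode first, later moves selected rules to block mode with a single Set-MpPreference call (so the rule set stays a known baseline), and then prints the configured rules with their names. The rule IDs and names are the ones from the article; the choice of which two rules to move to block mode is an assumption made for the example.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the article. The two arrays passed to Set-MpPreference are
# parallel: rule N receives action N, so keep $ids in one fixed order throughout.

$asrRules = [ordered]@{
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of (potentially) obfuscated scripts'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content in email clients and web mail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block Office apps from spawning child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executables'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting data into other processes'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 imports from Macro code in Office'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Impede JavaScript and VBScript to launch executables'
}
$ids = @($asrRules.Keys)

# Phase 1: every rule in audit mode. Set-MpPreference replaces the whole rule set,
# so passing all seven IDs at once defines the baseline explicitly.
Set-MpPreference -AttackSurfaceReductionRules_Ids $ids `
                 -AttackSurfaceReductionRules_Actions (@('AuditMode') * $ids.Count)

# Phase 2 (run later, after reviewing event ID 1122 in the Defender log): same ID
# order, block mode only for the rules that produced no false positives in audit.
# Which rules those are is an assumption for this example.
$blockNow = '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC', 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'
$actions = foreach ($id in $ids) {
    if ($id -in $blockNow) { 'Enabled' } else { 'AuditMode' }
}
Set-MpPreference -AttackSurfaceReductionRules_Ids $ids -AttackSurfaceReductionRules_Actions $actions

# Verify: Get-MpPreference returns the IDs and actions as two parallel arrays, with the
# actions as numbers (0 = disabled, 1 = block, 2 = audit), the same values the
# Group Policy table uses.
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id = $pref.AttackSurfaceReductionRules_Ids[$i]
    $action = switch ($pref.AttackSurfaceReductionRules_Actions[$i]) {
        0 { 'Disabled' } 1 { 'Block' } 2 { 'Audit' } default { $_ }
    }
    [pscustomobject]@{ Rule = $asrRules[$id]; Id = $id; Action = $action }
}
```

Using Set-MpPreference with the full list in both phases avoids the question of what an earlier Add-MpPreference left behind: after either call the machine is in exactly the state the script describes, which is what you want when the same script is run on more than one device.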

Attack Surface Reduction Events

[Screenshot: Attack Surface Reduction events in the Event Viewer]

Log entries are created whenever you change rules, and when events fire rules in audit mode or in block mode.

  1. Download the Exploit Guard Evaluation Package from Microsoft.
  2. Extract the content of the archive to the local system so that asr-events.xml is accessible on the system.
  3. Tap on the Windows-key, type Event Viewer and select the item from the list of suggestions to load the Event Viewer interface.
  4. Select Action > Import custom view when the interface is open.
  5. Select the asr-events.xml file that you extracted previously.
  6. Select ok when the "import custom view file" window opens. You may add a description if you want.

The new view is listed under Custom Views afterwards and shows the following events:

  • Event ID 1121 -- blocking mode events
  • Event ID 1122 -- audit mode events
  • Event ID 5007 -- changing settings events
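The custom view is convenient for browsing; for deciding which audit-mode rules are safe to switch to block mode, a per-rule count is more useful. The script below is an added example, not code from the article: it reads the same three event IDs from the Windows Defender operational log with Get-WinEvent and groups them by mode and rule. It assumes that the message text of a 1121 or 1122 event contains the GUID of the rule that fired, which is how events are attributed to rules here.

```powershell
# Added example, not from the article. Get-WinEvent throws when nothing matches the
# filter (for example on a machine where no rule has fired yet), hence SilentlyContinue.
$asrEvents = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122, 5007
}

# Assumption: the rule GUID appears in the event message; 5007 (settings changed)
# events may carry no GUID and then show an empty RuleId.
$guidPattern = '[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}'

$summary = $asrEvents | ForEach-Object {
    $mode = switch ($_.Id) { 1121 { 'Block' } 1122 { 'Audit' } 5007 { 'SettingChanged' } }
    [pscustomobject]@{
        Time   = $_.TimeCreated
        Mode   = $mode
        RuleId = [regex]::Match($_.Message, $guidPattern, 'IgnoreCase').Value
    }
}

# One line per (mode, rule) pair, busiest first. A rule with many Audit hits needs a
# look at the individual messages before it is switched to block mode.
$summary | Group-Object Mode, RuleId | Sort-Object Count -Descending |
    Select-Object Count, Name
```

To inspect what a specific rule caught, filter $summary on the RuleId and read the Message property of the matching entries in $asrEvents; the message names the process and file involved, which is usually enough to tell a false positive from a real detection.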

Excluding files and folders

[Screenshot: Attack Surface Reduction exclusion policy]

You can exclude files or folders so that the excluded items are not evaluated by Attack Surface Reduction rules.

  • Group Policy: Go to Computer configuration > Administrative templates > Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack surface reduction > Exclude files and paths from Attack surface reduction Rules. Set the policy to enabled, click on the show button, and add files or folders: the folder path or resource (e.g. c:\Windows) in the value name, and 0 in the value field of each row.
  • PowerShell: Use the command Add-MpPreference -AttackSurfaceReductionOnlyExclusions "<fully qualified path or resource>" to add files or folders to the exclusions list.
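An exclusion is a hole in the protection, so it is worth adding it carefully and knowing how to take it out again. The following is an added example, not code from the article: it checks that the path exists before excluding it, lists the current exclusions, and removes the exclusion again with Remove-MpPreference. The folder path is a constructed placeholder.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the article. $exclusion is a placeholder path; replace it
# with the real folder or file that a rule blocks wrongly.
$exclusion = 'C:\LineOfBusinessApp\scripts'

# A typo here would silently exclude nothing, so refuse paths that do not exist.
if (-not (Test-Path -LiteralPath $exclusion)) {
    throw "Refusing to exclude a path that does not exist: $exclusion"
}
Add-MpPreference -AttackSurfaceReductionOnlyExclusions $exclusion

# Review what is excluded now. Every entry is a place the ASR rules no longer look at,
# so the list should stay short and point at specific folders or files, not whole drives.
(Get-MpPreference).AttackSurfaceReductionOnlyExclusions

# Rollback: Remove-MpPreference removes only the listed entries and leaves the rest.
Remove-MpPreference -AttackSurfaceReductionOnlyExclusions $exclusion
```

Keeping the add and the matching remove in the same script makes the change reversible in one step, which addresses the rollback concern raised in the comments below.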

Microsoft Resources

Check out the following resources on Microsoft's website for additional information on Attack Surface Reduction:

Publisher: Ghacks Technology News
Comments

  1. zack said on November 18, 2021 at 7:44 pm

    No No No No No… Show an example of the table with values for the GPO… Don’t just show a blank table… that’s useless.

  2. Franck said on November 24, 2017 at 11:58 pm

    Excellent review, thank you !

  3. Stefan said on October 24, 2017 at 3:15 am

    Will there be any resources left for other software you want to run?

    Tried Defender in 8.1 and it sucked out resources, even with a new computer at that time…..

  4. Thomas said on October 23, 2017 at 7:37 pm

    This is the biggest problem:
    “Attack Surface Reduction is only available if you enable real-time protection in Windows Defender Antivirus.”

  5. Franck said on October 23, 2017 at 7:06 pm

    Awesome article, thanks a lot Martin !

  6. bjm said on October 23, 2017 at 6:51 pm

    Does Attack Surface Reduction require Windows Defender Antivirus?
    I mean, does Attack Surface Reduction work with third party security software?
    Do new security features introduced in the Fall Creators Update require Windows Defender Antivirus?

    Thanks

    1. Martin Brinkmann said on October 23, 2017 at 6:54 pm

      Windows Defender and Real-Time Protection need to be enabled. It won’t work otherwise.

  7. T J said on October 23, 2017 at 5:52 pm

    Another chapter for your book, Martin. :)

    1. Martin Brinkmann said on October 23, 2017 at 6:02 pm

      Maybe for a security book ;)

  8. Sampei Nihira said on October 23, 2017 at 5:08 pm

    The rules, for me, to consider are:

    – Impede JavaScript and VBScript to launch executables.
    – Block execution of (potentially) obfuscated scripts

  9. chesscanoe said on October 23, 2017 at 4:32 pm

    Your work on this appears to be outstanding, but how many Home users will spend the time to implement this, and risk troubleshooting the consequence of an implementation error that might not show up for days or weeks later? This process may be better than using the old EMET, but needs an automation and rollback process to make changes controllable and incrementally reversible.

  10. seeprime said on October 23, 2017 at 4:31 pm

    I don’t understand why Microsoft doesn’t make system hardening the default in Windows. Most people won’t comprehend how to change settings in Defender.

    1. jern said on October 24, 2017 at 3:31 am

      With just two exceptions (gaming and education) MS seems to be turning its focus to enterprise and away from the consumer market. KB4046355 on Win10 v.1709 made Media Player an on-demand feature. I believe that’s to mitigate any vulnerability in Win10 that might threaten enterprise installations (i.e. system hardening). System hardening may become the default.

      see Martin’s…
      Beware: Update KB4046355 removes Windows Media Player
      https://www.ghacks.net/2017/10/09/beware-update-kb4046355-removes-windows-media-player/

      MS’s 2018 Q1 financial report is due 26 Oct. It will be an interesting read.
