18.9.77.13.1.1 Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

This policy setting controls the state for the Attack Surface Reduction (ASR) rules.

The recommended state for this setting is: Enabled.

Rationale:

Attack surface reduction helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled:

Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Defender Antivirus\Windows Defender Exploit Guard\Attack Surface Reduction\Configure Attack Surface Reduction rules

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).

Impact:

When a rule is triggered, a notification will be displayed from the Action Center.

Default Value:

Disabled. (No ASR rules will be configured.)

See Also

https://workbench.cisecurity.org/files/2646