18.10.42.6.1.2 Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured

Information

This policy setting sets the Attack Surface Reduction rules.

The recommended state for this setting is:

26190899-1602-49e8-8b27-eb1d0a1ce869 - 1 (Block Office communication application from creating child processes)

3b576869-a4ec-4529-8536-b80a7769e899 - 1 (Block Office applications from creating executable content)

56a863a9-875e-4185-98a7-b882c64b5ce5 - 1 (Block abuse of exploited vulnerable signed drivers)

5beb7efe-fd9a-4556-801d-275e5ffc04cc - 1 (Block execution of potentially obfuscated scripts)

75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 - 1 (Block Office applications from injecting code into other processes)

7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c - 1 (Block Adobe Reader from creating child processes)

9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 - 1 (Block credential stealing from the Windows local security authority subsystem (lsass.exe))

b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 - 1 (Block untrusted and unsigned processes that run from USB)

be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 - 1 (Block executable content from email client and webmail)

d4f940ab-401b-4efc-aadc-ad5f3c50688a - 1 (Block Office applications from creating child processes)

Note: More information on ASR rules can be found at the following link:

Use Attack surface reduction rules to prevent malware infection | Microsoft Docs

Attack surface reduction helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.

Solution

To establish the recommended configuration via GP, set the following UI path so that 26190899-1602-49e8-8b27-eb1d0a1ce869 3b576869-a4ec-4529-8536-b80a7769e899 56a863a9-875e-4185-98a7-b882c64b5ce5 5beb7efe-fd9a-4556-801d-275e5ffc04cc 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 and d4f940ab-401b-4efc-aadc-ad5f3c50688a are each set to a value of 1 :

Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Attack Surface Reduction\Configure Attack Surface Reduction rules: Set the state for each ASR rule

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).

Impact:

When a rule is triggered, a notification will be displayed from the Action Center.

Note: The following rules apply to Windows Server 2019 and 2022, but do not apply to Windows Server 2012 R2 and 2016: 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b (Block Win32 API calls from Office macro), d3e037e1-3eb8-44c8-a917-57927947596d (Block JavaScript or VBScript from launching downloaded executable content), and e6db77e5-3df2-4cf1-b95a-636979351e5b (Block persistence through WMI event subscription).

See Also

https://workbench.cisecurity.org/benchmarks/18857

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-16, CSCv7|8.3

Plugin: Windows

Control ID: a2246ba9b1f41a6a6140d05fad14db4b1823dc1ba28cdf6fd396850a1564a767