How to Configure Attack Surface Reduction (ASR) Rules using MEM

In this post I want to cover one of the more important Microsoft Defender for Endpoint (MDE) settings and how to set it up: Attack Surface Reduction (ASR) rules. As the name implies, ASR rules reduce the ways an attacker can get a foothold on a device by blocking behaviours that are rarely legitimate but common in attacks, for example Office applications spawning child processes or processes reading credentials out of LSASS.

Some notes on ASR rules to keep handy

Device compatibility

  • Windows 10 Pro, version 1709 or later
  • Windows 10 Enterprise, version 1709 or later
  • Windows Server, version 1803 (Semi-Annual Channel) or later
  • Windows Server 2019
  • Windows Server 2022
  • Windows Server 2016 (requires the modern unified MDE agent)
  • Windows Server 2012 R2 (requires the modern unified MDE agent)

To use the full set of rules, you need the following:

  • Microsoft Defender Antivirus (formerly Windows Defender Antivirus) as the primary AV, in active mode with real-time protection on. If a third-party AV owns protection and Defender is in passive mode, ASR rules do not enforce.
  • Cloud-delivered protection on (some rules require it)
  • A Windows 10 Enterprise E3 or E5 licence. E3 is enough to enforce the rules; the Defender portal reporting and Advanced Hunting used later in this post need Defender for Endpoint, which comes with E5.

Key settings of an ASR rule (the number in brackets is the value stored on the device)

  • Not configured | Disabled (0): the ASR rule is off
  • Block (1): the ASR rule is enforced
  • Audit (2): the rule logs what it would have blocked without blocking it, so you can evaluate the impact on your organization before enabling it
  • Warn (6): the rule is enforced, but the end user sees a notification and can choose to bypass the block

Warn mode is not supported for three ASR rules when they are configured through Microsoft Endpoint Manager (MEM): Block JavaScript or VBScript from launching downloaded executable content, Block persistence through WMI event subscription, and Use advanced protection against ransomware. If you set those three through Group Policy instead, Warn mode is supported.

Policy conflict

If the same ASR rule is configured by both MDM (Intune/MEM) and Group Policy, the MDM setting takes precedence.

Although there are several ways to set up ASR rules (Group Policy, PowerShell, Configuration Manager), this post looks at configuring them through Microsoft Endpoint Manager (MEM).

Note

It is advisable to enable ASR rules in Audit mode first so you do not run into issues. Audit mode shows you what each rule would have blocked, so you can work out whether the activity is a legitimate line-of-business tool that needs an exclusion or the action of a bad actor. Once you have a clear picture, switch the rule to Block.


How to configure ASR rules from MEM's Endpoint Security node?

While you have many options to set up ASR rules within Intune and MEM, I want to explore the Endpoint Security node in MEM.

For this method to work, the devices must be Hybrid Azure AD joined or Azure AD joined and enrolled in Intune.

Attack Surface Reduction rules can be found under the Manage section of Endpoint Security (Endpoint security > Attack surface reduction).

From here go to Create Policy, select Windows 10 and later as the Platform and Attack Surface Reduction Rules as the Profile, and hit Create.

From there give the policy a meaningful name and select Next.

Now you will see all the ASR rules in one place.

If you hover your mouse over the little information icon next to a rule, you can read more about that individual rule.

Set your rules as required.

You will be presented with all four key settings for each rule that we saw above.

Set the rules you are rolling out to Audit to test them first, then press Next.

Add Scope Tags if required.

In the next step, set the device assignment with the relevant Device Groups.

When you are done, press Next and then Create to complete the steps.

How to audit ASR rules

Go to https://security.microsoft.com and Hunting > Advanced Hunting, then run the KQL query below to see ASR events. Every rule hit lands in DeviceEvents with an ActionType that starts with "Asr" and ends in Audited, Blocked or Warned, so one prefix match catches all of them:

DeviceEvents
| where ActionType startswith "Asr"
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, InitiatingProcessFileName
| order by Timestamp desc

If there are any results, they will be listed in the Results tab.

You can also go to Reports in the same Defender portal, select Attack surface reduction rules, and check the Detections tab for a summary graph.

If you go to the Configuration tab, you will see the per-device settings and what has been captured by the rules.
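The portal view above depends on the device being onboarded to Defender for Endpoint. Every ASR hit is also written to the local Defender event log, which is useful for a single problem device or for an E3-only estate. The script below is an added example, not part of the original post or any Microsoft tooling: it pulls a week of ASR events from Microsoft-Windows-Windows Defender/Operational (event 1121 for Block mode, 1122 for Audit mode) and summarises them by rule and process. The EventData field names 'ID', 'Path', 'Process Name' and 'User' are assumed from the rendered event message and may differ between platform versions, so the rule GUID is also extracted from the message text as a fallback.

```powershell
# Added example (not from the original post): read ASR hits from the local Defender event log.
# Event IDs in Microsoft-Windows-Windows Defender/Operational:
#   1121 = ASR rule fired in Block mode, 1122 = ASR rule fired in Audit mode.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue   # no events in range -> $null rather than an exception

$guidPattern = '[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}'

$hits = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML. The names 'ID', 'Path',
    # 'Process Name' and 'User' are assumed from the rendered message (not documented here).
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[[string]$d.Name] = [string]$d.'#text'
    }
    # The rule GUID also appears in the rendered message, so use that if the field name differs.
    $ruleId = if ($data['ID']) { $data['ID'] } else { [regex]::Match($e.Message, $guidPattern).Value }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Mode    = if ($e.Id -eq 1121) { 'Block' } else { 'Audit' }
        RuleId  = $ruleId.Trim('{}').ToLowerInvariant()   # normalise for grouping
        Process = $data['Process Name']
        Target  = $data['Path']
        User    = $data['User']
    }
}

# What fires most, and in which mode: the table to review before moving a rule from Audit to Block.
# Map the GUIDs to rule names using Microsoft's ASR rule reference.
"ASR hits in the last 7 days by mode and rule:"
$hits | Group-Object Mode, RuleId | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Which processes would have been blocked? A line-of-business tool showing up here is a
# candidate for an ASR exclusion rather than a reason to leave the rule in Audit forever.
"Audit-mode hits by rule and initiating process:"
$hits | Where-Object Mode -eq 'Audit' |
    Group-Object RuleId, Process | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Run it on a handful of representative devices (finance, engineering, a server) rather than only your own laptop; the rules that hurt are the ones that fire on software you do not use yourself.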

What is the Warn mode?

In this mode a "toast notification" appears on the desktop when an ASR rule blocks an activity or a file. Unlike Block mode, the user can choose Unblock and carry on with the same activity; once unblocked, the content is allowed for 24 hours before the rule applies to it again. Warn mode requires Windows 10 version 1809 or later (or Windows 11), and, as noted above, three of the rules cannot be set to Warn from MEM.

Final words

ASR rules can be your best friend or your greatest enemy: they are a powerful tool for closing security holes, but rolled out carelessly they make for a poor user experience and a flood of helpdesk tickets. Audit first, review what each rule catches, add exclusions for legitimate tools, and only when you fully understand the behaviour of a rule move it to Block.
