Table of Contents
How do I create an attack surface reduction (ASR) profile?
For “Platform”, select Windows 10 and later and for “Profile”, select Attack Surface Reduction Rules and click “Create” at the bottom. This will bring you to the creation of the profile for ASR.
How do I create an ASR rule policy?
This will bring you into the main policy dashboard to create the new ASR rule policy. First you will select “Attack Surface Reduction” under the “Manage” tab. Select “create policy” at the top, and then a window will open to pick the operating system “Platform” and “Profile”.
Do I need to know the GUIDs for ASR rules?
As for Intune and Configuration Manager, both platforms already have a built-in list of ASR rules; therefore, you don’t need to know the GUIDs, nor what each action value represents. It’s as simple as choosing which actions you want to set for the rule you want to enable. Here is a screenshot of the ASR rules list available in Intune.
Should I test ASR rules in audit or enforce mode?
It’s recommended to test in Audit mode before you decide and enable any of the ASR rules in enforce mode. Microsoft recommends a balanced and pragmatic approach focused on reducing the overall attack surface. Implementing ASR rules is a great place to start.
https://www.youtube.com/channel/UCYkzVi2EHRHTKIe1yyPU6QQ
What are the ASR rules for cybersecurity?
ASR rules can constrain these kinds of risky behaviors and improve your organization’s defensive posture to decrease your risk considerably from being attacked with Ransomware, various other types of malware, and other attack vectors.
https://www.youtube.com/watch?v=8bWbXKXwPtM
What are the different ASR rules?
ASR rules fall into specific categories which are Microsoft Office, email based, Windows Management Interface (WMI) based, executable and script based, 3 rd party application based, Windows credentials based, and device control based.
What settings are available for ASR rules in Endpoint Manager?
Each ASR rule contains one of four settings: Currently, warn mode is not supported for three ASR rules when you configure ASR rules in Microsoft Endpoint Manager (MEM). To learn more, see Cases where warn mode is not supported.
What is the GUID for ASR rule 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84?
This ASR rule is controlled via the following GUID: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 Not configured ( default) – The setting returns to the Windows default, which is off. Block – Office applications are blocked from injecting code into other processes. Audit mode – Windows events are raised instead of blocking.
How do I configure custom ASR rules using Microsoft Endpoint Manager (Mem)?
You can use Microsoft Endpoint Manager (MEM) OMA-URI to configure custom ASR rules. The following procedure uses the rule Block abuse of exploited vulnerable signed drivers for the example. Open the Microsoft Endpoint Manager (MEM) admin center. In the Home menu, click Devices, select Configuration profile, and then click Create profile.