(147) Microsoft Intune - Configure Available Attack Surface Reduction Rules with Exceptions
- Mr B SOE way
- Oct 12, 2024
- 2 min read
Our company generally deploys CIS Benchmark controls, or the ACSC Essential Eight, to customers as a baseline; as part of the CIS baselines we also deploy Attack Surface Reduction rules.
What are Attack Surface Reduction Rules?
Attack surfaces are all the places where your organization is exposed to cyber threats and attacks, and where an attacker could compromise your organization's devices or networks. To minimize the risk of such a compromise, you must implement security measures such as Attack Surface Reduction rules, network protection, application control, etc. See the Microsoft documentation for the full list of security measures.
There are five ways of deploying Attack Surface Reduction Rules:
1) Attack Surface Reduction Rules via Endpoint protection
The Endpoint protection configuration profile can be used to control the security of Windows devices. Its Microsoft Defender Exploit Guard category contains an Attack Surface Reduction group with nearly all currently available ASR rules.
2) Attack Surface Reduction Rules via custom configuration profile
A custom configuration profile can be used to configure settings that are available in a Configuration Service Provider (CSP). The Defender CSP also includes all ASR rules. ASR rules and exclusions are set via custom OMA-URIs.
3) Attack Surface Reduction Rules via MDM Security Baseline
Security baselines are Microsoft-recommended configuration settings. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers. A security baseline includes a group of Microsoft Defender settings. The Security Baseline contains nearly all currently available ASR rules.
4) Attack Surface Reduction Rules via Endpoint Security Attack Surface Reduction rules
The Attack Surface Reduction rules profile can be used to configure the Attack Surface Reduction rules and contains nearly all currently available ASR rules.
5) Attack Surface Reduction Rules via PowerShell script
PowerShell is a cross-platform task automation solution made up of a command-line shell, a scripting language, and a configuration management framework. We can use a PowerShell script to set all the available ASR rules.
How to create OMA-URI Profile for ASR Rules?
Today we will create the rules using an OMA-URI, which is the second option listed above. Navigate to https://intune.microsoft.com/ > Devices > Configuration > Create > New Policy > Platform: Windows 10 and later > Profile type: Templates > Custom
Under Basics, enter Name of Profile: ASR Rules
Under Configuration Settings > select Add
Name: ASR Rules
Description: All ASR Rules Enabled
OMA-URI: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules
Data Type: String
Value:
75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84=1|3b576869-a4ec-4529-8536-b80a7769e899=1|d4f940ab-401b-4efc-aadc-ad5f3c50688a=1|92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b=1|5beb7efe-fd9a-4556-801d-275e5ffc04cc=1|d3e037e1-3eb8-44c8-a917-57927947596d=1|9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2=1|d1e49aac-8f56-4280-b9ba-993a6d77406c=1|b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4=1|01443614-cd74-433a-b99e-2ecdc07bfc25=1|be9ba2d9-53ea-4cdc-84e5-9b1eeee46550=1|c1db55ab-c21a-4637-bb3f-a12568109d35=1|7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c=1|26190899-1602-49e8-8b27-eb1d0a1ce869=1|e6db77e5-3df2-4cf1-b95a-636979351e5b=1|56a863a9-875e-4185-98a7-b882c64b5ce5=1
Under Review + Create, review the settings then select Create.
How to create OMA-URI Profile for ASR Exclusion?
Navigate to https://intune.microsoft.com/ > Devices > Configuration > Create > New Policy > Platform: Windows 10 and later > Profile type: Templates > Custom
Under Basics, enter Name of Profile: ASR Rules Exclusion
Under Configuration Settings > select Add
Name: ASR Rules Exclusion
Description: Exclusions
OMA-URI: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions
Data Type: String
Value:
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe|C:\Program Files (x86)\Zoiper5\Uninstall.exe
Under Review + create, review the settings and select Create.
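Because this value is typed by hand, the easiest mistakes are stray spaces around the pipe separator (which become part of the path) and duplicate or relative entries. The following added example is my own script, not part of the original post: it builds the AttackSurfaceReductionOnlyExclusions value from the two paths above, rejects entries that would break the format, and then checks the local Defender state with Get-MpPreference. Run it elevated on an enrolled device.

```powershell
# Added example (not from the original post): build and check the
# AttackSurfaceReductionOnlyExclusions value for the exclusions above.

# Exclusion paths from the post.
$ExclusionPaths = @(
    'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe'
    'C:\Program Files (x86)\Zoiper5\Uninstall.exe'
)

function New-AsrExclusionValue {
    # Return the pipe-separated string the CSP expects, with no spaces around '|'.
    param([Parameter(Mandatory)][string[]]$Paths)
    $clean = foreach ($p in $Paths) {
        $t = $p.Trim()                                   # spaces would otherwise end up inside the path
        if ($t -match '\|') { throw "Separator character inside a path: $t" }
        if ($t -notmatch '^([A-Za-z]:\\|%[^%]+%\\)') {   # drive-rooted or %ENV%-rooted only
            throw "Not an absolute path: $t"
        }
        if (-not (Test-Path -LiteralPath $t)) {
            Write-Warning "Not found on this device (fine if it is only installed elsewhere): $t"
        }
        $t
    }
    # Sort-Object -Unique compares case-insensitively, so duplicate paths collapse to one entry.
    return (($clean | Sort-Object -Unique) -join '|')
}

function Test-AsrExclusionState {
    # One row per path: whether Defender on this device already lists it as an ASR-only exclusion.
    param([Parameter(Mandatory)][string[]]$Paths)
    $local = @((Get-MpPreference).AttackSurfaceReductionOnlyExclusions)
    foreach ($p in $Paths) {
        [pscustomobject]@{
            Path    = $p.Trim()
            Applied = ($local -contains $p.Trim())       # -contains is case-insensitive for strings
        }
    }
}

$value = New-AsrExclusionValue -Paths $ExclusionPaths
"OMA-URI value to paste into Intune:`n$value"
Test-AsrExclusionState -Paths $ExclusionPaths | Format-Table -AutoSize
```

Keep in mind that an entry in this list is exempt from every ASR rule, not from one rule in particular. Excluding AcroRd32.exe, for instance, also removes the "Block Adobe Reader from creating child processes" rule's coverage for that process, so each exclusion should be tied to a concrete, documented false positive and reviewed when the application is updated.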
To test your ASR rules, open Event Viewer and navigate to DeviceManagement-Enterprise-Diagnostics-Provider -> Admin.
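The Event Viewer path above shows the MDM side (the policy being delivered and applied), while the rule hits themselves are written by Defender to its own operational log as event 1121 (block mode) and 1122 (audit mode). The following added example is my own script, not part of the original post: it queries both logs with Get-WinEvent so the check can be scripted instead of clicked through. The EventData field name 'Process Name' used in the last line is taken from the 1121/1122 event payload and is an assumption; if your build names it differently, the Data hashtable in the output still carries every field.

```powershell
# Added example (not from the original post): read the two event logs that
# show whether the ASR policy arrived and whether the rules are firing. Run elevated.

function Get-AsrPolicyEvents {
    # MDM diagnostics events that mention the ASR CSP nodes (policy delivery and application).
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'AttackSurfaceReduction' } |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

function Get-AsrRuleHits {
    # Defender events 1121 (rule blocked something) and 1122 (rule would have blocked, audit mode).
    param([int]$Hours = 24)
    $guid = '[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}'
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        # Flatten EventData into name/value pairs so every field is available regardless of schema.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Mode   = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
            RuleId = [regex]::Match($_.Message, $guid, 'IgnoreCase').Value   # matches the GUIDs in the policy value
            Data   = $data
        }
    }
}

Get-AsrPolicyEvents | Format-List
Get-AsrRuleHits |
    Select-Object Time, Mode, RuleId, @{ n = 'Process'; e = { $_.Data['Process Name'] } } |   # field name assumed
    Format-Table -AutoSize
```

No output from Get-AsrPolicyEvents means the device has not received the profile yet (or the profile targets a group the device is not in); no 1121/1122 events simply means nothing has tripped a rule in the window, which is normal on a freshly configured device. The RuleId column can be matched directly against the GUIDs in the policy value to see which rule fired.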