Attack surface reduction

[ParaXY]

Last week I upgraded Windows 10 Enterprise from 1703 to 1709. So far so good. I just came across these two articles for Windows Defender Exploit Guard:

Enable ASR rules individually to protect your organization
https://docs.microsoft.com/en-us/wi...exploit-guard/enable-attack-surface-reduction
Use Attack surface reduction rules to prevent malware infection
https://docs.microsoft.com/en-us/wi...-guard/attack-surface-reduction-exploit-guard
I ended up enabling all 7 of the rules and setting them to the value of "1" (ie: enabling them) using the Group Policy Editor:

Block executable content from email client and webmail BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
Block Office applications from creating child processes D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Block Office applications from creating executable content 3B576869-A4EC-4529-8536-B80A7769E899
Block Office applications from injecting into other processes 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
Impede JavaScript and VBScript to launch executables D3E037E1-3EB8-44C8-A917-57927947596D
Block execution of potentially obfuscated scripts 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
Block Win32 imports from Macro code in Office 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B

Has anyone else tried this who has upgraded to 1709? I'm keen to see if this change is of any value locking my machine down even further!

I also imported the custom view into Event Viewer and after enabling these rules so that I can monitor the results.

 

[Deleted member 65228]

If they are enabled and are working correctly then you can be more secure. That doesn't mean you'll be invincible though! If you read the features, you should be able to get an idea of what will be locked down more more or less.

Macros must be hard enough to use for malware let alone bypass those restrictions... Must be pretty brutal compared to before. Those restrictions for Office applications are a huge slap in the face from Microsoft.

If you work with JavaScript, VBScript and Office applications (e.g. macros) and use executable content downloaded from email, then the settings above can cause issues unless you understand how to work them properly. Don't blindly enable them or issues can occur and you won't understand why/how to resolve... understand how they work and why you will be enabling them beforehand!

 

[ParaXY]

If they are enabled and are working correctly then you can be more secure. That doesn't mean you'll be invincible though! If you read the features, you should be able to get an idea of what will be locked down more more or less.

Macros must be hard enough to use for malware let alone bypass those restrictions... Must be pretty brutal compared to before. Those restrictions for Office applications are a huge slap in the face from Microsoft.

If you work with JavaScript, VBScript and Office applications (e.g. macros) and use executable content downloaded from email, then the settings above can cause issues unless you understand how to work them properly. Don't blindly enable them or issues can occur and you won't understand why/how to resolve... understand how they work and why you will be enabling them beforehand!

Thanks! I don't use macros and had them disabled before using GPO so I think I'll be ok with the changes. I also use AppGuard in locked down mode.

I wonder if there are some tests you can do to test each rule to verify that it is working correctly?

 

[509322]

Instead you can just not use Microsoft Office programs.

Those policies were created for organizations that use Office programs heavily. Most home users do not need Office and would be better served by one of the alternatives.

Nowadays, given that Office is targeted more heavily than ever before, Microsoft has had to respond to the increasing complaints about Office - hence the GPO stuff.

Even if you enable all the policies, with Office programs running Guarded, I'd be surprised if you run into any major problems.

That is the awesomeness of software restriction policy based protection.