Attack surface reduction (ASR) rules deployment overview

Attack surfaces are all the places where your organization is vulnerable to cyberthreats and attacks. Your organization's attack surfaces includes all the places where an attacker could compromise your organization's devices or networks. Reducing your attack surface means protecting your organization's devices and network, which leaves attackers with fewer ways to attack. Configuring attack surface reduction (ASR) rules — one of many security features found in Microsoft Defender for Endpoint — can help.

ASR rules target certain software behaviors, such as:

  • Launching executable files and scripts that attempt to download or run files
  • Running obfuscated or otherwise suspicious scripts
  • Behaviors that apps don't usually occur during normal day-to-day work

By reducing the different attack surfaces, you can help prevent attacks from happening in the first place.

Before you begin

During your initial preparation, it's vital that you understand the capabilities of the systems that you'll put in place. Understanding the capabilities will help you determine which ASR rules are most important for protecting your organization. Additionally, there are several prerequisites which you must attend to in preparation of your ASR deployment.

Important

This guide provides images and examples to help you decide how to configure ASR rules; these images and examples might not reflect the best configuration options for your environment.

Before you start, review Overview of attack surface reduction, and Demystifying attack surface reduction rules - Part 1 for foundational information. To understand the areas of coverage and potential impact, familiarize yourself with the current set of ASR rules; see Attack surface reduction rules reference. While you are familiarizing yourself with the ASR rules set, take note of the per-rule GUID mappings; see: ASR rule to GUID matrix.

ASR rules are only one capability of the attack surface reduction capabilities within Microsoft Defender for Endpoint. This document will go into more detail on deploying ASR rules effectively to stop advanced threats like human-operated ransomware and other threats.

Rules by category

As outlined in Use attack surface reduction rules to prevent malware infection, there are multiple attack surface reduction rules within MDE that you can enable to protect your organization. Following are the rules broken out by category:


Polymorphic threats Lateral movement & credential theft Productivity apps rules Email rules Script rules Misc rules
Block executable files from running unless they meet a prevalence (1000 machines), age (24 hrs), or trusted list criteria Block process creations originating from PSExec and WMI commands Block Office apps from creating executable content Block executable content from email client and webmail Block obfuscated JS/VBS/PS/macro code Block abuse of exploited vulnerable signed drivers [1]
Block untrusted and unsigned processes that run from USB Block credential stealing from the Windows local security authority subsystem (lsass.exe)[2] Block Office apps from creating child processes Block only Office communication applications from creating child processes Block JS/VBS from launching downloaded executable content
Use advanced protection against ransomware Block persistence through WMI event subscription Block Office apps from injecting code into other processes Block Office communication apps from creating child processes
Block Adobe Reader from creating child processes

(1) Block abuse of exploited vulnerable signed drivers isn't currently available in MEM Endpoint security. You can configure this rule using MEM OMA-URI.

(2) Some ASR rules generate considerable noise, but won't block functionality. For example, if you're updating Chrome; Chrome will access lsass.exe; passwords are stored in lsass on the device. However, Chrome should not be accessing local device lsass.exe. If you enable the rule to block access to lsass, it will generate a lot of events. Those events are good events because the software update process should not access lsass.exe. Enabling this rule will block Chrome updates from accessing lsass, but will not block Chrome from updating; this is also true of other applications that make unnecessary calls to lsass.exe. The block access to lsass rule will block unnecessary calls to lsass, but won't block the application from running.

Infrastructure requirements

Although multiple methods of implementing ASR rules are possible, this guide is based on an infrastructure consisting of:

  • Azure Active Directory
  • Microsoft Endpoint Management (MEM)
  • Windows 10 and Windows 11 devices
  • Microsoft Defender for Endpoint E5 or Windows E5 licenses

To take full advantage of ASR rules and reporting, we recommend using a Microsoft 365 Defender E5 or Windows E5 license, and A5. Learn more: Minimum requirements for Microsoft Defender for Endpoint.

Note

There are multiple methods to configure ASR rules. ASR rules can be configured using: Microsoft Endpoint Manager (MEM), PowerShell, Group Policy, Microsoft System Center Configuration Manager (SCCM), MEM OMA-URI. If you are using a different infrastructure configuration than what is listed for Infrastructure requirements (above), you can learn more about deploying attack surface reduction rules using other configurations here: Enable attack surface reduction rules.

ASR rules dependencies

Microsoft Defender Antivirus must be enabled and configured as primary anti-virus solution, and must be in the following mode:

  • Primary antivirus/antimalware solution
  • State: Active mode

Microsoft Defender Antivirus must not be in any of the following modes:

  • Passive
  • Passive Mode with Endpoint detection and response (EDR) in Block Mode
  • Limited periodic scanning (LPS)
  • Off

See: Cloud-delivered protection and Microsoft Defender Antivirus.

Cloud Protection (MAPS) must be enabled

Microsoft Defender Antivirus works seamlessly with Microsoft cloud services. These cloud protection services, also referred to as Microsoft Advanced Protection Service (MAPS), enhances standard real-time protection, arguably providing the best antivirus defense. Cloud protection is critical to preventing breaches from malware and a critical component of ASR rules. Turn on cloud-delivered protection in Microsoft Defender Antivirus.

Microsoft Defender Antivirus components must be current versions

The following Microsoft Defender Antivirus component versions must be no more than two versions older than the most-currently-available version:

  • Microsoft Defender Antivirus Platform update version - Microsoft Defender Antivirus platform is updated monthly.
  • Microsoft Defender Antivirus engine version - Microsoft Defender Antivirus engine is updated monthly.
  • Microsoft Defender Antivirus security intelligence - Microsoft continually updates Microsoft Defender security intelligence (also known as, definition and signature) to address the latest threats, and to refine detection logic.

Keeping Microsoft Defender Antivirus versions current helps reduce ASR rules false positive results and improves Microsoft Defender Antivirus detection capabilities. For more details on the current versions and how to update the different Microsoft Defender Antivirus components visit Microsoft Defender Antivirus platform support.

Caveat

Some rules don't work well if un-signed, internally developed application and scripts are in high usage. It is more difficult to deploy ASR rules if code signing is not enforced.

ASR rules deployment steps

As with any new, wide-scale implementation which could potentially impact your line-of-business operations, it is important to be methodical in your planning and implementation. Because of the powerful capabilities of ASR rules in preventing malware, careful planning and deployment of these rules is necessary to ensure they work best for your unique customer workflows. To work in your environment, you need to plan, test, implement, and operationalize ASR rules carefully.

Note

For Customers who are using a non-Microsoft HIPS and are transitioning to Microsoft Defender for Endpoint attack surface reduction rules: Microsoft advises customers to run their HIPS solution side-by-side with their ASR rules deployment until the moment you shift from Audit to Block mode. Keep in mind that you must reach out to your 3rd-party antivirus vendor for exclusion recommendations.

Additional topics in this deployment collection

Test attack surface reduction (ASR) rules

Enable attack surface reduction (ASR) rules

Operationalize attack surface reduction (ASR) rules

Attack surface reduction (ASR) rules reference

Reference

Blogs

Demystifying attack surface reduction rules - Part 1

Demystifying attack surface reduction rules - Part 2

Demystifying attack surface reduction rules - Part 3

Demystifying attack surface reduction rules - Part 4

ASR collection

Overview of attack surface reduction

Use attack surface reduction rules to prevent malware infection

Enable attack surface reduction rules - alternate configurations

Attack surface reduction rules reference

Attack surface reduction FAQ

Microsoft Defender

Address false positives/negatives in Microsoft Defender for Endpoint

Cloud-delivered protection and Microsoft Defender Antivirus

Turn on cloud-delivered protection in Microsoft Defender Antivirus

Configure and validate exclusions based on extension, name, or location

Microsoft Defender Antivirus platform support

Overview of inventory in the Microsoft 365 Apps admin center

Create a deployment plan for Windows

Use role-based access control (RBAC) and scope tags for distributed IT in Intune

Assign device profiles in Microsoft Intune

Management sites

Microsoft Endpoint Manager admin center

Attack surface reduction

ASR rules Configurations

ASR rules Exclusions