Intune Stuff | The Community place for Microsoft Intune, Intune Suite, Autopilot, macOS Management, Copilot for Security.

Intune Attack Surface Reduction Rules for Windows Server OS

Nov 13, 2023 | Alerts, Blog, Intune, Manuals, Microsoft Defender, Microsoft Entra ID, News, Security, Windows Server

Your organization’s attack surface includes all the places where an attacker could compromise your organization’s devices or networks. Reducing your attack surface means protecting your organization’s devices and network, which leaves attackers with fewer ways to perform attacks. Configuring attack surface reduction (ASR) rules in Microsoft Defender for Endpoint, and deploying them through Intune, is how you apply this protection to Windows Server.

Attack surface reduction rules target certain software behaviors, such as:

  • Launching executable files and scripts that attempt to download or run files
  • Running obfuscated or otherwise suspicious scripts
  • Performing behaviors that apps don’t usually initiate during normal day-to-day work

Such software behaviors are sometimes seen in legitimate applications. However, these behaviors are often considered risky because they’re commonly abused by attackers through malware. Attack surface reduction rules can constrain software-based risky behaviors and help keep your organization safe.

For a sequential, end-to-end process of how to manage attack surface reduction rules, see these Microsoft links:

You can assess how an attack surface reduction rule might affect your network by opening the security recommendation for that rule in Microsoft Defender Vulnerability Management.

In the recommendation details pane, check for user impact to determine what percentage of your devices can accept a new policy enabling the rule in blocking mode without adversely affecting productivity.

Audit mode

Use audit mode to evaluate how attack surface reduction rules would affect your organization if enabled. Run all rules in audit mode first so you can understand how they affect your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they might perform tasks in ways that seem similar to malware.

When your policies are set to audit mode you can find the logs for every single ASR rule in the Microsoft 365 Security Portal. Go to Reports in the left column and click Attack Surface Reduction rules.

Change the 1st filter from Standard Protection to All.

Now on the Select Rules filter you can choose all different ASR rules.

Click any rule to see if there are audit logs available.

Please note that the Date filter can go back for a maximum of 1 month.

Warn mode

This is new!

Prior to warn mode capabilities, attack surface reduction rules that are enabled could be set to either audit mode or block mode. With the new warn mode, whenever content is blocked by an attack surface reduction rule, users see a dialog box that indicates the content is blocked. The dialog box also offers the user an option to unblock the content. The user can then retry their action, and the operation completes. When a user unblocks content, the content remains unblocked for 24 hours, and then blocking resumes. Warn mode helps your organization have attack surface reduction rules in place without preventing users from accessing the content they need to perform their tasks.

Requirements for warn mode to work

Warn mode is supported on devices running the following versions of Windows:

  • Windows 10, version 1809 or later
  • Windows 11
  • Windows Server, version 1809 or later

Microsoft Defender Antivirus must be running with real-time protection in Active mode.

Also, make sure Microsoft Defender Antivirus and antimalware updates are installed.

  • Minimum platform release requirement: 4.18.2008.9
  • Minimum engine release requirement: 1.1.17400.5

Cases where warn mode isn’t supported

Warn mode isn’t supported for three attack surface reduction rules when you configure them in Microsoft Intune. (If you use Group Policy to configure your attack surface reduction rules, warn mode is supported.) The three rules that don’t support warn mode when you configure them in Microsoft Intune are as follows:

Also, warn mode isn’t supported on devices running older versions of Windows. In those cases, attack surface reduction rules that are configured to run in warn mode run in block mode instead.
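The following PowerShell is an added example, not code from the original post. Run it in an elevated session on the server itself: it checks the warn-mode prerequisites listed above, prints how each configured ASR rule is set locally (flagging warn-mode rules that will actually enforce as block on this host), and summarises audit/block events from the local Defender log, which is not limited to the 1-month window of the portal report. It assumes the Defender PowerShell module is present and that the rule GUID appears in the event message text.

```powershell
# Added example (not from the original post). Requires the Defender module
# (Get-MpPreference / Get-MpComputerStatus) and an elevated PowerShell session.
$minPlatform = [version]'4.18.2008.9'   # minimum platform release (from the post)
$minEngine   = [version]'1.1.17400.5'   # minimum engine release (from the post)
$minBuild    = 17763                    # Windows 10 / Windows Server version 1809

$status = Get-MpComputerStatus
$prefs  = Get-MpPreference

# Warn mode needs a supported build, real-time protection in Active mode,
# and current platform/engine versions.
$checks = [ordered]@{
    "OS build >= $minBuild (1809)" = ([Environment]::OSVersion.Version.Build -ge $minBuild)
    'Real-time protection on'      = [bool]$status.RealTimeProtectionEnabled
    'Defender in Active mode'      = ($status.AMRunningMode -eq 'Normal')
    "Platform >= $minPlatform"     = ([version]$status.AMProductVersion -ge $minPlatform)
    "Engine >= $minEngine"         = ([version]$status.AMEngineVersion -ge $minEngine)
}
foreach ($c in $checks.GetEnumerator()) {
    '{0,-34} {1}' -f $c.Key, $(if ($c.Value) { 'OK' } else { 'MISSING' })
}
$warnReady = -not ($checks.Values -contains $false)

# Action values as stored by Set-MpPreference: 0 Disabled, 1 Block, 2 Audit, 6 Warn.
$modeName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
$ids     = @($prefs.AttackSurfaceReductionRules_Ids     | Where-Object { $_ })
$actions = @($prefs.AttackSurfaceReductionRules_Actions | Where-Object { $null -ne $_ })
for ($i = 0; $i -lt $ids.Count; $i++) {
    $mode = $modeName[[int]$actions[$i]]
    if (-not $mode) { $mode = "Unknown($($actions[$i]))" }
    # A rule set to Warn on a host that fails the prerequisites enforces as Block.
    $note = if ($mode -eq 'Warn' -and -not $warnReady) { '  <- runs as Block here' } else { '' }
    '{0}  {1}{2}' -f $ids[$i], $mode, $note
}

# Local evidence for the audit phase: event 1122 = audited, 1121 = blocked.
# Assumption: the rule GUID is present in the message text, so a regex extracts it.
$guidRx = '[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}'
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = (Get-Date).AddDays(-90)
} -ErrorAction SilentlyContinue
$events | ForEach-Object {
    [pscustomobject]@{
        Mode = if ($_.Id -eq 1122) { 'Audit' } else { 'Block' }
        Rule = [regex]::Match($_.Message, $guidRx).Value.ToLower()
    }
} | Group-Object Mode, Rule | Sort-Object Count -Descending | Select-Object Count, Name
```

Compare the per-rule counts with what the portal report shows for the same device before moving a rule from audit to warn or block.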

Supported ASR Rules per OS

The Microsoft article referenced above lists which ASR rules are supported on each OS.


There is, however, one important catch to all this. If a policy contains even one rule (configured in audit mode, for example) that is not supported on the target OS, for example Windows Server 2016, all the other ASR rules in that policy will not work on that device either.

The solution to this catch is to create dynamic groups in Entra ID based on the OS, combined with an ASR rule configuration per OS.
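As an added example (not the post's own code), the Microsoft Graph PowerShell snippet below creates one Entra ID dynamic device group per Windows Server release so that a separate ASR policy, containing only the rules supported on that release, can be assigned to each group. It assumes the Microsoft.Graph.Groups module is installed and that the deviceOSVersion attribute of your hybrid-joined servers starts with the kernel build listed; confirm this against a device entry in the Entra portal before relying on the rule.

```powershell
# Added example (not from the original post). Requires the Microsoft Graph
# PowerShell SDK and permission to create groups.
Connect-MgGraph -Scopes 'Group.ReadWrite.All'

# Kernel build numbers that identify each server release.
# Assumption: device.deviceOSVersion in Entra ID starts with these values.
$serverBuilds = [ordered]@{
    'Server2016' = '10.0.14393'
    'Server2019' = '10.0.17763'
    'Server2022' = '10.0.20348'
}

foreach ($entry in $serverBuilds.GetEnumerator()) {
    # Assumption: deviceOSType of a server starts with "Windows"; -startsWith
    # keeps the rule valid whether the value is "Windows" or "Windows Server...".
    $rule = '(device.deviceOSType -startsWith "Windows") and (device.deviceOSVersion -startsWith "{0}")' -f $entry.Value
    $name = "ASR-Devices-$($entry.Key)"
    $nick = $name -replace '[^A-Za-z0-9]', ''   # mailNickname allows no punctuation

    # Idempotent: do not recreate a group that already exists.
    if (Get-MgGroup -Filter "displayName eq '$name'" -ErrorAction SilentlyContinue) {
        "Exists: $name"
        continue
    }
    $group = New-MgGroup -DisplayName $name `
        -Description "Dynamic group for the $($entry.Key) ASR policy" `
        -MailEnabled:$false -MailNickname $nick -SecurityEnabled `
        -GroupTypes @('DynamicMembership') `
        -MembershipRule $rule -MembershipRuleProcessingState 'On'
    "Created: $name ($($group.Id)) with rule: $rule"
}
```

Assign each per-OS ASR policy in Intune to its matching group only, so a device never receives a rule its OS does not support.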

I have also written an article on how to set up the ability to onboard servers into Microsoft Defender; you can find it here.
