Implement Windows 10 Security Enhancements

By Ashwin Venugopal -

 



Understand Attack Surface Reduction

Attack Surface Reduction is all about hardening the places where a threat is likely to attack and whenever you are performing alert investigations, you should also know the events generated by the Attack Surface Reduction on the host, which might provide forensics evidence.

The following is a list of the Attack Surface Reduction components:

Solution

Description

Attack Surface Reduction

Reduce vulnerabilities (attack surfaces) in your applications with intelligent rules that helps stop malware.(Requires Microsoft Defender Antivirus).

Hardware-based isolation

Protect and maintain the integrity of a system as it starts and while it’s running, validate system integrity through local as well as remote attestation, and use container isolation for Microsoft Edge to help guard against malicious websites.  

Application control

Use application control so that your applications must earn trust in order to run.

Exploit protection

Help protect the operating systems and apps your organization uses from being exploited. It also works with third-party antivirus solutions.

Network protection

Extend protection to your network traffic and connectivity on your organization’s devices. (Requires Microsoft Defender Antivirus).

Web protection

Secure your devices against web threats and helps you regulate the unwanted content.

Control folder access

Helps prevent malicious and suspicious apps from making changes to the files in your key system folders. (Requires Microsoft Defender Antivirus).

Network firewall

Prevent unauthorized traffic from flowing to or from your organization’s devices with the two-way network traffic filtering.

 

Enable attack surface reduction rules

Reducing your attack surface means protecting your organization's devices and network, which leaves the attackers with fewer ways to perform attacks. Attack Surface Reduction rules target certain software behaviors that are often abused by the attackers, such as:

  • Launching executable files and scripts that attempt to download or run files.
  • Running obfuscated or otherwise suspicious scripts.
  • Performing behaviors that apps don't usually initiate during normal day-to-day work. 

Such software behavior are sometimes seen in the legitimate applications; however, these behaviors are often considered risky because they are commonly abused by malware, but the Attack Surface Reduction rules can constrain risky behaviors and help keep your organization safe. 

Each Attack Surface Reduction rule contains one of the three settings:

  • Not configured- Disable the attack surface reduction rule.
  • Block- Enable the attack surface reduction rule.
  • Audit- Evaluate how the attack surface reduction rule would impact your organization if enabled.

Attack surface reduction rules

Attack Surface Reduction rules currently supports all of the rules below: 
  • Block executable content from email client and webmail.
  • Block all Office applications from creating child processes.
  • Block Office applications from creating executable content.
  • Block JavaScript and VBScript from launching downloaded executable content.
  • Block execution of potentially obfuscated scripts.
  • Block Win32 API calls from Office macro.
  • Use advanced protection against ransomware.
  • Block credential stealing from Windows local security authority subsystem (Isass.exe).
  • Block process creations originating from PSExec and WMI commands.
  • Block untrusted and unsigned processes that run from USB.
  • Block executable files from running unless they meet a prevalence, age, or trusted list criteria.
  • Block Office communication applications from creating child processes.
  • Block Adobe Reader from creating child processes.
  • Block persistence through WMI event subscription. 

Exclude files and folders from the attack surface reduction rules

It specify that even if an attack surface reduction rule determines a particular file or folder contains malicious behavior, it will not block the file from running, which means that the potentially unsafe files are allowed to run and infect your devices.

You can easily specify individual files or folders, but you can't specify which rules the exclusion apply to. An exclusion is applied only when the excluded application or service starts. 

Audit mode for evaluation

You can use an audit mode to evaluate how the attack surface reduction rules would impact your organization if they were enabled. It's the best practice to run all the rules in the audit mode first so you can easily understand their impact on your line-of-business applications and by monitoring the audit data and adding exclusions for the necessary applications, you can deploy attack surface reduction rules without impacting productivity.

Configure attack service reduction rules

You can set these rules for the devices running any of the following editions and versions of Windows:

  • Windows 10 Pro, version 1709 or later
  • Windows 10 Enterprise, version 1709 or later
  • Windows Server, version 1803 (semi-annual channel) or later
  • Windows Server 2019

You can enable attack surface reduction rules by using any of these methods:

  • Microsoft Intune
  • Mobile Device Management (MDM)
  • Microsoft Endpoint Configuration Manager
  • Group Policy
  • PowerShell 

Enterprise-level management such as Intune or Microsoft Endpoint Configuration Manager is recommended that can overwrite any conflicting Group Policy or PowerShell settings on startup. 




Comments

Post a Comment

Popular posts from this blog

Deployment (Part 3)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 2, please click  here Microsoft Monitoring Agent (MMA) MMA is used across multiple Microsoft solutions and has undergone a few name changes as its features and functionality have evolved. If it is being considered to be used, then following areas should be covered during a Microsoft Sentinel deployment project: Consider the timelines and the strategy for a migration to AMA (Azure Monitor Agent) before the MMA end-of-life.  Consider the central deployment and management methodology for MMA. Determine which endpoints are in scope for deployment as these affect the log ingestion volume significantly.  Azure Monitor Agent (AMA) Organizations with MMA as the main Microsoft Sentinel agent should start planning the migration to AMA as soon as possible to avoid a rushed migration. One of the main advantages of AMA is the ability to control the log collection policy centrally and apply different policies against different...
Read more

Deployment (Part 1)

By Ashwin Venugopal -
Image
  To read part 2, please click  here To read part 3, please click  here Azure Resources Microsoft Sentinel needs following resources to be created: Subscription (if a dedicated subscription(s) will be used) Resource group(s) Log Analytics workspace(s) Automation rules/playbook Alert rules Workbooks Microsoft Sentinel offers hundreds of alert rules, workbooks, and automation playbook templates along with hunting scripts. The templates can be used to activate/deploy schedule alerts, create customized dashboards, create automation playbooks and perform threat-hunting activities. Generally, once deployed, the resources created have to be adjusted to match the existing environment, configure local credentials, etc. Methods of deployment: Manual- Administrator can manually configures the Microsoft Sentinel resources with the help of Azure portal. Any manual process has the inherent risks of human operator error, lack of compliance with potential change control procedures, and u...
Read more

Project Resourcing (Part 2)

By Ashwin Venugopal -
Image
  To read part 1, please click  here Engineering - SIEM The SIEM engineers configures Microsoft Sentinel, including Log Analytics, Logic Apps, workbooks, and playbooks. They are also responsible for the following high-level tasks: Initial configuration of Azure tenant, including provisioning required resources, assigning access roles, and configuring workspace parameters like log retention, resource tagging, and blueprints.  Deployment and configuration of syslog/CEF log collection agents in appropriate locations to collect logs from on-premises devices. Generally, it will be joint effort of both system engineer and SIEM engineer, involving configuration and potential troubleshooting.  Working with system owners to enable log forwarding and configuring any required parsing of log data in Log Analytics.  Working with security operations to create and deploy KQL analytic rules to offer detections for SOC/Computer Security Incident Response Team (CSRIT) use. Tuning...
Read more