Implement Windows 10 Security Enhancements

Understand Attack Surface Reduction

Attack Surface Reduction is about hardening the places where a threat is likely to attack. When you investigate an alert, you should also know which events Attack Surface Reduction generates on the host, because those events can provide forensic evidence.

The following is a list of the Attack Surface Reduction components, each with a description of what it does:

  • Attack Surface Reduction: Reduce vulnerabilities (attack surfaces) in your applications with intelligent rules that help stop malware (requires Microsoft Defender Antivirus).
  • Hardware-based isolation: Protect and maintain the integrity of a system as it starts and while it's running, validate system integrity through local as well as remote attestation, and use container isolation for Microsoft Edge to help guard against malicious websites.
  • Application control: Use application control so that your applications must earn trust in order to run.
  • Exploit protection: Help protect the operating systems and apps your organization uses from being exploited. It also works with third-party antivirus solutions.
  • Network protection: Extend protection to your network traffic and connectivity on your organization's devices (requires Microsoft Defender Antivirus).
  • Web protection: Secure your devices against web threats and help you regulate unwanted content.
  • Controlled folder access: Help prevent malicious and suspicious apps from making changes to the files in your key system folders (requires Microsoft Defender Antivirus).
  • Network firewall: Prevent unauthorized traffic from flowing to or from your organization's devices with two-way network traffic filtering.


Enable attack surface reduction rules

Reducing your attack surface means protecting your organization's devices and network, which leaves attackers with fewer ways to perform attacks. Attack Surface Reduction rules target certain software behaviors that are often abused by attackers, such as:

  • Launching executable files and scripts that attempt to download or run files.
  • Running obfuscated or otherwise suspicious scripts.
  • Performing behaviors that apps don't usually initiate during normal day-to-day work. 

Such software behaviors are sometimes seen in legitimate applications; however, they are considered risky because they are commonly abused by malware. Attack Surface Reduction rules can constrain these risky behaviors and help keep your organization safe.

Each Attack Surface Reduction rule has one of three settings:

  • Not configured: Disable the attack surface reduction rule.
  • Block: Enable the attack surface reduction rule.
  • Audit: Evaluate how the attack surface reduction rule would impact your organization if it were enabled.

Attack surface reduction rules

Attack Surface Reduction currently supports all of the rules below:
  • Block executable content from email client and webmail.
  • Block all Office applications from creating child processes.
  • Block Office applications from creating executable content.
  • Block JavaScript and VBScript from launching downloaded executable content.
  • Block execution of potentially obfuscated scripts.
  • Block Win32 API calls from Office macros.
  • Use advanced protection against ransomware.
  • Block credential stealing from the Windows local security authority subsystem (lsass.exe).
  • Block process creations originating from PsExec and WMI commands.
  • Block untrusted and unsigned processes that run from USB.
  • Block executable files from running unless they meet a prevalence, age, or trusted list criterion.
  • Block Office communication applications from creating child processes.
  • Block Adobe Reader from creating child processes.
  • Block persistence through WMI event subscription.

Exclude files and folders from the attack surface reduction rules

An exclusion specifies that even if an attack surface reduction rule determines that a particular file or folder contains malicious behavior, it will not block the file from running. This means that potentially unsafe files are allowed to run and infect your devices, so exclusions should be kept to the minimum the business actually needs.

You can easily specify individual files or folders, but you cannot specify which rules the exclusion applies to: an exclusion applies to all rules. An exclusion takes effect only when the excluded application or service starts.

Audit mode for evaluation

You can use audit mode to evaluate how the attack surface reduction rules would impact your organization if they were enabled. It is best practice to run all the rules in audit mode first so you can understand their impact on your line-of-business applications. By monitoring the audit data and adding exclusions for the applications that need them, you can then deploy attack surface reduction rules in block mode without impacting productivity.
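The audit data mentioned above lives in the Microsoft Defender operational event log, which is also where the forensic evidence for an alert investigation comes from. The following PowerShell script is an added example, not part of the original post: it collects the ASR events from the last few days and groups them by rule and originating process, so you can see which rules would fire on which line-of-business applications before switching them to Block. It assumes Microsoft Defender Antivirus is active; event IDs 1121 (rule fired in Block mode) and 1122 (rule fired in Audit mode) are the documented ASR event IDs, while the EventData field names `ID`, `Path` and `Process Name` are an assumption that you should verify against one sample event on your own host.

```powershell
# Added example (not from the original post). Requires Microsoft Defender Antivirus.
# Event IDs: 1121 = ASR rule blocked an operation, 1122 = ASR rule audited an operation.
# EventData field names ('ID', 'Path', 'Process Name') are an assumption; confirm
# them with (Get-WinEvent ... | Select-Object -First 1).ToXml() before relying on them.
param(
    [int]$Days = 7
)

$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = (Get-Date).AddDays(-$Days)
}

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No ASR block/audit events in the last $Days days."
    return
}

$rows = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $mode = 'Block'
    if ($e.Id -eq 1122) { $mode = 'Audit' }

    [pscustomobject]@{
        Time    = $e.TimeCreated
        Mode    = $mode
        RuleId  = $data['ID']            # GUID of the ASR rule that fired
        Process = $data['Process Name']  # process that performed the behavior
        Target  = $data['Path']          # file or target the rule acted on
    }
}

# Which rule fires most often, and from which process? Entries caused by known
# line-of-business activity are exclusion candidates; anything unexpected is a
# finding for the investigation.
$rows | Group-Object RuleId, Process |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'RuleId';  e = { $_.Group[0].RuleId } },
        @{ n = 'Process'; e = { $_.Group[0].Process } },
        @{ n = 'Mode';    e = { $_.Group[0].Mode } } |
    Format-Table -AutoSize
```

Run it as `.\Get-AsrAuditSummary.ps1 -Days 14` from an elevated prompt; the grouping by rule and process is what makes the audit phase actionable, because it separates one noisy application that needs an exclusion from a rule that is firing broadly.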

Configure attack surface reduction rules

You can set these rules for devices running any of the following editions and versions of Windows:

  • Windows 10 Pro, version 1709 or later
  • Windows 10 Enterprise, version 1709 or later
  • Windows Server, version 1803 (semi-annual channel) or later
  • Windows Server 2019

You can enable attack surface reduction rules by using any of these methods:

  • Microsoft Intune
  • Mobile Device Management (MDM)
  • Microsoft Endpoint Configuration Manager
  • Group Policy
  • PowerShell 

Enterprise-level management such as Intune or Microsoft Endpoint Configuration Manager is recommended, because it can overwrite any conflicting Group Policy or PowerShell settings on startup.
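As an added example (not part of the original post), the script below shows the PowerShell method from the list above, tying together the three rule settings (Not configured, Block, Audit), the per-rule configuration, and the exclusion mechanism described earlier. It uses the real `Add-MpPreference` / `Get-MpPreference` cmdlets and their `AttackSurfaceReductionRules_Ids`, `AttackSurfaceReductionRules_Actions` and `AttackSurfaceReductionOnlyExclusions` parameters. The two rule GUIDs are Microsoft's published IDs as known to the author of this example for the "Block all Office applications from creating child processes" and "Block credential stealing from lsass.exe" rules; verify them against the current Microsoft ASR rule reference before deploying, and the exclusion path is a placeholder.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell on a
# host with Microsoft Defender Antivirus active.
# Rule GUIDs: published ASR rule IDs as known to the example's author; verify them
# against Microsoft's ASR rule reference before use.
$rules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from lsass.exe'
}

# Action values used by the Defender cmdlets, mapped to the post's three settings:
#   Disabled  = 0  -> "Not configured"
#   Enabled   = 1  -> "Block"
#   AuditMode = 2  -> "Audit"
$actionName = @{ 0 = 'Not configured'; 1 = 'Block'; 2 = 'Audit' }

function Set-AsrRuleMode {
    param(
        [Parameter(Mandatory)][string[]]$RuleIds,
        [Parameter(Mandatory)][ValidateSet('Disabled', 'Enabled', 'AuditMode')][string]$Action
    )
    # Add-MpPreference updates only the listed rule IDs and leaves other rules alone;
    # Set-MpPreference would replace the whole list. One call per rule keeps the
    # Ids/Actions arrays the same length.
    foreach ($id in $RuleIds) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Action
    }
}

function Get-AsrRuleState {
    # Read back the effective rule list and pair each ID with its current action.
    $pref = Get-MpPreference
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = $pref.AttackSurfaceReductionRules_Ids[$i]
        $a  = [int]$pref.AttackSurfaceReductionRules_Actions[$i]

        $name = '(rule not in this example''s table)'
        if ($rules.ContainsKey($id)) { $name = $rules[$id] }   # hashtable keys are case-insensitive

        $mode = "action $a"
        if ($actionName.ContainsKey($a)) { $mode = $actionName[$a] }

        [pscustomobject]@{ RuleId = $id; Name = $name; Mode = $mode }
    }
}

# Step 1: roll the rules out in Audit mode first, as the post recommends.
Set-AsrRuleMode -RuleIds @($rules.Keys) -Action AuditMode

# Step 2: after reviewing the audit events, exclude only the files that need it.
# An exclusion applies to every ASR rule, not to one chosen rule. Placeholder path.
Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\PLACEHOLDER\LOB\legacy-macro-tool.exe'

# Step 3: switch to Block once the audit data is clean (uncomment when ready).
# Set-AsrRuleMode -RuleIds @($rules.Keys) -Action Enabled

Get-AsrRuleState | Format-Table -AutoSize
```

Keep in mind the point made just above: if Intune or Configuration Manager also manages ASR on the device, its policy wins at the next startup, so changes made this way are suited to a lab or an unmanaged host rather than to a managed fleet.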



