
Configuring attack surface reduction in Windows 10

Attack surface reduction is a new Windows Defender Exploit Guard security feature in Windows 10 that Microsoft introduced in the Fall Creators Update.

Attack surface reduction can prevent common actions of malicious software running on Windows 10 devices that have the feature enabled.

The feature is rules-based and targets typical malware actions and behaviors. You can enable rules that, for example, block the execution of obfuscated scripts, block executable content delivered through mail clients, or prevent Office applications from spawning child processes.

Attack surface reduction is only available if you enable real-time protection in Windows Defender Antivirus.

Attack Surface Reduction Rules

The following rules are available in the Windows 10 Fall Creators Update:

  1. Block execution of (potentially) obfuscated scripts (5BEB7EFE-FD9A-4556-801D-275E5FFC04CC)
  2. Block executable content in email and webmail clients (BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550)
  3. Block Office applications from creating child processes (D4F940AB-401B-4EFC-AADC-AD5F3C50688A)
  4. Block creation of executable content by Office applications (3B576869-A4EC-4529-8536-B80A7769E899)
  5. Block Office applications from injecting data into other processes (75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84)
  6. Block Win32 imports from macro code in Office (92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B)
  7. Prevent JavaScript and VBScript from launching executables (D3E037E1-3EB8-44C8-A917-57927947596D)

Attack Surface Reduction Settings

Attack Surface Reduction protection can be configured in three different ways:

  1. Using Group Policy.
  2. Using PowerShell.
  3. Using MDM CSP.

Configuring rules using policies

To get started, you need to launch the Group Policy editor. Please note that the Group Policy Editor is not available in Windows 10 Home editions.

Home users can check out Policy Plus, a third-party tool that brings policy editing to all Windows 10 editions.

  1. Tap on the Windows key, type gpedit.msc and press the Enter key to launch the Group Policy editor in Windows 10.
  2. Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack surface reduction.
  3. Double-click the “Configure attack surface reduction rules” policy.
  4. Set the policy to Enabled.
  5. Once the policy is enabled, the “Show” button becomes available. Click Show to open the “Show Contents” window.

The Show Contents window is a table that accepts one Attack Surface Reduction rule per row. The value name is the rule ID listed in parentheses in the rules above; the value is the mode the rule should run in. Note that rules set through Group Policy take precedence over local settings, so a rule you later change with PowerShell on the same device will be reset when policy refreshes.

The value accepts the following input:

  • 0 = disabled. The rule is not active.
  • 1 = enabled. The rule is active and blocking mode is activated.
  • 2 = audit mode. The events will be logged, but the actual rule is not applied.

Configuring rules using PowerShell

You can use PowerShell to configure rules.

  1. Press the Windows key, type PowerShell, hold down the Shift and Ctrl keys, and press Enter (or click the PowerShell entry) to launch an elevated PowerShell prompt. The Defender cmdlets below require administrator rights.

The cmdlets take two positionally aligned parameters: a list of rule IDs and a list of actions, one action per ID. Use Add-MpPreference to add rules to the existing configuration; Set-MpPreference with the same parameters replaces the entire rule list with what you pass in, so use it only when you intend to overwrite every rule.

Use the following command to add a rule in blocking mode (here the obfuscated-scripts rule):

Add-MpPreference -AttackSurfaceReductionRules_Ids 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -AttackSurfaceReductionRules_Actions Enabled

Use the following command to add a rule in audit mode:

Add-MpPreference -AttackSurfaceReductionRules_Ids 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -AttackSurfaceReductionRules_Actions AuditMode

Use the following command to set a rule to disabled:

Add-MpPreference -AttackSurfaceReductionRules_Ids 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -AttackSurfaceReductionRules_Actions Disabled

You can combine multiple rules in a single command by passing comma-separated lists of IDs and matching actions:

Add-MpPreference -AttackSurfaceReductionRules_Ids 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC,D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions AuditMode,Enabled

To verify the current configuration, run Get-MpPreference and inspect the AttackSurfaceReductionRules_Ids and AttackSurfaceReductionRules_Actions properties.
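The following script is an added example that is not part of the original article. It ties the Group Policy and PowerShell sections together: it adds all seven rules listed above in audit mode with Add-MpPreference, reads the effective configuration back with Get-MpPreference, checks whether a Group Policy setting is managing the rules (the policy registry path used here is the one the ADMX template writes to; treat it as an assumption and verify it on your build), and then pulls the audit and block events Windows Defender records so the rules can be reviewed before switching them to blocking mode. Event IDs 1121 (blocked) and 1122 (audited) in the Microsoft-Windows-Windows Defender/Operational log are the documented ASR events; the event data field names used to decode them ("ID", "Path", "Process Name") are taken from those events and are also assumptions to confirm on your system.

```powershell
#Requires -RunAsAdministrator
# Added example, not the article's own code. Rule IDs are the ones listed in the article.
$AsrRules = [ordered]@{
    'ObfuscatedScripts'       = '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC'
    'MailExecutableContent'   = 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'
    'OfficeChildProcess'      = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    'OfficeExecutableContent' = '3B576869-A4EC-4529-8536-B80A7769E899'
    'OfficeProcessInjection'  = '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84'
    'OfficeMacroWin32Api'     = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'
    'ScriptLaunchExecutable'  = 'D3E037E1-3EB8-44C8-A917-57927947596D'
}
# Action codes are the same 0/1/2 values the Group Policy table accepts.
$ActionName = @{ 0 = 'Disabled'; 1 = 'Enabled (block)'; 2 = 'AuditMode' }

# 1. Add every rule in audit mode. Add-MpPreference appends; Set-MpPreference would
#    replace the whole list. Both parameter arrays must be the same length and aligned.
$ids     = @($AsrRules.Values)
$actions = @($ids | ForEach-Object { 'AuditMode' })
Add-MpPreference -AttackSurfaceReductionRules_Ids $ids -AttackSurfaceReductionRules_Actions $actions

# 2. Read the effective configuration back and print it in a readable form.
$pref = Get-MpPreference
Write-Host "Effective ASR configuration:"
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id   = $pref.AttackSurfaceReductionRules_Ids[$i]
    $code = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
    $name = ($AsrRules.GetEnumerator() | Where-Object { $_.Value -ieq $id }).Key
    if (-not $name) { $name = 'unknown' }
    $mode = if ($ActionName.ContainsKey($code)) { $ActionName[$code] } else { "code $code" }
    '  {0,-24} {1}  {2}' -f $name, $id, $mode
}

# 3. Detect a Group Policy override. If this key exists, policy will reset local
#    changes at the next refresh. Path is an assumption based on the ADMX template.
$policyRules = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules'
if (Test-Path $policyRules) {
    Write-Warning "ASR rules are managed by Group Policy; local Add-MpPreference changes will be overridden."
    Get-ItemProperty -Path $policyRules | Select-Object -Property * -ExcludeProperty PS* | Format-List
}

# 4. Pull recent ASR events. 1121 = rule fired in block mode, 1122 = rule fired in audit mode.
#    Get-WinEvent throws when nothing matches, hence -ErrorAction SilentlyContinue.
$filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122 }
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents 50 -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Host "No ASR events recorded yet; trigger some normal user activity and re-run."
    return
}
$events | ForEach-Object {
    # Decode named EventData fields rather than relying on positional indexes.
    [xml]$xml = $_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $ruleId   = $data['ID']
    $ruleName = ($AsrRules.GetEnumerator() | Where-Object { $_.Value -ieq $ruleId }).Key
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Mode    = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
        Rule    = if ($ruleName) { $ruleName } else { $ruleId }
        Process = $data['Process Name']
        Target  = $data['Path']
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize
```

Run the rules in audit mode for a few days, review the 1122 events for legitimate line-of-business activity (macro-heavy Office workflows are the usual source of false positives), and only then re-run Add-MpPreference with Enabled for the rules whose audit log is clean.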
