SC-900 | Chapter 76 of 103 | Objective 3.3

Attack Surface Reduction Rules

This chapter covers Attack Surface Reduction (ASR) rules, a key component of Microsoft Defender for Endpoint. ASR rules are a set of policies that block specific behaviors and techniques commonly used by malware, reducing the attack surface of Windows endpoints. For the SC-900 exam, ASR rules appear in approximately 5-10% of questions related to security solutions, particularly in the context of threat protection and vulnerability management. Understanding ASR rules—what they are, how they work, and how they are configured—is essential for demonstrating knowledge of Microsoft's defense-in-depth strategy.

25 min read
Intermediate
Updated May 31, 2026

ASR Rules as a Building Security Guard

Imagine a large office building with a security guard at the main entrance. The guard has a list of prohibited behaviors: no throwing objects, no running, no shouting. These are like Attack Surface Reduction (ASR) rules. When someone tries to enter, the guard checks their behavior against the list. If someone attempts to run, the guard blocks them and logs the incident. However, the guard cannot see what people do once they are inside the building—that is the job of endpoint detection and response (EDR). ASR rules act at the entrance, preventing certain risky actions before they can cause harm. The rules are predefined by building management (Microsoft) but can be customized. They are not a complete security solution but a critical first layer that reduces the attack surface by blocking common malicious behaviors. Just as the guard's list is updated based on new threats, ASR rules receive regular updates from Microsoft to address emerging attack techniques.

How It Actually Works

What are Attack Surface Reduction (ASR) Rules?

Attack Surface Reduction (ASR) rules are a feature of Microsoft Defender for Endpoint (formerly Windows Defender ATP) that helps prevent common attack vectors by blocking specific behaviors and techniques used by malware. These rules are essentially policy-driven restrictions that govern how applications can interact with the operating system and other applications. They are designed to reduce the attack surface—the total set of vulnerabilities and entry points that an attacker can exploit—by restricting certain actions that are often abused.

ASR rules are part of the broader Microsoft Defender for Endpoint suite, which includes endpoint detection and response (EDR), antivirus, and vulnerability management. They are available on Windows 10 Pro, Enterprise, and Education editions (version 1709 or later) and Windows Server 2016 and later. For the exam, you need to know that ASR rules are not available on Windows 10 Home or earlier versions.

How ASR Rules Work Internally

ASR rules operate at the kernel level by monitoring system calls and process behaviors. When an application attempts to perform an action that matches an ASR rule (e.g., trying to execute a script from an email client), the rule intercepts the action before it is allowed. The rule then checks the action against its configuration and either blocks it, allows it, or audits it (logs the attempt without blocking). The decision is based on the rule's mode:

- Block: The action is prevented, and an event is logged.
- Audit: The action is allowed but logged for analysis.
- Warn (only available via Intune): The user is prompted with a warning and can choose to allow or block the action.
- Disabled: The rule is not enforced.

Internally, ASR rules use Windows Defender's cloud-delivered protection and machine learning to identify suspicious behaviors. They rely on the Microsoft Defender Antivirus engine and the Windows Security Center. When a rule blocks an action, the user sees a notification from Windows Security, and an event is recorded in the Microsoft 365 Defender portal.

Key Components and Default Values

ASR rules are identified by GUIDs (Globally Unique Identifiers). The exam expects you to recognize common rule names and their effects, but you do not need to memorize GUIDs. However, knowing that each rule has a specific GUID is important for configuration via PowerShell or Group Policy. There are currently over 15 ASR rules, but the exam focuses on a subset. Key rules include:

Block executable files from running unless they meet a prevalence, age, or trusted list criterion (GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25): This rule blocks executables that are not widely known or trusted. It uses Microsoft's cloud intelligence to determine prevalence.

Block Office applications from creating child processes (GUID: d4f940ab-401b-4efc-aadc-ad5f3c50688a): This prevents Office apps (Word, Excel, etc.) from spawning other processes like PowerShell, which is a common malware technique.

Block execution of potentially obfuscated scripts (GUID: 5beb7efe-fd9a-4556-801d-275e5ffc04cc): This detects and blocks scripts that are obfuscated to hide malicious intent.

Block credential stealing from the Windows local security authority subsystem (lsass.exe) (GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2): This prevents tools like Mimikatz from accessing LSASS memory.

Block persistence through WMI event subscription (GUID: e6db77e5-3df2-4cf1-b95a-636979351e5b): This blocks attackers from using WMI to maintain persistence.

Default values: ASR rules are not enabled by default. They must be explicitly configured via Group Policy, Intune, or Microsoft Endpoint Configuration Manager. The recommended mode for most rules is "Block" in production, but "Audit" is often used initially to measure impact.

Configuration and Verification

ASR rules can be configured using several methods:

1. Group Policy: Use Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction. Each rule can be set to Block, Audit, or Disabled.

2. PowerShell: Use the Set-MpPreference cmdlet with the -AttackSurfaceReductionRules_Ids and -AttackSurfaceReductionRules_Actions parameters. Example:

Set-MpPreference -AttackSurfaceReductionRules_Ids "01443614-cd74-433a-b99e-2ecdc07bfc25","d4f940ab-401b-4efc-aadc-ad5f3c50688a" -AttackSurfaceReductionRules_Actions Enabled,Enabled

3. Intune: In Endpoint Security > Attack Surface Reduction, you can create a policy and assign rules with Block, Audit, or Warn modes.

4. Microsoft Endpoint Configuration Manager: Under Assets and Compliance > Endpoint Protection > Windows Defender Exploit Guard.

To verify which ASR rules are active, use PowerShell:

Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids

This returns the GUIDs of configured rules; the matching AttackSurfaceReductionRules_Actions property holds the mode of each rule in the same order. You can also check the Microsoft 365 Defender portal for events.
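As an added example (not code from the original page), the following script configures two rules with PowerShell and then pairs the rule GUIDs with their modes so the verification step shows what is actually enforced rather than just which GUIDs are listed. It assumes an elevated PowerShell session on a Windows 10/11 Pro, Enterprise, or Education machine with Microsoft Defender Antivirus active; the GUID-to-name table is built from the rules listed on this page.

```powershell
# Added example: configure ASR rules with PowerShell and read the effective state back.
# Assumes an elevated session on Windows 10/11 Pro/Enterprise/Education with Defender AV active.
#Requires -RunAsAdministrator

# GUID-to-name table, taken from the rules listed on this page.
$AsrRuleNames = @{
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Block executables unless they meet prevalence, age, or trusted list criteria'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block Office applications from creating child processes'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    'e6db77e5-3df2-4cf1-b95a-636979351e5b' = 'Block persistence through WMI event subscription'
}

# Desired state for this example: enforce the LSASS rule, audit the Office rule first.
# -AttackSurfaceReductionRules_Actions accepts Enabled, AuditMode, Disabled or the
# numeric codes 1, 2, 0 that the Group Policy "Show..." dialog uses.
$Desired = @(
    @{ Id = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'; Action = 'Enabled'   }  # Block
    @{ Id = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'; Action = 'AuditMode' }  # Audit, measure impact first
)

# Add-MpPreference merges into the existing rule list. Set-MpPreference with the same
# parameters replaces the whole list, which silently drops rules configured earlier.
foreach ($rule in $Desired) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $rule.Id `
                     -AttackSurfaceReductionRules_Actions $rule.Action
}

function Get-AsrRuleState {
    # Get-MpPreference returns Ids and Actions as two parallel arrays; pair them so
    # every rule shows with its mode. Audit and Disabled rules are listed too, so the
    # Ids array alone does not tell you what is enforced.
    $pref      = Get-MpPreference
    $ids       = @($pref.AttackSurfaceReductionRules_Ids)
    $actions   = @($pref.AttackSurfaceReductionRules_Actions)
    $modeNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }  # 6 appears when Warn was deployed via Intune
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $code = [int]$actions[$i]
        [pscustomobject]@{
            RuleId = $ids[$i]
            Name   = if ($AsrRuleNames.ContainsKey($ids[$i])) { $AsrRuleNames[$ids[$i]] } else { '(rule not in this table)' }
            Mode   = if ($modeNames.ContainsKey($code)) { $modeNames[$code] } else { "Unknown($code)" }
        }
    }
}

Get-AsrRuleState | Format-Table -AutoSize
```

Run it once to apply the two rules, then call Get-AsrRuleState on its own whenever you need to confirm the mode of each rule; a GUID that appears in the list with Mode = Audit is being logged, not enforced.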

Interaction with Related Technologies

ASR rules work alongside other Defender for Endpoint features:

- Microsoft Defender Antivirus: Provides real-time protection against malware. ASR rules block behaviors that might bypass antivirus.
- Controlled Folder Access: Protects sensitive folders from unauthorized changes. ASR rules can block ransomware from modifying protected folders.
- Exploit Protection: Mitigates exploit techniques like buffer overflows. ASR rules complement this by blocking specific attack methods.
- Network Protection: Blocks outbound connections to malicious IPs/domains. ASR rules focus on local behaviors.

ASR rules are part of the "Reduce Attack Surface" area in the Microsoft 365 Defender portal. They are independent of Microsoft Defender for Cloud (formerly Azure Defender) but can be managed alongside it for hybrid environments.

Exam-Specific Details

For the SC-900 exam, you should know:

ASR rules are part of Microsoft Defender for Endpoint, not Defender for Office 365 or Defender for Identity.

They are available on Windows 10/11 Pro, Enterprise, and Education, and Windows Server.

Modes: Block, Audit, Warn (Intune only), Disabled.

Common rule names and their purposes (as listed above).

ASR rules do not replace antivirus; they add a layer of behavior-based prevention.

They are configured via Group Policy, Intune, PowerShell, or Configuration Manager.

The exam may present scenarios where you must choose the correct rule to block a specific attack (e.g., blocking credential theft from LSASS).

Trap Patterns on the Exam

Candidates often confuse ASR rules with other Defender features:

- Trap: "ASR rules block all malware from running." Reality: ASR rules block specific behaviors, not all malware. Antivirus handles file-based malware.
- Trap: "ASR rules are enabled by default." Reality: They are not; they must be configured.
- Trap: "ASR rules are available on all Windows editions." Reality: Only Pro, Enterprise, and Education.
- Trap: "ASR rules can be set to 'Allow' mode." Reality: There is no Allow mode; the options are Block, Audit, Warn (Intune only), and Disabled.

Step-by-Step: Enabling an ASR Rule via Group Policy

1. Open Group Policy Management Console: Launch gpmc.msc and edit a GPO that applies to target computers.

2. Navigate to ASR Settings: Go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction.

3. Select a Rule: Double-click "Configure Attack Surface Reduction rules" and set it to Enabled. Then click "Show..." to add rule GUIDs and their action (1 = Block, 2 = Audit, 0 = Disabled).

4. Apply and Force Update: After closing the GPO, run gpupdate /force on target machines to apply the policy.

5. Verify: Use Get-MpPreference to confirm the rules are active. Check Event Viewer under Microsoft-Windows-Windows Defender/Operational for events with Event ID 1121 (block) or 1122 (audit).

Step-by-Step: Monitoring ASR Rule Events

1. Access Microsoft 365 Defender Portal: Go to security.microsoft.com and sign in with appropriate permissions.

2. Navigate to Incidents & Alerts: Under Endpoints, select "Incidents" or "Alerts" to review security events.

3. Filter by ASR Rules: Use the filter for "Attack surface reduction" to see events triggered by ASR rules.

4. Review Event Details: Each event shows the rule name, GUID, file involved, and action taken (Blocked or Audited).

5. Export for Analysis: Use the export feature to download events for further investigation or reporting.

Step-by-Step: Configuring ASR Rules via Intune

1. Sign in to Microsoft Endpoint Manager: Go to endpoint.microsoft.com.

2. Create a Profile: Navigate to Endpoint Security > Attack Surface Reduction > Create Policy. Platform: Windows 10 and later, Profile: Attack Surface Reduction Rules.

3. Add Rules: Under Configuration Settings, enable ASR rules and set each rule to Block, Audit, or Warn. Warn mode is only available via Intune.

4. Assign the Policy: Assign the policy to Azure AD groups containing target devices.

5. Monitor: In the Intune console, review the status of the policy under Device status. Check for conflicts or errors.

Step-by-Step: Testing ASR Rules in Audit Mode

1. Enable Audit Mode: Set the rule to Audit via Group Policy or Intune. This logs attempts without blocking.

2. Simulate an Attack: Use a test script or tool that triggers the rule (e.g., attempt to run PowerShell from Excel).

3. Check Logs: Look for Event ID 1122 in the Windows Defender operational log. The event shows the rule GUID and the action that would have been blocked had the rule been set to Block.

4. Analyze Impact: Review audit events to determine whether the rule would interfere with legitimate applications. If there are no issues, switch to Block mode.

5. Switch to Block: Change the rule mode to Block and verify that the same action is now blocked (Event ID 1121).
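The log review in steps 3 and 4 (and the Event Viewer check at the end of the Group Policy procedure above) is easier to repeat if it is scripted. The following is an added example, not code from the original page: it reads Event ID 1121 and 1122 events from the local Defender operational log, pulls the rule GUID and any drive-letter paths out of each event's data, and groups audited events by rule and path so recurring legitimate applications stand out before a rule is promoted to Block. It assumes Windows 10/11 with Defender Antivirus and at least one ASR rule configured; the GUID-to-name table is built from the rules on this page, and the event data field names are deliberately not hard-coded because they are not given on this page.

```powershell
# Added example: triage ASR block (1121) and audit (1122) events from the local
# Microsoft-Windows-Windows Defender/Operational log. Assumes Windows 10/11 with
# Defender AV and at least one ASR rule configured.

# GUID-to-name table, taken from the rules listed on this page.
$AsrRuleNames = @{
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Block executables unless they meet prevalence, age, or trusted list criteria'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block Office applications from creating child processes'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    'e6db77e5-3df2-4cf1-b95a-636979351e5b' = 'Block persistence through WMI event subscription'
}

function Get-AsrEvent {
    param(
        [int]$Days = 30,                 # look-back window, matching the 30-day audit period in the walk-through
        [int[]]$EventId = @(1121, 1122)  # 1121 = blocked, 1122 = audited
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = $EventId
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent raises an error rather than returning nothing when no events match.
    foreach ($evt in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        # Read the raw EventData rather than relying on field names, which are not
        # documented on this page; pick the rule out by GUID shape and the files out
        # by drive-letter path shape.
        $xml  = [xml]$evt.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) {
            if ($d.Name) { $data[$d.Name] = $d.'#text' }
        }
        $ruleId = $data.Values |
            Where-Object { $_ -match '^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$' } |
            Select-Object -First 1
        $paths  = ($data.Values | Where-Object { $_ -match '^[A-Za-z]:\\' } | Sort-Object -Unique) -join ' | '
        [pscustomobject]@{
            Time    = $evt.TimeCreated
            Outcome = if ($evt.Id -eq 1121) { 'Blocked' } else { 'Audited' }
            RuleId  = $ruleId
            Rule    = if ($ruleId -and $AsrRuleNames.ContainsKey($ruleId)) { $AsrRuleNames[$ruleId] } else { '(rule not in this table)' }
            Paths   = $paths
        }
    }
}

function Get-AsrAuditSummary {
    param([int]$Days = 30)
    # Group audited events by rule and path: a path that shows up many times is either a
    # legitimate application that needs a vendor fix or a narrow exclusion, or a
    # recurring attack attempt. Either way it must be understood before switching to Block.
    Get-AsrEvent -Days $Days -EventId 1122 |
        Group-Object Rule, Paths |
        Sort-Object Count -Descending |
        Select-Object Count,
                      @{ n = 'Rule';  e = { $_.Group[0].Rule } },
                      @{ n = 'Paths'; e = { $_.Group[0].Paths } }
}

Get-AsrAuditSummary -Days 30 | Format-Table -AutoSize -Wrap
```

Run Get-AsrEvent -EventId 1121 after switching a rule to Block to confirm that the same action now produces a 1121 event. If the audit summary shows a single legitimate executable hitting a rule, the page's -AttackSurfaceReductionOnlyExclusions parameter is the place for a narrow, path-specific exclusion; excluding a whole folder or vendor, as the scenarios later on this page warn, defeats the rule.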

Walk-Through

1. Identify Attack Vectors to Block

Begin by assessing common attack techniques relevant to your environment. For example, if your organization uses Office 365, consider enabling rules that block Office applications from creating child processes or executing scripts. Review threat intelligence reports to understand which behaviors are most exploited. This step involves collaboration between security teams to prioritize rules based on risk. For the exam, know that ASR rules target specific behaviors like credential theft, script obfuscation, and persistence methods.

2. Enable Rules in Audit Mode First

Before enforcing a rule, enable it in Audit mode to measure its impact on legitimate business applications. Audit mode logs every attempt that would have been blocked without actually blocking it. Use Event ID 1122 to review these events. This step is critical to avoid disrupting operations. For example, a rule blocking Office from creating child processes might break legitimate add-ins. The exam emphasizes that Audit mode is a best practice before switching to Block.

3. Analyze Audit Logs for False Positives

Collect audit events over a period (e.g., 30 days) and identify applications or processes that trigger the rule. Use the Microsoft 365 Defender portal to filter events by rule GUID. If a legitimate application is being audited, consider adding it to an exclusion list via the `-AttackSurfaceReductionOnlyExclusions` PowerShell parameter. For the exam, understand that exclusions can be defined per rule or globally, but they reduce security and should be used sparingly.

4. Switch Rules to Block Mode

After confirming no critical business impact, change the rule mode from Audit to Block. This can be done via Group Policy, Intune, or PowerShell. For example, using PowerShell: `Set-MpPreference -AttackSurfaceReductionRules_Ids "GUID" -AttackSurfaceReductionRules_Actions Enabled`. Monitor for any immediate issues and have a rollback plan. The exam tests that Block mode is the recommended state for production environments.

5. Monitor and Tune Regularly

ASR rules are not a set-and-forget configuration. Continuously monitor alerts in the Microsoft 365 Defender portal for blocked activities. Review new rules added by Microsoft via Windows Updates. Adjust exclusions as needed and consider enabling additional rules as your threat landscape evolves. For the exam, remember that ASR rules receive updates through Windows Defender signature updates, and new rules may be added automatically.

What This Looks Like on the Job

Enterprise Scenario 1: Preventing Credential Theft from LSASS

A large financial organization wanted to protect against credential theft attacks using tools like Mimikatz. They enabled the ASR rule "Block credential stealing from the Windows local security authority subsystem (lsass.exe)" in Block mode across all Windows 10 Enterprise endpoints. The rule works by intercepting any process attempt to open LSASS with specific access rights (e.g., PROCESS_VM_READ). During deployment, they first used Audit mode for two weeks and discovered that a legacy IT management tool required access to LSASS for password rotation. They created an exclusion for that specific tool's executable hash. After switching to Block, they saw a 90% reduction in credential theft attempts logged. The rule has negligible performance impact since it only triggers on specific system calls. Misconfiguration could occur if exclusions are too broad (e.g., excluding all processes from a vendor), which would defeat the purpose.

Enterprise Scenario 2: Blocking Office Application Exploits

A healthcare organization was targeted by phishing emails containing malicious Office documents that launched PowerShell to download ransomware. They enabled the rule "Block Office applications from creating child processes" in Block mode. This rule prevents Word, Excel, PowerPoint, and Outlook from spawning other executables like cmd.exe or powershell.exe. Initially, in Audit mode, they found that a legitimate finance add-in for Excel needed to launch a helper process. They worked with the vendor to update the add-in to use a different architecture, then enabled the rule. After deployment, the number of ransomware incidents dropped significantly. A common misconfiguration is setting the rule to Audit and never reviewing logs, leaving a gap. Performance is negligible because the check is lightweight.

Enterprise Scenario 3: Obfuscated Script Blocking

A tech company with many developers faced threats from obfuscated JavaScript and VBScript used in drive-by downloads. They enabled "Block execution of potentially obfuscated scripts" to detect and block scripts that use techniques like base64 encoding or excessive string concatenation. In Audit mode, they discovered that some internal build scripts were flagged because they used obfuscation to protect intellectual property. They added those scripts to a trusted list via the -AttackSurfaceReductionOnlyExclusions parameter. After switching to Block, they blocked thousands of malicious script attempts monthly. The rule uses machine learning to evaluate script complexity; it does not block all scripts, only those that appear suspicious. Misconfiguration can occur if exclusions are set too broadly (e.g., excluding all scripts from a network share), which could allow attackers to bypass the rule.

How SC-900 Actually Tests This

What SC-900 Tests on ASR Rules

SC-900 objective 3.3 covers "Describe the capabilities of Microsoft Defender for Endpoint," which includes attack surface reduction. Specifically, you need to know:

ASR rules are part of Defender for Endpoint.

They block specific behaviors, not all malware.

Modes: Block, Audit, Warn (Intune only), Disabled.

Common rules: Block credential theft from LSASS, Block Office apps from creating child processes, Block obfuscated scripts, etc.

They are configured via Group Policy, Intune, PowerShell, or Configuration Manager.

They are not enabled by default.

Available on Windows 10/11 Pro, Enterprise, Education, and Windows Server.

Common Wrong Answers and Why Candidates Choose Them

1. "ASR rules block all malware from executing." This is wrong because ASR rules target specific behaviors, not all malware. Antivirus handles file-based malware. Candidates confuse ASR with real-time protection.

2. "ASR rules are enabled by default on Windows 10." Wrong. They must be configured. Candidates may assume that because Defender Antivirus is on by default, ASR rules are too.

3. "ASR rules can be set to 'Allow' mode." No. The modes are Block, Audit, Warn, Disabled. There is no Allow. Candidates might think of firewall rules where Allow exists.

4. "ASR rules are available on all Windows editions." Only Pro, Enterprise, Education. Not Home. Candidates forget the edition requirement.

Specific Numbers, Values, and Terms on the Exam

GUIDs are not required, but rule names are.

Event IDs: 1121 (blocked), 1122 (audited).

Default mode: Disabled.

Warn mode is only via Intune.

ASR rules are part of Exploit Guard, which also includes Controlled Folder Access, Network Protection, and Exploit Protection.

Edge Cases and Exceptions

Warn mode: Only available when deploying via Intune. On the exam, if a question asks about a mode that prompts the user, the answer is Warn (Intune-only).

Exclusions: You can exclude files, folders, or processes from ASR rules using -AttackSurfaceReductionOnlyExclusions. Exclusions apply to all rules, not individual ones.

Server support: ASR rules on Windows Server require the Microsoft Defender for Endpoint server license and are not available on Server Core installations.

New rule additions: Microsoft may add new ASR rules via Windows Update; they are not automatically enabled.

How to Eliminate Wrong Answers

If the question mentions blocking a specific behavior (e.g., credential theft), look for the ASR rule that matches that behavior.

If the question says "enabled by default," it's likely wrong unless specified otherwise.

If the question mentions "all malware," it's probably not ASR rules.

If the question says "Warn mode," remember it's only via Intune.

Key Takeaways

ASR rules are part of Microsoft Defender for Endpoint and help reduce the attack surface by blocking specific malicious behaviors.

They are not enabled by default; they must be configured via Group Policy, Intune, PowerShell, or Configuration Manager.

Available on Windows 10/11 Pro, Enterprise, Education, and Windows Server (not Home).

Modes: Block (enforce), Audit (log only), Warn (prompt user, Intune only), Disabled.

Common rules include blocking credential theft from LSASS, Office apps from creating child processes, and obfuscated scripts.

Always test rules in Audit mode before switching to Block to avoid disrupting legitimate applications.

Event IDs 1121 (blocked) and 1122 (audited) are used for logging.

ASR rules are part of Exploit Guard, which also includes Controlled Folder Access, Network Protection, and Exploit Protection.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Attack Surface Reduction (ASR) Rules

Blocks specific behaviors like script execution, credential theft, and child process creation.

Uses machine learning and cloud intelligence to evaluate actions.

Configured via Group Policy, Intune, PowerShell, or Configuration Manager.

Modes: Block, Audit, Warn (Intune only), Disabled.

Part of Microsoft Defender for Endpoint Exploit Guard.

Controlled Folder Access (CFA)

Protects specific folders (e.g., Documents, Pictures) from unauthorized changes by untrusted applications.

Uses a whitelist of trusted applications to allow modifications.

Configured via Group Policy, Intune, or Windows Security app.

Modes: Block, Audit, Disabled (no Warn mode).

Also part of Microsoft Defender for Endpoint Exploit Guard.

Watch Out for These

Mistake: ASR rules are the same as antivirus protection.

Correct: ASR rules block specific behaviors (e.g., Office creating child processes), while antivirus detects and removes malware files. They complement each other but are different.

Mistake: ASR rules are enabled by default on Windows 10.

Correct: ASR rules are not enabled by default. They must be configured via Group Policy, Intune, or other management tools.

Mistake: ASR rules can be set to 'Allow' mode to permit specific applications.

Correct: There is no 'Allow' mode. The options are Block, Audit, Warn (Intune only), and Disabled. To permit an application, you create an exclusion.

Mistake: ASR rules work on all Windows editions including Home.

Correct: ASR rules are available only on Windows 10/11 Pro, Enterprise, Education, and Windows Server. Windows Home does not support them.

Mistake: Once enabled, ASR rules cannot be bypassed by administrators.

Correct: Administrators can bypass ASR rules by disabling them or adding exclusions. However, standard users cannot bypass rules.


Frequently Asked Questions

What are Attack Surface Reduction (ASR) rules in Microsoft Defender for Endpoint?

ASR rules are policies that block specific behaviors commonly used by malware, such as credential theft, script execution, and Office applications creating child processes. They are part of Microsoft Defender for Endpoint's Exploit Guard and help reduce the attack surface of Windows endpoints. Rules can be set to Block, Audit, Warn (Intune only), or Disabled. They are not enabled by default and must be configured via Group Policy, Intune, or PowerShell.

How do I enable ASR rules on Windows 10?

You can enable ASR rules via Group Policy (Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction), PowerShell (Set-MpPreference with -AttackSurfaceReductionRules_Ids and -AttackSurfaceReductionRules_Actions), Intune (Endpoint Security > Attack Surface Reduction), or Microsoft Endpoint Configuration Manager. Always test in Audit mode first.

What is the difference between ASR rules and antivirus?

ASR rules block specific behaviors (e.g., running scripts from email) rather than detecting malware files. Antivirus (Microsoft Defender Antivirus) scans files and processes for known malware signatures and suspicious behavior. ASR rules complement antivirus by preventing exploitation techniques that might bypass file-based detection.

Can ASR rules be bypassed?

Standard users cannot bypass ASR rules. Administrators can bypass them by disabling the rule or adding exclusions for specific files or processes. Exclusions are configured via PowerShell or Group Policy using the -AttackSurfaceReductionOnlyExclusions parameter. However, exclusions reduce security and should be used sparingly.

What are the default settings for ASR rules?

ASR rules are disabled by default. They must be explicitly enabled and configured. There is no default mode; you choose Block, Audit, Warn (Intune only), or Disabled per rule.

Are ASR rules available on Windows Server?

Yes, ASR rules are available on Windows Server 2016 and later, but they require a Microsoft Defender for Endpoint server license. They are not supported on Server Core installations. The same configuration methods (Group Policy, Intune, etc.) apply.

What event IDs are used for ASR rules?

Event ID 1121 is logged when an ASR rule blocks an action. Event ID 1122 is logged when a rule audits an action (i.e., would have blocked but is set to Audit). These events are found in the Windows Defender operational log (Event Viewer > Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational).

