How to start working with Attack Surface Reduction rules like a boss

  • Published 8 Jul 2024
  • The modern IT admin needs to accept that they will do more and more security-related work.
    The modern world requires us to take part in defending our business against the bad guys.
    Kent and I discuss this new world using Microsoft Intune and Microsoft Defender for Endpoint together.
    Why should we use Attack Surface Reduction rules?
    It sounds difficult to set up, but is it?
    What kind of rules do we have available?
    How do I get started?
    How do I get ASR rolled out?
    Don't be afraid. We've got you covered!
    Get much more info in this interview with Microsoft Regional Director Kent Agerlund.
    Twitter: /agerlund
    LinkedIn: /kentagerlund
    #MDE #msintune #AttackSurfaceReduction

Comments • 14

  • @karthikeyanv3400 5 months ago +1

    Thank you both, excellent walkthrough.

    • @MSEndpointMgr 4 months ago

      You are most welcome!

  • @simonkeen9776 1 year ago +4

    Thanks to Kent for this presentation

    • @MSEndpointMgr 1 year ago +1

      Thanks for your comment Simon! Glad you liked it

  • @aneeshnicola9981 1 year ago +1

    @MSEndpointMgr
    Do we need to enable cloud block level as High to receive the toast notifications on the end-user device for ASR warn mode? Is this a prerequisite? Looking for assistance please, since I'm not receiving the notifications which allow me to bypass, despite configuring warn mode.

    • @MSEndpointMgr 11 months ago

      Good question. Yes, you need cloud block level set to High, otherwise you will be shown nothing. Also, your rules might need to be in block mode, but some will also show a toast notification even in audit. You can see the full picture here:
      learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#per-asr-rule-alert-and-notification-details

    • @KA-NV 9 months ago

      @MSEndpointMgr Could you provide where to find the option to enable cloud block level? Thanks

  • @Rahgozar633 1 year ago +1

    Hi, thank you for the informative video. I have a question that wasn't answered by Microsoft either. Sometimes, certain executable files that attempt to access LSASS are blocked on some devices, even though these files can run without issues on other devices. What could be the reason behind this if the file isn't malicious?

    • @MSEndpointMgr 1 year ago +1

      Hi Milad,
      That is a very good question, one that I have asked myself. Programs with access to LSASS should be considered threats. I am no security expert, but LSASS is there to help Windows with credentials, not 3rd-party apps.
      If the program gets access and dumps the LSASS credentials, an attacker would easily be able to move laterally across the network with tools like PsExec or WMI. So blocking access to LSASS would be my default until I see stuff break because of it.

    • @Rahgozar633 1 year ago +1

      @MSEndpointMgr Hi, thank you for your feedback. The problem is that certain files or applications require access to LSASS, and it is not clear why these specific files are able to access LSASS on one device without raising suspicion from Microsoft. However, the same file or application may be blocked on another device, and it is unclear what has caused this. In such cases, it is uncertain whether the file should be excluded from this ASR rule or not.

    • @MSEndpointMgr 1 year ago

      @Rahgozar633 I see your point. I guess the only way to find out will be to ask the vendor of the software that tries to access LSASS whether this really is needed.
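The two questions in the threads above (whether cloud block level gates warn-mode toasts, and why an executable that touches LSASS is blocked on one device but not another) both come down to comparing Defender's effective ASR configuration and its ASR event log between devices. The PowerShell below is an added example, not code from the video or from MSEndpointMgr. It uses only the built-in Defender module (Get-MpPreference, Add-MpPreference) and Get-WinEvent; the $asrRuleNames table is a constructed, partial lookup for readability, and the EventData field names ('ID', 'Process Name', 'Path', 'User') are an assumption taken from the 1121/1122 event layout that you should verify on your build.

```powershell
# Added example, not from the video or MSEndpointMgr. Run in an elevated
# PowerShell on a device with Microsoft Defender Antivirus. Cmdlets and
# property names are the Defender module's own; the rule-name table is a
# constructed partial lookup (the LSASS rule GUID is Microsoft's published one).

$asrRuleNames = @{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block Office apps from creating child processes'
}
# Enum values as documented for Set-MpPreference.
$asrActionNames  = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
$cloudLevelNames = @{ 0 = 'Default'; 1 = 'Moderate'; 2 = 'High'; 4 = 'HighPlus'; 6 = 'ZeroTolerance' }
$mapsNames       = @{ 0 = 'Disabled'; 1 = 'Basic'; 2 = 'Advanced' }

function Get-AsrState {
    # Snapshot of the settings that decide whether a rule fires at all and
    # whether warn-mode toasts can appear. Run it on both devices and diff.
    $p = Get-MpPreference
    $rules = for ($i = 0; $i -lt $p.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = $p.AttackSurfaceReductionRules_Ids[$i].ToLower()
        [pscustomobject]@{
            RuleId = $id
            Rule   = if ($asrRuleNames.ContainsKey($id)) { $asrRuleNames[$id] } else { '(see rules reference)' }
            Action = $asrActionNames[[int]$p.AttackSurfaceReductionRules_Actions[$i]]
        }
    }
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        MAPSReporting   = $mapsNames[[int]$p.MAPSReporting]        # cloud-delivered protection
        CloudBlockLevel = $cloudLevelNames[[int]$p.CloudBlockLevel]
        Rules           = $rules
        AsrExclusions   = @($p.AttackSurfaceReductionOnlyExclusions)
    }
}

function Get-AsrEvents {
    param([int]$Days = 7)
    # ASR events in the Defender operational log: 1121 = rule fired in block
    # mode, 1122 = audit, 1125 = warn mode, 1126 = user clicked through the
    # warn toast. Verify these ids against Microsoft's ASR docs for your build.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122, 1125, 1126
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Flatten EventData by name so the script does not depend on field order.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        $id = ([string]$data['ID']).ToLower()
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = switch ($_.Id) { 1121 { 'Block' } 1122 { 'Audit' } 1125 { 'Warn' } 1126 { 'Warn-bypassed' } }
            Rule    = if ($asrRuleNames.ContainsKey($id)) { $asrRuleNames[$id] } else { $id }
            Process = $data['Process Name']   # assumed field names; adjust if your events differ
            Target  = $data['Path']
            User    = $data['User']
        }
    }
}

function Show-AsrTriage {
    param([int]$Days = 7)
    $state = Get-AsrState
    "Device: $($state.Computer)  MAPS: $($state.MAPSReporting)  CloudBlockLevel: $($state.CloudBlockLevel)"
    if ($state.CloudBlockLevel -notin 'High', 'HighPlus', 'ZeroTolerance') {
        'Cloud block level is below High; if warn-mode toasts are missing, start here.'
    }
    $state.Rules | Format-Table -AutoSize
    "ASR-only exclusions: $($state.AsrExclusions -join '; ')"
    # Which rule hit which process, and in which mode: this is the comparison
    # to make between a device where a tool is blocked and one where it is not.
    Get-AsrEvents -Days $Days |
        Group-Object Rule, Mode, Process |
        Sort-Object Count -Descending |
        Select-Object Count, Name |
        Format-Table -AutoSize
}

Show-AsrTriage

# To trial the LSASS rule in warn mode on an unmanaged test device (on
# Intune-managed devices the policy re-applies and may block local changes):
# Add-MpPreference -AttackSurfaceReductionRules_Ids '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' `
#                  -AttackSurfaceReductionRules_Actions Warn
```

Run Get-AsrState on the device where the executable is blocked and on one where it is not, and compare the Action for the LSASS rule, the AsrExclusions list and the CloudBlockLevel first; a mismatch there explains most "same file, different outcome" cases before any vendor conversation is needed. The triage output then shows whether the hits are in Block, Audit or Warn mode, which is the distinction the notification table in the rules reference is keyed on. On Intune-managed devices change cloud block level in the Microsoft Defender Antivirus profile under Endpoint security rather than with Set-MpPreference, since the policy will overwrite a local change.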

  • @edemfromeden5432 1 year ago +1

    It always amazes me how much MSFT is NOT aligned in regards to best practices. The speaker's advice goes like this: "don't play around with ring 1, ring 2, deploy to all". At the same time, the official ASR docs state the opposite. O_o

    • @MSEndpointMgr 1 year ago

      It all depends on the scenario. I know, such a boring answer. But a ring rollout method is always a good thing to prevent large-scale bummers.