SOLVED

Exploit Guard - Attack Surface Reduction Rules not reporting as Enabled in WDATP console


We have rolled out Attack Surface Reduction rules via GPO (including the newest rule in v1809, so 14/14 rules).  We have some in audit mode and some applying.  I can verify systems have the policy via Get-MpPreference.  But the WD ATP console does not report them as applying, as it shows all systems need to "Turn on Attack Surface Reduction rules".  What is the logic used for that?  For Controlled Folder Access, we have it in audit mode and that adds points.

 

Does the ASR one not count any points unless ALL rules are in Enabled mode?  If so, is there a way to change this behaviour as I do not feel 0 points is an accurate reflection of our position given over half the rules are in Enabled state, and it makes using the console to remediate machines with issues such as the GPO not applying useless.
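Added example, not from the thread or from Microsoft: a PowerShell helper (the name Get-AsrRuleSummary is my own) that reads the same Get-MpPreference properties the poster used for verification and lists every ASR rule with its Block/Audit/Disabled state, so you can see how many rules are enforced on a client even while the console treats the feature as all-or-none. The action codes (0 Disabled, 1 Block, 2 Audit, 6 Warn) are Defender's documented values; the sample object at the end uses placeholder GUIDs so the function can be exercised without Defender installed.

```powershell
# Added example (not from the thread): summarise Attack Surface Reduction rule state
# from Get-MpPreference so you see per-rule Block/Audit/Disabled instead of the
# console's all-or-none verdict. Pass -Preference to evaluate captured or
# constructed data offline; otherwise it queries the local Defender client.

function Get-AsrRuleSummary {
    [CmdletBinding()]
    param(
        # Output of Get-MpPreference, or any object with the same two properties.
        [Parameter(ValueFromPipeline)]
        [psobject]$Preference = (Get-MpPreference)
    )
    process {
        # Action codes used by AttackSurfaceReductionRules_Actions.
        $actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

        # Filter out $null so a client with no rules configured yields an empty list,
        # not one bogus row.
        $ids     = @($Preference.AttackSurfaceReductionRules_Ids     | Where-Object { $null -ne $_ })
        $actions = @($Preference.AttackSurfaceReductionRules_Actions | Where-Object { $null -ne $_ })
        if ($ids.Count -ne $actions.Count) {
            throw "Rule id count ($($ids.Count)) does not match action count ($($actions.Count))"
        }

        # One row per rule; the two arrays are parallel (index i of each belongs together).
        $rules = @(for ($i = 0; $i -lt $ids.Count; $i++) {
            $code = [int]$actions[$i]
            [pscustomobject]@{
                RuleId = ([string]$ids[$i]).ToUpperInvariant()
                Code   = $code
                Action = if ($actionNames.ContainsKey($code)) { $actionNames[$code] } else { "Unknown($code)" }
            }
        })

        $summary = [pscustomobject]@{
            Total    = $rules.Count
            Block    = @($rules | Where-Object Action -eq 'Block').Count
            Audit    = @($rules | Where-Object Action -eq 'Audit').Count
            Warn     = @($rules | Where-Object Action -eq 'Warn').Count
            Disabled = @($rules | Where-Object Action -eq 'Disabled').Count
            Unknown  = @($rules | Where-Object Action -like 'Unknown*').Count
            # Mirrors the console's condition described in this thread: credit only when
            # every configured rule is in Block. False here explains a 0-point score.
            AllEnforced = ($rules.Count -gt 0) -and
                          (@($rules | Where-Object Action -ne 'Block').Count -eq 0)
        }

        [pscustomobject]@{ Rules = $rules; Summary = $summary }
    }
}

# Constructed sample (placeholder GUIDs, not real ASR rule ids) so the function can be
# run without Defender: two rules enforced, one in audit, one disabled.
$sample = [pscustomobject]@{
    AttackSurfaceReductionRules_Ids     = @(
        '00000000-0000-0000-0000-000000000001',
        '00000000-0000-0000-0000-000000000002',
        '00000000-0000-0000-0000-000000000003',
        '00000000-0000-0000-0000-000000000004')
    AttackSurfaceReductionRules_Actions = [byte[]](1, 1, 2, 0)
}
$result = Get-AsrRuleSummary -Preference $sample
$result.Rules   | Format-Table RuleId, Action
$result.Summary | Format-List

# On a real client, query Defender directly:
# (Get-AsrRuleSummary).Summary
```

Run it against the sample and Summary reports Total 4, Block 2, Audit 1, Disabled 1 and AllEnforced False, which is exactly the mixed state the poster describes. To map the GUIDs to rule names, cross-reference the RuleId column with Microsoft's ASR rule reference; the helper deliberately avoids embedding that table.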

6 Replies

@Doug Howell hi Doug,

 

Did you also run the new baseline 1809 script? This will turn on more sensors, and some you might have missed.

 

https://blogs.technet.microsoft.com/secguide/2018/11/20/security-baseline-final-for-windows-10-v1809...

 

.\BaselineLocalInstall.ps1 -Win10DomainJoined      - for Windows 10 v1809, domain-joined

.\BaselineLocalInstall.ps1 -Win10NonDomainJoined   - for Windows 10 v1809, non-domain-joined


@Jacques van Zijl I am not clear what connection the v1809 baselines (or any other version) have to my question.  The clients are fully reporting into Defender ATP including Controlled Folder Access status which is another Exploit Guard feature, and I can verify on the systems the ASR rules are applied via GPO both by using GPResult and Get-MpPreference.


@Doug Howell my apologies, I thought you were referring to the ATP Score Card points; sometimes a misconfiguration could lead to points not being added in the Score Card.


@Jacques van Zijl Do you have any comment on the Attack Surface Reduction Rules?  As all our machines move to v1903 the behavior remains the same.

[Image: Exploit Guard missing points]
[Image: ASR rules in GPO]
We know the GPO is applied to the machines, with a mix of enforced and audit for the various rules.  Why do we get NO points and 100% machines report there is an issue when we have actually hardened the machines significantly via the use of many of the rules (just not all of them)?

Best Response confirmed by Doug Howell (Occasional Contributor)
Solution

@Doug Howell 

Hi, 

You are correct in your assumption.

We are currently in the process of changing this behavior and we will indicate the status for every Attack Surface Reduction rule separately.


@yaakov_iyun 

 

What is the timeline on this change?  Lots has changed in the console but still it is all or none for evaluating and scoring ASR rules.