Part 2:  Improve your endpoint security /w Windows Defender ATP & Microsoft Intune: Exploit Guard & SmartScreen


In my previous blog I highlighted the Security Analytics Dashboard of Windows Defender Advanced Threat Protection and how to improve your organization's security, covering two improvement areas: Windows Defender Antivirus and Windows Defender Application Guard.

In this blog I'll cover two other improvement areas: Windows Defender Exploit Guard and SmartScreen.

Windows Defender Exploit Guard

Windows Defender Exploit Guard (Windows Defender EG) is a new set of host intrusion prevention capabilities for Windows 10, allowing you to manage and reduce the attack surface of apps used by your employees.
There are four features in Windows Defender Exploit Guard:

  • Exploit Protection can apply exploit mitigation techniques to apps your organization uses, both individually and to all apps
  • Attack Surface Reduction rules can reduce the attack surface of your applications with intelligent rules that stop the vectors used by Office-, script- and mail-based malware
  • Network Protection extends the malware and social engineering protection offered by Windows Defender SmartScreen in Edge to cover network traffic and connectivity on your organization’s devices
  • Controlled Folder Access helps protect files in key system folders from changes made by malicious and suspicious apps, including file-encrypting ransomware malware

The score for Windows Defender Exploit Guard is measured against the improvement areas below, including cloud-based protection.

The configuration of Windows Defender Exploit Guard is currently documented for PowerShell and Group Policy. However, there is a Windows 10 Configuration Service Provider (CSP) for Windows Defender Exploit Guard, which makes it possible to configure Exploit Guard using Microsoft Intune (or other MDM solutions).

Note: At the time of writing there is no Windows Defender Exploit Guard profile available in either Configuration Manager or Microsoft Intune. I expect this will become available soon, as Windows 10 Fall Creators Update is generally available now. Windows Defender Exploit Guard works with Windows 10 Fall Creators Update (1709), and Windows Defender Antivirus real-time protection must be enabled.

Attack Surface Reduction (ASR) rules

Attack Surface Reduction helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.

The feature is comprised of a number of rules, each of which targets specific behaviors that are typically used by malware and malicious apps to infect machines, such as:

  • Executable files and scripts used in Office apps or web mail that attempt to download or run files
  • Scripts that are obfuscated or otherwise suspicious
  • Behaviors that apps undertake that are not usually initiated during normal day-to-day work

The following sections describe what each rule does. Each rule is identified by a rule GUID, as in the following table:

Rule name                                                       GUID
Block executable content from email client and webmail          BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
Block Office applications from creating child processes         D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Block Office applications from creating executable content      3B576869-A4EC-4529-8536-B80A7769E899
Block Office applications from injecting into other processes   75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
Impede JavaScript and VBScript to launch executables            D3E037E1-3EB8-44C8-A917-57927947596D
Block execution of potentially obfuscated scripts               5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
Block Win32 imports from Macro code in Office                   92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B

The Exploit Guard Attack Surface Reduction rules are configured using the Defender node of the Policy CSP:

https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductionrules

CSP node: Defender/AttackSurfaceReductionRules
Description: This policy setting enables setting the state (Block/Audit/Off) for each Attack Surface Reduction (ASR) rule. Each ASR rule listed can be set to one of the following states (Block/Audit/Off). The ASR rule ID and state should be added under the Options for this setting. Each entry must be listed as a name-value pair. The name defines a valid ASR rule ID, while the value contains the status ID indicating the status of the rule. Value type is integer.
Value: {ASR GUID}=<0,1,2>|{ASR GUID}=<0,1,2>

Controlled Folder Access

Controlled Folder Access helps you protect valuable data from malicious apps and threats, such as ransomware.

The protected folders include common system folders, and you can add additional folders. You can also allow or whitelist apps to give them access to the protected folders.

CSP node: Defender/EnableControlledFolderAccess
Description: This policy enables setting the state (On/Off/Audit) for the guard my folders feature. The guard my folders feature removes modify and delete permissions from untrusted applications to certain folders such as My Documents. Value type is integer and the range is 0 – 2.
Value:
  • 0 (default) – Disabled
  • 1 – Enabled
  • 2 – Audit Mode

CSP node: Defender/ControlledFolderAccessProtectedFolders
Description: This policy setting allows adding user-specified folder locations to the guard my folders feature. These folders complement the system-defined folders such as My Documents and My Pictures. The list of system folders is displayed in the user interface and cannot be changed. Value type is string.
Value: <folder>|<folder>

CSP node: Defender/ControlledFolderAccessAllowedApplications
Description: This policy setting allows adding user-specified applications to the guard my folders feature. Adding an allowed application means the guard my folders feature will allow the application to modify or delete content in certain folders such as My Documents. In most cases it will not be necessary to add entries; Windows Defender Antivirus automatically detects and dynamically adds applications that are friendly. Value type is string. Use the Unicode | character as the substring separator.
Value: <folder\application>|<folder\application>

Network Protection

Network Protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.

It expands the scope of Windows Defender SmartScreen to block all outbound HTTP(S) traffic that attempts to connect to low-reputation sources (based on the domain or hostname).

CSP node: Defender/EnableNetworkProtection
Description: This policy allows you to turn network protection on (block/audit) or off in Windows Defender Exploit Guard. Network protection is a feature of Windows Defender Exploit Guard that protects employees using any app from accessing phishing scams, exploit-hosting sites, and malicious content on the Internet. This includes preventing third-party browsers from connecting to dangerous sites. Value type is integer.
Value:
  • 0 (default) – Disabled
  • 1 – Enabled (block mode)
  • 2 – Enabled (audit mode)

In order to enable Windows Defender Exploit Guard using Microsoft Intune, we created a custom profile which contains the required settings to improve our organization's security score.

Remark: for the improvement to be reflected in your security score in the Windows Defender ATP Security Analytics dashboard, take the following into account:

  • You have to configure all Exploit Guard features in block mode (1) in order to improve your security score;
  • You have to configure all Attack Surface Reduction rules in order to improve your security score.

Note: The setting Block Office applications from injecting into other processes with GUID 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 is excluded from the baseline. Consider enabling this rule in Audit or Block mode for better protection.
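As an added example (not from the original post or from Microsoft), the PowerShell below builds the values for the Intune custom OMA-URI profile from the ASR table above, with every rule in Block (1) except the injection rule, which the baseline excludes and which is set to Audit (2) here, and then compares a device's effective Defender preferences with that intent. It assumes the Defender PowerShell module (Get-MpPreference) is present on the device and that the Defender node of the Policy CSP sits under the same ./Vendor/MSFT/Policy/Config/ path as the SmartScreen settings; the function names are mine.

```powershell
# Added example: build the Intune custom OMA-URI values for Exploit Guard and verify them on a device.
# Rule GUIDs are the ones from the ASR table in this post; function names are hypothetical.
$AsrRules = [ordered]@{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 1  # Block executable content from email client and webmail
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 1  # Block Office applications from creating child processes
    '3B576869-A4EC-4529-8536-B80A7769E899' = 1  # Block Office applications from creating executable content
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 1  # Impede JavaScript and VBScript to launch executables
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 1  # Block execution of potentially obfuscated scripts
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 1  # Block Win32 imports from Macro code in Office
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 2  # Injection rule: excluded from the baseline, so Audit here
}

function New-AsrRulesValue {
    # Renders the CSP value <GUID>=<state>|<GUID>=<state>, where state is 0 (Off), 1 (Block) or 2 (Audit).
    param([System.Collections.IDictionary]$Rules)
    foreach ($id in $Rules.Keys) {
        if ($id -notmatch '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$') { throw "Not an ASR rule GUID: $id" }
        if ($Rules[$id] -notin 0, 1, 2) { throw "State for $id must be 0, 1 or 2" }
    }
    return (@($Rules.Keys | ForEach-Object { "$_=$($Rules[$_])" }) -join '|')
}

# Rows for the Intune custom profile. Assumed: the Defender node sits under ./Vendor/MSFT/Policy/Config/
# like the SmartScreen settings; the ASR row is entered as a String, the two switches as Integers.
$OmaUriRows = @(
    @{ Uri = './Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules';  Value = (New-AsrRulesValue $AsrRules) }
    @{ Uri = './Vendor/MSFT/Policy/Config/Defender/EnableControlledFolderAccess'; Value = 1 }  # 1 = Enabled (block)
    @{ Uri = './Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection';      Value = 1 }  # 1 = block mode
)

function Test-ExploitGuardState {
    # Compares the device's effective Defender preferences with the intended states; returns one line per gap.
    param([System.Collections.IDictionary]$Rules)
    $pref     = Get-MpPreference
    $ids      = @($pref.AttackSurfaceReductionRules_Ids)
    $actions  = @($pref.AttackSurfaceReductionRules_Actions)  # parallel to $ids: 0 Off, 1 Block, 2 Audit
    $findings = @()
    foreach ($id in $Rules.Keys) {
        $actual = 0                                            # a rule missing from the list is Off
        for ($i = 0; $i -lt $ids.Count; $i++) { if ($ids[$i] -ieq $id) { $actual = [int]$actions[$i]; break } }
        if ($actual -ne $Rules[$id]) { $findings += "ASR rule $id is in state $actual, expected $($Rules[$id])" }
    }
    if ([int]$pref.EnableControlledFolderAccess -ne 1) { $findings += "Controlled Folder Access is $([int]$pref.EnableControlledFolderAccess), expected 1" }
    if ([int]$pref.EnableNetworkProtection -ne 1)      { $findings += "Network Protection is $([int]$pref.EnableNetworkProtection), expected 1" }
    return $findings
}

$OmaUriRows | ForEach-Object { '{0} = {1}' -f $_.Uri, $_.Value }   # the rows to enter in the custom profile
Test-ExploitGuardState -Rules $AsrRules                            # empty output: device matches the intent
```

Run the check on a test device after the profile has synced; a rule that Intune has not delivered yet shows up as state 0, which is exactly the gap the dashboard will report.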

SmartScreen

Windows Defender SmartScreen helps to protect your employees if they try to visit sites previously reported as phishing or malware websites, or if an employee tries to download potentially malicious files.

SmartScreen determines whether a site is potentially malicious by:

  • Analyzing visited webpages looking for indications of suspicious behavior. If it finds suspicious pages, SmartScreen shows a warning page, advising caution.
  • Checking the visited sites against a dynamic list of reported phishing sites and malicious software sites. If it finds a match, SmartScreen shows a warning to let the user know that the site might be malicious.

SmartScreen determines whether a downloaded app or app installer is potentially malicious by:

  • Checking downloaded files against a list of reported malicious software sites and programs known to be unsafe. If it finds a match, SmartScreen shows a warning to let the user know that the site might be malicious.
  • Checking downloaded files against a list of files that are well known and downloaded by many Windows users. If the file isn’t on that list, SmartScreen shows a warning, advising caution.

You can take the following actions to increase the overall security score of your organization:

  • Set Check app and files to Warn or Block
  • Set SmartScreen for Microsoft Edge to Warn or Block
  • Set SmartScreen for Microsoft store apps to Warn or Off

SmartScreen can be configured using the Microsoft Intune UI or by configuring a custom profile (OMA-URI). The SmartScreen UI section is split into a browser part and a system part:

Windows 10 Device Restrictions\Windows Defender SmartScreen

Endpoint protection\Windows Defender SmartScreen

If you manage your policies using Microsoft Intune, you’ll want to use these MDM policy settings. All settings support both desktop computers (running Windows 10 Pro or Windows 10 Enterprise, enrolled with Microsoft Intune) and Windows 10 Mobile devices.

Setting (supported versions) and details:

AllowSmartScreen (Windows 10)
  • URI full path: ./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen
  • Data type: Integer
  • Allowed values:
    • 0. Turns off Windows Defender SmartScreen.
    • 1. Turns on Windows Defender SmartScreen.

EnableAppInstallControl (Windows 10, version 1703)
  • URI full path: ./Vendor/MSFT/Policy/Config/SmartScreen/EnableAppInstallControl
  • Data type: Integer
  • Allowed values:
    • 0. Turns off Application Installation Control, allowing users to download and install files from anywhere on the web.
    • 1. Turns on Application Installation Control, allowing users to install apps from the Microsoft Store only.

EnableSmartScreenInShell (Windows 10, version 1703)
  • URI full path: ./Vendor/MSFT/Policy/Config/SmartScreen/EnableSmartScreenInShell
  • Data type: Integer
  • Allowed values:
    • 0. Turns off SmartScreen in Windows.
    • 1. Turns on SmartScreen in Windows.

PreventOverrideForFilesInShell (Windows 10, version 1703)
  • URI full path: ./Vendor/MSFT/Policy/Config/SmartScreen/PreventOverrideForFilesInShell
  • Data type: Integer
  • Allowed values:
    • 0. Employees can ignore SmartScreen warnings and run malicious files.
    • 1. Employees can't ignore SmartScreen warnings and run malicious files.

PreventSmartScreenPromptOverride (Windows 10, version 1511 and later)
  • URI full path: ./Vendor/MSFT/Policy/Config/Browser/PreventSmartscreenPromptOverride
  • Data type: Integer
  • Allowed values:
    • 0. Employees can ignore SmartScreen warnings.
    • 1. Employees can't ignore SmartScreen warnings.

PreventSmartScreenPromptOverrideForFiles (Windows 10, version 1511 and later)
  • URI full path: ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles
  • Data type: Integer
  • Allowed values:
    • 0. Employees can ignore SmartScreen warnings for files.
    • 1. Employees can't ignore SmartScreen warnings for files.
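As an added example (not from the original post), this PowerShell expresses the posture recommended above, Check apps and files and SmartScreen for Microsoft Edge both set to Block, as the MDM settings from the table and checks on an enrolled device that each one was applied. It assumes that applied device policy is mirrored as DWORD values under HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>\<Setting>, that Block corresponds to the Prevent... settings at 1 (warnings cannot be overridden), and it leaves out EnableAppInstallControl, whose table entry concerns Store-only installs rather than warn/block; the function names are mine.

```powershell
# Added example: express the SmartScreen posture as Policy CSP settings and check them on an enrolled device.
# URIs come from the table in this post; the PolicyManager registry mirror and the function names are assumptions.
$Desired = [ordered]@{
    # "Check apps and files" = Block: SmartScreen on in the shell and file warnings cannot be overridden
    './Vendor/MSFT/Policy/Config/SmartScreen/EnableSmartScreenInShell'            = 1
    './Vendor/MSFT/Policy/Config/SmartScreen/PreventOverrideForFilesInShell'      = 1
    # "SmartScreen for Microsoft Edge" = Block: SmartScreen on, site and file warnings cannot be overridden
    './Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen'                         = 1
    './Vendor/MSFT/Policy/Config/Browser/PreventSmartscreenPromptOverride'         = 1
    './Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles' = 1
}

function ConvertTo-PolicyRegistryPath {
    # Maps ./Vendor/MSFT/Policy/Config/<Area>/<Setting> to the assumed key where applied device policy is mirrored.
    param([string]$OmaUri)
    if ($OmaUri -notmatch '^\./Vendor/MSFT/Policy/Config/([^/]+)/([^/]+)$') { throw "Not a Policy CSP URI: $OmaUri" }
    return @{ Key = "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\$($Matches[1])"; Name = $Matches[2] }
}

function Test-SmartScreenPolicy {
    # Returns one finding per setting that is missing on the device or differs from the desired value.
    param([System.Collections.IDictionary]$Expected)
    $findings = @()
    foreach ($uri in $Expected.Keys) {
        $loc  = ConvertTo-PolicyRegistryPath $uri
        $item = Get-ItemProperty -Path $loc.Key -Name $loc.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { $findings += "$uri not applied (no $($loc.Name) under $($loc.Key))"; continue }
        $actual = [int]$item.($loc.Name)
        if ($actual -ne $Expected[$uri]) { $findings += "$uri is $actual, expected $($Expected[$uri])" }
    }
    return $findings
}

Test-SmartScreenPolicy -Expected $Desired   # no output means every setting was applied as intended
```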

The Results…

Now that we have configured the device restriction profiles in Microsoft Intune for both Windows Defender Exploit Guard and Windows Defender SmartScreen, let's have a look at the improvement areas.

Now that we have configured and enabled Exploit Guard in block mode, we see a significant improvement over time for this improvement area.

In my previous blog we reported a score of 35,8 for Exploit Guard; after applying the security baseline configuration we have a new score of 66,7, which almost doubles the score.

Recap

The Security Analytics dashboard provides organizations with valuable insights into their endpoint security and enables them to easily enhance and maximize their security potential. Where Windows Defender Advanced Threat Protection continuously provides organizations with valuable insights into their current security operations and analytics performance, Microsoft Intune enables you to translate those insights into enforceable measures. Special thanks to Ran Mitelman (MSFT) for providing valuable insights.

Sources

Windows Defender ATP Security Analytics dashboard

https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection

Windows Defender Exploit Guard

https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard

Protect your network with Windows Defender Exploit Guard

https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard
Reduce attack surfaces with Windows Defender Exploit Guard

https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard

Protect important folders with Controlled Folder Access

https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard

Windows Defender SmartScreen

https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview

Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings

https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings
