1.6.1.17 Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is set to 'c1db55ab-c21a-4637-bb3f-a12568109d35:2' or higher

Information

This rule provides an extra layer of protection against ransomware. It uses both client-side and cloud heuristics to decide whether a file resembles ransomware. The rule does not block a file that has any of the following characteristics:

- The file has already been found to be unharmful in the Microsoft cloud.
- The file is validly signed.
- The file is prevalent enough not to be considered ransomware.

Outside those cases the rule errs on the side of caution: a file that looks like ransomware is treated as ransomware, which is why audit-mode testing before enforcement matters (see Impact below).

Rule ID and name:

- c1db55ab-c21a-4637-bb3f-a12568109d35 (Use advanced protection against ransomware)

The recommended state for this setting is: c1db55ab-c21a-4637-bb3f-a12568109d35:2 (Audit) or higher. The number after the colon is the rule's action: 0 = Off, 1 = Block, 2 = Audit. "Or higher" means at least Audit; configuring c1db55ab-c21a-4637-bb3f-a12568109d35:1 (Block) is stricter and also conforms to the benchmark. A value of 0, or no entry for this rule ID at all, does not conform.

Note: More information on ASR rules can be found at the following link: Use Attack surface reduction rules to prevent malware infection | Microsoft Docs https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard

This ASR rule can help an organization enhance its protection against ransomware by using both cloud and local heuristics.

Solution

To establish the recommended configuration via GP, enable the policy at the following UI path and, in its "Set the state for each ASR rule" list, add an entry whose Value name is c1db55ab-c21a-4637-bb3f-a12568109d35 and whose Value is 2 (Audit) or 1 (Block):

Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Attack Surface Reduction\Configure Attack Surface Reduction rules: Set the state for each ASR rule

Note: This Group Policy path is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
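The following PowerShell is an added example, not part of the CIS benchmark or Microsoft's documentation. It checks the policy value the GP path above writes to the registry (the HKLM\SOFTWARE\Policies\...\ASR\Rules key and the 0/1/2 encoding are Microsoft's; the function name and output shape are this example's own), compares it with the effective state reported by Get-MpPreference, confirms the cloud-delivered protection prerequisite from the Impact section, and falls back to a local Add-MpPreference remediation when the rule is not at least in Audit mode. Run it in an elevated session on a host with Microsoft Defender Antivirus.

```powershell
<#
  Added example (not benchmark or Microsoft code): audit and remediate the
  'Use advanced protection against ransomware' ASR rule against the benchmark.
  Benchmark logic: action 2 (Audit) or 1 (Block) passes; 0 (Off) or unset fails.
#>

$RuleId    = 'c1db55ab-c21a-4637-bb3f-a12568109d35'
# Registry location the Group Policy setting is written to (value name = rule GUID, REG_SZ data = action)
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules'

function Get-AsrRuleState {
    param([string]$Id)

    # Policy-delivered value, if any ('0', '1' or '2' as a string)
    $policy = (Get-ItemProperty -Path $PolicyKey -Name $Id -ErrorAction SilentlyContinue).$Id

    # Effective value as the engine reports it; Ids and Actions are parallel arrays
    $pref      = Get-MpPreference
    $effective = $null
    for ($i = 0; $i -lt @($pref.AttackSurfaceReductionRules_Ids).Count; $i++) {
        if ($pref.AttackSurfaceReductionRules_Ids[$i] -ieq $Id) {
            $effective = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
        }
    }

    [pscustomobject]@{
        RuleId          = $Id
        PolicyValue     = $policy
        EffectiveAction = $effective                  # 0 = Off, 1 = Block, 2 = Audit
        Compliant       = ($effective -in 1, 2)
        # MAPSReporting 0 = cloud-delivered protection disabled; the rule needs it on
        CloudProtection = ($pref.MAPSReporting -ne 0)
    }
}

$state = Get-AsrRuleState -Id $RuleId
$state | Format-List

if (-not $state.Compliant) {
    # Local remediation. A value delivered by Group Policy takes precedence over this,
    # so on a domain-joined host fix the GPO rather than relying on the local setting.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                     -AttackSurfaceReductionRules_Actions AuditMode
    Get-AsrRuleState -Id $RuleId | Format-List
}

if (-not $state.CloudProtection) {
    Write-Warning 'Cloud-delivered protection (MAPS) is off; this rule cannot work until it is enabled.'
}
```

The check reads both the policy key and the engine state on purpose: a correct GPO value with a different effective action usually means policy has not refreshed (run gpupdate /force) or a newer local or MDM setting is in play, and either case is worth knowing before reporting the control as passed.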

Impact:

When a rule is triggered, a notification is displayed from the Action Center and an event is written to the Microsoft Defender operational event log. To review audit events at scale, an organization may need to forward them to a SIEM solution.

Implementing this recommendation could impact certain workflows, making it unsuitable for universal enforcement across the organization without first adding exceptions.

Note: Cloud-delivered protection must be enabled to use this rule.

Warning: Before configuring this rule in Block mode, run it in Audit mode long enough to verify that it does not interfere with legitimate workflows, especially Microsoft Outlook. Because the rule errs on the side of caution, it can block legitimate programs that resemble ransomware.
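As an added example (not from the benchmark or Microsoft), the script below does the audit-mode review the Impact section and the warning above call for: it pulls ASR events from the Microsoft-Windows-Windows Defender/Operational log (event 1121 is a rule firing in Block mode, 1122 in Audit mode), keeps only those for this rule's GUID, and summarizes what would have been blocked so the hits can be triaged before switching to Block. The EventData field names it reads ('ID', 'Path', 'Process Name', 'User') are assumed from typical 1121/1122 events and should be confirmed against a real event on your build; the 14-day window is a constructed choice.

```powershell
<#
  Added example (not benchmark or Microsoft code): review audit-mode hits for the
  'Use advanced protection against ransomware' rule before enabling Block mode.
  Event 1121 = ASR rule fired in Block mode, 1122 = ASR rule fired in Audit mode.
#>

$RuleId = 'c1db55ab-c21a-4637-bb3f-a12568109d35'
$Since  = (Get-Date).AddDays(-14)   # constructed review window; widen for low-activity hosts

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = $Since
} -ErrorAction SilentlyContinue      # no events is not an error for this check

$hits = foreach ($e in $events) {
    # Parse the event XML into a name -> value table; field names are assumptions, see lead-in
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    if ($d['ID'] -ieq $RuleId) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Mode    = if ($e.Id -eq 1122) { 'Audit' } else { 'Block' }
            Path    = $d['Path']
            Process = $d['Process Name']
            User    = $d['User']
        }
    }
}

if (-not $hits) {
    Write-Host "No events for rule $RuleId since $Since. Confirm the rule is in Audit mode and cloud-delivered protection is on before concluding it is quiet."
    return
}

# Most-hit files first: these are the candidates to investigate (malware) or exclude (legitimate tooling)
$hits | Group-Object Path | Sort-Object Count -Descending |
    Select-Object Count, @{ Name = 'Path'; Expression = { $_.Name } } |
    Format-Table -AutoSize

# Full detail for the triage record
$hits | Sort-Object Time | Format-Table Time, Mode, User, Process, Path -AutoSize

# Once a hit is confirmed legitimate, it can be excluded from ASR evaluation before moving to Block, e.g.:
#   Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Program Files\Vendor\tool.exe'
# (constructed path; exclusions here apply to ASR rules on this host, so keep the list narrow)
```

Treat a quiet log with suspicion rather than as a pass: an empty result can just as easily mean the rule is off or cloud-delivered protection is disabled, which is why the two checks are worth running together.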

See Also

https://workbench.cisecurity.org/benchmarks/25919

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-16, CSCv7|8.3

Plugin: Windows

Control ID: bee4aba01a4de655da669db2ecf86365b225d3eaf3e4d835e5182c66633dcdc2