Attack surface reduction (ASR) rules are optional features of Microsoft Defender Antivirus. These rules target certain software behaviors, such as:
- Launching executable files and scripts that attempt to download or run files.
- Running obfuscated or otherwise suspicious scripts.
- Performing behaviors that apps don't usually initiate during normal day-to-day work.
Such software behaviors are sometimes seen in legitimate applications. However, these behaviors are often considered risky because they're commonly abused by attackers through malware. Attack surface reduction rules can constrain software-based risky behaviors and help keep your organization safe.
ASR deployment through Active Directory Group Policies (GPO) can be tricky, as it requires knowing the identifier of each rule:
The aim of this project is to greatly improve the user experience by providing a custom administrative template with a standalone setting for each ASR rule:
Just copy the ADMX and ADML files into the local or central ADMX store.
Due to technical limitations of the Group Policy Editor, each policy can only be set to Enabled or Not Configured.
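The two steps described above, installing the template into the ADMX store and then confirming what Defender actually enforces on a client, as an added PowerShell example (not part of this project): the file names `ASR.admx` / `ASR.adml`, the domain `contoso.local` and the language folder `en-US` are placeholder assumptions, and the action-to-name map uses the numeric values Defender reports through `Get-MpPreference` (0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn).

```powershell
# Added example, not code from this project.
# Part 1: copy the ADMX/ADML pair into the central store (falls back to the local store).
# Part 2: on a client, show the rules written by Group Policy and the effective state.
param(
    [string]$Domain    = 'contoso.local',          # placeholder domain
    [string]$SourceDir = (Get-Location).Path,      # folder containing the template files
    [string]$Language  = 'en-US',                  # ADML language subfolder
    [string]$AdmxName  = 'ASR'                     # hypothetical base name: ASR.admx / ASR.adml
)

function Install-AsrTemplate {
    # Central store lives in SYSVOL; use the local PolicyDefinitions folder when it is absent.
    $centralStore = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
    $store = if (Test-Path $centralStore) { $centralStore } else { "$env:SystemRoot\PolicyDefinitions" }

    $langDir = Join-Path $store $Language
    if (-not (Test-Path $langDir)) { New-Item -ItemType Directory -Path $langDir | Out-Null }

    Copy-Item -Path (Join-Path $SourceDir "$AdmxName.admx") -Destination $store   -Force
    Copy-Item -Path (Join-Path $SourceDir "$AdmxName.adml") -Destination $langDir -Force
    Write-Host "Template installed into $store"
}

function Get-AsrPolicyRules {
    # Values written by the Defender ASR Group Policy settings: value name = rule GUID, data = action.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules'
    if (-not (Test-Path $key)) { Write-Host 'No ASR policy values present (GPO not applied yet?)'; return }
    Get-ItemProperty -Path $key |
        Select-Object -Property * -ExcludeProperty PS* |
        ForEach-Object { $_.PSObject.Properties } |
        ForEach-Object { [pscustomobject]@{ RuleId = $_.Name; PolicyValue = $_.Value } }
}

function Get-AsrEffectiveState {
    # Effective configuration as Defender reports it (policy and local settings merged).
    $actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    $pref = Get-MpPreference
    $ids = @($pref.AttackSurfaceReductionRules_Ids)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $action = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
        [pscustomobject]@{
            RuleId = $ids[$i]
            Action = if ($actionNames.ContainsKey($action)) { $actionNames[$action] } else { "Unknown($action)" }
        }
    }
}

# Usage: run part 1 once on an administrative workstation with the template files present,
# then part 2 on a managed client after 'gpupdate /force'.
Install-AsrTemplate
Get-AsrPolicyRules      | Format-Table -AutoSize
Get-AsrEffectiveState   | Format-Table -AutoSize
```

Comparing the two tables is the useful check: a rule that appears in the policy key but not in the effective state (or with a different action) points at a conflicting local setting or a Group Policy that has not refreshed yet, which is exactly the kind of mismatch the per-rule template is meant to make easy to spot.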
The ADMX template is based on the following official documents: