Secure Your Business with Microsoft Defender ASR Techniques


Endpoints are always very vulnerable to attacks, and there are constant efforts by adversaries to find new ways into these nodes. It is crucial to minimise the attack surfaces, watch over events and test the effectiveness of defences regularly. This proactive approach also ensures the readiness against emerging threats in the cyber realm.

Microsoft Defender Attack Surface Reduction (ASR) is a critical first line of defence in the cybersecurity arsenal. Defender ASR helps to minimise the attack surface for Windows systems, such as Windows 11, 10 Pro, Enterprise version 1709, Windows Server 1803, and Server 2019. As for ASR, it has proactive protection against malicious scripts, ransomware and also untrusted processes. Defender ASR provides vital security benefits to an organisation by adding rules that limit many risky behaviours and actions on the devices. As a part of the Microsoft Defender suite, its integration ensures a complete layered defence strategy is essential for countering cyber threats. Essentially, Microsoft Defender ASR is not even a tool. It is an element that reduces the attack surface enough so that the defenders gain the advantage.

We can help you deploy ASR to strengthen your security posture.

What is Microsoft Defender ASR?

ASR is one of the components of Windows Defender Exploit Guard, which is a feature. This suite of security controls audits or blocks both behaviours and artefact attributes. Defender ASR detects and blocks potentially malicious actions before they can occur. It results in a proactive prevention of the system vulnerabilities being exploited.

ASR is a valuable addition to a security team's arsenal.

Our recommendations for security controls include attack surface reduction (ASR) rules such as:

  • Block all the Office applications from generating any child processes.
  • Disable JavaScript or VBScript from running the downloaded executable content.
  • Prevent the misuse of signed drivers for the exploited vulnerable blocks.
  • Disable the executable content from the email client and also the webmail.
  • Disallow the Office applications from injecting code into other processes.
  • Block the execution of any obfuscated scripts.
  • Block the Win32 API calls from the Office macro.
  • Use advanced protection against ransomware.
  • Block the credentials theft from the local Windows security authority subsystem (lsass.exe).
  • Block the process creations initiated through PSExec and WMI commands, and block the untrusted and unsigned processes that run on the USBs.
  • Block executable files from running unless they pass a prevalence, age, or any trusted list specification.
  • Prevent communication applications from creating any child processes on the Block Office.
  • Prevent the Adobe Reader from spawning any child processes.
  • WMI event subscription for the block persistence

The office is a common entry point for attackers into networks, and analysing the ASR rules will help you protect yourself from Office access points. ASR rules play another crucial role in ransomware prevention. For instance, such a rule as blocking all Office applications from creating the child processes should be applied immediately.

Deploying ASR

Although ASR does not directly need a Defender for the Endpoint, it makes the deployment of ASR much easier and auditing may be more straightforward. Otherwise, ASR is present in Windows 11, 10 Pro and Enterprise edition version 1709, Windows Server 1803, and Server 2019 and later versions. ASR policy can be deployed either via:

GPO: Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus (or Microsoft Defender Exploit Guard) > Attack Surface Reduction Rules.

InTune: Endpoint Security >attack surface reduction

That would depend on your organisation and strategy, placing into Audit mode may be the best way to generate events, monitor, tune and add exclusions. It will be a cyclical process until an environment is reached where block (or enabled) is the default. In addition, depending on your organisation, you may have the option to use InTune or Windows Group Policy to deploy ASR.

Microsoft Defender ASR Modes

Microsoft Defender ASR uses three key settings – Block (enabled), Warn, and Audit – each fulfils a different role.

ASR can be enabled in either block, warn or audit modes.

•Block: The First Line of Defense

The most aggressive action taken by the Defender ASR is the ‘Block’ feature. It completely prevents any operations or all processes that may cause harm from running. For illustration, whenever Defender ASR blocks illegal operations or hazardous network connections, it actively prevents these threats on the spot, providing instant protection against known dangers. The blocking action is essential where an immediate response is needed to avert potential security breaches.

•Warn: Balancing Security with User Autonomy

The ‘Warn’ feature warns the users of a potentially risky activity but also provides an option of continuing. This method is beneficial in environments where discretion from the user’s end is significant. It enables the users to choose what is right about the situation, with some warning on the risks involved. The warning mechanism provides a proportion between security severity and operational flexibility as it enables the users to overrule some decisions if they are necessary.

•Audit: Keeping a Watchful Eye

In Defender ASR, the Audit mode records the events and operations that occur. It does not block or warn but logs the activities to be later reviewed and analysed.Audit logs are priceless for post-mortem evaluations as they allow the security teams to understand the nature of attempted operations and find recurring patterns that may indicate an upcoming threat.


Finally, ASR combination with 8-Bit Egg provides a very unique advantage in the cybersecurity realm. In our blog, we have described how ASR rules within 8-Bit Egg can dramatically improve an organisation’s security position. We have provided a guide that enables the defenders to address advanced cyber threats. Combining all these insights with the formidable monitoring abilities of 8-Bit Egg produces a dynamic, proactive defence shield. The merger not only reinforces the security process but also gives cybersecurity experts the knowledge and tools to win in an environment that is always changing. These practices are not just a ploy but are your way to strengthen your digital castles against the many enemies of tomorrow.

Leverage ASR to prevent key vulnerabilities in Windows from being exploited.

By Greg Figuiere

Greg Figuiere is a former Microsoft FastTrack Engineer and has had a diverse IT career, spanning 8 years and counting. His experiences range from IT operations to pre-sales and most recently in a leadership role with 8-Bit Egg. As a Microsoft evangelist, Greg can be found driving the Modern workplace and cloud adoption strategies, finding great joy in empowering customers with the latest features from their subscriptions. 

Leave a Reply

Your email address will not be published. Required fields are marked *