Reducing Windows 10 Attack Surface with Intune

**DISCLOSURE: While I am contracted to Microsoft Corporation, I am not an employee. The articles that I write are not meant to represent the company, nor are they meant to represent me as an employee or spokesman for the company. As has always been the case, all articles on this website represent me and nobody else.

IntuneFor years I have spoken on the positive security implications of reducing your attack surface. For the most part, I have discussed it in the context of removing the graphical user interface (GUI) from servers, but the benefits are true wherever there is extra code. With Microsoft Intune there is a very simple set of rules that help to do reduce it on the managed Windows 10 systems in your environment.

We are going to create a number of policies here aimed at making it harder to attack and compromise your desktop environment.

Navigate to the Microsoft Endpoint Manager admin center (https://endpoint.microsoft.com). In the navigation bar click Endpoint security. In the Endpoint security | overview navigation bar, under Manage click Attack surface reduction.

Application Guard

In the Endpoint Security | Attack surface reduction screen click + Create Policy. In the Create a profile sidebar that appears, select Windows 10 and later from the Platform dropdown menu, and then in the Profile dropdown menu (which will appear) select App and browser isolation. This will initiate the Microsoft Defender Application Guard, which is designed to help prevent old (and new) attacks to help keep your computer safe. It enables a unique hardware isolation approach with the goal to destroy the playbook that attackers use by making current attack methods obsolete. Of course, current methods evolve… so does Application Guard.  Click Create.

In the Basic tab on the Create profile screen, give your profile a name (and description if you’d like) and then click next.

In the Configuration settings tab, we are going to configure several options:

  • Turn on Application Guard: Enabled for Edge AND isolated Windows environments.
    • Clipboard behaviour: Allow copy and paste between PC and browser. (For more secure environments, and especially for BYOD (Bring Your Own Device) and COPE (Choose Your Own Device) environments, you might consider a more restrictive setting)
    • Allow camera and microphone access (Microsoft Edge only): Yes
  • Block external content from non-enterprise approved sites (Microsoft Edge only): Not configured
  • Collect logs for events that occur within an Application Guard session: Yes (Because what we really want and need in our life is more logs!)
  • Allow user-generated browser data to be saved (Microsoft Edge only): Yes
  • Enable hardware graphics acceleration (Microsoft Edge only): Yes
  • Application Guard allow use of Root Certificate Authorities from the user’s device: Not configured.
  • Application Guard allow print to local printers: Yes
  • Application Guard allow print to network printers: Yes
  • Application Guard allow print to PDF:  Yes
  • Application Guard allow print to XPS:  Not configured
  • Windows network isolation policy:  Not configured**

** If you did want to configure the Windows network isolation policy, you could configure what IP ranges to allow, what network domains to allow, proxy servers (internal and external), as well as neutral resources.

Click Next.

On the Scope Tags tab, configure any tags you want to apply and click Next.

On the Assignments tab, you can either include (or exclude) specific groups, or you can add all users or all devices. Click Next.

image

On the Review + create tab, verify your selections and then click Create.

Device Control

In the Endpoint Security | Attack surface reduction screen click + Create Policy. In the Create a profile sidebar that appears, select Windows 10 and later from the Platform dropdown menu, and then in the Profile dropdown menu (which will appear) select Device control. This will let Microsoft Defender for Endpoint to provide a layered approach to secure removable media, preventing threats in unauthorized peripherals from compromising your devices. Click Create.

In the Basic tab on the Create profile screen, give your profile a name (and description if you’d like) and then click next.

In the Configuration settings tab, we are going to configure several options:

  • Allow hardware device installation by device identifiers: Not configured.
  • Block hardware device installation by device identifiers: Not configured.
  • Allow hardware device installation by setup class: Not configured.
  • Block hardware device installation by setup class: Not configured.
  • Allow hardware device installation by device instance identifiers: Not configured.
  • Block hardware device installation by device instance identifiers: Not configured.

These settings allow you to create allow lists or deny lists based on Plug and Play hardware IDs, or specific device allow lists (and deny lists). It allows us to secure the environment based on specific hardware allowed to connect… even if you do have your end-users configured as local administrators.

  • Scan removable drives during full scan: Yes
  • Block direct memory access: Not configured
  • Enumeration of external devices incompatible with Kernal DMA Protection: Not configured
  • Block removable storage: Not configured
  • Block write access to removable storage: Yes
  • Block Bluetooth connections: No
  • Block Bluetooth discoverability: Yes
  • Block Bluetooth pre-pairing: Yes
  • Block Bluetooth advertising: Yes
  • Block Bluetooth proximal connections:  Yes
  • Bluetooth allowed services: 0 items

All of this allows us to control what devices to allow to connect to our computers. We can, for example, allow external USB storage to connect… as read only. We can allow specific Bluetooth devices, as we see fit.

Click Next.

On the Scope Tags tab, configure any tags you want to apply and click Next.

On the Assignments tab, you can either include (or exclude) specific groups, or you can add all users or all devices. Click Next.

image

On the Review + create tab, verify your selections and then click Create.

Attack Surface Reduction

In the Endpoint Security | Attack surface reduction screen click + Create Policy. In the Create a profile sidebar that appears, select Windows 10 and later from the Platform dropdown menu, and then in the Profile dropdown menu (which will appear) select Attack surface reduction rules. This will target behaviours that malware and malicious apps use to infect computers, such as suspicious executable files and scripts in Office apps or web mail that try to infect your device. Click Create.

In the Basic tab on the Create profile screen, give your profile a name (and description if you’d like) and then click next.

In the Configuration settings tab, we are going to configure several options:

  • Block persistence through WMI event subscription: Not configured
  • Block credential stealing from the Windows local security authority subsystem (lsass.exe): Audit mode
  • Block Adobe Reader from creating child processes: Enable
  • Block Office applications from injecting code into other processes: Block
  • Block Office applications from creating executable content: Block
  • Block all Office applications from creating child processes: Warn
  • Block Win32 API calls from Office macro: Block
  • Block Office communication apps from creating child processes: Enable
  • Block execution of potentially obfuscated scripts (js/vbs/ps): Block
  • Block JavaScript or VBScript from launching downloaded executable content: Block
  • Block process creations originating from PSExec and WMI commands: Warn
  • Block untrusted and unsigned processes that run from USB: Block
  • Block executable files from running unless they meet a prevalence, age, or trusted list criteria: Not configured
  • Block executable content download from email and webmail clients: Block
  • Use advanced protection against ransomware: Enabled
  • Enable folder protection: Audit disk modification
  • List of additional folders that need to be protected (0 items)
  • List of apps that have access to protected folders (0 items)
  • Exclude files and paths from attack surface reduction rules (0 items)

As you see, we have a lot of ways we can protect our computers from being compromised, and I have been pretty lenient in some ways in my selections.

Click Next.

On the Scope Tags tab, configure any tags you want to apply and click Next.

On the Assignments tab, you can either include (or exclude) specific groups, or you can add all users or all devices. Click Next.

image

On the Review + create tab, verify your selections and then click Create.

Other Options

In addition to these, we also have the ability to create profiles for Exploit Protection, Web protection (for Microsoft Edge Legacy), and Application Control. All of these will give us the ability to properly protect our systems from exploits.

There are myriad ways the hackers are able to exploit our systems. Endpoint Security from Microsoft Intune offers us many different ways to thwart these attackers, keeping our computers – and more importantly, our data – secure. Attack Surface Reduction is only one of these ways; over the course of the next few articles, I will cover several other methods that will help you keep your systems safe.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s