An organization's attack surface has grown enormously in recent years: cloud computing, remote work, SaaS, mobile devices, USB, macros, APIs... Every new service, port, or application is a potential entry point for an attacker. That's why Microsoft has been incorporating into Windows 10 and Windows 11 a set of technologies aimed at limiting what software can do, even when it appears legitimate. To reduce these risks, see also our tips for improving security in Windows 11.
Within that "defensive arsenal", one of the pillars is Attack Surface Reduction (ASR) rules. Attack surface reduction rules are integrated into Microsoft Defender Antivirus and Defender for Endpoint. They are not simply a traditional antivirus, but a policy system that blocks dangerous behavior before malware even has a chance to execute its payload. A thorough understanding of what they are, how they work, and how to deploy them without breaking the environment is crucial for any administrator managing Windows in a company, large or small. It is also advisable to complement them with other essential security software as part of the defensive strategy.
What is the attack surface and why does it need to be reduced?
The attack surface is the set of all points through which an attacker could interact with our systems to steal data, execute code, or move laterally. It includes physical, digital, and human elements.
On the physical plane: servers, workstations, network devices, laptops, terminals, and any hardware with access to the corporate network or sensitive data all come into play. An unencrypted, forgotten computer or an unmonitored USB port can be a more effective entry vector than a remote exploit.
On the digital side, we're talking about operating systems, business applications, web services, databases, endpoints, containers, cloud services, and APIs. Any unpatched vulnerability, misconfiguration, or exposed interface is part of that attack surface and can be exploited by an attacker. That's why it's crucial to keep security updates current.
The human factor completes the picture: user accounts, permissions, configuration errors, and, of course, social engineering. Phishing, pretexting, and baiting campaigns exploit lapses in security awareness, not technical flaws. That's why training and a strong security culture are just as important as the technologies themselves, and should be complemented with identity solutions such as Windows Hello for Business.
Reducing the attack surface means trimming and hardening all those points of exposure. Uninstalling unused software, closing ports, limiting permissions, segmenting networks, reviewing APIs, securing the cloud, and implementing technical controls to prevent abuse of legitimate features are all part of this. This is precisely where ASR comes in, and it's also advisable to apply local security policies (secpol.msc).
What is ASR (Attack Surface Reduction) in Microsoft Defender?

ASR (Attack Surface Reduction) is a set of Microsoft Defender rules that restrict software behaviors considered high-risk, even when they originate from "trusted" applications like Office, browsers, or email clients. The focus is not so much on malware signatures, but on preventing the abuse of legitimate functions to carry out attacks.
ASR rules target typical malware behavior patterns, such as:
- Launching executables or scripts that download or run other files, often from email, web, or USB.
- Execution of obfuscated or suspicious scripts (PowerShell, JavaScript, VBScript), common in fileless attacks.
- Actions that apps do not perform in normal use, such as Office creating child processes, stealing credentials, or touching sensitive areas of the system.
It is important to understand that some of these behaviors also appear in legitimate software. This is especially true for poorly designed or outdated line-of-business applications. That's why ASR offers several modes (block, audit, warn) and supports specific exclusions by file, folder, or even rule.
ASR is part of Microsoft Defender Antivirus (the engine integrated into Windows 10/11). It is managed in an advanced way through Defender for Endpoint and the Microsoft 365 ecosystem (Intune, Configuration Manager, MDM, GPO). It doesn't necessarily require an E5 license to function, but one is needed if you want the full layer of advanced management, reporting, and threat hunting.
The role of ASR in a Zero Trust model
The Zero Trust approach starts from a clear premise: "assume you are already compromised". This means limiting the impact of any incident by implementing layers of control at the network, identity, and endpoint levels. ASR rules fit into the endpoint layer as a preventive control engine.
Instead of waiting for a malicious binary to execute and be detected, ASR blocks in advance the usual vectors used by attackers: Office macros launching PowerShell, unknown executables downloaded from email, obfuscated scripts, vulnerable drivers, processes launched from USB, etc.
In this way, ASR applies the principle of least privilege to what applications can do, not only to what users can do. Word will still be Word, but it will no longer be able to create arbitrary child processes, call certain Win32 APIs from macros, or run downloaded content without control.
Combined with network segmentation, MFA, application control, web protection, and patching best practices, ASR helps to greatly narrow the effective attack surface on Windows workstations and servers, which remain the weak link in many incidents.
Types of attack surfaces and their relationship to ASR
Attack surfaces are usually divided into three main categories: digital, physical, and social engineering. Each one has its own countermeasures, but they all overlap.
Digital attack surface: this includes websites, servers, databases, endpoints, SaaS, cloud services, APIs, and more. Software vulnerabilities, insecure configurations, and exposed services are all part of it. Organizations typically rely on External Attack Surface Management (EASM) tools to continuously monitor these assets.
Physical attack surface: network hardware, on-premises servers, user equipment, storage devices, etc. This is reduced with physical controls (data center access, cameras, locks, rack shielding) and with clear policies on removable devices.
Social engineering surface: phishing, vishing, and smishing attacks exploit human weaknesses. Employee training, phishing simulations, and clear policies on credential and access management are key here.
ASR primarily addresses the digital surface at the endpoint, but with effects on the physical surface (for example, blocking executables from USB) and on the human vector (making it harder for a click on a malicious email to end in malware execution).
Most relevant ASR rules and what they block
Microsoft maintains a fairly extensive catalog of ASR rules, expanded with each version of Windows 10/11. Some of the most critical ones focus on the vectors that are most exploited today:
Rules focused on Office and productivity applications:
- Block Office applications from creating child processes (GUID D4F940AB-401B-4EFC-AADC-AD5F3C50688A): prevents Word, Excel, etc. from launching processes like cmd.exe or powershell.exe, which is very common in macro campaigns.
- Block Office communication applications from creating child processes, further hardening Outlook and similar programs.
- Block Adobe Reader from creating child processes, to close another common avenue of exploitation.
Specific rules for macros:
- Block Win32 API calls from Office macros (GUID 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B): stops one of the most common macro malware patterns, which needs to invoke kernel functions or other libraries to complete the attack.
- Block executable content from email or webmail: nips in the bud many attacks that start with a malicious attachment or link.
Rules against malicious scripts:
- Block execution of obfuscated scripts, both in PowerShell and in languages such as JavaScript or VBScript.
- Block JavaScript/VBScript from launching downloaded content, stopping infection chains that go unnoticed by the user.
Rules for lateral movement, drivers, and USB:
- Block process creation from PsExec and WMI commands, two classic lateral movement techniques in Windows networks.
- Block credential stealing from LSASS, mitigating tools like Mimikatz.
- Block abuse of exploited vulnerable signed drivers, preventing attackers from relying on legitimate but faulty drivers.
- Block untrusted and unsigned processes that run from USB, very useful in environments where users frequently use removable drives.
- Block persistence through WMI event subscriptions, a recurring trick to stay in the system without attracting too much attention.
It's important to keep in mind that not all rules are equally effective on their own. For example, the rule to "block Office from creating child processes" was limited against processes launched via WMI, and Microsoft had to incorporate additional specific rules to close that gap. Others, such as the one that blocks Win32 APIs in macros, are much more robust and difficult to circumvent today.
ASR Rules Operating Modes

Each ASR rule can be in one of four states that determine its behavior:
- Not configured / Disabled: the rule does not act and does not generate data.
- Block: the rule is active, prevents the action, and records the event.
- Audit: doesn't block, but records what would have been blocked; ideal for testing.
- Warn: blocks, but allows the user to bypass the block for 24 hours, after which the rule is reapplied.
Audit mode is the cornerstone of a controlled implementation. Running all rules first in this mode allows you to see which business applications will be affected, how many events are generated, and where exclusions need to be introduced to avoid breaking critical processes.
Warn mode is intended as an intermediate step for organizations that want to give end users leeway in exceptional cases. However, it's not supported for all rules or in all scenarios: for example, there are three rules that don't support warn mode if configured from Intune (although they do via GPO), and in older versions of Windows the "Warn" setting translates to "Block".
When an ASR rule is triggered, the user sees a dialog box indicating that the content has been blocked and, if the mode allows it, can temporarily unblock it. This experience is customizable and is accompanied by events in the Windows event log and, if using Defender for Endpoint, alerts in the portal.
Prerequisites and compatible operating systems
To take full advantage of ASR and the rest of the attack surface reduction capabilities, there are a number of requirements that should be clear:
Microsoft Defender Antivirus requirements:
- Defender must be your primary antivirus; it cannot be in passive or disabled mode.
- Real-time protection must be active.
- Cloud-delivered protection must be enabled, with internet connectivity, since some rules depend on it.
- Minimum versions recommended for warn mode and other advanced functions: platform 4.18.2008.9 and engine 1.1.17400.5 or higher.
At the operating system level, ASR rules are supported in various editions of Windows 10 and Windows 11, in both professional and enterprise environments. A Windows E5 license is not strictly required for the rules to function, but it is required to have:
Advanced management and visibility features:
- Centralized monitoring and detailed analysis from Defender for Endpoint.
- Reports and advanced configuration from the Microsoft Defender XDR portal.
- Deep integration with advanced search and hunting scenarios.
With Professional or E3 licenses, ASR rules can still be used, but visibility is limited to local logs (Event Viewer, Defender logs) or solutions set up by the customer (e.g., forwarding events to their own SIEM).
How to evaluate ASR rules before deploying them
Activating all ASR rules in "Block" mode at once is a perfect recipe for breaking applications and infuriating users. Microsoft recommends and documents a phased approach based on prior assessment.
The ideal starting point is Microsoft Defender Vulnerability Management, where each ASR rule appears as a security recommendation. From the recommendation details panel, you can see the estimated impact on users and devices: the percentage of endpoints where the rule could be enabled in block mode without significantly compromising productivity.
The next step is to run the rules in audit mode. In this mode, events are logged for everything that would have been blocked, but without interfering with operations. This allows you to:
- Identify line-of-business applications that behave "strangely" but are necessary.
- Measure how many events each rule generates and decide whether it's manageable or whether there's too much noise.
- Design and test the exclusion strategy by file, folder, or process.
Many LOB apps are written with little attention to security and can use practices that closely resemble malware: obfuscated scripts, auxiliary executables, unusual drivers, etc. Audit mode allows these cases to be discovered without disrupting key processes.
Exclusions and combination of directives in ASR
Exclusions are essential to prevent ASR from becoming a headache. Most rules allow you to define paths or files that will not be evaluated, even if the behavior would normally be blocked.
Adding exclusions requires great care:
- Reduce them to the bare minimum, and always be as specific as possible (a specific executable, not a whole large folder).
- Clearly document the reason for each exclusion and review them periodically.
- Avoid excluding typical malware locations such as user profiles, temp folders, downloads, or email paths.
In environments with multiple policies applied (MDM, Intune, GPO, etc.) there is merging logic. For managed devices, a "superset" of rules can be built from several profiles: non-conflicting settings are added together, while those that clash with each other are discarded from the combined policy.
If there are conflicting settings between MDM/Intune and GPO, Group Policy usually takes precedence. It is important to review the hierarchy and clearly decide which management system should "own" the Defender configuration in the organization.
ASR configuration and deployment methods
Microsoft offers several methods for configuring and distributing ASR rules, from the command line to advanced cloud portals, and it's common practice in business to combine more than one.
Recommended enterprise management (Intune / Configuration Manager):
- Intune – Endpoint Security policy: the preferred method in cloud environments. It allows you to create specific "Attack Surface Reduction Rules" profiles, set the status of each rule, add exclusions, and distribute policies to groups of users or devices.
- Intune – Device Configuration profiles (Endpoint Protection): an alternative for managing ASR within a broader protection policy.
- Intune – Custom OMA-URI profiles: for advanced scenarios where you need to use the Defender CSP directly, specifying rule GUIDs and status values (0 disable, 1 block, 2 audit, 6 warn).
- Microsoft Configuration Manager (SCCM): allows you to create Windows Defender Exploit Guard – Attack Surface Reduction policies, choose rules to block or audit, and deploy them to collections of devices.
Other configuration options:
- Generic MDM using the CSP: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules for the rules and AttackSurfaceReductionOnlyExclusions for exclusions. The rule GUIDs are encoded along with the status value.
- Group Policy (GPO): through Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction. It allows you to configure the status of each rule and a specific policy for exclusions.
- PowerShell: with cmdlets like Set-MpPreference and Add-MpPreference you can enable, audit, warn, or disable rules, as well as manage exclusions. This is useful for scripts, one-off automation, or small environments.
In small businesses without Intune, GPOs and PowerShell remain the primary approach. Although there is no "magic button" in the Defender for Endpoint portal to push ASR rules, you can use central GPOs in Active Directory or logon scripts with PowerShell to maintain a consistent configuration.
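As an added example (not code from the article, from Microsoft, or from any tool the article names), the following PowerShell script walks through the phased approach described in the sections on operating modes, evaluation, exclusions and PowerShell configuration: it puts the two rules named in this article into audit mode, adds one narrow exclusion, moves a validated rule to block, and decodes the numeric action codes that Get-MpPreference returns. The LOB executable path is hypothetical, and the `GUID=code|GUID=code` format assumed by the CSP value builder should be confirmed against the Defender CSP documentation for your OS build.

```powershell
# Added example, not from the original article. Requires an elevated session on
# a Windows device where Microsoft Defender Antivirus is the active AV.

# The two rules named in this article (GUIDs are the documented rule IDs).
$Rules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block Office applications from creating child processes'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
}

# Numeric action codes used by the Defender CSP and returned by Get-MpPreference.
$ActionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrState {
    # Reads the configured rule list back and decodes each action code,
    # so the result of a rollout step can be verified before moving on.
    $pref = Get-MpPreference
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = [string]$pref.AttackSurfaceReductionRules_Ids[$i]
        [pscustomobject]@{
            RuleId = $id.ToUpper()
            Name   = $Rules[$id]      # $null for rules not in our table
            Mode   = $ActionName[[int]$pref.AttackSurfaceReductionRules_Actions[$i]]
        }
    }
}

function Set-AsrRuleMode {
    # Applies one action to one rule. Add-MpPreference is used rather than
    # Set-MpPreference so that rules already in the list are kept
    # (assumption: Add-MpPreference updates the action of an existing ID).
    param(
        [Parameter(Mandatory)][string]$RuleId,
        [Parameter(Mandatory)][ValidateSet('Disabled', 'Enabled', 'AuditMode', 'Warn')][string]$Action
    )
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                     -AttackSurfaceReductionRules_Actions $Action
}

function ConvertTo-AsrCspValue {
    # Builds the value string for the OMA-URI
    # ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules
    # as GUID=code|GUID=code (format assumed; confirm against the CSP docs).
    param([Parameter(Mandatory)][hashtable]$RuleCodes)
    ($RuleCodes.GetEnumerator() | Sort-Object Key |
        ForEach-Object { '{0}={1}' -f $_.Key, $_.Value }) -join '|'
}

# Phase 1: audit only. Nothing is blocked; 1122 events start accumulating.
foreach ($id in $Rules.Keys) { Set-AsrRuleMode -RuleId $id -Action AuditMode }

# Phase 2: after reviewing the audit events, exclude one specific executable
# (hypothetical LOB path), never a whole folder such as Downloads or Temp.
Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Program Files\ContosoLOB\lobhelper.exe'

# Phase 3: move the validated rule to block; leave the other in audit for now.
Set-AsrRuleMode -RuleId 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' -Action Enabled

# Verify what Defender actually has configured.
Get-AsrState | Format-Table -AutoSize

# The same target state expressed as an Intune custom OMA-URI value.
ConvertTo-AsrCspValue -RuleCodes @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 1   # block
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 2   # audit
}
```

Running Get-AsrState after each phase is the cheap check that a policy from another source (a GPO or Intune profile with precedence) has not silently overridden the local change, which is exactly the merging and precedence problem described in the exclusions section.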
Other attack surface reduction capabilities in Defender
ASR is not alone: it is part of a broader set of attack surface reduction controls integrated into Microsoft Defender for Endpoint.
Main complementary capabilities:
- Application Control (WDAC): forces applications to earn trust before they can run. It's the next level of hardening after ASR, as it defines which binaries can run, not just what they can do.
- Controlled folder access: protects key directories (documents, desktop, etc.) against unauthorized modifications, especially useful against ransomware.
- Device control: manages the use of USB and other removable media to prevent data leakage and malware from external drives.
- Exploit Protection: applies system- and process-level mitigations against known exploitation techniques, independent of the primary antivirus.
- Hardware-based isolation: protects system integrity through Secure Boot, VBS, HVCI and browser containers (e.g., Edge isolation).
- Network protection and web protection: extend controls to outbound traffic, malicious domains, and website categories, integrating with Defender SmartScreen and web policies.
Implementing these capabilities together allows for a drastic reduction in the attack surface, but always with the same approach: start in audit mode, adjust, introduce well-thought-out exclusions, and only then move to block.
ASR event monitoring and advanced search
Monitoring what ASR rules are doing is just as important as setting them up. The associated events are recorded at various levels.
On the endpoint itself, the key events are located in:
- Microsoft-Windows-Windows Defender/Operational, with IDs such as 1121 (rule triggered in block mode), 1122 (rule triggered in audit mode) and 5007 (configuration changes).
- Other specific logs for network protection, controlled folder access, exploit protection, etc., each with its own set of relevant IDs.
To facilitate review, Microsoft provides custom views in XML format. These filters show only events relevant to ASR, network protection, controlled folder access, or security mitigations. They can be imported into Event Viewer, or the XML query can be copied directly.
In environments with Defender for Endpoint, Advanced Hunting is a great ally, with queries on tables like DeviceEvents. For example, all ASR rule triggers can be located with a query like:
DeviceEvents | where ActionType startswith "Asr"
Microsoft's version of this search is optimized to reduce noise by showing only unique processes per hour. If the same event occurs on multiple devices between 14:15 and 14:45, only one entry is displayed, with the timestamp of the first instance, making analysis easier without being buried under thousands of repeated rows.
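For environments without Defender for Endpoint, where (as noted above) visibility is limited to the local event log, the following added example (not code from the article or from Microsoft) reads the 1121/1122 events from the Defender operational log and collapses repeats to one row per rule, process and hour, mirroring the de-duplication described for the Advanced Hunting query. The "ID:" and "Process Name:" labels parsed from the event message are assumptions about the message layout; check them against a real event on your own endpoint. The sample events at the end are constructed so the summary logic can be exercised without a Windows device.

```powershell
# Added example, not from the original article.
$LogName  = 'Microsoft-Windows-Windows Defender/Operational'
$ModeById = @{ 1121 = 'Block'; 1122 = 'Audit' }   # event IDs named in the article

function Read-AsrEvents {
    # Pulls raw ASR events from the local Defender log (Windows only) and
    # keeps just the fields the summary needs.
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 1121, 1122 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{ TimeCreated = $_.TimeCreated; Id = $_.Id; Message = $_.Message }
        }
}

function ConvertTo-AsrSummary {
    # Takes objects with TimeCreated/Id/Message and returns one row per
    # (hour, rule GUID, process, mode) with the first timestamp and a hit count.
    param([Parameter(Mandatory)][object[]]$Events)
    $Events | ForEach-Object {
        # Assumed message layout: the rule GUID follows "ID:" and the
        # offending binary follows "Process Name:"; fall back to UNKNOWN.
        $rule = if ($_.Message -match 'ID:\s*([0-9A-Fa-f-]{36})') { $Matches[1].ToUpper() } else { 'UNKNOWN' }
        $proc = if ($_.Message -match 'Process Name:\s*([^\r\n]+)') { $Matches[1].Trim() } else { 'UNKNOWN' }
        [pscustomobject]@{
            Hour    = $_.TimeCreated.ToString('yyyy-MM-dd HH:00')
            Rule    = $rule
            Process = $proc
            Mode    = $ModeById[[int]$_.Id]
            Time    = $_.TimeCreated
        }
    } | Group-Object Hour, Rule, Process, Mode | ForEach-Object {
        $first = $_.Group | Sort-Object Time | Select-Object -First 1
        [pscustomobject]@{
            FirstSeen = $first.Time
            Mode      = $first.Mode
            Rule      = $first.Rule
            Process   = $first.Process
            Hits      = $_.Count
        }
    } | Sort-Object FirstSeen
}

# Constructed sample events (not real log data): three audit hits for the
# Office child-process rule within one hour, one block hit for the macro rule.
$OfficeRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
$MacroRule  = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'
$Word       = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
$Sample = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2024-05-01 14:15:00'; Id = 1122
                       Message = "Audited operation.`r`n ID: $OfficeRule`r`n Process Name: $Word`r`n" }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-05-01 14:32:00'; Id = 1122
                       Message = "Audited operation.`r`n ID: $OfficeRule`r`n Process Name: $Word`r`n" }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-05-01 14:45:00'; Id = 1122
                       Message = "Audited operation.`r`n ID: $OfficeRule`r`n Process Name: $Word`r`n" }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-05-01 15:05:00'; Id = 1121
                       Message = "Blocked operation.`r`n ID: $MacroRule`r`n Process Name: $Word`r`n" }
)

# Two rows: WINWORD/Office rule (Audit, Hits 3, FirstSeen 14:15) and
# WINWORD/macro rule (Block, Hits 1, FirstSeen 15:05).
ConvertTo-AsrSummary -Events $Sample | Format-Table -AutoSize

# On a real endpoint, replace the sample with the live log:
# ConvertTo-AsrSummary -Events (Read-AsrEvents) | Format-Table -AutoSize
```

The hit count per hour is what turns an audit-phase log into a decision: a rule that fires hundreds of times for one LOB executable points to a single, narrow exclusion, while a rule that fires once for a browser download is the behaviour the rule exists to stop.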
Good practices and challenges in reducing the attack surface
Reducing the attack surface is a marathon, not a sprint, and it clashes head-on with some ingrained business practices. There are obvious challenges and best practices that help bring it to fruition.
Main challenges:
- Complex dependencies: legacy applications and systems that rely on outdated or insecure components, difficult to touch without breaking something.
- Legacy systems integration: systems that do not support new security measures or require ill-advised configurations.
- Speed of technological change: new platforms and services bring new vectors, forcing a constant review of the strategy.
- Resource limitations: lack of staff, tools or budget to cover all fronts.
- Impact on business processes: more security often means more friction, and you have to find the right balance.
Cross-cutting good practices:
- Rigorous asset management, with updated inventories of hardware, software and data, labeled by criticality and owner.
- Network security based on segmentation and visibility, with clear rules on which systems may talk to which, and traffic monitoring.
- System hardening: uninstall unnecessary software, disable default features and accounts, apply patches promptly, regularly review security settings, and harden the system's telemetry.
- Strict access control, following the principle of least privilege, with MFA, periodic reviews of permissions and prompt revocation when someone changes role or leaves.
- Configuration management supported by tools that detect unauthorized changes, alert and, if possible, automatically revert them.
In cloud environments, special attention must also be paid to storage configurations, identities, APIs, and encryption, because a permissions error or a misconfigured bucket can expose data to the internet without anyone noticing until it's too late.
In day-to-day operations, ASR rules, combined with the rest of Defender's capabilities, help to drastically reduce the chances of a successful attack, even if a user clicks where they shouldn't or a system isn't fully patched. Properly configured and deployed in block mode after a thorough audit and tuning phase, they become a highly effective layer that is relatively transparent to the end user.
Although this whole network of rules, GUIDs, modes, and tools may seem esoteric at first, with a structured strategy (assess, audit, meticulously resolve the issues found, and only then block) it's perfectly manageable even for small teams. And the benefit is clear: less surface area to monitor, fewer points to protect, and less room for an isolated failure to escalate into a serious breach.