Windows 10: Windows Defender Device Guard: Attack Surface Reduction

SE_GB · Feb 19, 2020

Dear community,

I am experiencing a relatively strange behavior using Attack Surface Reduction from the Defender Device Guard.

As recommended in the baseline security 1809, I did activate the recommended ASR rules; one of them being "Block untrusted and unsigned processes that run from USB" - elaboratedhere.

I did create an unsigned application using Visual studio and C#. Runs fine on the build machine.

Starting it from a USB drive, Defender Application Guard blocks the application Code 1121, ID b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4. Intended and expected behavior.

Copying the previously started and blocked application to the local disk and trying to start it from there, it gets blocked again. Not so expected behavior.

Renaming this executable on the local disk to "xyz_.exe" it is not blocked. Renaming it to its once blocked at USB name, it gets blocked again.

Does anybody have an idea, if the names of the blocked application are cached in some way or why this behavior occurs?

Kind regards

SE_GB

:)

Brink · Feb 19, 2020

Windows Defender Application Guard extensions for Chrome and Firefox

The hardware-based isolation technology on Windows 10 that allows Microsoft Edge to isolate browser-based attacks is now available as a browser extension for Google Chrome and Mozilla Firefox.

We introduced the container technology in 2017. Since then, we have been evolving the technology and engaging with customers to understand how hardware-based isolation can best help solve their security concerns. We know that many of our customers depend on multi-browser environments to allow enterprise apps to meet various compatibility requirements and enable productivity. And while modern browsers are continuously working to mitigate vulnerabilities, there are still exposures across these complex engines that can lead to irreversible and costly damages.

To provide customers with a comprehensive solution to isolate potential browser-based attacks, we have designed and developed Windows Defender Application Guard extensions, now generally available, to allow customers to integrate hardware-based isolation with Google Chrome and Mozilla Firefox.

How it works

The extensions for Google Chrome and Mozilla Firefox automatically redirect untrusted navigations to Windows Defender Application Guard for Microsoft Edge. The extension relies on a native application that we’ve built to support the communication between the browser and the device’s Application Guard settings.

When users navigate to a site, the extension checks the URL against a list of enterprise sites defined by enterprise administrators. If the site is determined to be untrusted, the user is redirected to an isolated Microsoft Edge session. In the isolated Microsoft Edge session, the user can freely navigate to any site that has not been explicitly defined as enterprise-trusted by their organization without any risk to the rest of system. With our upcoming dynamic switching capability, if the user tries to go to an enterprise site while in an isolated Microsoft Edge session, the user is taken back to the default browser.

To configure the Application Guard extension under managed mode, enterprise administrators can follow these recommended steps:

Ensure devices meet requirements.

Windows Defender Application Guard.
[*]Define the network isolation settings to ensure a set of enterprise sites is in place.
[*]Install the new Windows Defender Application Guard companion application from the Microsoft Store.
[*]Install the extension for Google Chrome or Mozilla Firefox browsers provided by Microsoft.
[*]Restart the device.

Intuitive user experience

We designed the user interface to be transparent to users about Windows Defender Application Guard being installed on their devices and what it does. We want to ensure that users are fully aware that their untrusted navigations will be isolated and why.

When users initially open Google Chrome or Mozilla Firefox after the extension is deployed and configured properly, they will see a Windows Defender Application Guard landing page.

If there are any problems with the configuration, users will get instructions for resolving any configuration errors.

Users can initiate an Application Guard session without entering a URL or clicking on a link by clicking the extension icon on the menu bar of the browser.

Commitment to keep enterprise users and data safe

Hardware-based isolation is one of the innovations that enhance platform security on Windows 10. It is a critical component of the attack surface reduction capabilities in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) and the broader unified security in Microsoft Threat Protection. With the new Application Guard extension for Google Chrome and Mozilla Firefox, customers can extend the security benefits of isolation in their environments and further reduce attack surface. Customers can confidently navigate the expansive internet with protection for enterprise and personal data.

The Windows Defender Application Guard extensions for Google Chrome and Mozilla Firefox are now available for Windows 10 Professional, Enterprise, and Education SKUs, version 1803 and later with latest updates.

Rona Song
Windows platform security team

Click to expand...

Source: https://www.microsoft.com/security/b...sed-isolation/

Brink · Feb 19, 2020

Windows Defender Application Guard extensions for Chrome and Firefox

The hardware-based isolation technology on Windows 10 that allows Microsoft Edge to isolate browser-based attacks is now available as a browser extension for Google Chrome and Mozilla Firefox.

We introduced the container technology in 2017. Since then, we have been evolving the technology and engaging with customers to understand how hardware-based isolation can best help solve their security concerns. We know that many of our customers depend on multi-browser environments to allow enterprise apps to meet various compatibility requirements and enable productivity. And while modern browsers are continuously working to mitigate vulnerabilities, there are still exposures across these complex engines that can lead to irreversible and costly damages.

To provide customers with a comprehensive solution to isolate potential browser-based attacks, we have designed and developed Windows Defender Application Guard extensions, now generally available, to allow customers to integrate hardware-based isolation with Google Chrome and Mozilla Firefox.

How it works

The extensions for Google Chrome and Mozilla Firefox automatically redirect untrusted navigations to Windows Defender Application Guard for Microsoft Edge. The extension relies on a native application that we’ve built to support the communication between the browser and the device’s Application Guard settings.

When users navigate to a site, the extension checks the URL against a list of enterprise sites defined by enterprise administrators. If the site is determined to be untrusted, the user is redirected to an isolated Microsoft Edge session. In the isolated Microsoft Edge session, the user can freely navigate to any site that has not been explicitly defined as enterprise-trusted by their organization without any risk to the rest of system. With our upcoming dynamic switching capability, if the user tries to go to an enterprise site while in an isolated Microsoft Edge session, the user is taken back to the default browser.

To configure the Application Guard extension under managed mode, enterprise administrators can follow these recommended steps:

Ensure devices meet requirements.

Windows Defender Application Guard.
[*]Define the network isolation settings to ensure a set of enterprise sites is in place.
[*]Install the new Windows Defender Application Guard companion application from the Microsoft Store.
[*]Install the extension for Google Chrome or Mozilla Firefox browsers provided by Microsoft.
[*]Restart the device.

Intuitive user experience

We designed the user interface to be transparent to users about Windows Defender Application Guard being installed on their devices and what it does. We want to ensure that users are fully aware that their untrusted navigations will be isolated and why.

When users initially open Google Chrome or Mozilla Firefox after the extension is deployed and configured properly, they will see a Windows Defender Application Guard landing page.

If there are any problems with the configuration, users will get instructions for resolving any configuration errors.

Users can initiate an Application Guard session without entering a URL or clicking on a link by clicking the extension icon on the menu bar of the browser.

Commitment to keep enterprise users and data safe

Hardware-based isolation is one of the innovations that enhance platform security on Windows 10. It is a critical component of the attack surface reduction capabilities in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) and the broader unified security in Microsoft Threat Protection. With the new Application Guard extension for Google Chrome and Mozilla Firefox, customers can extend the security benefits of isolation in their environments and further reduce attack surface. Customers can confidently navigate the expansive internet with protection for enterprise and personal data.

The Windows Defender Application Guard extensions for Google Chrome and Mozilla Firefox are now available for Windows 10 Professional, Enterprise, and Education SKUs, version 1803 and later with latest updates.

Rona Song
Windows platform security team

Click to expand...

Source: https://www.microsoft.com/security/b...sed-isolation/

Rob Koch · Feb 19, 2020

WD ASR : Block executable files from running unless they meet a prevalence, age, or trusted list criteria.

These forums are for consumers, so your question about an Attack Surface Reduction rule that's typically managed via Windows Defender Advanced Threat Protection (Windows Defender ATP) is out of scope here. You should be asking this in the appropriate TechNet
forums related to that product.

That said, I assume you found the following document that provides what little information seems to exist in the public domain? I assume you'd need to know how to manage the prevalence, age, trusted list or exclusion list items within either WD ATP or enterprise
policies in order to configure them for the rule to work.

Rob

Use attack surface reduction rules to prevent malware infection Microsoft
Docs

Rule: Block executable files from running unless they meet a prevalence, age, or trusted list criteria

This rule blocks the following file types from being run or launched unless they meet prevalence or age criteria set by admins, or they are in a trusted list or exclusion list:

Executable files (such as .exe, .dll, or .scr)

Note

You must
enable cloud-delivered protection to use this rule.

Windows 10: Windows Defender Device Guard: Attack Surface Reduction

Windows Defender Device Guard: Attack Surface Reduction

Windows Defender Device Guard: Attack Surface Reduction

Windows Defender Device Guard: Attack Surface Reduction

Windows Defender Device Guard: Attack Surface Reduction - Similar Threads - Defender Device Guard

Attack Surface Reduction

Attack Surface Reduction

Windows Defender: Attack Surface Reduction - No Events in EventLog for some blocked actions

Does Microsoft Defender Exploit Guard Attack Surface Reduction Rules ASR still function...

CCleaner Update Triggers Attack Surface Reduction Rule

Windows Defender Application Guard

Windows Defender Application Guard

Windows Defender Application Guard

Windows Defender Application Guard?