
ASR: How To Implement Attack Surface Reduction


Attack Surface Reduction (ASR): a very familiar scenario

So, you’re deep into project planning and you need to assess which Attack Surface Reduction (ASR) rules to action. Most of all, you’re hesitant to even look into implementing ASR because you are not sure about the productivity impact.

At the same time, the option of using audit mode to evaluate the impact doesn’t “cut it”: monitoring is great for gaining insight, but it doesn’t reduce the risk, and the audit data requires a specialist to watch it for an extended period before a safe conclusion can be reached.

This would result in a long-winded two-phase approach, a lot of meetings to reassure stakeholders on the impact, and even more rounds of user communication before you can reach consensus on when it’s okay to move forward.  

Not great at all. 

However, Microsoft takes exactly that scenario and solves it with a feature that empowers us all to do more, better: Warn Mode.

Why Warn Mode? 

As Microsoft mentions on Microsoft Docs, we have a new “gun” available in our armoury called Warn Mode. 

This is a relatively new feature, available since March 2021, but in my opinion it’s one of those pieces that needs to be advertised more, as it’s a hands-down winner from a Solutions Architecture / Consulting perspective.

Unlike AUDIT mode, which relies on monitoring and analysis to identify potential risks, and the blanket BLOCK mode, which often has a productivity impact, Warn Mode does exactly what we need it to do: it warns the user and offers them the option to unblock the content for a 24-hour period.

(Screenshot: Windows Security alert)

This is genius, since it makes this quick win a no-brainer: apart from the relative inconvenience of the user having to authorise an unblock once per day, we no longer have to follow a “take it or leave it” approach, nor do we have to build all of this deliberation into the planning phase.

My recommendation 

With the exception of the 3 rules that do not support Warn Mode, I would always recommend implementing a WARN policy on all ASR rules that support it as the baseline stance on any design. The final ruleset, which can also be downloaded in spreadsheet form from GitHub, would look like the table below:

(Table image: spreadsheet form from GitHub)
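One way to apply that baseline on a device with the Defender PowerShell module, as an added example that is not part of the original post or the GitHub spreadsheet: every rule that supports Warn Mode is put into Warn, anything already in Warn is skipped, and a report shows the resulting mode per rule. The rule GUIDs in the list are transcribed from Microsoft's ASR rule reference as it stood when Warn Mode shipped and must be reconciled with the current table before use; the three rules Microsoft documents as not supporting Warn Mode are deliberately absent from the list and are left in whatever mode they already have. The function names `Get-AsrRuleState`, `Set-AsrWarnBaseline` and `Get-AsrBaselineReport` are this example's own.

```powershell
# Added example: apply a "Warn on every rule that supports it" ASR baseline.
# Assumes an elevated session on a device running Microsoft Defender Antivirus.
# The GUIDs are transcribed from Microsoft's ASR rule reference (verify against the
# current table). Rules that do not support Warn Mode are intentionally omitted.
$WarnCapableRules = [ordered]@{
    'Block Adobe Reader from creating child processes'                       = '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c'
    'Block all Office applications from creating child processes'            = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'
    'Block credential stealing from LSASS'                                   = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
    'Block executable content from email client and webmail'                 = 'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550'
    'Block executable files unless they meet prevalence, age or trust criteria' = '01443614-cd74-433a-b99e-2ecdc07bfc25'
    'Block execution of potentially obfuscated scripts'                      = '5beb7efe-fd9a-4556-801d-275e5ffc04cc'
    'Block JavaScript or VBScript from launching downloaded executable content' = 'd3e037e1-3eb8-44c8-a917-57927947596d'
    'Block Office applications from creating executable content'             = '3b576869-a4ec-4529-8536-b80a7769e899'
    'Block Office applications from injecting code into other processes'     = '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84'
    'Block Office communication application from creating child processes'   = '26190899-1602-49e8-8b27-eb1d0a1ce869'
    'Block process creations originating from PSExec and WMI commands'       = 'd1e49aac-8f56-4280-b9ba-993a6d77406c'
    'Block untrusted and unsigned processes that run from USB'               = 'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4'
    'Block Win32 API calls from Office macros'                               = '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'
}

# Numeric action values as returned in Get-MpPreference.AttackSurfaceReductionRules_Actions.
$ActionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 5 = 'NotConfigured'; 6 = 'Warn' }

function Get-AsrRuleState {
    # Returns the readable mode of one rule, or 'NotConfigured' if it is not in the local list.
    param([Parameter(Mandatory)][string]$RuleId)
    $pref = Get-MpPreference
    # Wrap in @() so a single configured rule is not unrolled into a bare string.
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $RuleId) {
            $code = [int]$actions[$i]
            if ($ActionName.ContainsKey($code)) { return $ActionName[$code] }
            return "Unknown($code)"
        }
    }
    return 'NotConfigured'
}

function Set-AsrWarnBaseline {
    # Puts every warn-capable rule into Warn. Supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($entry in $WarnCapableRules.GetEnumerator()) {
        $current = Get-AsrRuleState -RuleId $entry.Value
        if ($current -eq 'Warn') { continue }   # already at the baseline
        if ($PSCmdlet.ShouldProcess($entry.Key, "Set ASR rule to Warn (currently $current)")) {
            # Add-MpPreference appends to the existing rule list instead of replacing it,
            # which is what Set-MpPreference would do with the same parameters.
            Add-MpPreference -AttackSurfaceReductionRules_Ids $entry.Value `
                             -AttackSurfaceReductionRules_Actions Warn
        }
    }
}

function Get-AsrBaselineReport {
    # One row per warn-capable rule with its current mode, for the change record.
    foreach ($entry in $WarnCapableRules.GetEnumerator()) {
        [pscustomobject]@{
            Rule = $entry.Key
            Id   = $entry.Value
            Mode = Get-AsrRuleState -RuleId $entry.Value
        }
    }
}

Set-AsrWarnBaseline -WhatIf                  # dry run: lists what would change
Set-AsrWarnBaseline                          # apply the baseline
Get-AsrBaselineReport | Format-Table -AutoSize
```

Run the dry run first and keep the report output as evidence of the resulting state. Local `Set-MpPreference`/`Add-MpPreference` changes are overridden on devices where ASR is managed by Intune or Group Policy, so on a managed estate the same per-rule Warn value belongs in that policy rather than in a script.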

Consider ASR and Warn Mode as methods of protection for your business

The 848 Group has a team of specialists with the knowledge and skills in cyber security and secure modern workplace solutions. We can provide your business with a future-proof security practice to support you. We can help you with evaluating security choices and choosing the right option for your business systems.