Attack Surface Reduction (ASR): a very familiar scenario
So, you’re deep into project planning and you need to assess which Attack Surface Reduction (ASR) rules to action. Most of all, you re hesitant to even look into implementing ASR because you are not sure about the productivity impact.
At the same time, the option of using audit mode to evaluate the impact doesn’t “cut it”, since monitoring is great for gaining insight, but it doesn’t minimise the risk. And the audit data requires a specialist to monitor the data for an extensive period before a safe conclusion can be reached.
This would result in a long-winded two-phase approach, a lot of meetings to reassure stakeholders on the impact, and even more rounds of user communication before you can reach consensus on when it’s okay to move forward.
Not great at all.
However, Microsoft just takes that scenario and provides a solution with a feature that empowers us all to do more, better – Warn Mode.
Why Warn Mode?
As Microsoft mentions on Microsoft Docs, we have a new “gun” available in our armoury called Warn Mode.
This is a relatively new feature which has been around since March 2021, but in my opinion it’s one of those pieces that needs to be advertised more as it’s a hands down winner from a Solutions Architecture / Consulting perspective.
Unlike AUDIT, which relies on monitoring and analysis to identify potential risks, and the blanket BLOCK mode which often has a productivity impact, Warn Mode does exactly what we need it to do – it warns the user and offers them the option to unblock the content for a 24-hour period.
This is genius since it makes it a no-brainer to go for this quick win, as apart from the relative inconvenience of the user having to authorise an unblock once per day, we no longer have to follow a “take it or leave it” approach. Nor do we have to incorporate all this thought process in the planning phase.
With the exception of the 3 rules that do not support Warn Mode, I would always recommend implementing a WARN policy on all ASR rules that support it as the baseline stance on any design. The final ruleset which can also be downloaded in a spreadsheet form from GitHub would look like the table below:
Consider ASR and Warn Mode as methods of protection for your business
The 848 Group has a team of specialists with the knowledge and skills in cyber security and secure modern workplace solutions. We can provide your business with a future-proof security practice to support you. We can help you with evaluating security choices and choosing the right option for your business systems.
Kay is senior solutions architect specialising in cybersecurity, information protection and governance, identity and access management and zero-trust architecture. He has a long list of accreditations and over 15 years of experience in designing, securing, and scaling cloud-first solutions. In his free time, he uses his knowledge to share information that supports stronger security practices.