Configuring Attack Surface Reduction (ASR)
Who is this article for? Mail Manager Administrators making config changes to Mail Manager.
Access to edit User Preferences is required.
Attack Surface Reduction (ASR) is a security feature provided by Microsoft as part of its Windows Defender Exploit Guard. It is designed to help prevent and mitigate various types of cyberattacks by reducing the potential attack surface on Windows operating systems.
The attack surface of a system refers to the potential points of entry or vulnerabilities that an attacker can exploit to gain unauthorized access or compromise the system. By minimizing the attack surface, organizations can enhance their security posture and reduce the risk of successful cyberattacks.
This article outlines the steps to configure Attack Surface Reduction (ASR) and is split into the following sections:
1. What is Microsoft Attack Surface Reduction (ASR)?
2. How to test if Outlook is blocked from launching MM on an individual's computer
3. How to configure Attack Surface Reduction (ASR) in Group Policy
Managing your computers with an MDM solution? Be aware that tools such as Intune, Configuration Manager, or other enterprise-level management platforms will overwrite any conflicting Group Policy settings on startup.
1. What is Microsoft Attack Surface Reduction (ASR)?
Microsoft's Attack Surface Reduction employs a set of rules and policies to restrict or block certain types of potentially malicious behavior on a Windows system. These rules are based on various attack vectors commonly used by malware and exploit techniques. Some of the techniques employed by ASR include:
- Blocking executable files from running from specific locations: ASR can prevent executables from running in certain folders that are commonly used by attackers to execute their malicious code.
- Blocking Office applications from creating executable content: This helps prevent the misuse of Office applications to deliver malicious payloads.
- Blocking script files from running from email and web-based locations: Malware often uses scripts delivered via email or web links to infect systems, and ASR can help prevent their execution.
- Disabling script interpreters: ASR can disable certain script interpreters like PowerShell and JavaScript in specific scenarios where they are more likely to be abused.
- Blocking executable files from running from archive attachments: ASR can block the execution of executable files that are disguised within archive files like ZIP or RAR.
By implementing these and other restrictions, Attack Surface Reduction aims to limit the avenues through which malware can compromise a Windows system, making it more difficult for attackers to achieve their objectives.
ASR is part of the broader set of security features provided by Windows Defender Exploit Guard and Windows Defender Antivirus, contributing to a multi-layered defense against various types of threats and attacks. It is commonly used in enterprise environments to enhance the security of Windows-based systems.
2. How to test if Outlook is blocked from launching MM on an individual's computer
This is just one of the ASR rules that can affect Mail Manager. In this example the symptom is that the user gets the message "Unable to run Mail Manager module: MailManager.Startup". To test the fix for this, follow these steps:
1. Open Settings and go to Privacy & Security > Windows Settings > Open Windows Security
2. Select Protection History and check whether any 'Risky actions blocked' entries are showing. Click on an entry if it doesn't show details. You will need Administrator access to see these.
3. If the entry says that Outlook was blocked from loading MailManager.Startup.exe, this suggests the ASR rule "Block Office communication application from creating child processes" could be preventing it.
4. To test this further, run the following PowerShell commands. If the second command returns True, the rule is configured on this machine and is the likely cause of the block:
$AsrSetting = Get-MpPreference   # effective Defender settings, including ASR rules applied by policy
$AsrSetting.AttackSurfaceReductionRules_Ids -contains "d4f940ab-401b-4efc-aadc-ad5f3c50688a"   # True if this rule ID is configured
5. To stop Outlook being blocked from running child processes on that machine, run the following PowerShell command:
Set-MpPreference -AttackSurfaceReductionRules_Ids "d4f940ab-401b-4efc-aadc-ad5f3c50688a" -AttackSurfaceReductionRules_Actions @("Disabled")   # note: Set-MpPreference replaces the whole ASR rule list; Add-MpPreference changes one rule and leaves the others as they are
6. Close and reopen Outlook and see if Mail Manager then loads. If it doesn't, the add-in may need to be re-enabled in the COM Add-ins section of the Outlook options. If it now loads, this proves that the setting was blocking it.
7. If this rule is configured in Group Policy, the local change may revert later, for example when the policy refreshes or when the user reboots. To ensure it isn't overridden, configure the rule as described in the next section; the rule to update is Block Office communication application from creating child processes.
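The check in step 4 only proves that the rule ID is listed; the state (Block, Audit, Warn or Disabled) is the entry at the same index of AttackSurfaceReductionRules_Actions, and the Defender Operational log records each ASR hit (event 1121 for a block, 1122 for an audit-mode hit). The following script is an added example, not Mail Manager's or Microsoft's own code, that reports both for the affected computer. Note that the ID used on this page is Microsoft's identifier for the rule "Block all Office applications from creating child processes"; the Outlook-specific rule named in step 3 has its own ID, so the example checks both. It assumes the blocked executable is named MailManager.Startup.exe as the article describes, and that the session is elevated.

```powershell
# Added example (not Mail Manager's or Microsoft's own code). Run in an
# elevated PowerShell session on the affected computer.
# Assumptions: the blocked executable is MailManager.Startup.exe (as the
# article describes) and the Defender Operational event log is readable.

# ASR rule states as Microsoft defines them (the same numbers the Group Policy
# "Value" column takes); Get-MpPreference reports them as integers.
$AsrStateNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

# The two Microsoft ASR rules that stop Office applications (Outlook included)
# from spawning child processes. The first ID is the one used in the article.
$ChildProcessRules = [ordered]@{
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
    '26190899-1602-49e8-8b27-eb1d0a1ce869' = 'Block Office communication application from creating child processes'
}

function Get-AsrRuleState {
    # One object per rule ID with its configured state. "-contains" on the ID
    # list only proves the rule is listed; the state is the entry at the same
    # index of AttackSurfaceReductionRules_Actions.
    param([Parameter(Mandatory)][string[]]$RuleId)
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    foreach ($id in $RuleId) {
        $index = -1
        for ($k = 0; $k -lt $ids.Count; $k++) {
            if ($ids[$k] -eq $id) { $index = $k; break }   # -eq is case-insensitive for strings
        }
        $state = if ($index -lt 0) { 'Not configured' }
                 elseif ($AsrStateNames.ContainsKey([int]$actions[$index])) { $AsrStateNames[[int]$actions[$index]] }
                 else { "Unknown ($($actions[$index]))" }
        [pscustomobject]@{
            RuleId = $id
            Name   = $ChildProcessRules[$id]
            State  = $state
        }
    }
}

function Get-AsrEventForProcess {
    # Recent ASR events whose message mentions the process. Event 1121 is a
    # block, 1122 an audit-mode hit; both go to the Defender Operational log.
    param([string]$ProcessName = 'MailManager.Startup.exe', [int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($ProcessName) } |
        Select-Object TimeCreated,
            @{ Name = 'Mode';   Expression = { if ($_.Id -eq 1121) { 'Block' } else { 'Audit' } } },
            @{ Name = 'RuleId'; Expression = {
                # the event message carries the rule GUID; pull it out so it can be matched against the table above
                [regex]::Match($_.Message, '[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}', 'IgnoreCase').Value } }
}

"Configured state of the Office child-process rules:"
Get-AsrRuleState -RuleId @($ChildProcessRules.Keys) | Format-Table -AutoSize

"ASR events mentioning MailManager.Startup.exe in the last 7 days (no rows = nothing logged):"
Get-AsrEventForProcess | Format-Table -AutoSize
```

A rule reported as Audit or Warn is logged but will not stop the add-in; only a rule in the Block state explains the symptom in step 3. If the event list shows a RuleId that is not one of the two above, a different ASR rule is involved and the same state lookup can be run against that ID.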
3. How to Configure Attack Surface Reduction (ASR) in Group Policy
Notes:
- To perform these actions, you'll need administrative privileges on your Windows machine.
- Do not use quotes as they are not supported for either the Value name column or the Value column. The rule ID should not have any leading or trailing spaces.
- Log on to your Group Policy management system.
- Open the Group Policy Management Console.
- Right-click the Group Policy Object you want to configure and click Edit.
- In the Group Policy Management Editor, go to Computer configuration and select Administrative templates.
- Expand the tree to Windows components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack surface reduction.
- Select Configure Attack surface reduction rules and select Enabled. You can then set the individual state for each rule in the options section. Select Show... and enter the rule ID in the Value name column and your chosen state in the Value column as follows:
  - 0: Disable (Disable the ASR rule)
  - 1: Block (Enable the ASR rule)
  - 2: Audit (Evaluate how the ASR rule would impact your organization if enabled)
  - 6: Warn (Enable the ASR rule but allow the end-user to bypass the block)
- To exclude files and folders from ASR rules, select the Exclude files and paths from Attack surface reduction rules setting and set the option to Enabled.
- Select Show and enter each file or folder in the Value name column. Enter 0 in the Value column for each item.
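The state values above (0, 1, 2, 6) and the file exclusion setting have direct PowerShell equivalents, which is useful for trying the narrowest change on one machine before committing it to the GPO. The following script is an added example, not Mail Manager's or Microsoft's own code. It keeps the rule in the Block state and excludes only the add-in executable, with Warn or Audit as fallbacks, rather than setting the rule to 0. It assumes the rule ID from section 2, and the PLACEHOLDER path must be replaced with the real installation path of MailManager.Startup.exe. As the article notes, a rule set by Group Policy takes precedence again on the next policy refresh, so whatever works locally is what goes into the GPO Value column.

```powershell
# Added example (not Mail Manager's or Microsoft's own code). Run elevated.
# Assumptions: the rule ID is the one the article gives; the PLACEHOLDER path
# must be replaced with the real install path of MailManager.Startup.exe.
# A Group Policy setting for the same rule overrides these local changes on
# the next refresh, so mirror the chosen value in the GPO "Value" column.

$RuleId   = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'
$AddInExe = 'C:\PLACEHOLDER\MailManager.Startup.exe'   # replace with the real path

# Cmdlet action names and the matching Group Policy "Value" column entries.
$PolicyValue = @{ Enabled = 1; AuditMode = 2; Warn = 6; Disabled = 0 }

function Set-AsrRuleState {
    # Changes one rule only. Add-MpPreference updates that rule's entry;
    # Set-MpPreference with the same parameters replaces the whole rule list
    # and drops every other configured rule.
    param(
        [Parameter(Mandatory)][string]$Id,
        [Parameter(Mandatory)][ValidateSet('Enabled', 'AuditMode', 'Warn', 'Disabled')][string]$Action
    )
    Add-MpPreference -AttackSurfaceReductionRules_Ids $Id -AttackSurfaceReductionRules_Actions $Action
    "Rule $Id set to $Action (Group Policy value $($PolicyValue[$Action]))"
}

function Add-AsrPathExclusion {
    # Excludes one file from ASR rules only; antivirus scanning is unaffected.
    # Same effect as the GPO "Exclude files and paths from Attack surface
    # reduction rules" setting with the path in Value name and 0 in Value.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Not found: $Path (replace the placeholder with the add-in's real path)"
    }
    Add-MpPreference -AttackSurfaceReductionOnlyExclusions $Path
    "ASR-only exclusion added for $Path"
}

function Get-AsrConfig {
    # Current rule table (ID and numeric state) plus the ASR-only exclusions,
    # so the result of a change can be checked before it is copied to the GPO.
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    for ($k = 0; $k -lt $ids.Count; $k++) {
        [pscustomobject]@{ RuleId = $ids[$k]; Value = $acts[$k] }
    }
    "ASR-only exclusions: $(@($pref.AttackSurfaceReductionOnlyExclusions) -join ', ')"
}

# Least-exposure order: exclude just the add-in and keep the rule in Block.
Add-AsrPathExclusion -Path $AddInExe
# Fallbacks if an exclusion is not acceptable, from least to most permissive
# (Warn is not supported by every rule):
# Set-AsrRuleState -Id $RuleId -Action Warn        # value 6: block, but the user can bypass
# Set-AsrRuleState -Id $RuleId -Action AuditMode   # value 2: log only
Get-AsrConfig | Format-Table -AutoSize
```

Running Get-AsrConfig before and after a change gives the same Value numbers that section 3 asks for in the GPO editor, so the local test and the policy entry can be compared directly.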
Looking for more details? Visit Microsoft.com for more information on Attack Surface Reduction.