
How to deploy Attack Surface Reduction rules to Azure VMs using Azure Guest Configurations



Guest mahmoudmsft
Posted

Disclaimer: Under normal circumstances ASR rules should only be deployed using the following methods mentioned in this document:

In rare cases where VMs are server OSs, non-domain joined, and not managed by SCCM or third-party management solutions, Azure Automation State Configuration or the new version of Azure DSC, using the guest configuration feature of Azure Policy, can be used as an alternative solution to centrally deploy ASR rules. Learn more about Azure Guest configuration.

Example Scenario:

Let's assume there is a requirement to enable and deploy the ASR rule "Block execution of potentially obfuscated scripts" (GUID: 5beb7efe-fd9a-4556-801d-275e5ffc04cc). Follow the steps below to accomplish this task.


Step 1: Create the MOF configuration file

The following is a sample state configuration script using the DSC Script resource. The presence check lives inside TestScript so that it runs on the VM every time the configuration is applied, rather than once on the machine that compiles the MOF.

Configuration ASRDSC
{
    Import-DscResource -ModuleName 'PSDscResources'

    Node localhost
    {
        # Rule 5beb7efe-fd9a-4556-801d-275e5ffc04cc: Block execution of potentially obfuscated scripts
        Script ASRTest
        {
            # Runs on the node only when TestScript returns $false: adds the rule in audit mode.
            # Use -AttackSurfaceReductionRules_Actions Enabled to put the rule into block mode instead.
            SetScript = {
                Add-MpPreference -AttackSurfaceReductionRules_Ids '5beb7efe-fd9a-4556-801d-275e5ffc04cc' -AttackSurfaceReductionRules_Actions AuditMode
            }

            # Evaluated on the node at every consistency check. A VM with no ASR rules configured
            # returns $null for the Ids property, so guard against that before testing membership
            # (-contains is also case-insensitive, unlike the .Contains() string method).
            TestScript = {
                $ids = (Get-MpPreference).AttackSurfaceReductionRules_Ids
                return ($null -ne $ids -and $ids -contains '5beb7efe-fd9a-4556-801d-275e5ffc04cc')
            }

            # DSC requires GetScript to return a hashtable with a Result key; a placeholder is enough here
            GetScript = { @{ Result = 'String' } }
        }
    }
}


Each time the state configuration runs, it checks whether the ASR rule ID 5beb7efe-fd9a-4556-801d-275e5ffc04cc is present; if it is not, it runs the Add-MpPreference command, which puts the rule into audit mode on the local VM. ASR rules can also be put into the enabled (block) state using the same Add-MpPreference command.
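Because Add-MpPreference accepts the same rule ID with either AuditMode or Enabled, knowing that the ID is present does not tell you which mode is in force. The following PowerShell is an added example, not code from the original post: it pairs the Ids and Actions arrays that Get-MpPreference returns and reports the mode of one rule. The function name, the Preference test hook and the constructed sample object are this example's own.

```powershell
# Added example (not from the original post): report which mode an ASR rule is in on the local VM.
# Get-MpPreference returns two parallel arrays, AttackSurfaceReductionRules_Ids and
# AttackSurfaceReductionRules_Actions; element N of Actions is the mode of element N of Ids.
# Action values as documented for Defender: 0 = Disabled, 1 = Block (Enabled), 2 = Audit, 6 = Warn.
$AsrActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    param(
        [Parameter(Mandatory)] [string] $RuleId,
        # Hypothetical test hook: pass a captured or constructed preference object instead of
        # calling Get-MpPreference, so the logic can be exercised on a machine without Defender
        [psobject] $Preference = (Get-MpPreference)
    )

    $ids = $Preference.AttackSurfaceReductionRules_Ids
    if ($null -eq $ids) {
        # A VM with no ASR rules configured at all returns $null here, not an empty array
        return [pscustomobject]@{ RuleId = $RuleId; Configured = $false; Action = 'NotConfigured' }
    }
    $ids     = @($ids)
    $actions = @($Preference.AttackSurfaceReductionRules_Actions)

    # Case-insensitive match; .Contains() and [array]::IndexOf compare strings case-sensitively
    $index = -1
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $RuleId) { $index = $i; break }
    }
    if ($index -lt 0) {
        return [pscustomobject]@{ RuleId = $RuleId; Configured = $false; Action = 'NotConfigured' }
    }

    $code = [int]$actions[$index]
    $name = if ($AsrActionNames.ContainsKey($code)) { $AsrActionNames[$code] } else { "Unknown($code)" }
    return [pscustomobject]@{ RuleId = $RuleId; Configured = $true; Action = $name }
}

# On a VM after the configuration has applied:
Get-AsrRuleState -RuleId '5beb7efe-fd9a-4556-801d-275e5ffc04cc'

# Offline, with a constructed object shaped like Get-MpPreference output after the SetScript
# above has added the rule in AuditMode:
$constructed = [pscustomobject]@{
    AttackSurfaceReductionRules_Ids     = @('5beb7efe-fd9a-4556-801d-275e5ffc04cc')
    AttackSurfaceReductionRules_Actions = @(2)
}
Get-AsrRuleState -RuleId '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' -Preference $constructed
```

The same Ids/Actions pairing can replace the presence-only check in TestScript if the requirement is a specific mode (for example, report non-compliance when the rule exists but is only in audit mode).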

 

This script can be compiled using the dot sourcing method.

 

 

 

Example:

 

 

 

. C:\Scripts\asrtest.ps1

asrtest

 

 

 

Once the configuration has run, a file called localhost.mof is created under the C:\Scripts\ASRTEST folder.

Step 2: Create the artifacts package

Now that we have the MOF file, we can create the package. Step-by-step instructions can be found here.

# Create a package from the compiled MOF (run from C:\scripts so the relative MOF path resolves).
# -Type Audit runs only TestScript and GetScript on the VM and reports compliance; the SetScript
# that adds the rule is applied only when the package is built with -Type AuditAndSet and the
# policy is assigned in ApplyAndAutoCorrect mode.
New-GuestConfigurationPackage `
    -Name 'MyConfig' `
    -Configuration './ASRTEST/localhost.mof' `
    -Path 'C:\scripts' `
    -Type Audit `
    -Force


Step 3: Publish the package

Now that the package is ready, we can publish (upload) it to an Azure Storage account, where it is ready to be consumed by Azure Policy. Step-by-step instructions can be found here.

Step 4: Create a policy definition

To start deploying this package to target VMs (in a resource group, for example), a new Azure Policy definition needs to be created in the "guest configuration" category. Creating this policy requires the New-GuestConfigurationPolicy and New-AzPolicyDefinition commands, which publish the policy to the Azure Policy portal. Step-by-step instructions can be found here.
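Steps 2 to 4 as one script, added here as an example rather than the post's own commands. It assumes the GuestConfiguration module (4.x parameter names) and Az.Resources are installed, Connect-AzAccount has been run, and the storage account already exists; the resource group, storage account, policy names and location are placeholders. It builds the package with -Type AuditAndSet and the policy with -Mode ApplyAndAutoCorrect so that the SetScript is applied on the VM; with -Type Audit and -Mode 'Audit' the same script yields the compliance-only view the post describes.

```powershell
# Added example, not the post's own commands: steps 2 to 4 end to end.
# Assumes the GuestConfiguration module (4.x parameter names) and Az.Resources are installed,
# Connect-AzAccount has been run, and the storage account already exists.
# Resource group, storage account, names and location below are placeholders.
$ResourceGroup  = 'rg-guestconfig-example'
$StorageAccount = 'stguestconfigexample'
$WorkDir        = 'C:\scripts'
$PolicyJson     = Join-Path $WorkDir 'policies\deployIfNotExists.json'

# Step 2: build the package from the MOF compiled in step 1.
# 'Audit' only reports whether TestScript passes; 'AuditAndSet' lets SetScript add the rule.
$package = New-GuestConfigurationPackage `
    -Name 'ASRObfuscatedScripts' `
    -Configuration (Join-Path $WorkDir 'ASRTEST\localhost.mof') `
    -Path $WorkDir `
    -Type AuditAndSet `
    -Force

# Step 3: upload the package .zip; the returned ContentUri is what the policy points machines at
$published = Publish-GuestConfigurationPackage `
    -Path $package.Path `
    -ResourceGroupName $ResourceGroup `
    -StorageAccountName $StorageAccount

# Step 4: generate the policy definition JSON in the guest configuration category, then register it.
# Mode must match the package type: 'Audit' for an Audit package, 'ApplyAndAutoCorrect' for AuditAndSet.
# (Older module versions name the -PolicyVersion parameter -Version.)
New-GuestConfigurationPolicy `
    -PolicyId ([guid]::NewGuid().ToString()) `
    -ContentUri $published.ContentUri `
    -DisplayName 'Deploy ASR rule: block execution of potentially obfuscated scripts' `
    -Description 'Configures ASR rule 5beb7efe-fd9a-4556-801d-275e5ffc04cc (audit mode) on Windows VMs.' `
    -Path $PolicyJson `
    -Platform 'Windows' `
    -PolicyVersion '1.0.0' `
    -Mode 'ApplyAndAutoCorrect'

$definition = New-AzPolicyDefinition `
    -Name 'deploy-asr-obfuscated-scripts' `
    -Policy $PolicyJson

# Assign at resource-group scope. A DeployIfNotExists policy remediates through a managed identity,
# so the assignment gets a system-assigned identity (parameter names per current Az.Resources; assumption).
$scope = (Get-AzResourceGroup -Name $ResourceGroup).ResourceId
New-AzPolicyAssignment `
    -Name 'asr-obfuscated-scripts' `
    -PolicyDefinition $definition `
    -Scope $scope `
    -IdentityType 'SystemAssigned' `
    -Location 'eastus'
```

When the assignment is created from PowerShell rather than the portal, grant the assignment's identity the role listed in the generated definition's roleDefinitionIds yourself; the portal does this automatically. Existing VMs are only remediated after a remediation task is started for the assignment; newly created VMs are evaluated on creation.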


Now we can deploy ASR rules centrally and have a compliance view right from Azure Policy.

Please note: This method for deploying ASR rules should only be used as a last resort, given the complexity of DSC PowerShell scripting, the knowledge it requires, and its limitations.

We hope that you found this article and the additional step-by-step resources helpful.
