Hardening MS Windows
Attack Surface Reduction
Attack Surface Reduction (ASR), a security feature of Microsoft Windows 10, forms part of Microsoft Defender Exploit Guard. It is designed to combat the threat of malware exploiting legitimate functionality in Microsoft Office applications. In order to use ASR, Microsoft Defender Antivirus must be configured as the primary real-time antivirus scanning engine on workstations.
ASR offers a number of attack surface reduction rules. These include:
  • Block executable content from email client and webmail
  • Block all Office applications from creating child processes
  • Block Office applications from creating executable content
  • Block Office applications from injecting code into other processes
  • Block JavaScript or VBScript from launching downloaded executable content
  • Block execution of potentially obfuscated scripts
  • Block Win32 API calls from Office macro
  • Block executable files from running unless they meet a prevalence, age, or trusted list criterion
  • Use advanced protection against ransomware
  • Block credential stealing from the Windows local security authority subsystem (lsass.exe)
  • Block process creations originating from PSExec and WMI commands
  • Block untrusted and unsigned processes that run from USB
  • Block Office communication application from creating child processes
  • Block Adobe Reader from creating child processes
  • Block persistence through WMI event subscription
Early Launch Antimalware
Another key security feature of Trusted Boot, supported by Microsoft Windows 10 and motherboards with a Unified Extensible Firmware Interface (UEFI), is Early Launch Antimalware (ELAM). Used in conjunction with Secure Boot, an ELAM driver can be registered as the first non-Microsoft driver that will be initialised on a workstation as part of the boot process, thus allowing it to verify all subsequent drivers before they are initialised. The ELAM driver is capable of allowing only known good drivers to initialise; known good and unknown drivers to initialise; known good, unknown and bad but critical drivers to initialise; or all drivers to initialise. To reduce the risk of malicious drivers, only known good and unknown drivers should be allowed to be initialised during the boot process.
The following Group Policy setting can be implemented to ensure only known good and unknown drivers will be initialised at boot time.
Can MS Defender Antivirus replace security bundle products like Norton 360? Or does it just work as an antivirus? Does anybody know if it can block cryptomining PowerShell scripts loaded in memory?
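
An added example, not part of either post above: a PowerShell audit that checks the ASR prerequisite mentioned in the first post (Microsoft Defender Antivirus running as the real-time engine) and reports which configured ASR rules are actually in Block mode. The function name Get-AsrRuleState is hypothetical, and the GUIDs in the fallback branch are constructed placeholders, not real rule IDs.

```powershell
# Added example: audit ASR rule state on a workstation.
# Action codes as reported in AttackSurfaceReductionRules_Actions.
$AsrActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    # Hypothetical helper: pairs each rule GUID with its action code.
    param(
        [string[]]$Ids = @(),
        [int[]]$Actions = @()
    )
    if ($Ids.Count -ne $Actions.Count) {
        throw "Rule ID count ($($Ids.Count)) does not match action count ($($Actions.Count))."
    }
    for ($i = 0; $i -lt $Ids.Count; $i++) {
        $code = $Actions[$i]
        $name = if ($AsrActionNames.ContainsKey($code)) { $AsrActionNames[$code] } else { "Unknown($code)" }
        [pscustomobject]@{
            RuleId   = $Ids[$i].ToLowerInvariant()
            Action   = $name
            Enforced = ($code -eq 1)   # only Block mode stops the behaviour
        }
    }
}

if (Get-Command Get-MpPreference -ErrorAction SilentlyContinue) {
    # On a Windows host with the Defender module: read the live configuration.
    $status = Get-MpComputerStatus
    if (-not $status.RealTimeProtectionEnabled) {
        Write-Warning "Defender real-time protection is off; ASR rules will not be applied."
    }
    Write-Output "Defender running mode: $($status.AMRunningMode)"
    $pref  = Get-MpPreference
    $rules = Get-AsrRuleState -Ids $pref.AttackSurfaceReductionRules_Ids `
                              -Actions $pref.AttackSurfaceReductionRules_Actions
} else {
    # Constructed sample input (placeholder GUIDs) so the script runs anywhere.
    $rules = Get-AsrRuleState `
        -Ids @('00000000-0000-0000-0000-000000000001',
               '00000000-0000-0000-0000-000000000002',
               '00000000-0000-0000-0000-000000000003') `
        -Actions @(1, 2, 0)
}

if (-not $rules) { Write-Warning "No ASR rules are configured on this host." }

# Rules left in Audit, Warn or Disabled sort first so gaps are obvious.
$rules | Sort-Object Enforced, RuleId | Format-Table -AutoSize
```

Rules that appear with Action other than Block are configured but not enforcing, and any rule from the list in the first post that is absent from the output has not been configured at all.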
