How to deploy Attack Surface Reduction rules to Azure VMs using Azure Guest Configurations

Disclaimer: Under normal circumstances ASR rules should only be deployed using the following methods mentioned in this document:

• Microsoft Intune
• Mobile Device Management (MDM)
• Microsoft Endpoint Configuration Manager
• Group Policy
• PowerShell

In rare cases where VMs are server OSs, non-domain joined, and not managed by SCCM or third-party management solutions, Azure Automation State Configuration or the new version of Azure DSC, using the guest configuration feature of Azure Policy, can be used as an alternative solution to centrally deploy ASR rules. Learn more about Azure Guest configuration.

Example Scenario:

Let's assume there is a requirement to enable and deploy the ASR rule: Block execution of potentially obfuscated scripts (GUID: 5beb7efe-fd9a-4556-801d-275e5ffc04cc) Follow the steps below to accomplish this task.

Step 1: Create the MOF configuration file

The following is a sample state configuration script using the DSC Script resource.

 
$asr_rules=(Get-MpPreference).AttackSurfaceReductionRules_Ids
$test= $asr_rules.Contains("5beb7efe-fd9a-4556-801d-275e5ffc04cc")

 Configuration ASRDSC
{
    Import-DscResource -ModuleName 'PSDscResources'
    Node localhost
    {
        Script ASRTest
        {
          SetScript = { 
                 Add-MpPreference -AttackSurfaceReductionRules_Ids "5beb7efe-fd9a-4556-801d-275e5ffc04cc" -AttackSurfaceReductionRules_Actions AuditMode
                          }

          TestScript ={ 
                       $using:test
                          
                          }
                        

          GetScript = { @{ Result = “String" } }
        }
    }
}

Once the state configuration checks whether or not the ASR rule ID 5beb7efe-fd9a-4556-801d-275e5ffc04cc exists, it will run the Add-MpPreference command, setting the rule into an audit state on the local VM. ASR rules can also be set into enabled state using the same, Add-MpPreference, command.

This script can be compiled using the dot sourcing method. 

Example:

. C:\Scripts\asrtest.ps1
asrtest

Once resolved, a file called localhost.mof should be created and found under the C:\Scripts\ASRTEST folder.

Step 2: Create the artifacts package

Now that we have the MOF file, we can create the package. Step-by-step instructions can be found here. 

# Create a package 
New-GuestConfigurationPackage `
  -Name 'MyConfig' `
  -Configuration './ASRTEST/localhost.mof' `
  -path 'C:\scripts' `
  -Type Audit `
  -Force

Step 3: Publish the package

Now that the package is ready, we can publish (upload) the package to an Azure Storage account where it is ready to be consumed by Azure Policy. Step-by-step instructions can be found here.

Step 4: Create a policy definition

To start deploying this package to target VMs in a resource group, for example, a new Azure policy definition needs to be created. We want to create this policy definition by using the "guest configuration" category. Creating this new policy requires using the New-GuestConfigurationPolicy and New-AzPolicyDefinition commands to publish the policy to the Azure Policy portal. Step-by-step instructions can be found here.

Now we can deploy ASR rules centrally and have a compliance view right from Azure Policy.

Please note: This method for deploying ASR should only be used as a last resort due to the complex nature and knowledge necessary for using DSC powershell scripting and its limitation.

We hope that you found this article and the additional step-by-step resources helpful.