Introduction to Attack Surface Reduction Rules

Attack Surface Reduction (ASR) rules are a set of targeted security policies in Windows Defender on Windows Server 2019 that block specific behaviors commonly used by malware and attackers—without requiring signature-based detection. ASR rules target abuse of Office macros, script execution techniques, credential theft from LSASS, exploitation of email attachments, lateral movement via SMB and WMI, and persistence mechanisms. Unlike broad security controls, each ASR rule is narrowly targeted at a specific attack technique, making them highly effective with minimal false positives when properly tuned. This tutorial covers enabling, configuring, and monitoring all ASR rules on Windows Server 2019.

Requirements for ASR Rules

Attack Surface Reduction rules require: Windows Server 2019 with Windows Defender Antivirus enabled and running in active mode (not just passive), Windows Defender real-time protection enabled, and the Microsoft Defender Antivirus feature installed. ASR rules work independently of Exploit Protection and Credential Guard but complement them. Verify prerequisites before enabling.

# Check Windows Defender status
Get-MpComputerStatus | Select-Object AMServiceEnabled, AntispywareEnabled, 
    AntivirusEnabled, RealTimeProtectionEnabled, NISEnabled

ASR Rule GUIDs and Their Purposes

Each ASR rule is identified by a GUID. The key rules for Windows Server 2019 include:

Block credential stealing from LSASS: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b0
Block process creations from PSExec and WMI commands: d1e49aac-8f56-4280-b9ba-993a6d77406c
Block untrusted and unsigned processes from USB: b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
Block persistence through WMI event subscription: e6db77e5-3df2-4cf1-b95a-636979351e5b
Block Office applications from injecting code into other processes: 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84
Block JavaScript and VBScript from launching downloaded content: d3e037e1-3eb8-44c8-a917-57927947596d
Block execution of potentially obfuscated scripts: 5beb7efe-fd9a-4556-801d-275e5ffc04cc

Enabling ASR Rules in Audit Mode

Enable ASR rules in audit mode first to identify false positives before enforcement. In audit mode, violations are logged as events but not blocked. Use the Add-MpPreference cmdlet with value 2 for audit mode.

# Enable all key ASR rules in AUDIT MODE (value 2 = audit)
# AttackSurfaceReductionRules_Actions: 0 = off, 1 = block, 2 = audit
$auditMode = 2

# Block credential stealing from LSASS
Add-MpPreference -AttackSurfaceReductionRules_Ids "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b0" `
    -AttackSurfaceReductionRules_Actions $auditMode

# Block process creations from PSExec and WMI
Add-MpPreference -AttackSurfaceReductionRules_Ids "d1e49aac-8f56-4280-b9ba-993a6d77406c" `
    -AttackSurfaceReductionRules_Actions $auditMode

# Block persistence via WMI event subscription
Add-MpPreference -AttackSurfaceReductionRules_Ids "e6db77e5-3df2-4cf1-b95a-636979351e5b" `
    -AttackSurfaceReductionRules_Actions $auditMode

# Block executable files from running unless they meet a prevalence, age, or trusted list criterion
Add-MpPreference -AttackSurfaceReductionRules_Ids "01443614-cd74-433a-b99e-2ecdc07bfc25" `
    -AttackSurfaceReductionRules_Actions $auditMode

# Block obfuscated scripts
Add-MpPreference -AttackSurfaceReductionRules_Ids "5beb7efe-fd9a-4556-801d-275e5ffc04cc" `
    -AttackSurfaceReductionRules_Actions $auditMode

# Block JavaScript and VBScript from launching downloaded content
Add-MpPreference -AttackSurfaceReductionRules_Ids "d3e037e1-3eb8-44c8-a917-57927947596d" `
    -AttackSurfaceReductionRules_Actions $auditMode

Enabling Additional Office and Email ASR Rules

If Microsoft Office is installed on the server (not recommended on servers but common on some desktop-use servers), enable the Office-related ASR rules to block macro abuse and process injection.

# Block Office applications from creating executable content
Add-MpPreference -AttackSurfaceReductionRules_Ids "3b576869-a4ec-4529-8536-b80a7769e899" `
    -AttackSurfaceReductionRules_Actions 2

# Block Office applications from injecting into other processes
Add-MpPreference -AttackSurfaceReductionRules_Ids "75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84" `
    -AttackSurfaceReductionRules_Actions 2

# Block Win32 API calls from Office macros
Add-MpPreference -AttackSurfaceReductionRules_Ids "92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b" `
    -AttackSurfaceReductionRules_Actions 2

# Block Office communication apps from creating child processes
Add-MpPreference -AttackSurfaceReductionRules_Ids "26190899-1602-49e8-8b27-eb1d0a1ce869" `
    -AttackSurfaceReductionRules_Actions 2

Reviewing Audit Mode Events

After running in audit mode for 1-2 weeks, review the event log for triggered ASR rules. Event ID 1121 records a block in enforcement mode; Event ID 1122 records a detection logged in audit mode.

# Pull ASR events from the Defender operational log for the review window
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id = @(1121, 1122)
    StartTime = (Get-Date).AddDays(-14)
} | ForEach-Object {
    # The rule GUID, file path and process are EventData fields in the event XML
    $xml = [xml]$_.ToXml()
    [PSCustomObject]@{
        Time = $_.TimeCreated
        Mode = if ($_.Id -eq 1121) {"BLOCKED"} else {"AUDIT"}
        RuleID = $xml.Event.EventData.Data | Where-Object Name -eq 'ID' |
                 Select-Object -ExpandProperty '#text'
        File = $xml.Event.EventData.Data | Where-Object Name -eq 'Path' |
               Select-Object -ExpandProperty '#text'
        # The data element is named 'Process Name' (with a space) in the event XML
        Process = $xml.Event.EventData.Data | Where-Object Name -eq 'Process Name' |
                  Select-Object -ExpandProperty '#text'
    }
} | Sort-Object RuleID | Format-Table

Switching to Enforcement Mode

After reviewing audit events and confirming there are no false positives (or adding exclusions for legitimate use cases), switch each rule from audit mode (2) to block mode (1). Rules can be switched individually—move the highest-value, lowest-false-positive rules to enforcement first.

# Switch LSASS protection to BLOCK mode (value 1)
Add-MpPreference -AttackSurfaceReductionRules_Ids "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b0" `
    -AttackSurfaceReductionRules_Actions 1

# Switch WMI persistence rule to BLOCK mode
Add-MpPreference -AttackSurfaceReductionRules_Ids "e6db77e5-3df2-4cf1-b95a-636979351e5b" `
    -AttackSurfaceReductionRules_Actions 1

# Switch obfuscated script rule to BLOCK mode
Add-MpPreference -AttackSurfaceReductionRules_Ids "5beb7efe-fd9a-4556-801d-275e5ffc04cc" `
    -AttackSurfaceReductionRules_Actions 1
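The following is an added example, not code from the tutorial: it ties the audit-log review above to the switch to enforcement by promoting to block mode only those audited rules that produced no audit events in the review window, and listing the rest for triage. The GUID-to-name table covers the rules listed earlier in the tutorial; the 14-day window, the function names and the -Apply switch are this example's own choices.

```powershell
# Added example (not part of the original tutorial). Rule names map the GUIDs
# used in the tutorial; the window length and -Apply switch are assumptions.

$AsrRuleNames = @{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b0' = 'Block credential stealing from LSASS'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations from PSExec and WMI'
    'e6db77e5-3df2-4cf1-b95a-636979351e5b' = 'Block persistence through WMI event subscription'
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Block executables unless prevalence, age or trusted-list criteria are met'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
    'd3e037e1-3eb8-44c8-a917-57927947596d' = 'Block JavaScript and VBScript from launching downloaded content'
}

function Get-AsrAuditSummary {
    # Summarise ASR events per rule over the review window.
    # 1122 = audit-mode detection, 1121 = enforcement-mode block.
    param([int]$Days = 14)

    # SilentlyContinue: Get-WinEvent raises an error when no events match
    $events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = @(1121, 1122)
        StartTime = (Get-Date).AddDays(-$Days)
    }

    $events | ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        # Field names as written in the Defender event XML
        $ruleId  = ($data | Where-Object Name -eq 'ID').'#text'
        $path    = ($data | Where-Object Name -eq 'Path').'#text'
        $process = ($data | Where-Object Name -eq 'Process Name').'#text'
        [PSCustomObject]@{
            # Normalise "{GUID}" in the event to the lowercase form Get-MpPreference uses
            RuleId  = ($ruleId -replace '[{}]', '').ToLower()
            Mode    = if ($_.Id -eq 1121) { 'BLOCKED' } else { 'AUDIT' }
            Path    = $path
            Process = $process
        }
    } | Group-Object RuleId | ForEach-Object {
        [PSCustomObject]@{
            RuleId    = $_.Name
            RuleName  = $AsrRuleNames[$_.Name]
            Hits      = $_.Count
            Processes = ($_.Group.Process | Sort-Object -Unique) -join '; '
            Paths     = ($_.Group.Path | Sort-Object -Unique | Select-Object -First 5) -join '; '
        }
    }
}

function Invoke-AsrEnforcementGate {
    # Promote to BLOCK only the audit-mode rules with zero hits in the window.
    # Rules that did fire stay in audit and are reported for triage.
    param([int]$Days = 14, [switch]$Apply)

    $prefs   = Get-MpPreference
    $ids     = @($prefs.AttackSurfaceReductionRules_Ids)
    $actions = @($prefs.AttackSurfaceReductionRules_Actions)
    $summary = @(Get-AsrAuditSummary -Days $Days)

    for ($i = 0; $i -lt $ids.Count; $i++) {
        $id = $ids[$i].ToLower()
        if ([int]$actions[$i] -ne 2) { continue }   # only rules currently in audit mode
        $hits = $summary | Where-Object RuleId -eq $id
        if ($hits) {
            Write-Warning ("{0} ({1}): {2} audit hits from {3}; keeping in audit for triage" -f $id, $AsrRuleNames[$id], $hits.Hits, $hits.Processes)
            continue
        }
        Write-Host "$id ($($AsrRuleNames[$id])): no audit hits in $Days days -> BLOCK"
        if ($Apply) {
            Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                             -AttackSurfaceReductionRules_Actions 1
        }
    }
}

# Dry run first; re-run with -Apply once the triage list looks right.
Invoke-AsrEnforcementGate -Days 14
```

Run it without -Apply first and read the warnings: each one names a rule, the number of audit hits and the processes that produced them, which is exactly the list to tune or exclude before that rule is enforced. Rules hit by nothing over the window are the safe first candidates for block mode.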

Adding ASR Exclusions

If a legitimate application triggers an ASR rule, add a file or folder exclusion. Exclusions apply to all ASR rules—there is no per-rule exclusion support via PowerShell. Keep exclusions minimal and document why each one exists.

# Add an exclusion for a specific file path
Add-MpPreference -AttackSurfaceReductionOnlyExclusions "C:\LegacyApp\scanner.exe"

# View current exclusions
(Get-MpPreference).AttackSurfaceReductionOnlyExclusions
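As an added example (not code from the tutorial), the script below keeps the "minimal and documented" requirement enforceable: exclusions are driven from a manifest that carries an owner and a justification, folder-wide entries are flagged, and exclusions found on the host that are absent from the manifest are reported as drift. The manifest, its path and the ticket reference are constructed for illustration; the function name and -Apply switch are this example's own.

```powershell
# Added example (not part of the original tutorial). The manifest below is
# constructed for illustration; in practice it would come from version control.

$manifestCsv = @'
Path,Owner,Justification
C:\LegacyApp\scanner.exe,AppTeam-Legacy,Unsigned vendor binary trips the obfuscated-script rule; vendor ticket TICKET-PLACEHOLDER
'@
$manifest = $manifestCsv | ConvertFrom-Csv

function Sync-AsrExclusions {
    # Reconcile AttackSurfaceReductionOnlyExclusions with the manifest.
    param([Parameter(Mandatory)][object[]]$Manifest, [switch]$Apply)

    $current = @((Get-MpPreference).AttackSurfaceReductionOnlyExclusions)

    foreach ($entry in $Manifest) {
        # No justification, no exclusion
        if ([string]::IsNullOrWhiteSpace($entry.Justification)) {
            Write-Warning "$($entry.Path): refusing undocumented exclusion"
            continue
        }
        # A folder exclusion exempts everything beneath it from every ASR rule
        if (Test-Path -LiteralPath $entry.Path -PathType Container) {
            Write-Warning "$($entry.Path): folder-wide exclusion, prefer the specific executable"
        }
        if ($current -contains $entry.Path) { continue }
        Write-Host "ADD  $($entry.Path)  [$($entry.Owner)]"
        if ($Apply) { Add-MpPreference -AttackSurfaceReductionOnlyExclusions $entry.Path }
    }

    # Exclusions on the host that nobody documented are drift
    foreach ($path in $current) {
        if ($path -and ($Manifest.Path -notcontains $path)) {
            Write-Warning "$($path): exclusion exists on host but is not in the manifest"
            if ($Apply) { Remove-MpPreference -AttackSurfaceReductionOnlyExclusions $path }
        }
    }
}

Sync-AsrExclusions -Manifest $manifest           # report only
# Sync-AsrExclusions -Manifest $manifest -Apply  # converge the host to the manifest
```

Because exclusions apply to every ASR rule at once, the folder-wide warning matters: excluding a directory silently disables LSASS, WMI and script rules for anything that lands there, so the manifest should name individual executables.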

Deploying ASR Rules via Group Policy

Deploy ASR rules across the domain using Group Policy. Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction. Enable “Configure Attack Surface Reduction rules” and add each rule GUID with its enforcement value.

# Open the Group Policy Management Console to create or edit the policy
gpmc.msc

Verify the policy applied correctly using Get-MpPreference on a client computer after Group Policy refresh:

# Force a policy refresh, then read back the rule GUIDs and their actions
gpupdate /force
(Get-MpPreference).AttackSurfaceReductionRules_Ids
(Get-MpPreference).AttackSurfaceReductionRules_Actions

Verifying ASR Rule Status

Check the current status of all configured ASR rules, showing each rule’s GUID and its action (0=off, 1=block, 2=audit).

$prefs = Get-MpPreference
# Wrap in @() so a single configured rule is still handled as an array
$rules = @($prefs.AttackSurfaceReductionRules_Ids)
$actions = @($prefs.AttackSurfaceReductionRules_Actions)

# A for statement cannot start a pipeline directly, so run it inside a script block
& {
    for ($i = 0; $i -lt $rules.Count; $i++) {
        $action = switch ([int]$actions[$i]) {
            0 {"DISABLED"}
            1 {"BLOCK"}
            2 {"AUDIT"}
            default {"UNKNOWN"}
        }
        [PSCustomObject]@{
            RuleGUID = $rules[$i]
            Action = $action
        }
    }
} | Format-Table
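The status check above tells you what is configured; the added example below (not code from the tutorial) turns that into a drift check against a desired-state table and converges the host, which is the form this verification takes once rules are being rolled out in stages or delivered by Group Policy. The GUIDs are the tutorial's rules; the target mode chosen for each, the function names and the -Apply switch are this example's assumptions.

```powershell
# Added example (not part of the original tutorial). Desired modes per rule are
# an illustrative assumption: three rules enforced, the rest still in audit.

$DesiredAsrState = @{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b0' = 1   # LSASS credential theft: block
    'e6db77e5-3df2-4cf1-b95a-636979351e5b' = 1   # WMI event subscription persistence: block
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 1   # obfuscated scripts: block
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 2   # PSExec/WMI process creation: still audit
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 2   # prevalence/age/trusted list: still audit
    'd3e037e1-3eb8-44c8-a917-57927947596d' = 2   # JS/VBScript launching downloads: still audit
}

function Get-AsrCurrentState {
    # GUID -> action (0 off, 1 block, 2 audit) as reported by Get-MpPreference
    $prefs   = Get-MpPreference
    $ids     = @($prefs.AttackSurfaceReductionRules_Ids)
    $actions = @($prefs.AttackSurfaceReductionRules_Actions)
    $state = @{}
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $state[$ids[$i].ToLower()] = [int]$actions[$i]
    }
    return $state
}

function Compare-AsrState {
    # One row per rule: desired mode, current mode, and whether they differ
    param([hashtable]$Desired, [hashtable]$Current)
    $labels = @{ 0 = 'DISABLED'; 1 = 'BLOCK'; 2 = 'AUDIT' }
    foreach ($id in ($Desired.Keys | Sort-Object)) {
        $want = $Desired[$id]
        $have = if ($Current.ContainsKey($id)) { $Current[$id] } else { $null }
        [PSCustomObject]@{
            RuleGUID = $id
            Desired  = $labels[$want]
            Current  = if ($null -eq $have) { 'NOT CONFIGURED' } else { $labels[$have] }
            Drift    = ($have -ne $want)
        }
    }
    # Rules set on the host (for example by a stale GPO) that the desired state does not mention
    foreach ($id in $Current.Keys) {
        if (-not $Desired.ContainsKey($id)) {
            [PSCustomObject]@{
                RuleGUID = $id
                Desired  = 'UNMANAGED'
                Current  = $labels[$Current[$id]]
                Drift    = $true
            }
        }
    }
}

function Invoke-AsrStateSync {
    # Report drift; with -Apply, push the desired action for each drifted managed rule
    param([hashtable]$Desired = $DesiredAsrState, [switch]$Apply)
    $report = @(Compare-AsrState -Desired $Desired -Current (Get-AsrCurrentState))
    $report | Format-Table -AutoSize | Out-String | Write-Host
    foreach ($row in $report | Where-Object { $_.Drift -and $_.Desired -ne 'UNMANAGED' }) {
        if ($Apply) {
            Add-MpPreference -AttackSurfaceReductionRules_Ids $row.RuleGUID `
                             -AttackSurfaceReductionRules_Actions $Desired[$row.RuleGUID]
        }
    }
}

Invoke-AsrStateSync            # report drift only
# Invoke-AsrStateSync -Apply   # converge the host to the desired state
```

On a domain-joined host whose ASR rules are delivered by Group Policy, treat this as a verification tool rather than a remediation tool: local Add-MpPreference changes are overwritten at the next policy refresh, so persistent drift in the report means the policy itself needs correcting.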

Conclusion

Attack Surface Reduction rules on Windows Server 2019 provide behavior-based blocking of attack techniques without requiring malware signatures. The most critical rules for servers are those protecting LSASS from credential dumping, blocking WMI persistence mechanisms, blocking untrusted executables, and blocking obfuscated scripts—these directly counter tools and techniques used in the majority of ransomware and APT attacks. Following the audit-then-enforce methodology minimizes false positives while building toward comprehensive ASR coverage. Combined with Exploit Protection, Credential Guard, WDAC, and AppLocker, ASR rules form an overlapping set of defenses that dramatically raise the cost of successful attacks on Windows Server 2019.