The attack surface of organizations has expanded considerably in recent years. Cloud computing, remote work, SaaS, mobile devices, USB, macros, APIs… every new service, port, or application can become an entry point for an attack. That is why Microsoft has been integrating technologies into Windows 10 and Windows 11 whose purpose is to limit what software can do, even when it appears legitimate. To reduce these risks, see the tips on Improving security in Windows 11.
Among the "defensive weapons", one of these components is Attack Surface Reduction Rules (ASR), the attack surface reduction rules built into Microsoft Defender Antivirus and Defender for Endpoint. It is not a traditional antivirus, but a rule system that blocks risky behaviors before malware even gets the chance to do its job. Understanding exactly what it is, how it works, and how to apply it without breaking the environment is essential for any administrator who manages Windows in a company, large or small. It is also advisable to complement it with ... essential security software as part of the defense strategy.
What is the attack surface and why should it be reduced?
The attack surface is the set of all points an attacker can use to reach our systems, steal data, execute code, or move laterally. It includes physical, digital, and human elements.
On the physical side, servers, workstations, network devices, laptops, terminals, and any hardware with access to the corporate network or sensitive data all count. An uninventoried, forgotten computer or an unmonitored USB port can be a more effective entry vector than a remote exploit.
On the digital side we are talking about operating systems, business applications, web services, databases, endpoints, containers, cloud services, and APIs. Any unpatched vulnerability, misconfiguration, or exposed interface is part of that attack surface and can be exploited by an attacker. That is why keeping security patches up to date is critical.
The human factor completes the picture: user accounts, permissions, configuration mistakes, and of course social engineering. Phishing, impersonation, and pretexting exploit gaps in security awareness, not technical flaws. That is why training and a strong security culture matter as much as the technology itself, and they should be complemented with identity solutions such as Windows Hello for Business.
Reducing the attack surface means trimming and hardening all of those points of contact: removing unused software, closing ports, limiting permissions, segmenting the network, auditing APIs, securing the cloud, and applying technologies that prevent legitimate functions from being abused. This is where ASR comes in, and it is also advisable to use local policies via secpol.msc.
What is ASR (Attack Surface Reduction) in Microsoft Defender?

ASR (Attack Surface Reduction) is a set of Microsoft Defender rules that block software behaviors considered high risk, even when they originate from "trusted" applications such as Office, browsers, or email clients. The goal is not so much to match malware signatures as to prevent legitimate functionality from being abused to carry out an attack.
ASR rules target behaviors typical of malware, such as:
- Launching executables or scripts that download or run other files, often from email, the web, or USB.
- Executing obfuscated or suspicious scripts (PowerShell, JavaScript, VBScript), common in fileless attacks.
- Actions that applications do not perform in normal use, such as Office creating child processes, credential theft, or tampering with sensitive areas of the system.
It is important to understand that some of these behaviors also occur in legitimate software, especially in poorly written or old business applications. That is why ASR offers different modes (block, audit, warn) and supports exclusions by file, folder, or rule.
ASR is part of Microsoft Defender Antivirus (the engine built into Windows 10/11) and is managed at a higher level through Defender for Endpoint and the Microsoft 365 ecosystem (Intune, Configuration Manager, MDM, GPO). An E5 license is not required for it to work, but it is needed if you want full management, reporting, and threat hunting.
The role of ASR in the Zero Trust model
The Zero Trust approach starts from a clear premise: "assume breach". This requires minimizing the impact of any incident by applying controls at the network, identity, and endpoint levels. ASR rules fit into the endpoint layer as a preventive control engine.
Instead of waiting for a malicious binary to execute and be detected, ASR blocks in advance the vectors attackers use: Office macros launching PowerShell, unknown executables downloaded from email, obfuscated scripts, insecure drivers, processes launched from USB, and so on.
In this way, ASR applies the principle of least privilege to what processes can do, not only to what users can do. Word will still be Word, but it will no longer be able to spawn arbitrary child processes, call certain Win32 APIs from macros, or run downloaded content without control.
Combined with network segmentation, MFA, application control, web protection, and good patching practices, ASR helps substantially "shrink" the effective attack surface on Windows workstations and servers, which remain the weakest link in many incidents.
Types of attack surface and their relationship with ASR
Attack surfaces are usually divided into three main categories: digital, physical, and social engineering. Each has its own controls, but they all influence one another.
Digital attack surface: this includes websites, servers, databases, endpoints, SaaS, cloud services, APIs, and so on. Software weaknesses, insecure configurations, and exposed services all count. Organizations often rely on External Attack Surface Management (EASM) tools to keep these elements under continuous watch.
Physical attack surface: network hardware, on-premises servers, user devices, storage devices, and so on. It is reduced with physical controls (data center access, cameras, locks, rack security) and a clear policy on removable media.
On the social engineering side, phishing, vishing, and smishing attacks exploit human weakness. Employee training, phishing simulations, and clear policies on credentials and access management are essential here.
ASR mainly targets the digital surface at the endpoint, but with effects on the physical side (for example, blocking executables from USB) and on the human vector (making it harder for a click on a risky email to end in malware execution).
The most important ASR rules and what they block
Microsoft maintains an extensive catalog of ASR rules, expanded with each version of Windows 10/11. Some of the most relevant ones focus on the vectors most exploited today:
Rules focused on Office and productivity applications:
- Block Office applications from creating child processes (GUID D4F940AB-401B-4EFC-AADC-AD5F3C50688A): prevents Word, Excel, and the rest from launching processes such as cmd.exe or powershell.exe, which is very common in macro-based campaigns.
- Block Office communication applications from creating child processes, further hardening Outlook and similar programs.
- Block Adobe Reader from creating child processes, closing another common abuse path.
Macro-specific rules:
- Block Win32 API calls from Office macros (GUID 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B): stops one of the most common "macro malware" techniques, which needs to use "kernel functions" or other libraries to complete the attack.
- Block executable content from email or webmail: eliminates many attacks that start with a dangerous attachment or link.
Rules that block malicious scripts:
- Block execution of obfuscated scripts, in PowerShell and in languages such as JavaScript or VBScript.
- Block JavaScript/VBScript from launching downloaded content, preventing infections that go unnoticed by the user.
Rules for lateral movement, drivers, and USB:
- Block process creations originating from PsExec and WMI, two classic lateral movement methods in Windows networks.
- Block credential stealing from LSASS, typical of privilege escalation tools such as Mimikatz.
- Block abuse of exploited vulnerable signed drivers, preventing attackers from relying on legitimate but flawed drivers.
- Block untrusted or unsigned processes launched from USB, very useful in environments where users frequently work with removable drives.
- Block persistence through WMI event subscription, a recurring method for staying in the system without drawing much attention.
Keep in mind that not all rules are equally effective on their own. For example, the rule "block Office from creating child processes" had limitations with processes launched through WMI, and Microsoft had to introduce other specific rules to close that gap. Others, such as the one blocking Win32 APIs in macros, are very robust and difficult to evade today.
Operating modes of ASR rules

Each ASR rule can be in one of four states that determine its behavior:
- Not configured / Disabled: the rule does not apply and produces no information.
- Block: the rule is active, prevents the action, and logs the event.
- Audit: does not block, but logs what would have been blocked; ideal for assessment.
- Warn: blocks, but lets the user bypass the block for 24 hours, after which the rule applies again.
Audit mode is the foundation of a controlled rollout. Starting by applying all rules in this mode lets you see which business applications would be affected, how many events are generated, and where exclusions need to go so that critical processes are not broken.
Warn mode is designed as an intermediate step for organizations that want to give users some flexibility in certain cases. However, it is not supported on all rules or in all scenarios: for example, three rules do not support warn mode when configured from Intune (although they do via GPO), and on older versions of Windows the "Warn" setting becomes "Block".
When an ASR rule fires, the user sees a dialog indicating that the content has been blocked and, if the mode permits, can unblock it temporarily. This experience is configurable and is accompanied by events in the Windows log and, if you use Defender for Endpoint, alerts in the portal.
Prerequisites and supported operating systems
To take full advantage of ASR and the other attack surface reduction capabilities, several requirements must be clear:
Microsoft Defender Antivirus requirements:
- Defender must be your primary antivirus; it cannot be in passive or disabled mode.
- Real-time protection must be enabled.
- Cloud-delivered protection must be enabled, with internet connectivity, since some rules depend on it.
- Minimum versions recommended for warn mode and other advanced features: platform 4.18.2008.9 and engine 1.1.17400.5 or later.
At the operating system level, ASR rules are supported on various editions of Windows 10 and Windows 11, in both Pro and Enterprise environments. A Windows E5 license is not strictly required for the rules to work, but it is required for:
Advanced management and visibility features:
- Integrated monitoring and detailed analysis from Defender for Endpoint.
- Advanced reports and configuration from the Microsoft Defender XDR portal.
- Deep integration with advanced hunting and investigation scenarios.
With Pro or E3 licenses, ASR rules can be applied, but visibility is limited to local logs (Event Viewer, Defender logs) or customer-built solutions (for example, forwarding the events to their own SIEM).
How to evaluate ASR rules before applying them
Applying all ASR rules in "Block" mode at once is a good way to break applications and annoy users. Microsoft recommends and documents a phased approach based on prior evaluation.
A good starting point is Microsoft Defender Vulnerability Management, where each ASR rule appears as a security recommendation. From the recommendation's detail panel you can see a projected impact on users and devices: the percentage of endpoints where the rule could be enabled in blocking mode without significantly affecting productivity.
The next step is to deploy the rules in audit mode. In this mode, events are logged for everything that would have been blocked, but without affecting operation. This allows you to:
- Identify business applications that do "strange" but necessary things.
- Measure how many events each rule generates and decide whether it is feasible or whether there is too much noise.
- Design and test an exclusion strategy by file, folder, or process.
Many LOB applications were written without much regard for security, and they may use behaviors very similar to malware: obfuscated scripts, helper executables, unusual drivers, and so on. Audit mode lets these issues be discovered without breaking critical processes.
Exclusions and policy merging in ASR
Exclusions are essential to keep ASR from becoming a headache. Most rules let you define paths or files that will not be evaluated, even if their behavior would normally be blocked.
Adding exclusions requires great care:
- Keep them to a minimum, always as specific as possible (a single executable, not a large directory).
- Clearly document the reason for each exclusion and review them periodically.
- Avoid excluding typical malware locations such as user profiles, temporary files, downloads, or email paths.
In environments with multiple policies applied (MDM, Intune, GPO, and so on) there is merge logic. On managed devices, a "superset" of rules can be built from several profiles: non-conflicting settings are added together, while conflicting ones are dropped from the merged policy.
When there are conflicting policies between MDM/Intune and GPO, Group Policy usually prevails and takes precedence. It is important to audit the configuration and decide clearly which management system should "own" the Defender configuration in the organization.
How to configure and deploy ASR
Microsoft provides several ways to configure and deploy ASR rules. From the command line to advanced cloud platforms, it is common in business to combine more than one.
Recommended enterprise management (Intune / Configuration Manager):
- Intune - Endpoint Security policy: this is the preferred method in cloud environments. It lets you create specific "Attack Surface Reduction Rule" profiles, set the state of each rule, add exclusions, and assign the policy to user or device groups.
- Intune - Device Configuration Profiles (Endpoint Protection): another way to manage ASR within a broader protection policy.
- Intune - Custom OMA-URI profiles: for advanced cases where you need to use the Defender CSP directly, specifying rule GUIDs and their states (0 disable, 1 block, 2 audit, 6 warn).
- Microsoft Configuration Manager (SCCM): lets you create Windows Defender Exploit Guard – Attack Surface Reduction policies, select rules to block or audit, and deploy them to device collections.
Other configuration options:
- Generic MDM via the CSP ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules and AttackSurfaceReductionOnlyExclusions for exclusions; rule GUIDs are written together with their state values.
- Group Policy (GPO): this can be done through Administrative Templates > Windows Components > Microsoft Defender Antivirus > Vulnerability Protection > Attack Surface Reduction. It lets you configure the state of each rule and the exclusion policy.
- PowerShell: with cmdlets such as Set-MpPreference and Add-MpPreference you can enable, audit, warn, or disable rules, as well as configure exclusions. This is useful for scripting, one-off automation, or small environments.
In small businesses without Intune, GPOs and PowerShell remain the main routes. Although there is no "magic button" in the Defender for Endpoint portal to push ASR rules, you can use centralized GPOs in Active Directory or logon scripts with PowerShell to maintain a consistent configuration.
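The following script is an added example (not from the article or from Microsoft) of the staged rollout the article describes, using the Defender cmdlets it names: the two rule GUIDs quoted above are put in audit mode, a narrow exclusion is added, and the effective state of every configured rule is read back. It assumes an elevated session with Microsoft Defender Antivirus active; the exclusion path is a placeholder.

```powershell
# Added example: staged ASR rollout with Add-MpPreference / Get-MpPreference.
# Run in an elevated PowerShell session on a machine where Defender AV is the
# primary antivirus (ASR does not apply in passive mode).

# Rule GUIDs taken from the article; names are for readable output only.
$Rules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block Office applications from creating child processes'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
}

# State codes as returned by Get-MpPreference (same values the OMA-URI CSP uses).
$StateName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

# Phase 1: audit mode. Add-MpPreference appends to the existing rule list (or
# updates the action of a GUID already present) without clearing other rules;
# Set-MpPreference with the same parameters would replace the whole list.
foreach ($guid in $Rules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $guid `
                     -AttackSurfaceReductionRules_Actions AuditMode
}

# Placeholder path for a line-of-business helper found noisy during audit.
# Keep exclusions as narrow as possible: one executable, never a whole directory.
Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Program Files\ExampleLOB\helper.exe'

# Read back the effective configuration and pair each GUID with its state.
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id    = $pref.AttackSurfaceReductionRules_Ids[$i]
    $state = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
    $label = if ($Rules.ContainsKey($id)) { $Rules[$id] } else { '(configured elsewhere)' }
    '{0}  {1,-8}  {2}' -f $id, $StateName[$state], $label
}

# Phase 2, run only after the audit events have been reviewed: move one rule
# to block by re-adding the same GUID with the Enabled action.
# Add-MpPreference -AttackSurfaceReductionRules_Ids 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' `
#                  -AttackSurfaceReductionRules_Actions Enabled
```

Rules pushed by GPO or Intune will also appear in the read-back list, which is a quick way to spot the policy-merging situations described above.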
Other attack surface reduction capabilities in Defender
ASR is not alone: it is part of a broader set of attack surface reduction capabilities integrated into Microsoft Defender for Endpoint.
Main complementary capabilities:
- Application Control (WDAC): forces applications to be trusted before they can run. It is the next level of hardening after ASR, since it defines which binaries can run, not just what they can do.
- Controlled folder access: protects key directories (documents, desktop, and so on) from unauthorized modification, especially useful against ransomware.
- Device control: regulates the use of USB and other removable media to prevent data leaks and malware coming from external drives.
- Exploit protection: applies mitigation techniques to system processes and applications against exploitation, without relying on the classic antivirus.
- Hardware-based isolation: protects system integrity through secure boot, VBS, HVCI, and browser containers (for example, Edge isolation).
- Network protection and web protection: add control over outbound traffic, dangerous domains, and websites, integrated with Defender SmartScreen and web filtering.
Using these capabilities together allows a large reduction of the attack surface, but always in the same way: start in audit mode, adjust, create well-considered exclusions, and only then move to blocking.
Monitoring ASR events and advanced hunting
Monitoring what the ASR rules are doing is as important as deploying them. The related events are logged at several levels.
On the endpoint itself, the main events are in:
- Microsoft-Windows-Windows Defender/Operational, with IDs such as 1121 (rule in block mode), 1122 (rule in audit mode), and 5007 (configuration change).
- Other specific logs for network protection, controlled folder access, exploit protection, and so on, each with its own IDs.
To make analysis easier, Microsoft provides custom views in XML format. These filters show only events related to ASR, network protection, controlled folder access, or attack surface reduction in general. They can be imported into Event Viewer, or the XML query can be copied directly.
In environments with Defender for Endpoint, Advanced Hunting is very useful. With queries on tables such as DeviceEvents, for example, every ASR rule trigger can be found using queries like:
Example query: DeviceEvents | where ActionType startswith "Asr"
This search is designed to reduce noise by showing only distinct behaviors per hour. If the same event occurs on many devices between 14:15 and 14:45, a single record is shown with the time of the first occurrence, which makes analysis easier without being buried under thousands of repeated rows.
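For endpoints without Defender for Endpoint (Pro or E3, as discussed above), the same hourly collapsing can be done locally over the Operational log. The following is an added example, not from the article: it reads the 1121/1122 events described above and emits one row per rule, process, and hour with the first timestamp and a count. It assumes the EventData field names ID (rule GUID), Process Name, and Path as they appear in the event XML; check them against one of your own events before relying on the output.

```powershell
# Added example: summarise local ASR events, one row per rule + process + hour.
# Assumption: the 1121/1122 EventData elements are named 'ID', 'Process Name'
# and 'Path'. Verify with (Get-WinEvent ... | Select -First 1).ToXml().

$Log   = 'Microsoft-Windows-Windows Defender/Operational'
$Since = (Get-Date).AddDays(-7)

# 1121 = blocked by a rule, 1122 = audited (would have been blocked).
$events = Get-WinEvent -FilterHashtable @{ LogName = $Log; Id = 1121, 1122; StartTime = $Since } `
                       -ErrorAction SilentlyContinue

function Get-AsrEventRecord {
    # Flatten one event's XML into the fields we care about.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time    = $Event.TimeCreated
        Mode    = if ($Event.Id -eq 1121) { 'Block' } else { 'Audit' }
        RuleId  = $data['ID']
        Process = $data['Process Name']
        Target  = $data['Path']
    }
}

$records = foreach ($e in $events) { Get-AsrEventRecord -Event $e }

# Collapse repeats: same rule, same process, same hour bucket -> one row,
# keeping the earliest time and counting the occurrences (the noise reduction
# the article describes for Advanced Hunting, done locally).
$records |
    Group-Object { '{0}|{1}|{2}' -f $_.RuleId, $_.Process, $_.Time.ToString('yyyy-MM-dd HH') } |
    ForEach-Object {
        $first = $_.Group | Sort-Object Time | Select-Object -First 1
        [pscustomobject]@{
            FirstSeen = $first.Time
            Mode      = $first.Mode
            RuleId    = $first.RuleId
            Process   = $first.Process
            Count     = $_.Count
        }
    } |
    Sort-Object FirstSeen |
    Format-Table -AutoSize
```

Rows with a high Count for a known LOB process are the candidates for a narrow exclusion; rows in Audit mode for cmd.exe or powershell.exe spawned by Office are the ones that justify moving a rule to block.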
Best practices and challenges in reducing the attack surface
Reducing the attack surface is a marathon, not a sprint, and it collides head-on with some deeply rooted business practices. There are obvious challenges, and best practices that help it succeed.
Main challenges:
- Hard dependencies: old applications and systems that rely on legacy or insecure components, difficult to touch without breaking something.
- Legacy integrations that do not support new security measures or require poorly documented configurations.
- The pace of technological change: new platforms and services introduce new vectors, forcing the strategy to be reviewed continuously.
- Operational limits: lack of staff, tools, or budget to act on every front.
- Impact on business processes: more security often means more friction, and the right balance must be found.
Best practices include:
- Rigorous asset inventory, with up-to-date hardware, software, and data assets, documented with criticality and owner.
- Network security based on segmentation and visibility, with clear rules about what may talk to what, and traffic monitoring.
- System hardening: remove unnecessary software, disable default features and accounts, apply patches quickly, regularly review security settings, and strengthen system telemetry.
- Strict access control following the principle of least privilege, with MFA, periodic permission reviews, and revocation of access when someone changes role or leaves.
- Configuration management supported by tools that detect unauthorized changes, raise alerts, and, where possible, roll them back automatically.
In cloud environments, special attention must also be paid to storage settings, identities, APIs, and encryption, because a permissions mistake or a misconfigured bucket can expose data to the internet without anyone noticing until it is too late.
In day-to-day operations, ASR rules, together with the rest of Defender's capabilities, help significantly reduce the chances of a successful attack. Even if a user clicks where they should not or a system is not fully patched, a well-designed rule set put into block mode after a proper audit and tuning phase becomes a highly effective layer that is transparent to the end user.
Although this whole web of rules, GUIDs, modes, and tools may seem overwhelming at first, with an orderly approach (evaluate, audit, exclude carefully, and then block) it is manageable even for small teams. And the benefit is clear: less surface to watch, fewer points to defend, and less room for each mistake to escalate.