Disassembler0 / Win10-Initial-Setup-Script

PowerShell script for automation of routine tasks done after fresh installations of Windows 10 / Server 2016 / Server 2019
MIT License
4.7k stars 1.07k forks

Windows Defender Attack Surface Reduction Rules (ASR) #332

Open jcspencer opened 4 years ago

jcspencer commented 4 years ago

Defender lets you set Attack Surface Reduction rules both via GPO or via Set-MpPreference. A list of the rules can be found here.

Current rules:

Is this something that would be worth me making a PR for?

The main issue is that there are currently 15 possible rules, each with three states (disabled, audit, enabled). Would this be something where there should be three options available as separate commands?

E3V3A commented 4 years ago

@jcspencer

Is this something that would be worth me making a PR for?

Absolutely, but before you do that, we need to address the issue of "out-of-box" experience for first time Windows users.

So perhaps we need to think about this:

  1. How can we get the out-of-box Vanilla settings for all those? (I.e. a log of what is currently used, before running and changing anything.)
  2. Which of these are the most important to have, but which will not block you from using Office tools in a standard way?
  3. Maybe have 3 "blocks" of different presets, each representing (user knowledge). For example: [basic, audit, hardened]?

For example, basic would block obvious stuff like:

But not:
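As an added example (not from this thread or from the Win10-Initial-Setup-Script code), a PowerShell sketch of the two things discussed above: logging the current ASR state with Get-MpPreference before changing anything, and applying a basic/audit/hardened preset through Add-MpPreference, which drives the three states (Disabled, AuditMode, Enabled) the first comment describes. It assumes an elevated PowerShell session on a host with Defender present; the rule GUIDs are taken from Microsoft's published ASR rule list and should be checked against it, and the function names and the "basic" subset are constructed for illustration.

```powershell
# Added example; not part of the project's script. Assumes elevated PowerShell
# with Defender present. Verify the rule GUIDs against Microsoft's ASR rule list.

# Numeric action values as reported by Get-MpPreference.
$AsrActionName = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode' }

# Step 1 of the proposal: record the out-of-box state before changing anything.
function Export-AsrBaseline {
    param([string]$Path = "$env:ProgramData\asr-baseline.json")
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ })
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    $snapshot = @(for ($i = 0; $i -lt $ids.Count; $i++) {
        $value = [int]$actions[$i]
        $name  = $AsrActionName[$value]
        if (-not $name) { $name = "Unknown($value)" }   # newer states, e.g. Warn
        [pscustomobject]@{ Id = $ids[$i]; Action = $name }
    })
    ConvertTo-Json -InputObject $snapshot | Set-Content -Path $Path
    return $snapshot
}

# Step 3 of the proposal: presets. Rule table (GUID -> description) is a subset
# of the published list; the 'basic' block set is a constructed placeholder and
# which rules belong in it is exactly the question the thread raises.
$AsrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block Office apps from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office apps from creating executable content'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email and webmail'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
}
$BasicBlockSet = @('D4F940AB-401B-4EFC-AADC-AD5F3C50688A', 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550')

function Set-AsrPreset {
    param([ValidateSet('basic', 'audit', 'hardened')][string]$Preset)
    foreach ($id in $AsrRules.Keys) {
        $action = switch ($Preset) {
            'audit'    { 'AuditMode' }
            'hardened' { 'Enabled' }
            'basic'    { if ($BasicBlockSet -contains $id) { 'Enabled' } else { 'AuditMode' } }
        }
        # Add-MpPreference changes only the named rule and leaves the others as they are.
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $action
        Write-Verbose "$($AsrRules[$id]) -> $action"
    }
}

# Usage: Export-AsrBaseline | Format-Table; then Set-AsrPreset -Preset audit -Verbose
```

Running the audit preset first and reviewing the resulting ASR events is the practical way to answer point 2 before enabling any rule in block mode.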