Microsoft publishes security baselines for Windows 10/11 that contain hundreds of recommended settings. But blindly deploying them can break legacy applications. This lesson teaches you to customize the Microsoft Security Compliance Toolkit baselines and integrate them with Microsoft Defender for Endpoint (MDE) for a defense-in-depth posture that includes attack surface reduction (ASR), exploit protection, and EDR.
The Toolkit includes GPO backups, LGPO scripts, and documentation. Baselines cover everything from credential delegation to BitLocker, Windows Defender Firewall, and Internet Explorer/Edge. The key is to start with the 'MSFT Windows 11 - Domain Security' baseline, then create an overlay GPO for your organization's exceptions. Use the Policy Analyzer tool to compare the baseline against your current GPOs and identify drift.
LGPO.exe applies the baseline directly to local policy, which is useful for non-domain-joined machines. For domain-joined machines, import the GPO backups via the Group Policy Management Console.
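The local-policy path described above, as an added example script that is not part of the Toolkit or its documentation: it snapshots the current local policy with LGPO.exe before applying a baseline's GPO backups, so there is a rollback point. The paths (`C:\Tools\LGPO\LGPO.exe`, the baseline `GPOs` folder, the backup directory) are assumptions about where you extracted the Toolkit.

```powershell
# Added example (not from the Security Compliance Toolkit documentation):
# back up the current local policy with LGPO.exe, then apply a baseline's
# GPO backups on a non-domain-joined machine. All paths are assumptions.
$Lgpo     = 'C:\Tools\LGPO\LGPO.exe'                 # assumed extraction path of LGPO.exe
$Baseline = 'C:\Tools\Baselines\Windows 11\GPOs'     # assumed: the GPOs folder from the baseline zip
$Backup   = "C:\PolicyBackups\$(Get-Date -Format yyyyMMdd-HHmm)"

if (-not (Test-Path $Lgpo))     { throw "LGPO.exe not found at $Lgpo" }
if (-not (Test-Path $Baseline)) { throw "Baseline folder not found at $Baseline" }
New-Item -ItemType Directory -Path $Backup -Force | Out-Null

# 1. Snapshot the existing local policy as a GPO backup so it can be re-imported later.
& $Lgpo /b $Backup
if ($LASTEXITCODE -ne 0) { throw "LGPO backup failed with exit code $LASTEXITCODE" }

# 2. Import and apply every GPO backup found under the baseline folder.
& $Lgpo /g $Baseline
if ($LASTEXITCODE -ne 0) { throw "LGPO apply failed with exit code $LASTEXITCODE" }

# 3. Refresh policy and capture the resulting settings as an HTML report for drift review.
gpupdate /force | Out-Null
gpresult /h "$Backup\post-baseline.html" /f

Write-Host "Baseline applied. Pre-baseline snapshot stored in $Backup"
Write-Host "Rollback: & '$Lgpo' /g '$Backup'  (then re-check with gpresult)"
```

One caveat on the rollback: an LGPO import merges settings into the existing local policy rather than replacing it, so re-importing the snapshot only resets values that the snapshot explicitly contained; settings the baseline introduced that were previously "Not Configured" stay in place and have to be cleared individually. For that reason the `gpresult` report is worth keeping next to the snapshot.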
MDE's ASR rules are a powerful complement to baselines. Rules like 'Block executable content from email client and webmail', 'Block Office applications from creating child processes', and 'Block credential stealing from the Windows local security authority subsystem (lsass.exe)' stop common malware techniques. These rules are configured via Intune or Group Policy and can be set to Audit mode first to measure impact.
```powershell
# Check ASR rules configuration on a device
Get-MpPreference | Select-Object AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions
# Enable a rule in block mode
Add-MpPreference -AttackSurfaceReductionRules_Ids 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -AttackSurfaceReductionRules_Actions Enabled
```

💡 The rule ID 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 corresponds to 'Block Office apps from creating executable content'. Test in Audit mode before enforcing.
| ASR Rule | ID | Protects Against |
|---|---|---|
| Block executable content from email | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 | Phishing attachments |
| Block Office child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A | Macro-based malware |
| Block credential stealing from lsass | 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2 | Mimikatz-like tools |
| Block process creations from PSExec | D1E49AAC-8F56-4280-B9BA-993A6D77406C | Lateral movement |
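The audit-first workflow for the rules in the table, as an added example that is not Microsoft's code: it stages any unconfigured rule in Audit mode, then reports each rule's current state together with the number of audit and block events Defender has logged for it. The rule IDs are the published ones from the table; the `$Expected` list, the seven-day window, and the action-code mapping (0 Disabled, 1 Block, 2 Audit, 6 Warn) are this example's own choices.

```powershell
# Added example, not from Microsoft's documentation: stage the ASR rules from the
# table above in Audit mode, then report state and event counts per rule.
$Expected = @{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block Office applications from creating child processes'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from lsass.exe'
    'D1E49AAC-8F56-4280-B9BA-993A6D77406C' = 'Block process creations from PSExec and WMI'
}
$actionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }   # Defender action codes

# Build a lookup of currently configured rules (IDs are compared case-insensitively).
function Get-AsrState {
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ })
    $current = @{}
    for ($k = 0; $k -lt $ids.Count; $k++) {
        $current[$ids[$k].ToUpper()] = [int]$pref.AttackSurfaceReductionRules_Actions[$k]
    }
    return $current
}

# Stage: any expected rule that is not configured yet goes to Audit mode, never straight to Block.
$current = Get-AsrState
foreach ($id in $Expected.Keys) {
    if (-not $current.ContainsKey($id)) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions AuditMode
    }
}

# Defender operational log: event 1121 = ASR rule blocked, 1122 = ASR rule audited.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

# Report: state per rule plus how often it fired. The rule GUID appears in the event message text.
$current = Get-AsrState
$report  = foreach ($id in $Expected.Keys) {
    $hits = @($events | Where-Object { $_.Message -match $id })
    [pscustomobject]@{
        Rule    = $Expected[$id]
        State   = if ($current.ContainsKey($id)) { $actionName[$current[$id]] } else { 'NotConfigured' }
        Audited = @($hits | Where-Object Id -eq 1122).Count
        Blocked = @($hits | Where-Object Id -eq 1121).Count
    }
}
$report | Sort-Object Audited -Descending | Format-Table -AutoSize
# A rule with a high Audited count needs exclusions or a pilot group before it is moved to Block
# (Set-MpPreference -AttackSurfaceReductionRules_Ids <id> -AttackSurfaceReductionRules_Actions Enabled).
```

Run it on a pilot device after a week or two in Audit mode; the `Audited` column is the direct measure of how much a rule would have blocked, and a non-zero count against a line-of-business application is the signal to add an exclusion before enforcing.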
Exploit Protection enables system-wide mitigations like DEP, SEHOP, and ASLR, plus per-app rules. Controlled Folder Access protects designated directories from unauthorized modifications, effectively preventing ransomware encryption of critical data. These features, combined with baselines and ASR, create multiple layers that must all be bypassed.
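Configuring the two remaining layers from this paragraph, as an added example that is not Microsoft's code: Controlled Folder Access is turned on in audit mode for an extra data folder, a system-wide exploit-protection mitigation set is applied with a per-application override, and the CFA audit events are grouped by process so exclusions can be decided before enforcement. The folder path, the application path and name, and the regex for the `Process Name:` field in the event text are assumptions.

```powershell
# Added example, not from Microsoft's documentation: Controlled Folder Access in
# audit mode, system-wide exploit mitigations, and a summary of CFA audit events.
# Paths, the application name and the event-message regex are assumptions.

# Controlled Folder Access: audit first, and protect an extra (assumed) data folder.
Set-MpPreference -EnableControlledFolderAccess AuditMode
Add-MpPreference -ControlledFolderAccessProtectedFolders 'C:\Data\Finance'
# Pre-approve a known-good application that legitimately writes into protected folders.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\LineOfBusiness\lob.exe'

# Exploit Protection: system-wide DEP and SEHOP, plus a per-app setting for the same application.
Set-ProcessMitigation -System -Enable DEP, SEHOP
Set-ProcessMitigation -Name lob.exe -Enable DEP, BottomUp    # -Name takes the executable name, not a path
Get-ProcessMitigation -System                                  # print the effective system-wide settings

# Defender operational log: event 1123 = CFA blocked, 1124 = CFA audited.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1123, 1124
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

# Group events by the process that tried to write, so each one can be allowed or investigated.
# Assumes the event text carries a "Process Name:" field, as the Defender CFA events do.
$events | ForEach-Object {
    $m = [regex]::Match($_.Message, 'Process Name:\s*(?<p>[^\r\n]+)')
    [pscustomobject]@{
        Id      = $_.Id
        Process = if ($m.Success) { $m.Groups['p'].Value.Trim() } else { '?' }
    }
} | Group-Object Process | Sort-Object Count -Descending | Select-Object Count, Name

# Once the audit list contains only expected processes, enforce:
# Set-MpPreference -EnableControlledFolderAccess Enabled
```

Keep the audit phase long enough to cover periodic jobs (backup agents, month-end reporting); those are the processes that most often appear only after the pilot has been declared clean.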
⚠️ Some ASR rules break legitimate applications (e.g., PDF readers using child processes). Always pilot with a representative user group and have a rollback plan.