Attack surface reduction rules deployment overview
Attack surfaces are all the places where your organization is vulnerable to cyberthreats and attacks. Reducing your attack surface means protecting your organization's devices and network, which leaves attackers with fewer ways to attack. Configuring Microsoft Defender for Endpoint attack surface reduction rules can help.
Attack surface reduction rules target certain software behaviors, such as:
- Launching executable files and scripts that attempt to download or run files
- Running obfuscated or otherwise suspicious scripts
- Behaviors that apps don't usually occur during normal day-to-day work
By reducing the different attack surfaces, you can help prevent attacks from happening in the first place.
This deployment collection provides information about the following aspects of attack surface reduction rules:
- attack surface reduction rules requirements
- plan for attack surface reduction rules deployment
- test attack surface reduction rules
- configure and enable attack surface reduction rules
- attack surface reduction rules best practices
- attack surface reduction rules advanced hunting
- attack surface reduction rules event viewer
Attack surface reduction rules deployment steps
As with any new, wide-scale implementation, which could potentially impact your line-of-business operations, it's important to be methodical in your planning and implementation. Careful planning and deployment of attack surface reduction rules is necessary to ensure they work best for your unique customer workflows. To work in your environment, you need to plan, test, implement, and operationalize attack surface reduction rules carefully.
Important predeployment caveat
We recommended that you enable the following three standard protection rules. See Attack surface reduction rules by type for important details about the two types of attack surface reduction rules.
- Block credential stealing from the Windows local security authority subsystem (lsass.exe)
- Block abuse of exploited vulnerable signed drivers
- Block persistence through Windows Management Instrumentation (WMI) event subscription
Typically, you can enable the standard protection rules with minimal-to-no noticeable impact to the end user. For an easy method to enable the standard protection rules, see Simplified standard protection option.
For customers who are using a non-Microsoft HIPS and are transitioning to Microsoft Defender for Endpoint attack surface reduction rules, Microsoft advises running the HIPS solution alongside attack surface reduction rules deployment until the moment you shift from Audit mode to Block mode. Keep in mind that you must reach out to your non-Microsoft antivirus provider for exclusion recommendations.
Before you begin testing or enabling attack surface reduction rules
During your initial preparation, it's vital to understand the capabilities of the systems that you put in place. Understanding the capabilities help you determine which attack surface reduction rules are most important for protecting your organization. Additionally, there are several prerequisites, which you must attend to in preparation of your attack surface reduction deployment.
This guide provides images and examples to help you decide how to configure attack surface reduction rules; these images and examples might not reflect the best configuration options for your environment.
Before you start, review Overview of attack surface reduction, and Demystifying attack surface reduction rules - Part 1 for foundational information. To understand the areas of coverage and potential impact, familiarize yourself with the current set of attack surface reduction rules; see Attack surface reduction rules reference. While you're familiarizing yourself with the attack surface reduction rules set, take note of the per-rule GUID mappings; see Attack surface reduction rule to GUID matrix.
Attack surface reduction rules are only one capability of the attack surface reduction capabilities within Microsoft Defender for Endpoint. This document goes into more detail on deploying attack surface reduction rules effectively to stop advanced threats like human-operated ransomware and other threats.
Attack surface reduction rules list by category
The following table shows attack surface reduction rules by category:
|Lateral movement & credential theft
|Productivity apps rules
|Block executable files from running unless they meet a prevalence (1,000 machines), age, or trusted list criteria
|Block process creations originating from PSExec and WMI commands
|Block Office apps from creating executable content
|Block executable content from email client and webmail
|Block obfuscated JS/VBS/PS/macro code
|Block abuse of exploited vulnerable signed drivers 
|Block untrusted and unsigned processes that run from USB
|Block credential stealing from the Windows local security authority subsystem (lsass.exe)
|Block Office apps from creating child processes
|Block only Office communication applications from creating child processes
|Block JS/VBS from launching downloaded executable content
|Use advanced protection against ransomware
|Block persistence through WMI event subscription
|Block Office apps from injecting code into other processes
|Block Office communication apps from creating child processes
|Block Adobe Reader from creating child processes
(1) Block abuse of exploited vulnerable signed drivers is now available under Endpoint Security > Attack Surface Reduction.
(2) Some attack surface reduction rules generate considerable noise, but don't block functionality. For example, if you're updating Chrome, Chrome accesses lsass.exe; passwords are stored in lsass on the device. However, Chrome shouldn't be accessing local device lsass.exe. If you enable the rule to block access to lsass, you see many events. Those events are good events because the software update process shouldn't access lsass.exe. Using this rule blocks Chrome updates from accessing lsass, but won't block Chrome from updating. This is also true of other applications that make unnecessary calls to lsass.exe. The block access to lsass rule blocks unnecessary calls to lsass, but doesn't block the application from running.
Attack surface reduction infrastructure requirements
Although multiple methods of implementing attack surface reduction rules are possible, this guide is based on an infrastructure consisting of
- Microsoft Entra ID
- Microsoft Intune
- Windows 10 and Windows 11 devices
- Microsoft Defender for Endpoint E5 or Windows E5 licenses
To take full advantage of attack surface reduction rules and reporting, we recommend using a Microsoft Defender XDR E5 or Windows E5 license, and A5. Learn more at Minimum requirements for Microsoft Defender for Endpoint.
There are multiple methods to configure attack surface reduction rules. Attack surface reduction rules can be configured using: Microsoft Intune, PowerShell, Group Policy, Microsoft Configuration Manager (ConfigMgr), Intune OMA-URI. If you are using a different infrastructure configuration than what is listed for Infrastructure requirements, you can learn more about deploying attack surface reduction rules using other configurations here: Enable attack surface reduction rules.
Attack surface reduction rules dependencies
Microsoft Defender Antivirus must be enabled and configured as primary anti-virus solution, and must be in the following mode:
- Primary antivirus/antimalware solution
- State: Active mode
Microsoft Defender Antivirus must not be in any of the following modes:
- Passive Mode with Endpoint detection and response (EDR) in Block Mode
- Limited periodic scanning (LPS)
Cloud Protection (MAPS) must be enabled to enable attack surface reduction rules
Microsoft Defender Antivirus works seamlessly with Microsoft cloud services. These cloud protection services, also referred to as Microsoft Advanced Protection Service (MAPS), enhances standard real-time protection, arguably providing the best antivirus defense. Cloud protection is critical to preventing breaches from malware and a critical component of attack surface reduction rules. Turn on cloud-delivered protection in Microsoft Defender Antivirus.
Microsoft Defender Antivirus components must be current versions for attack surface reduction rules
The following Microsoft Defender Antivirus component versions must be no more than two versions older than the most-currently-available version:
- Microsoft Defender Antivirus Platform update version - Microsoft Defender Antivirus platform is updated monthly.
- Microsoft Defender Antivirus engine version - Microsoft Defender Antivirus engine is updated monthly.
- Microsoft Defender Antivirus security intelligence - Microsoft continually updates Microsoft Defender security intelligence (also known as, definition and signature) to address the latest threats, and to refine detection logic.
Keeping Microsoft Defender Antivirus versions current helps reduce attack surface reduction rules false positive results and improves Microsoft Defender Antivirus detection capabilities. For more details on the current versions and how to update the different Microsoft Defender Antivirus components visit Microsoft Defender Antivirus platform support.
Some rules don't work well if unsigned, internally developed application and scripts are in high usage. It's more difficult to deploy attack surface reduction rules if code signing isn't enforced.
Other articles in this deployment collection
Attack surface reduction rules collection
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.