Enable your attack surface reduction rules in Microsoft Defender for Business
Your attack surfaces are all the places and ways that your organization's network and devices are vulnerable to cyberthreats and attacks. Unsecured devices, unrestricted access to any URL on a company device, and allowing any type of app or script to run on company devices are all examples of attack surfaces. They leave your company vulnerable to cyberattacks.
To help protect your network and devices, Microsoft Defender for Business includes several attack surface reduction capabilities, including attack surface reduction rules. This article describes how to set up your attack surface reduction rules and describes attack surface reduction capabilities.
There are lots of attack surface reduction rules available. You don't have to set them all up at once. And, you can set up some rules in audit mode just to see how they work for your organization, and change them to work in block mode later. That said, we recommend enabling the following standard protection rules as soon as possible:
- Block credential stealing from the Windows local security authority subsystem
- Block abuse of exploited vulnerable signed drivers
- Block persistence through WMI event subscription
These rules help protect your network and devices but shouldn't cause disruption for users. Use Intune to set up your attack surface reduction rules.
In the Microsoft Intune admin center, go to Endpoint security > Attack surface reduction.
Choose Create policy to create a new policy.
- For Platform, choose Windows 10, Windows 11, and Windows Server.
- For Profile, select Attack Surface Reduction Rules, and then choose Create.
Set up your policy as follows:
Specify a name and description, and then choose Next.
For at least the following three rules, set each one to Block:
- Block credential stealing from the Windows local security authority subsystem
- Block persistence through WMI event subscription
- Block abuse of exploited vulnerable signed drivers
Then choose Next.
On the Scope tags step, choose Next.
On the Assignments step, choose the users or devices to receive the rules, and then choose Next. (We recommend selecting Add all devices.)
On the Review + create step, review the information, and then choose Create.
Tip
If you prefer, you can set up your attack surface reduction rules in audit mode at first to see detections before files or processes are actually blocked. For more detailed information about attack surface reduction rules, see Attack surface reduction rules deployment overview.
Defender for Business includes an attack surface reduction report that shows how attack surface reduction rules are working for you.
In the Microsoft Defender portal, in the navigation pane, choose Reports.
Under Endpoints, choose Attack surface reduction rules. The report opens and includes three tabs:
- Detections, where you can view detections that occurred as a result of attack surface reduction rules
- Configuration, where you can view data for standard protection rules or other attack surface reduction rules
- Add exclusions, where you can add items to be excluded from attack surface reduction rules (use exclusions sparingly; every exclusion reduces your level of security protection)
To learn more about attack surface reduction rules, see the following articles:
- Attack surface reduction rules overview
- Attack surface reduction rules report
- Attack surface reduction rules reference
- Attack surface reduction rules deployment overview
Attack surface reduction rules are available in Defender for Business. The following table summarizes attack surface reduction capabilities in Defender for Business. Notice how other capabilities, such as next-generation protection and web content filtering, work together with your attack surface reduction capabilities.
Capability | How to set it up |
---|---|
Attack surface reduction rules Prevent specific actions that are commonly associated with malicious activity to run on Windows devices. |
Enable your standard protection attack surface reduction rules (section in this article). |
Controlled folder access Controlled folder access allows only trusted apps to access protected folders on Windows devices. Think of this capability as ransomware mitigation. |
Set up controlled folder access policy in Microsoft Defender for Business. |
Network protection Network protection prevents people from accessing dangerous domains through applications on their Windows and Mac devices. Network protection is also a key component of Web content filtering in Microsoft Defender for Business. |
Network protection is already enabled by default when devices are onboarded to Defender for Business and next-generation protection policies in Defender for Business are applied. Your default policies are configured to use recommended security settings. |
Web protection Web protection integrates with web browsers and works with network protection to protect against web threats and unwanted content. Web protection includes web content filtering and web threat reports. |
Set up Web content filtering in Microsoft Defender for Business. |
Firewall protection Firewall protection determines what network traffic is permitted to flow to or from your organization's devices. |
Firewall protection is already enabled by default when devices are onboarded to Defender for Business and firewall policies in Defender for Business are applied. |