  • Hanna Korotka

Enhance Your Cybersecurity with Microsoft Defender for Endpoint Attack Surface Reduction Rules

Cybercriminals are always on the lookout for vulnerabilities in your network and devices, which can lead to data breaches and financial losses. To fortify your defenses, it's crucial to reduce your attack surface—the various points of vulnerability within your organization. One effective way to achieve this is by configuring Microsoft Defender for Endpoint.

Microsoft Defender for Endpoint is an integral part of managed security for Microsoft 365. It provides a robust set of tools to bolster your cybersecurity, including attack surface reduction rules. These rules specifically target software behaviors that are commonly exploited by attackers, thereby reducing potential vulnerabilities.

Attack Surface Reduction Rules Explained

Attack surface reduction rules are designed to mitigate security risks by focusing on specific software behaviors. They help safeguard your organization against a variety of threats, including:

  1. Launching executable files and scripts: Attack surface reduction rules can identify and block attempts to download or run malicious files or scripts.

  2. Running obfuscated or suspicious scripts: By monitoring script behavior, these rules can thwart attacks that involve disguised or suspicious code.

  3. Unusual app behaviors: These rules can detect behaviors that deviate from normal day-to-day operations and block them.

By targeting these areas, you can significantly reduce your organization's attack surface and, in turn, prevent attacks from occurring in the first place.

Setting up Attack Surface Reduction Rules

Configuring Microsoft Defender for Endpoint's attack surface reduction rules is a straightforward process. You can do this by using Microsoft Intune, a cloud-based service that streamlines device management and security.

Here's how to set up ASR rules using Intune:

1. As a global administrator, in the Microsoft Intune admin center, go to Endpoint security > Attack surface reduction.

2. Choose Create policy to create a new policy.

  • For Platform, choose Windows 10, Windows 11, and Windows Server.

  • For Profile, select Attack Surface Reduction Rules, and then choose Create.

3. Set up your policy as follows:

a. Specify a name and description, and then choose Next.

b. You don't need to configure all of the rules at once. Instead, you can initially set certain rules to audit mode, which lets you evaluate their impact on your organization before switching them to block mode. With that in mind, we highly recommend promptly enabling the following standard protection rules:

  • Block credential stealing from the Windows local security authority subsystem

  • Block persistence through WMI event subscription

  • Block abuse of exploited vulnerable signed drivers

Then choose Next.

c. On the Scope tags step, choose Next.

d. On the Assignments step, choose the users or devices to receive the rules, and then choose Next. (We recommend selecting Add all devices.)

e. On the Review + create step, review the information, and then choose Create.
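Once the policy has synced, you can confirm on an endpoint that the three standard protection rules arrived and whether each is in audit or block mode. The PowerShell below is an added example, not part of the original post: the function names are hypothetical, the rule GUIDs and action codes are the ones Microsoft publishes in its ASR rule reference, and it assumes an elevated session on a Windows device with the built-in Defender module.

```powershell
# Added example: check the state of the three standard protection rules locally.
# GUIDs as published in Microsoft's ASR rule reference.
$StandardRules = [ordered]@{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from the Windows local security authority subsystem'
    'e6db77e5-3df2-4cf1-b95a-636979351e5b' = 'Block persistence through WMI event subscription'
    '56a863a9-875e-4185-98a7-b882c64b5ce5' = 'Block abuse of exploited vulnerable signed drivers'
}

# Action codes reported by Get-MpPreference.
$Modes = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-StandardAsrRuleState {
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)

    foreach ($guid in $StandardRules.Keys) {
        # Ids and Actions are parallel arrays; find this rule's position.
        $index = -1
        for ($i = 0; $i -lt $ids.Count; $i++) {
            if ($ids[$i] -eq $guid) { $index = $i; break }  # string -eq ignores case
        }
        if ($index -lt 0) {
            $mode = 'Not configured'
        } else {
            $code = [int]$actions[$index]
            $mode = $Modes[$code]
            if (-not $mode) { $mode = "Unknown ($code)" }
        }
        [pscustomobject]@{ Rule = $StandardRules[$guid]; Id = $guid; Mode = $mode }
    }
}

function Get-AsrEventSummary {
    param([int]$Days = 7)
    # Event 1121 = a rule fired in block mode, 1122 = a rule fired in audit mode.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Group-Object Id |
        Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count
}

Get-StandardAsrRuleState | Format-Table -AutoSize
Get-AsrEventSummary -Days 7 | Format-Table -AutoSize
```

A rule reported as Not configured means the Intune policy has not reached the device yet or the device is outside the assignment; a steady count of 1122 events for a rule in audit mode is the impact data to review before moving that rule to block mode.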

Microsoft Defender for Endpoint is a robust solution that enhances cybersecurity for Microsoft 365, making it an invaluable asset in safeguarding your organization's digital infrastructure.


In today's world, where cyber threats are constantly evolving, it is crucial for organizations to take a proactive approach to cybersecurity. By configuring Microsoft Defender for Endpoint's attack surface reduction rules, you can significantly reduce your organization's attack surface, fortifying your defenses and mitigating the risk of cyberattacks. This, in turn, helps ensure the managed security and compliance of your Microsoft 365 environment.

For peace of mind that your business is secure, click here to schedule a Microsoft 365 Secure Score review with our experts today. We'll evaluate your current cybersecurity measures, identify potential vulnerabilities, and help you implement a strategic security plan to keep your company safe.
