Attack Surface Reduction & Security Policies
Reduce the attack surface before threats arrive. Learn how to configure ASR rules, security policies, and endpoint hardening in Microsoft Defender for Endpoint.
What is attack surface reduction?
Think of your house. You have a front door, a back door, 12 windows, a garage, and a dog flap. Each one is a way someone could get in.
Attack Surface Reduction (ASR) is like locking the windows you never open, sealing the dog flap you don’t use, and putting a deadbolt on the back door. You reduce the number of ways an attacker can get in — without bricking the front door that everyone uses.
In MDE, ASR rules block specific behaviours that attackers commonly exploit: Office apps spawning child processes, scripts downloading executables, credential theft from LSASS. Each rule targets a known attack technique and can be set to Block, Audit, or Warn.
Common ASR rules
Microsoft provides dozens of ASR rules. Here are the most commonly tested:
| ASR Rule | What It Blocks | Attack It Prevents |
|---|---|---|
| Block Office apps from creating child processes | Word, Excel, PowerPoint spawning cmd.exe, PowerShell, etc. | Macro-based malware delivery |
| Block Office apps from injecting code into other processes | Office using CreateRemoteThread or similar injection | Process hollowing, code injection |
| Block executable content from email client and webmail | Running .exe, .dll, .scr from Outlook or browser-based email | Email-delivered malware |
| Block credential stealing from LSASS | Accessing the LSASS process memory | Credential dumping (Mimikatz) |
| Block JavaScript or VBScript from launching downloaded content | Scripts executing payloads they downloaded | Drive-by downloads, script-based attacks |
| Block persistence through WMI event subscription | WMI-based persistence mechanisms | Fileless malware persistence |
| Block process creations from PSExec and WMI commands | Remote execution via PsExec or WMIC | Lateral movement |
| Use advanced protection against ransomware | Heuristic checks on file behaviour | Ransomware encryption |
Exam tip: audit mode first
Never deploy ASR rules in Block mode without testing. The recommended rollout is:
- Audit mode — rules log events but do not block (2-4 weeks minimum)
- Review audit data — identify false positives (legitimate apps being flagged)
- Create exclusions for line-of-business apps that trigger false positives
- Switch to Block — rules actively prevent the behaviour
The exam may ask “what should you do before enforcing ASR rules?” The answer is always: deploy in audit mode first and review the data.
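The rollout above, driven from the PowerShell column of the deployment table below, as an added example (not code from the course page). It assumes the Microsoft Defender Antivirus cmdlets are available on an elevated prompt; the rule GUIDs are Microsoft's published IDs for the rules in the table, the exclusion path is a constructed placeholder, and the audit event field names are assumed from the 1121/1122 event template.

```powershell
# Added example, not from the course page. GUIDs are Microsoft's published ASR rule IDs.
$AsrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Office child processes'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Office code injection'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Executable content from email'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'LSASS credential stealing'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'JS/VBScript launching downloads'
    'E6DB77E5-3DF2-4CF1-B95A-636979351E5B' = 'WMI event subscription persistence'
    'D1E49AAC-8F56-4280-B9BA-993A6D77406C' = 'PsExec/WMI process creation'
    'C1DB55AB-C21A-4637-BB3F-A12568109D35' = 'Advanced ransomware protection'
}

# One helper for every phase. Add-MpPreference appends to (or updates) the rule
# list; Set-MpPreference would replace rules already pushed by Intune or GPO.
function Set-AsrAction {
    param([ValidateSet('AuditMode','Warn','Enabled','Disabled')][string]$Action,
          [string[]]$Ids = @($AsrRules.Keys))
    foreach ($id in $Ids) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                         -AttackSurfaceReductionRules_Actions $Action
    }
}

# Review phase: what WOULD have been blocked. Audit hits are event ID 1122 (enforced
# blocks are 1121) in the Defender Operational log; field names assumed, check your build.
function Get-AsrAuditSummary {
    param([int]$Days = 14)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $d = @{}
        ([xml]$_.ToXml()).Event.EventData.Data |
            ForEach-Object { $d[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Rule    = $AsrRules["$($d['ID'])".Trim('{}')]   # friendly name, or blank if unknown
            Process = $d['Process Name']
            Target  = $d['Path']
        }
    } | Group-Object Rule, Process, Target |
        Sort-Object Count -Descending | Select-Object Count, Name
}

# Rollout, phase by phase (the workbook path is a constructed placeholder):
Set-AsrAction -Action AuditMode                          # 1. audit everything first
Get-AsrAuditSummary -Days 14 | Format-Table -AutoSize    # 2. review the false positives
Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Finance\Reports\close.xlsm'  # 3. exclude
Set-AsrAction -Action Enabled                            # 4. switch to Block
Set-AsrAction -Action Warn -Ids 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'  # keep the excluded rule in Warn
```

Re-run Get-AsrAuditSummary after step 3 and confirm the excluded workbook no longer appears before enforcing; repeat it monthly, as the scenario below does, to catch new false positives.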
ASR deployment methods
| Method | Microsoft Intune | Group Policy | PowerShell |
|---|---|---|---|
| Best for | Cloud-managed devices (Entra joined) | Domain-joined on-prem devices | Testing, scripting, quick changes |
| Management | Endpoint security policies in Intune portal | Computer Configuration > Admin Templates > Windows Components > Microsoft Defender Antivirus | Set-MpPreference cmdlet |
| Targeting | Device groups, Entra groups, filters | OUs, security groups via GPO linking | Per-machine or via script deployment |
| Reporting | Defender XDR reports, Intune compliance | Event Viewer + Defender XDR | Event Viewer + manual collection |
Security policies beyond ASR
ASR rules are part of a broader set of security policies you configure in MDE:
Endpoint detection and response (EDR) settings
- Sample submission — whether MDE sends suspicious files to Microsoft for analysis
- Telemetry level — how much data the MDE sensor collects
- Block at first sight — cloud protection blocks new threats immediately while analysis completes
Firewall policies
- Windows Defender Firewall rules deployed via Intune
- Inbound/outbound rules applied per network profile (Domain, Private, Public)
Antivirus policies
- Cloud-delivered protection — real-time lookup against Microsoft’s cloud
- Potentially unwanted application (PUA) protection — blocks adware and bundled software
- Scan schedules — full scan, quick scan, custom schedules
Scenario: James deploys ASR across Pacific Meridian
James at Pacific Meridian needs to deploy ASR rules across 10,000 devices. His approach:
Phase 1 (Week 1-2): Deploy all ASR rules in Audit mode via Intune endpoint security policies. Target: All devices.
Phase 2 (Week 3-4): Review ASR audit data in Defender XDR reports. Findings:
- Finance team’s macro-heavy Excel workbooks trigger “Block Office from creating child processes” — adds exclusion for the specific workbook path
- Dev team’s build tools trigger “Block process creations from PSExec” — adds exclusion for the build server IP range
Phase 3 (Week 5): Switch to Block mode for all rules except the two with exclusions. Those stay in Warn mode while the teams migrate to safer alternatives.
Ongoing: Monthly review of ASR telemetry for new false positives and new rules from Microsoft.
James is deploying ASR rules at Pacific Meridian. The finance team reports that their critical Excel workbooks with macros stopped working after ASR rules were applied. What is the best approach?
Anika, an analyst at Sentinel Shield, notices that a new ASR rule, 'Block persistence through WMI event subscription', is available. How should she deploy it?
Next up: Endpoints are hardened. Now let’s tune the alerts — configure email notifications and alert suppression so your SOC focuses on what matters.