Attack Surface Reduction Policy

The document outlines security configurations for Microsoft Defender for Endpoint, including Attack Surface Reduction (ASR) rules, patch management policies, least privilege enforcement, Credential Guard and Device Guard, and browser hardening measures. Each section provides detailed steps for enabling and configuring various security features to protect against vulnerabilities and threats. The recommendations emphasize the importance of maintaining system security through timely updates and strict access controls.

Attack Surface Reduction (ASR) Rules – Microsoft Defender for Endpoint

Purpose: Prevent exploitation of vulnerable processes, particularly those abused by malware
and ransomware.

Configuration Steps:

- Open the Group Policy Management Console (gpedit.msc).
- Navigate to:
  Computer Configuration → Administrative Templates → Windows Components → Microsoft Defender Antivirus → Microsoft Defender Exploit Guard → Attack Surface Reduction.
- Enable the following rules by setting them individually:
  - Block credential stealing from LSASS:
    - Policy Name: "Configure Attack Surface Reduction rules"
    - Enable the rule ID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
  - Block Office applications from creating child processes:
    - Rule ID: 3B576869-A4EC-4529-8536-B80A7769E899
  - Block executable content from email and webmail:
    - Rule ID: BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
- Format: Use a semicolon-separated list for multiple rules, like:
  "D4F940AB-401B-4EFC-AADC-AD5F3C50688A=1;3B576869-A4EC-4529-8536-B80A7769E899=1;BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550=1"
- Set enforcement mode to enabled (value 1) or audit mode (2) depending on policy phase.
- Click OK and close the editor.

Note: These settings require Microsoft Defender Antivirus to be active. For enterprise
environments, configuration via Intune or Microsoft Endpoint Manager is recommended.
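As an added example (not part of the original policy document), the same three rules applied and then read back with Microsoft Defender's PowerShell cmdlets instead of the Group Policy editor; the function names Set-AsrRuleMode and Get-AsrRuleState are this example's own.

```powershell
# Added example: configure and verify the three ASR rules from the policy above using the
# Defender PowerShell module. Run from an elevated session on a host with Defender AV active.

# Rule GUIDs come from the policy text; the friendly names are for reporting only.
$AsrRules = [ordered]@{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block credential stealing from LSASS'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating child processes'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email and webmail'
}

function Set-AsrRuleMode {
    param(
        [Parameter(Mandatory)][ValidateSet('Audit', 'Enabled', 'Disabled')][string]$Mode
    )
    # Set-MpPreference takes two parallel arrays: one action per rule ID.
    # Action names map to the policy values: Disabled=0, Enabled=1, AuditMode=2.
    # Note: Set-MpPreference replaces the rule list; Add-MpPreference would append to it.
    $action  = if ($Mode -eq 'Audit') { 'AuditMode' } else { $Mode }
    $ids     = @($AsrRules.Keys)
    $actions = @($ids | ForEach-Object { $action })
    Set-MpPreference -AttackSurfaceReductionRules_Ids $ids `
                     -AttackSurfaceReductionRules_Actions $actions
}

function Get-AsrRuleState {
    # Read back what Defender reports, so the policy phase is verified rather than assumed.
    $pref = Get-MpPreference
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = $pref.AttackSurfaceReductionRules_Ids[$i]
        [pscustomobject]@{
            RuleId = $id
            Name   = $AsrRules[$id]
            Action = $pref.AttackSurfaceReductionRules_Actions[$i]   # 0 off, 1 block, 2 audit
        }
    }
}

# Phase 1: audit mode. Rule hits are logged to Microsoft-Windows-Windows Defender/Operational
# as event ID 1122 (1121 once in block mode), which is what to review before enforcing.
Set-AsrRuleMode -Mode Audit
Get-AsrRuleState | Format-Table -AutoSize

# Phase 2, after the audit events have been reviewed and exclusions agreed:
# Set-AsrRuleMode -Mode Enabled
```

When the Group Policy setting above is also applied, it takes precedence over locally configured Defender preferences, so pick one configuration path per host.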

Patch Management Policy

Purpose: Maintain system and application security through timely updates.

Configuration Steps:

- If using Windows Update for Business:
  - Open Group Policy Editor (gpedit.msc).
  - Navigate to:
    Computer Configuration → Administrative Templates → Windows Components → Windows Update → Windows Update for Business.
  - Configure the following:
    - Select when Preview Builds and Feature Updates are received
    - Select when Quality Updates are received
    - Defer feature updates by: Set to 30–60 days
    - Defer quality updates by: Set to 7–15 days
- If using WSUS (Windows Server Update Services):
  - Open Group Policy Editor.
  - Navigate to:
    Computer Configuration → Administrative Templates → Windows Components → Windows Update.
  - Configure:
    - Specify intranet Microsoft update service location: Set WSUS server URL
    - Configure Automatic Updates: Enable and set schedule
- Third-party software patching:
  - Deploy tools like:
    - Chocolatey (via PowerShell automation)
    - PDQ Deploy or ManageEngine Patch Manager Plus
  - Configure scheduled scans and installations
  - Maintain an up-to-date inventory of applications
- Test all patches in a controlled environment before wide deployment.

Least Privilege Enforcement

Purpose: Minimize misuse and privilege escalation risks.

Configuration Steps:

- Enforce removal of local admin rights:
  - Use Microsoft LAPS (Local Administrator Password Solution) or Windows LAPS.
  - Deploy via GPO:
    - Navigate to:
      Computer Configuration → Administrative Templates → LAPS
    - Configure:
      - Enable local admin password management
      - Set password complexity and expiration
- Configure Software Restriction Policies or AppLocker:
  - Navigate to:
    Computer Configuration → Windows Settings → Security Settings → Application Control Policies
  - Use AppLocker to restrict:
    - Executable files
    - Scripts
    - MSI installers
    - Packaged apps
- Use Just Enough Administration (JEA):
  - Configure PowerShell role-based access with constrained endpoints.
  - Define role capabilities and session configurations in .psrc and .pssc files.
- Remove unnecessary users from the local "Administrators" group:
  - Use Group Policy Preferences or PowerShell (Remove-LocalGroupMember).

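As an added example (not part of the original document), a complete JEA endpoint built from the .psrc and .pssc files mentioned above: a helpdesk role that may restart two named services and nothing else. The module name HelpdeskJEA, role ServiceOperator, endpoint Helpdesk.ServiceOps and the AD group CONTOSO\Helpdesk are hypothetical.

```powershell
# Added example: least-privilege service restarts through a JEA endpoint instead of local
# admin rights. Names are hypothetical; run from an elevated Windows PowerShell 5.1+ session.

$ModuleName   = 'HelpdeskJEA'           # hypothetical module name
$RoleName     = 'ServiceOperator'       # hypothetical role capability name
$EndpointName = 'Helpdesk.ServiceOps'   # hypothetical session configuration name
$ModulePath   = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\$ModuleName"
$RolePath     = Join-Path $ModulePath 'RoleCapabilities'
$Transcripts  = 'C:\JEATranscripts'     # hypothetical transcript location

# Role capabilities are only discovered at <module>\RoleCapabilities\<Role>.psrc.
New-Item -ItemType Directory -Path $RolePath, $Transcripts -Force | Out-Null
New-ModuleManifest -Path (Join-Path $ModulePath "$ModuleName.psd1")

# .psrc: the visible surface for this role. ValidateSet pins the -Name argument, so the
# operator cannot restart arbitrary services through the same cmdlet.
New-PSRoleCapabilityFile -Path (Join-Path $RolePath "$RoleName.psrc") -VisibleCmdlets @(
    @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler', 'W32Time' } },
    @{ Name = 'Get-Service';     Parameters = @{ Name = 'Name' } }
)

# .pssc: who maps to which role and how the endpoint runs. The virtual account holds local
# admin inside the session, but the connecting user only sees the listed cmdlets; transcripts
# record every command for audit.
$PsscPath = Join-Path $env:TEMP "$EndpointName.pssc"
New-PSSessionConfigurationFile -Path $PsscPath `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory $Transcripts `
    -RoleDefinitions @{
        'CONTOSO\Helpdesk' = @{ RoleCapabilities = $RoleName }   # hypothetical AD group
    }

# Validate before registering; a malformed file would leave a broken endpoint behind.
if (-not (Test-PSSessionConfigurationFile -Path $PsscPath)) { throw "Invalid .pssc: $PsscPath" }
Register-PSSessionConfiguration -Name $EndpointName -Path $PsscPath -Force | Out-Null

# Operators then connect with:
#   Enter-PSSession -ComputerName <host> -ConfigurationName Helpdesk.ServiceOps
```

Register-PSSessionConfiguration -Force restarts the WinRM service, so schedule the registration accordingly.
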
Credential Guard and Device Guard

Purpose: Protect credentials and enforce code integrity using virtualization-based security.

Configuration Steps:

- Enable Credential Guard via Group Policy:
  - Navigate to:
    Computer Configuration → Administrative Templates → System → Device Guard.
  - Enable:
    - Turn On Virtualization Based Security
    - Set platform security level to Secure Boot with DMA Protection
    - Credential Guard Configuration: Enable with UEFI lock
- Ensure hardware compatibility:
  - Requires:
    - Windows 10/11 Enterprise or Education
    - UEFI with Secure Boot
    - Virtualization extensions (Intel VT-x or AMD-V)
- Enable Device Guard (on supported CPUs):
  - Navigate to the same path.
  - Enable Deploy Windows Defender Application Control
  - Use a trusted code integrity policy signed with a valid certificate
  - Use PowerShell to create and sign policy (New-CIPolicy, Set-RuleOption, ConvertFrom-CIPolicy)
- Reboot the system after enabling both features.
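As an added example (not part of the original document), a check that VBS and Credential Guard are actually running after the reboot, followed by an audit-mode code integrity policy built with the New-CIPolicy, Set-RuleOption and ConvertFrom-CIPolicy cmdlets named above. The Get-VbsStatus function name and the C:\CIPolicy paths are this example's own.

```powershell
# Added example: verify VBS/Credential Guard state, then create a WDAC (Device Guard code
# integrity) policy in audit mode. Run elevated on a clean reference machine; paths are hypothetical.

function Get-VbsStatus {
    # Win32_DeviceGuard reports what the hypervisor is enforcing, not what policy requested.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        VbsRunning             = ($dg.VirtualizationBasedSecurityStatus -eq 2)   # 2 = running
        CredentialGuardRunning = ($dg.SecurityServicesRunning -contains 1)       # 1 = Credential Guard
        HvciRunning            = ($dg.SecurityServicesRunning -contains 2)       # 2 = HVCI
    }
}
Get-VbsStatus | Format-List

$PolicyXml = 'C:\CIPolicy\ReferencePolicy.xml'   # hypothetical path
$PolicyBin = 'C:\CIPolicy\SIPolicy.p7b'          # hypothetical compiled policy path
New-Item -ItemType Directory -Path (Split-Path $PolicyXml) -Force | Out-Null

# Scan the reference image. Publisher level trusts signed binaries by their signer; the Hash
# fallback still describes unsigned files instead of silently leaving them out. This scan of
# the whole system drive takes a while.
New-CIPolicy -FilePath $PolicyXml -Level Publisher -Fallback Hash -UserPEs -ScanPath 'C:\'

# Option 0 = Enabled:UMCI, so user-mode binaries are covered, not only drivers.
Set-RuleOption -FilePath $PolicyXml -Option 0
# Option 3 = Enabled:Audit Mode. Would-be blocks are logged to
# Microsoft-Windows-CodeIntegrity/Operational as event ID 3076 instead of being enforced.
Set-RuleOption -FilePath $PolicyXml -Option 3

# Compile to the binary form consumed by the kernel. Sign this file with the organisation's
# code-signing certificate (Add-SignerRule plus signtool) before deploying it.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin

# Moving to enforcement later: remove the audit option, recompile and redeploy.
# Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete
```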

Browser Hardening

Purpose: Reduce browser-based threats such as phishing and malicious scripts.

Configuration Steps:

- For Microsoft Edge:
  - Download and import the Edge ADMX templates from Microsoft.
  - Navigate to:
    Computer Configuration → Administrative Templates → Microsoft Edge.
  - Enforce the following policies:
    - SmartScreen for Microsoft Edge: Enabled
    - Prevent certificate error bypass: Enabled
    - Configure Do Not Track: Enabled
    - Allow only secure origins for public key pins: Enabled (if applicable)
- For Chrome:
  - Download Google Chrome ADMX templates.
  - Navigate to:
    Computer Configuration → Administrative Templates → Google → Google Chrome.
  - Enforce:
    - Safe Browsing: Enabled
    - Block legacy TLS/SSL: Set minimum protocol to TLS 1.2 or 1.3
    - Disable running plugins unless allowed: Enabled
- For Internet Explorer (if legacy use is required):
  - Navigate to:
    Computer Configuration → Administrative Templates → Windows Components → Internet Explorer.
  - Configure:
    - Disable ActiveX: Enabled
    - Enable Enterprise Mode: Enabled for specified websites
    - Prevent Active Scripting: Enable only on trusted zones
- Disable JavaScript and Flash unless explicitly required by business applications.
- Maintain regular browser update policies via WSUS or 3rd-party patching tools.
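As an added example (not part of the original document), a compliance check that reads the HKLM policy keys the Edge and Chrome ADMX templates write and compares them with the settings above. The registry value names are the published Edge and Chrome policy names; the expected values, and the function name Test-BrowserPolicy, are this example's reading of the policy text.

```powershell
# Added example: audit whether the browser hardening policies are in effect on a host by
# reading the machine policy keys (populated by GPO), not the browser's own settings.

$EdgeKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$ChromeKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

# Expected is a list so that stricter settings (e.g. enhanced Safe Browsing) also pass.
$Checks = @(
    [pscustomobject]@{ Browser='Edge';   Key=$EdgeKey;   Name='SmartScreenEnabled';               Expected=@(1) }
    [pscustomobject]@{ Browser='Edge';   Key=$EdgeKey;   Name='PreventSmartScreenPromptOverride'; Expected=@(1) }
    [pscustomobject]@{ Browser='Edge';   Key=$EdgeKey;   Name='SSLErrorOverrideAllowed';          Expected=@(0) }   # no cert error bypass
    [pscustomobject]@{ Browser='Edge';   Key=$EdgeKey;   Name='ConfigureDoNotTrack';              Expected=@(1) }
    [pscustomobject]@{ Browser='Chrome'; Key=$ChromeKey; Name='SafeBrowsingProtectionLevel';      Expected=@(1, 2) }   # 1 standard, 2 enhanced
    [pscustomobject]@{ Browser='Chrome'; Key=$ChromeKey; Name='SSLVersionMin';                    Expected=@('tls1.2') }
    [pscustomobject]@{ Browser='Chrome'; Key=$ChromeKey; Name='SSLErrorOverrideAllowed';          Expected=@(0) }
)

function Test-BrowserPolicy {
    foreach ($c in $Checks) {
        # A missing value means the policy never applied and the browser default is in force,
        # which is a different finding from a wrong value.
        $actual = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        $allowed = @($c.Expected | ForEach-Object { "$_" })
        $state = if ($null -eq $actual)               { 'NOT SET' }
                 elseif ($allowed -contains "$actual") { 'OK' }
                 else                                  { 'MISMATCH' }
        [pscustomobject]@{
            Browser  = $c.Browser
            Policy   = $c.Name
            Expected = ($c.Expected -join '|')
            Actual   = $actual
            State    = $state
        }
    }
}

Test-BrowserPolicy | Format-Table -AutoSize
```

A NOT SET row usually means the GPO has not reached the host (compare with gpresult /r); a MISMATCH row means a user can still override the protection the policy was meant to enforce.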
