Its not JUST about Defender: Attack Surface Reduction Practices

It’s been a minute since I’ve posted on my blog but I’ve had an exciting year talking to customer about the Microsoft Defender story, which in 2021 has been named a Gartner Magic Quadrant leader in the Endpoint Protection space. As it brings the traditional antimalware service execuable MsMpEng.exe, introduces the SenseCE.exe engine, and more that I covered in my MMS session about Defender, protecting the endpoint beyond real time protection sits at the core of Windows 10 by way of Attack Surface Reduction.


Why Attack Surface Reduction?

behaviors are often considered risky because they are commonly abused by attackers through malware. Attack surface reduction rules can constrain software-based risky behaviors – and Microsoft has a  full list of attack surface reduction rules documented – protecting you from Office, Adobe, Javascript, and more exploits.

So How’s It Licensed?

There is no license: its built into Windows, however there is a note from Microsoft around LMAR (logging, monitoring & reporting)

Although attack surface reduction rules don’t require a Windows E5 license, if you have Windows E5, you get advanced management capabilities. The advanced capabilities – available only in Windows E5 – include:

Now that we’ve covered the Concepts, let’s talk about the options for deployment

Option E[asy] = Intune:

Option [S]CCM = Configuration Manager

Testing & Logging

Want to know the effectiveness? Visit the Attack Surface Reduction – Microsoft Defender Testground to download the Microsoft tool to evaluate

To Review WHICH rules are firing off is not the easiest process if you DONT have an E5 license, but Microsoft has provided steps to ingest the XML log into Event Viewer for better consumption.

Chris Blackburn

Learn More →

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.