This guide provides background on Attack Surface Reduction and walks through creating an Attack Surface Reduction policy in Intune, which can be used to enforce device control restrictions or to block behaviors such as an application spawning child processes.
Attack Surface Reduction
When endpoint protection is mentioned, what usually comes to mind is a firewall blocking network access and an antivirus blocking malicious files. But what happens when an application is not blocked by any firewall rule and is not flagged as malicious by its file name or hash? This is where attack surface reduction rules come in: they prevent the actions of an application that are commonly associated with malicious activity, such as stealing credentials from LSASS or executing a macro from an Excel document. While the application may appear benign, the actions it performs tell a different story.
Role Requirements
Procedure Scope: Administrators
Required Group Membership: Admin.Security
Handbook Reference
Package: TBD
Domain: TBD
Modifies: TBD
Creating a Device Attack Surface Reduction Rule
- Navigate to Endpoint security > Attack surface reduction in the Intune portal, then locate and select Create Policy. A pop-out will appear where you specify the Operating System Platform and a Profile Type that fits your security scope. Select Create to proceed.
- Supply basic identification information such as the Name and Description for the policy. Select Next to proceed.
- All security-related configuration items within the scope of the chosen profile type will be listed. Configure these controls to meet your organization's security needs. Select Next to continue.
- Scope tags can be selected if desired; they are mainly used together with RBAC. Select Next to continue.
- Configure Group Assignments or Exclusions for the policy. This section defines which groups are in scope to have the profile deployed. Select Next to proceed to the review page.
- The review page shows all configured settings for the policy. If you detect a discrepancy at this stage, make note of the section and select Back to return to the previous sections and make the necessary alterations before finalizing. If everything checks out, select Create to publish the policy.
- Upon successful creation the policy will show up in the list of all attack surface reduction policies managed through Intune.
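Once the policy has reached a device, you will want to confirm that the rules are actually in effect and see what they are catching. The following PowerShell script is an added example, not part of the original guide or any Sittadel tooling. It configures two of the ASR rules mentioned above directly on a test host (the "Block Office applications from creating child processes" and "Block credential stealing from LSASS" rules, using Microsoft's published rule GUIDs), reads the effective configuration back, and pulls the events the rules generate. It assumes an elevated session on a Windows 10/11 host with Microsoft Defender Antivirus. The local configuration step is for lab verification only: on an Intune-managed endpoint the deployed policy takes precedence over locally set preferences, so use the verification and event-log portions there.

```powershell
# Added example (not from the original guide): configure, verify and observe ASR rules locally.
# Run in an elevated PowerShell session on a Windows 10/11 host with Microsoft Defender Antivirus.

# Microsoft's published rule GUIDs. Display names are for readability only.
$Rules = @{
    'Block all Office applications from creating child processes' = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    'Block credential stealing from LSASS'                         = '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2'
}

# Action values: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
# Start in Audit so you can measure impact on real workloads before switching to Block.
$Action = 2

# Lab only: on Intune-managed devices the deployed policy overrides these local preferences.
foreach ($name in $Rules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $Rules[$name] `
                     -AttackSurfaceReductionRules_Actions $Action
    Write-Host "Configured '$name' ($($Rules[$name])) with action $Action"
}

# Verify the effective configuration. Get-MpPreference returns two parallel arrays:
# one of rule GUIDs and one of the action applied to each.
$pref = Get-MpPreference
$effective = for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    [pscustomobject]@{
        RuleId = $pref.AttackSurfaceReductionRules_Ids[$i]
        Action = switch ($pref.AttackSurfaceReductionRules_Actions[$i]) {
            0 { 'Disabled' } 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' } default { "Unknown($_)" }
        }
    }
}
$effective | Format-Table -AutoSize

# Observe what the rules are catching. Defender writes ASR hits to the
# Microsoft-Windows-Windows Defender/Operational log:
#   Event ID 1121 = rule fired in Block mode
#   Event ID 1122 = rule fired in Audit mode (would have blocked)
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ Name = 'Summary'; Expression = { $_.Message.Split("`n")[0] } } |
    Format-Table -AutoSize
```

Review the 1122 (audit) events for a few days before moving a rule to Block; anything legitimate that shows up there is a candidate for an exclusion in the Intune policy rather than a reason to leave the rule disabled.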
Need Assistance?
Reach out to your Customer Success Manager to discuss how a Sittadel cybersecurity analyst can assist in managing these tasks for you. New to our services? Inquire about arranging a consultation to explore optimizing your Azure environment for painless management.