Device Attack Surface Reduction Rule Creation Procedure

This admin procedure provides background on attack surface reduction rules and walks through creating one in Intune, for example to apply device control restrictions or to block child process spawning.

This article is intended for employees of organizations that use Sittadel's security. Additionally, there are some actions that can only be accomplished by those with administrative privileges.

Attack Surface Reduction

When endpoint protection is mentioned, what usually comes to mind is a firewall blocking network access and an antivirus blocking malicious files. But what happens when an application is not caught by a firewall rule and is also not identified as malicious by its file name or hash? This is where attack surface reduction rules come in: they prevent an application from performing actions commonly associated with malicious activity, such as stealing credentials or executing a macro from an Excel document. The application may appear benign, but the actions it performs tell a different story.


Procedure Scope: Administrators

Required Group Membership: Admin.DeviceSecurity


Creating a Device Attack Surface Reduction Rule

  1. Navigate to Attack Surface Reduction – Intune and select Create Policy. Choose the OS platform and the profile type that fit your security scope, then select Create to proceed.
  2. Supply basic policy information such as name and description. Select Next to proceed.
  3. All configuration items for the selected profile type are listed; this example showcases the App and Browser Isolation settings. Select Next to continue.
  4. Scope tags can be selected here; they are mainly used with RBAC. Select Next to continue.
  5. Configure the group assignments or exclusions that determine which devices the policy applies to. Select Next to proceed to the review page.
  6. The review page shows every setting configured for the profile. If you spot a discrepancy at this stage, note the section and select Previous to go back and make changes before finalizing. If everything checks out, select Create to publish the rule.
  7. Upon successful creation, the rule appears in the list of attack surface reduction policies managed through Intune.
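Publishing the policy in Intune does not by itself confirm it reached the endpoint. The following is an added example, not part of the Sittadel procedure, that checks a managed Windows device with the built-in Defender cmdlets: it lists every configured ASR rule with its effective action, flags any rule not set to Block, and pulls recent ASR block/audit events from the Defender operational log. It assumes an elevated PowerShell session on the device; the two rule GUIDs are Microsoft's documented IDs for the rules this page mentions.

```powershell
# Added verification example (not from the original procedure).
# Assumes: elevated PowerShell on the Intune-managed Windows endpoint.

# Action codes reported by Get-MpPreference for each configured ASR rule.
$AsrActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

# Microsoft-documented GUIDs for the two rules this procedure talks about.
$KnownAsrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
}

function Get-AsrRuleState {
    # One object per configured ASR rule with its effective action on this device.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ })
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $id   = $ids[$i].ToUpperInvariant()
        $code = [int]$actions[$i]
        [pscustomobject]@{
            RuleId   = $id
            RuleName = if ($KnownAsrRules.ContainsKey($id)) { $KnownAsrRules[$id] } else { '(other rule)' }
            Action   = if ($AsrActionNames.ContainsKey($code)) { $AsrActionNames[$code] } else { "Unknown($code)" }
            Enforced = ($code -eq 1)   # only Block actually stops the behaviour
        }
    }
}

function Get-AsrEvents {
    # Recent ASR events from the Defender log: 1121 = blocked, 1122 = audited (not blocked).
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

# Usage: show the effective rule set, warn on anything Intune left in Audit/Warn/Disabled,
# then list what the rules have blocked or audited in the last day.
$state = Get-AsrRuleState
$state | Format-Table RuleId, RuleName, Action -AutoSize
$state | Where-Object { -not $_.Enforced } | ForEach-Object {
    Write-Warning "ASR rule $($_.RuleId) ($($_.RuleName)) is '$($_.Action)', not Block"
}
Get-AsrEvents -Hours 24 | Format-Table -AutoSize
```

An empty rule list on a device that should have the policy usually means the Intune assignment has not synced yet; a rule reported as Audit produces 1122 events only and blocks nothing.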

You're Finished!

You should now have an attack surface reduction rule applied to the scope you configured, for example device control for USB restrictions or an attack surface reduction rule that blocks child process spawning. For any other problems or questions, reach out to us!