Understanding Attack Surface Reduction

This course explores the suite of tools available in Microsoft Endpoint Manager for establishing and maintaining security posture in an organization. These include tools like Microsoft Intune, used for enrolling devices as well as creating and enforcing device compliance, and Microsoft Defender, used for implementing device antivirus and malware defense tools. This course will also review the activities involved in reducing attack surfaces in an organization that bad actors could use to penetrate and expose sensitive data. This sensitive data is protected through the implementation of attack surface reduction rules which are deployed through careful auditing and testing to prevent any loss of productivity. This course will also touch on the security baselines made available to organizations wishing to enact a more granular security posture and have access to tools like secure score for evaluating the effectiveness of these efforts against known best practices.  

Learning Objectives

  • Create a compliance policy 
  • Monitor enrolled devices
  • Set up attack surface reduction rules
  • Deploy attack surface reduction rules
  • Review security baselines
  • Examine Microsoft Secure Score

Intended Audience

This course is designed for individuals who are responsible for setting up and monitoring device compliance and security in Microsoft 365 as well as those pursuing Microsoft certifications.

To get the most from this course, you should have some familiarity and experience with the Microsoft 365 security suite of tools including Microsoft Endpoint Manager.  

Understanding Attack Surface Reduction Capabilities

Attack surfaces are all the places where our organization is vulnerable to cyber threats and attacks. Attack surface reduction hardens the places where a threat is likely to attack; that is, it closes gaps to reduce risk. Microsoft Defender for Endpoint includes several capabilities to help reduce these attack surfaces without blocking user productivity. These can be customized to fit our organization and are turned on in Microsoft Endpoint Manager.

Let's take a look at these in more detail. Hardware-based isolation isolates untrusted websites and PDF documents in a lightweight container, or sandbox. If the site turns out to be malicious, only the sandbox is affected and the threat is wiped away when the container is discarded. The threat is then reported back to Endpoint Manager for visibility. Application control operates on the principle of trusting nothing until it has earned our trust: we place applications into a circle of trust, and only those applications are allowed to run. Ransomware protection restricts the opportunities for ransomware to penetrate our network, because once it is on our machines it can begin encrypting files. Controlled folder access prevents untrusted apps from accessing protected folders.

We specify the protected folders, and only trusted apps can access them. Network protection offers similar protection for network connections. It blocks access to low-reputation internet destinations and blocks all outbound traffic to those dangerous locations. It also supports custom IP and URL allow and block lists. Web protection hardens machines against web threats such as phishing sites, malware payloads, exploit sites, untrusted sites, and any site we add to a custom indicators list. It acts like a web proxy and protects machines even when they are not connected to the corporate network.

Exploit protection automatically applies exploit mitigation techniques to operating system processes and apps. These include Control Flow Guard, Data Execution Prevention, and Arbitrary Code Guard, to name a few. One good example of exploit protection is preventing macros from downloading items and creating child processes. With device control, security teams can allow and block certain removable devices to prevent the threats they might contain. An example here would be blocking hardware device installation from USB drives, especially if they are untrusted.
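The course stresses that these controls are rolled out through auditing and testing before enforcement. As an added illustration that is not part of the course material, the PowerShell below shows what that audit-first stage looks like on a single pilot Windows endpoint running Microsoft Defender Antivirus (the local equivalent of the settings Endpoint Manager pushes): the Office child-process and USB rules, controlled folder access and network protection are all placed in audit mode, the effective state is read back, and the audit events are listed for review before anything is switched to block. The rule GUIDs and event IDs are taken from Microsoft's published Defender documentation and should be checked against the current reference; the folder and application paths are placeholders.

```powershell
# Added example (not from the course): stage Defender attack surface reduction
# controls in audit mode on one endpoint, then review what they would have blocked.
# Run from an elevated PowerShell session.
# Rule GUIDs and event IDs come from Microsoft's published documentation (verify
# against the current reference); the folder and app paths are placeholders.

$asrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4' = 'Block untrusted and unsigned processes that run from USB'
}

# 1. Put the selected ASR rules into audit mode: log what would be blocked, block nothing.
foreach ($id in $asrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                     -AttackSurfaceReductionRules_Actions AuditMode
}

# 2. Controlled folder access in audit mode, with one protected folder and one
#    trusted application that is allowed to write into it (placeholder paths).
Set-MpPreference -EnableControlledFolderAccess AuditMode
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance\Reports'
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\LineOfBusiness\lob.exe'

# 3. Network protection (low-reputation destinations) in audit mode.
Set-MpPreference -EnableNetworkProtection AuditMode

# 4. Read the effective state back. Action codes: 0 Disabled, 1 Block, 2 Audit, 6 Warn.
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    [pscustomobject]@{
        RuleId = $pref.AttackSurfaceReductionRules_Ids[$i]
        Action = $pref.AttackSurfaceReductionRules_Actions[$i]
        Name   = $asrRules[$pref.AttackSurfaceReductionRules_Ids[$i]]
    }
}
'ControlledFolderAccess={0} NetworkProtection={1}' -f $pref.EnableControlledFolderAccess, $pref.EnableNetworkProtection

# 5. Review the audit-mode events before promoting any control to Enabled:
#    1122 = ASR rule audit, 1124 = controlled folder access audit,
#    1126 = network protection audit (Defender operational log).
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1122, 1124, 1126
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap
```

Once the audit events show no legitimate business activity being flagged, the same cmdlets with `Enabled` in place of `AuditMode` move the control to block, which is the step the course describes deploying through Endpoint Manager.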

About the Author

Steve is an experienced Solutions Architect with over 10 years of experience serving customers in the data and data engineering space. He has a proven track record of delivering solutions across a broad range of business areas that increase overall satisfaction and retention. He has worked across many industries, both public and private, and found many ways to drive the use of data and business intelligence tools to achieve business objectives. He is a persuasive communicator, presenter, and quite effective at building productive working relationships across all levels in the organization based on collegiality, transparency, and trust.