Attack surface reduction in Microsoft Defender for Business

Attack surfaces are all the places and ways the network and devices in your organization are vulnerable to attacks. For example:

  • Unsecured devices.
  • Unrestricted access to URLs on company devices.
  • Unrestricted running of apps or scripts on company devices.

To help protect your network and devices, Microsoft Defender for Business includes several attack surface reduction capabilities, including attack surface reduction (ASR) rules. The following table describes these capabilities:

| Capability | Description |
|---|---|
| Attack surface reduction (ASR) rules | Prevent specific actions commonly associated with malicious activity from running on Windows devices. |
| Controlled folder access (CFA) | Allow only trusted apps to access protected folders on Windows devices. Think of this capability as ransomware mitigation. |
| Firewall protection | Determines which network traffic can flow to or from your organization's devices. |
| Network protection | Prevent users from accessing dangerous domains through applications on their Windows and Mac devices. Network protection is also a key component of web content filtering. |
| Web protection | Integrates with web browsers and works with network protection to protect against web threats and unwanted content. Web protection includes web threat protection, web content filtering, and custom indicators. |

Configure attack surface reduction features

Note

Microsoft 365 Business Premium includes Microsoft Intune Plan 1, which is the recommended method to configure and deploy security features on devices. Standalone Defender for Business doesn't include Intune, so you need to use another configuration method (for example, Group Policy or PowerShell locally on devices).
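
For the local PowerShell method mentioned in the note, the following added example (not part of the original page) turns on ASR rules, controlled folder access, network protection, and the firewall on one Windows device, then reads the effective state back. It assumes an elevated session with the built-in Defender and NetSecurity modules; the two rule GUIDs come from Microsoft's ASR rules reference rather than from this page, and audit mode is an assumed starting point.

```powershell
#Requires -RunAsAdministrator
# Added example: configure the capabilities locally, then verify them.

# ASR rule GUIDs from Microsoft's ASR rules reference (not from this page).
$asrRules = @{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from lsass.exe'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block Office apps from creating child processes'
}

# Assumption: start in audit mode so matches are logged but nothing is blocked.
# Change to 'Enabled' once the audit events have been reviewed.
$mode = 'AuditMode'

foreach ($id in $asrRules.Keys) {
    # Add-MpPreference appends to the rule list; Set-MpPreference would replace it.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                     -AttackSurfaceReductionRules_Actions $mode
}
Set-MpPreference -EnableControlledFolderAccess $mode
Set-MpPreference -EnableNetworkProtection $mode
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True

# Get-MpPreference reports states as numbers; map the common ones to names.
$stateName = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode'; 6 = 'Warn' }
function Get-StateName($value) {
    if ($stateName.ContainsKey([int]$value)) { $stateName[[int]$value] }
    else { "Other ($value)" }
}

$pref    = Get-MpPreference
$ids     = @($pref.AttackSurfaceReductionRules_Ids)      # force arrays so that
$actions = @($pref.AttackSurfaceReductionRules_Actions)  # one rule still indexes

$report = for ($i = 0; $i -lt $ids.Count; $i++) {
    $label = if ($asrRules.ContainsKey($ids[$i])) { $asrRules[$ids[$i]] } else { $ids[$i] }
    [pscustomobject]@{ Feature = "ASR: $label"; State = Get-StateName $actions[$i] }
}
$report = @($report) + @(
    [pscustomobject]@{ Feature = 'Controlled folder access'
                       State   = Get-StateName $pref.EnableControlledFolderAccess }
    [pscustomobject]@{ Feature = 'Network protection'
                       State   = Get-StateName $pref.EnableNetworkProtection }
)
$report += Get-NetFirewallProfile | ForEach-Object {
    [pscustomobject]@{ Feature = "Firewall ($($_.Name))"; State = "$($_.Enabled)" }
}
$report | Format-Table -AutoSize
```

Any row that reports `Disabled` or `False` after the script runs indicates a setting that did not apply, for example because another policy source controls it.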

Monitor attack surface reduction features

You can monitor how attack surface reduction features are working in your organization by using the following reports in the Microsoft Defender portal: