4.3 - Implement Windows security enhancements with Microsoft Defender for Endpoint Flashcards

- Explain Attack Surface Reduction in Windows - Enable Attack Surface Reduction rules on Windows 10 devices - Configure Attack Surface Reduction rules on Windows 10 devices (55 cards)

1
Q

What is the purpose of Attack Surface Reduction?

A

Hardening the places where a threat is likely to attack

As a Security Analyst, it is crucial to understand protection options and provide recommendations.

2
Q

What role does a Security Analyst play in relation to Attack Surface Reduction?

A

Understand protection options and provide recommendations

Performing alert investigations involves knowing the events generated by Attack Surface Reduction.

3
Q

Name one component of Attack Surface Reduction.

A
  • Attack surface reduction rules
  • Hardware-based isolation
  • Application control
  • Exploit protection
  • Network protection
  • Web protection
  • Controlled folder access
  • Device control

Each component serves a specific purpose in enhancing security.

4
Q

What do attack surface reduction rules do?

A

Reduce vulnerabilities in applications with intelligent rules that help stop malware

Requires Microsoft Defender Antivirus.

5
Q

What is the function of hardware-based isolation?

A

Protect and maintain the integrity of a system as it starts and runs

Validates system integrity through local and remote attestation.

6
Q

What does application control require for applications to run?

A

Applications must earn trust

This ensures only trusted applications are executed.

7
Q

What is the purpose of exploit protection?

A

Help protect operating systems and apps from being exploited

Works with third-party antivirus solutions.

8
Q

What does network protection extend to?

A

Protection of network traffic and connectivity on devices

Requires Microsoft Defender Antivirus.

9
Q

What does web protection secure against?

A

Web threats and unwanted content

Helps regulate access to harmful websites.

10
Q

What does controlled folder access help prevent?

A

Malicious or suspicious apps from making changes to files in key system folders

Requires Microsoft Defender Antivirus.

11
Q

What is the role of device control?

A

Protects against data loss by monitoring and controlling media used on devices

Includes removable storage and USB drives.

12
Q

What does attack surface refer to?

A

All the places where an attacker could compromise your organization’s devices or networks

Reducing your attack surface means protecting your organization’s devices and network.

13
Q

What is the purpose of attack surface reduction?

A

To protect your organization’s devices and network, leaving attackers with fewer ways to perform attacks

This involves implementing rules that target certain software behaviors.

14
Q

Name one behavior that attack surface reduction rules target.

A
  • Launching executable files and scripts that attempt to download or run files
  • Running obfuscated or otherwise suspicious scripts
  • Performing behaviors that apps don’t usually initiate during normal day-to-day work

These behaviors are often abused by attackers.

15
Q

True or false: Attack surface reduction rules can only be applied to malware.

A

FALSE

Such behaviors are sometimes seen in legitimate applications but are considered risky.

16
Q

What are the four settings for each Attack Surface Reduction rule?

A
  • Not configured
  • Block
  • Audit
  • Warn

Each setting determines how the attack surface reduction rule is applied.

17
Q

Fill in the blank: The Not configured setting for an Attack Surface Reduction rule means to _______.

A

Disable the attack surface reduction rule

This setting does not apply any restrictions.

18
Q

What does the Block setting do in Attack Surface Reduction rules?

A

Enable the Attack Surface Reduction rule

This setting actively prevents risky behaviors.

19
Q

What is the purpose of the Audit setting in Attack Surface Reduction rules?

A

Evaluate how the attack surface reduction rule would impact your organization if enabled

This setting does not enforce any rules but assesses potential impacts.

20
Q

What does the Warn setting allow in Attack Surface Reduction rules?

A

Enable the Attack Surface Reduction rule but allow the end user to bypass the block

This setting provides a warning while still allowing user discretion.

21
Q

What does it mean to exclude files and folders from attack surface reduction rules?

A

Files and folders will not be evaluated by most attack surface reduction rules

Even if a rule determines a file or folder contains malicious behavior, it will not block the file from running.

22
Q

How can you specify exclusions for attack surface reduction rules?

A
  • Individual files
  • Folders (using folder paths or fully qualified resource names)

You cannot specify which rules the exclusions apply to.

23
Q

True or false: An exclusion is applied only when the excluded application or service starts.

A

TRUE

If an exclusion is added for a service that is already running, it will continue to trigger events until stopped and restarted.

24
Q

What is the purpose of audit mode in evaluating attack surface reduction rules?

A

To evaluate how rules would impact the organization if enabled

Running all rules in audit mode helps understand their impact on line-of-business applications.

25
Q

Why is it important to monitor audit data when using attack surface reduction rules?

A

To add exclusions for necessary applications and avoid impacting productivity

Many line-of-business applications may perform tasks that resemble malware.

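
The audit-mode workflow described in the cards above (put the rules in Audit, watch what fires, add exclusions only where a line-of-business application genuinely needs them), as an added PowerShell example that is not part of the original flashcards or of Microsoft's documentation. It assumes an elevated session on a Windows 10/11 or Windows Server host running Microsoft Defender Antivirus. The four rule GUIDs are Microsoft's published attack surface reduction rule IDs, and the EventData field names read from events 1121/1122 ('ID', 'Path', 'Process Name', 'User') are what the Defender provider emits on current builds; check one event's XML with Get-WinEvent if your build differs.

```powershell
# Added example (not from the flashcards): roll ASR rules out in Audit mode, then
# triage the audit events to decide which exclusions a LOB app really needs
# before switching the rules to Block. Run elevated on a Defender AV host.
# Rule GUIDs are Microsoft's published ASR rule IDs; verify against current docs.

$rules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
}

# 1. Put every rule in Audit mode. Add-MpPreference merges with rules already
#    configured; Set-MpPreference would replace the whole list.
foreach ($id in $rules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                     -AttackSurfaceReductionRules_Actions AuditMode
}

# 2. Confirm the effective state. Actions come back as integers:
#    0 = Disabled (Not configured), 1 = Block, 2 = Audit, 6 = Warn.
$pref       = Get-MpPreference
$actionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
for ($i = 0; $i -lt @($pref.AttackSurfaceReductionRules_Ids).Count; $i++) {
    $id = $pref.AttackSurfaceReductionRules_Ids[$i].ToUpper()
    '{0,-8} {1}  {2}' -f $actionName[[int]$pref.AttackSurfaceReductionRules_Actions[$i]], $id, $rules[$id]
}

# 3. Harvest what fired in the last 7 days from the Defender operational log.
#    Event 1122 = rule matched in Audit mode, 1121 = rule matched in Block mode.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

# The rule ID and offending path live in EventData. Fields are read by name
# (assumed names: 'ID', 'Path', 'Process Name', 'User') rather than by position
# so a reordered event schema does not silently mis-parse.
$hits = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $ruleId = ([string]$d['ID']).ToUpper()
    [pscustomobject]@{
        Mode    = if ($e.Id -eq 1121) { 'Block' } else { 'Audit' }
        RuleId  = $ruleId
        Rule    = $rules[$ruleId]
        Path    = $d['Path']
        Process = $d['Process Name']
        User    = $d['User']
        Time    = $e.TimeCreated
    }
}

# 4. Summarise by rule and path. Many hits from one signed LOB binary on one rule
#    is an exclusion candidate; scattered hits from script hosts or Office are the
#    behaviour the rule exists to stop and should stay in the rule's scope.
$hits | Group-Object RuleId, Path | Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Rule';      e = { $_.Group[0].Rule } },
        @{ n = 'Path';      e = { $_.Group[0].Path } },
        @{ n = 'Processes'; e = { ($_.Group.Process | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize

# Once a path is confirmed as a LOB exception, exclude it (the exclusion applies to
# most rules, and only takes effect when the excluded process next starts):
# Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\LOB\Reporting\report.exe'
```

Exclusions widen the attack surface for every rule they touch, so the summary is meant to be read per rule and per path: a single path that trips one rule thousands of times from one process is the shape of a legitimate exception, while the same rule firing from many unrelated processes is the rule working as intended.
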
26
Q

What happens when a rule is triggered in attack surface reduction?

A

A notification will be displayed on the device

Notifications can be customized with company details and contact information.

27
Q

Fill in the blank: You can exclude attack surface reduction rules from triggering based on _______ and file hashes.

A

certificate

This is done by allowing the specified files and certificates as Defender for Endpoint file and certificate indicators.

28
Q

What are the minimum Windows and Windows Server versions that support attack surface reduction rules?

A
  • Windows 10 Pro or Enterprise, version 1709 or later
  • Windows Server, version 1803 (Semi-Annual Channel) or later

Later Windows Server releases are also supported; in every case Microsoft Defender Antivirus must be the active antivirus with real-time protection on.

29
Q

What are the methods to enable attack surface reduction rules?

A
  • Microsoft Intune
  • Mobile Device Management (MDM)
  • Microsoft Endpoint Configuration Manager
  • Group Policy
  • PowerShell

These methods provide various ways to manage security settings across devices.

30
Q

Which management method is recommended for enabling attack surface reduction rules?

A

Enterprise-level management such as Intune or Microsoft Endpoint Configuration Manager

Enterprise-level management will overwrite any conflicting Group Policy or PowerShell settings on startup.

31
Q

What is the first step to create a new Device Configuration Profile in Intune?

A

Select Device configuration > Profiles

This is where you can choose an existing profile or create a new one.

32
Q

To create a new endpoint protection profile, what should you select after entering the profile information?

A

Create profile

You must also select Profile type as Endpoint protection.

33
Q

In the Endpoint protection pane, which feature should you select to configure Attack Surface Reduction?

A

Windows Defender Exploit Guard

This allows you to select the desired setting for each rule.

34
Q

What should you enter under Attack Surface Reduction exceptions?

A

Individual files and folders

You can also import a CSV file with the required format.

35
Q

What is the required format for each line in the CSV file for exclusions?

A

C:\folder, %ProgramFiles%\folder\file, C:\path

This format is necessary for excluding files and folders from attack surface reduction rules.

36
Q

What should you select after configuring the settings in the three configuration panes?

A

Select OK

Then select Create for a new profile or Save for an existing one.

37
Q

To create a new Endpoint Security Policy, what is the first action to take?

A

Select Endpoint Security > Attack surface reduction

This allows you to choose an existing rule or create a new one.

38
Q

What should you select for Profile type when creating a new policy?

A

Attack surface reduction rules

This is essential for defining the type of policy being created.

39
Q

In the Configuration settings pane, what feature do you select to configure Attack Surface Reduction?

A

Attack Surface Reduction

You then select the desired setting for each rule.

40
Q

In the Configuration settings pane, under which settings do you enter individual files and folders?

A
  • List of additional folders that need to be protected
  • List of apps that have access to protected folders
  • Exclude files and paths from attack surface reduction rules

The first two belong to controlled folder access; only the last one excludes files and folders from attack surface reduction rules. You can also import a CSV file for the exclusions.

41
Q

What action should you take after entering the necessary information in the configuration settings?

A

Select Next

Then select Create for a new policy or Save for an existing one.

42
Q

What is the OMA-URI path for managing attack surface reduction rules in mobile device management?

A

./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules

This path is used to individually enable and set the mode for each rule.

What are the **values** to enable, disable, or enable in audit mode for attack surface reduction rules?
* Disable = 0 * Block (enable rule) = 1 * Audit = 2 ## Footnote These values determine the action taken for each rule in mobile device management.
44
Q

How do you add exclusions for attack surface reduction rules in mobile device management?

A

Use the ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions configuration service provider (CSP)

Example value: c:\path|e:\path|c:\wlisted.exe

45
Q

In Microsoft Endpoint Configuration Manager, where do you go to manage the attack surface reduction rules?

A

Assets and Compliance > Endpoint Protection > Windows Defender Exploit Guard

This is the navigation path to access the relevant settings.

46
Q

What is the first step to create an Exploit Guard Policy in Microsoft Endpoint Configuration Manager?

A

Select Home > Create Exploit Guard Policy

This initiates the process of creating a new policy.

47
Q

What should you do after creating the Exploit Guard Policy in Microsoft Endpoint Configuration Manager?

A

Select Close

This finalizes the policy creation process.

48
Q

What is the purpose of Group Policy in managing attack surface reduction rules?

A

To configure settings for managing attack surface reduction rules

Group Policy allows administrators to manage security settings across multiple devices.

49
Q

What happens if you manage your computers with Intune or Configuration Manager regarding Group Policy settings?

A

Management software will overwrite any conflicting Group Policy settings on startup

This ensures that the most current management settings are applied.

50
Q

Which console do you open to manage Group Policy settings?

A

Group Policy Management Console

This console is used to edit Group Policy Objects.

51
Q

In the Group Policy Management Editor, where do you navigate to configure attack surface reduction rules?

A

Computer configuration > Administrative templates > Windows components > Microsoft Defender Antivirus > Windows Defender Exploit Guard > Attack surface reduction

This path leads to the settings for configuring attack surface reduction.

52
Q

What should you select to enable attack surface reduction rules?

A

Configure Attack surface reduction rules and select Enabled

This allows you to set individual states for each rule.

53
Q

What are the possible states you can set for attack surface reduction rules?

A
  • Disable = 0
  • Block (enable attack surface reduction rule) = 1
  • Audit = 2
  • Warn = 6

These states determine how the rules will be applied. Each rule is entered with its GUID as the value name and the state as the value.

54
Q

To exclude files and folders from attack surface reduction rules, which setting should you enable?

A

Exclude files and paths from Attack surface reduction rules

This setting allows specific files or folders to be exempt from the rules.

55
Q

When excluding files or folders, what should you enter in the Value column?

A

0 for each item

This indicates that the specified files or folders are excluded from the attack surface reduction rules.
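
A drift check for the PowerShell, MDM and Group Policy methods covered in the cards above, added here as an example that is not from the flashcards or from Microsoft: it reads the effective rule states with Get-MpPreference, compares them to a desired baseline, reports exclusions the baseline does not know about, and renders the same baseline in the pipe-delimited GUID=mode form the AttackSurfaceReductionRules CSP takes and in the value-name/value form Group Policy takes. The baseline, the exclusion paths and the function names Get-AsrDrift and Set-AsrBaseline are constructed for illustration; the GUIDs are Microsoft's published rule IDs and should be verified against the current docs.

```powershell
# Added example (not from the flashcards): compare a device's effective ASR
# configuration to a desired baseline and render that baseline for MDM and GPO.
# Assumes PowerShell on a Windows host with Microsoft Defender Antivirus.
# The baseline below is a constructed illustration, not a recommended set.

# Desired state: rule GUID -> mode code (0 Disabled, 1 Block, 2 Audit, 6 Warn).
$baseline = [ordered]@{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 1   # Office child processes: Block
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 1   # LSASS credential theft: Block
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 6   # Obfuscated scripts: Warn
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 2   # Email executables: still auditing
}
# Constructed exclusion paths; every entry here bypasses most rules for that path.
$exclusions = @('C:\LOB\Reporting\report.exe', '%ProgramFiles%\LOB\Updater')

$modeName   = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
$cmdletName = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode'; 6 = 'Warn' }  # Set-MpPreference enum names

function Get-AsrDrift {
    # Compare what Defender reports with $baseline. A rule missing from the
    # device counts as Not configured, i.e. Disabled.
    $pref   = Get-MpPreference
    $actual = @{}
    for ($i = 0; $i -lt @($pref.AttackSurfaceReductionRules_Ids).Count; $i++) {
        $actual[$pref.AttackSurfaceReductionRules_Ids[$i].ToUpper()] = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
    }
    foreach ($id in $baseline.Keys) {
        $want = [int]$baseline[$id]
        $have = if ($actual.ContainsKey($id)) { $actual[$id] } else { 0 }
        [pscustomobject]@{
            RuleId   = $id
            Expected = $modeName[$want]
            Actual   = $modeName[$have]
            Drift    = ($have -ne $want)
        }
    }
    # Exclusions present on the device but absent from the baseline widen the
    # attack surface silently, so they are reported as drift too.
    foreach ($x in @($pref.AttackSurfaceReductionOnlyExclusions)) {
        if ($x -and ($exclusions -notcontains $x)) {
            [pscustomobject]@{ RuleId = '(exclusion)'; Expected = '-'; Actual = $x; Drift = $true }
        }
    }
}

function Set-AsrBaseline {
    # Remediate with the PowerShell method. Set-MpPreference replaces the whole
    # rule list, so the complete baseline is passed in one call; exclusions are
    # appended with Add-MpPreference.
    $ids   = @($baseline.Keys)
    $modes = @($baseline.Values | ForEach-Object { $cmdletName[[int]$_] })
    Set-MpPreference -AttackSurfaceReductionRules_Ids $ids -AttackSurfaceReductionRules_Actions $modes
    foreach ($x in $exclusions) { Add-MpPreference -AttackSurfaceReductionOnlyExclusions $x }
}

# Value strings for the Defender CSP paths from the MDM cards:
#   ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules          -> GUID=mode|GUID=mode
#   ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions -> path|path
$mdmRules      = ($baseline.GetEnumerator() | ForEach-Object { '{0}={1}' -f $_.Key, $_.Value }) -join '|'
$mdmExclusions = $exclusions -join '|'
"AttackSurfaceReductionRules          = $mdmRules"
"AttackSurfaceReductionOnlyExclusions = $mdmExclusions"

# Group Policy form ("Configure Attack surface reduction rules"): value name = GUID,
# value = mode; the exclusion list uses the path as value name and 0 as value.
"`nGroup Policy entries:"
$baseline.GetEnumerator() | ForEach-Object { '  {0}  {1}' -f $_.Key, $_.Value }
$exclusions              | ForEach-Object { '  {0}  0' -f $_ }

"`nDrift report:"
Get-AsrDrift | Format-Table -AutoSize
# Call Set-AsrBaseline deliberately after reviewing the report; it changes live settings.
```

Because Intune and Configuration Manager overwrite conflicting Group Policy and PowerShell settings on startup, this check is most useful on devices that are not enrolled in enterprise management, and as an independent read of what the endpoint actually enforces on devices that are.
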