ASD's Blueprint for Secure Cloud

Endpoint security policies

This section describes the configuration of endpoint security policies within Microsoft Defender associated with systems built according to the guidance provided by ASD's Blueprint for Secure Cloud.

Estimated reading time: 3 minutes

Windows policies

ASD Windows Hardening Guidelines-Attack Surface Reduction

Policy details
ItemValue
Policy typeAttack Surface Reduction Rules
Policy categoryAttack surface reduction
PlatformWindows 10
Targetmdm,microsoftSense
Policy setting values
ItemValue
Block executable content from email client and webmailAudit
Block all Office applications from creating child processesAudit
Block Office applications from creating executable contentAudit
Block Office applications from injecting code into other processesAudit
Block JavaScript or VBScript from launching downloaded executable contentAudit
Block execution of potentially obfuscated scriptsAudit
Block Win32 API calls from Office macrosAudit
Block executable files from running unless they meet a prevalence, age, or trusted list criterionAudit
Use advanced protection against ransomwareAudit
Block credential stealing from the Windows local security authority subsystemAudit
Block process creations originating from PSExec and WMI commandsAudit
Block untrusted and unsigned processes that run from USBAudit
Block Office communication application from creating child processesAudit
Block Adobe Reader from creating child processesAudit
Block persistence through WMI event subscriptionAudit

ASD Windows Hardening Guidelines-Antivirus

Policy details
ItemValue
Policy typeMicrosoft Defender Antivirus
Policy categoryAntivirus
PlatformWindows 10
Targetmdm,microsoftSense
Policy setting values
ItemValue
Allow Archive ScanningAllowed. Scans the archive files.
Allow Behavior MonitoringAllowed. Turns on real-time behavior monitoring.
Allow Cloud ProtectionAllowed. Turns on Cloud Protection.
Cloud Extended Timeout50
Allow Email ScanningNot allowed. Turns off email scanning.
Allow Full Scan Removable Drive ScanningAllowed. Scans removable drives.
[Deprecated] Allow Intrusion Prevention SystemAllowed.
Allow scanning of all downloaded files and attachmentsAllowed.
Allow Realtime MonitoringAllowed. Turns on and runs the real-time monitoring service.
Allow Scanning Network FilesAllowed. Scans network files.
Allow Script ScanningAllowed.
Allow User UI AccessNot allowed. Prevents users from accessing UI.
Avg CPU Load Factor50
Check For Signatures Before Running ScanEnabled
Cloud Block LevelHigh
Disable Catchup Full ScanEnabled
Disable Catchup Quick ScanEnabled
Enable Low CPU PriorityEnabled
Enable Network ProtectionEnabled (block mode)
PUA ProtectionPUA Protection on. Detected items are blocked. They will show in history along with other threats.
Real Time Scan DirectionMonitor all files (bi-directional).
Schedule Quick Scan Time120
Schedule Scan DayEvery day
Schedule Scan Time120
Signature Update Interval4
Submit Samples ConsentSend safe samples automatically.
Remediation action for Severe threatsBlock. Blocks file execution.
Allow On Access ProtectionAllowed.
Threat Severity Default Action Remediation action for Moderate severity threatsQuarantine. Moves files to quarantine.
Remediation action for Low severity threatsClean. Service tries to recover files and try to disinfect.

ASD Windows Hardening Guidelines-Endpoint Detection and Response

Policy details
ItemValue
Policy typeEndpoint detection and response
Policy categoryEndpoint detection and response
PlatformWindows 10
Targetmdm,microsoftSense
Policy setting values
ItemValue
Sample SharingNone
[Deprecated] Telemetry Reporting FrequencyExpedite

Mac policies

Not configured

Linux policies

Not configured

Security & Governance

  • None identified

Design

Configuration

  • None identified

References

Do you have a suggestion on how the above page could be improved? Get in touch! ASD's Blueprint for Secure Cloud is an open source project, and we would love to get your input. Submit an issue on our GitHub, or send us an email at blueprint@asd.gov.au

Acknowledgement of Country icon

Acknowledgement of Country
We acknowledge the Traditional Owners and Custodians of Country throughout Australia and their continuing connections to land, sea and communities. We pay our respects to them, their cultures and their Elders; past, present and emerging. We also recognise Australia's First Peoples' enduring contribution to Australia's national security.

Authorised by the Australian Government, Canberra