ASD's Blueprint for Secure Cloud

Microsoft Defender for Endpoint Baseline

This section describes the configuration of security baselines within Microsoft Intune associated with systems built according to the guidance provided by ASD's Blueprint for Secure Cloud.

Estimated reading time: 4 minutes

Basics

ItemValue
NameMicrosoft Defender for Endpoint baseline
Description
PlatformWindows 10 and later

Assignments

ItemValue
Included groups
Excluded groups

Configuration settings

Attack Surface Reduction Rules

ItemValue
Block Office communication apps from creating child processesNot configured
Block Adobe Reader from creating child processesNot configured
Block Office applications from injecting code into other processesNot configured
Block Office applications from creating executable contentNot configured
Block JavaScript or VBScript from launching downloaded executable contentNot configured
Enable network protectionNot configured
Block untrusted and unsigned processes that run from USBNot configured
Block credential stealing from the Windows local security authority subsystem (lsass.exe)Not configured
Block executable content download from email and webmail clientsNot configured
Block all Office applications from creating child processesNot configured
Block execution of potentially obfuscated scripts (js/vbs/ps)Not configured
Block Win32 API calls from Office macroNot configured

BitLocker

ItemValue
BitLocker system drive policyNot configured
Standby states when sleeping while on batteryNot configured
Standby states when sleeping while plugged inNot configured
Enable Full disk or Used Space only encryption for OS and fixed data drivesNot configured
BitLocker fixed drive policyNot configured
BitLocker removable drive policyNot configured

Device Guard

ItemValue
Turn on Credential GuardEnable with UEFI lock

Device Installation

ItemValue
Block hardware device installation by setup classesNot configured

DMA Guard

ItemValue
Enumeration of external devices incompatible with Kernel DMA ProtectionNot configured

Firewall

ItemValue
Stateful File Transfer Protocol (FTP)Disabled
Number of seconds a security association can be idle before it’s deleted300
Preshared key encodingUTF8
Certificate revocation list (CRL) verificationNot configured
Packet queuingNot configured
Firewall profile privateConfigure
- Inbound connections blockedYes
- Unicast responses to multicast broadcasts requiredYes
- Outbound connections requiredNot configured
- Inbound notifications blockedNot configured
- Global port rules from group policy mergedNot configured
- Firewall enabledAllowed
- Authorized application rules from group policy not mergedNot configured
- Connection security rules from group policy not mergedYes
- Incoming traffic requiredYes
- Policy rules from group policy not mergedYes
Firewall profile publicConfigure
- Inbound connections blockedYes
- Unicast responses to multicast broadcasts requiredYes
- Outbound connections requiredNot configured
- Authorized application rules from group policy mergedNot configured
- Inbound notifications blockedNot configured
- Global port rules from group policy mergedNot configured
- Firewall enabledAllowed
- Connection security rules from group policy not mergedYes
- Incoming traffic requiredYes
- Policy rules from group policy not mergedYes
Firewall profile domainNot configured

Microsoft Defender

ItemValue
Turn on real-time protectionNot configured
Additional amount of time (0-50 seconds) to extend cloud protection timeout50
Scan all downloaded files and attachmentsNot configured
Scan typeQuick scan
Defender schedule scan dayEveryday
Scheduled scan start timeNot configured
Defender sample submission consentSend safe samples automatically
Cloud-delivered protection levelNot configured
Scan removable drives during full scanYes
Defender potentially unwanted app actionBlock
Turn on cloud-delivered protectionNot configured

Smart Screen

ItemValue
Block users from ignoring SmartScreen warningsNot configured
Turn on Windows SmartScreenNot configured
Require SmartScreen for Microsoft Edge LegacyNot configured
Block malicious site accessNot configured
Block unverified file downloadNot configured
Configure Microsoft Defender SmartScreenNot configured
Prevent bypassing Microsoft Defender SmartScreen prompts for sitesNot configured
Prevent bypassing of Microsoft Defender SmartScreen warnings about downloadsNot configured
Configure Microsoft Defender SmartScreen to block potentially unwanted appsNot configured

Do you have a suggestion on how the above page could be improved? Get in touch! ASD's Blueprint for Secure Cloud is an open source project, and we would love to get your input. Submit an issue on our GitHub, or send us an email at blueprint@asd.gov.au

Acknowledgement of Country icon

Acknowledgement of Country
We acknowledge the Traditional Owners and Custodians of Country throughout Australia and their continuing connections to land, sea and communities. We pay our respects to them, their cultures and their Elders; past, present and emerging. We also recognise Australia's First Peoples' enduring contribution to Australia's national security.

Authorised by the Australian Government, Canberra