ISM-1601 ASD Information Security Manual (ISM)

Implement Microsoft Attack Surface Reduction Rules

Apply Microsoft's rules to reduce potential weaknesses in user applications.


Plain language

This control is about applying Microsoft's security rules to make your computer systems safer. These rules help by closing off paths that hackers could use to attack your applications. If these paths aren't reduced, it makes it easier for hackers to break into your systems, steal information, or cause disruptions to your business.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Feb 2022

Control Stack last updated

18 May 2026

E8 maturity levels

N/A

Official control statement

Microsoft's attack surface reduction rules are implemented.
ASD Information Security Manual (ISM) ISM-1601

Why it matters

Without Microsoft Attack Surface Reduction (ASR) rules, Windows endpoints are more exposed to commodity malware and ransomware via Office/macros and scripting.


Operational notes

Manage ASR rules via Intune/GPO; review audit/block events in Defender, tune exclusions, and retest after Office or app updates.


Implementation tips

  • The IT team should review Microsoft's recommended attack surface reduction rules. They do this by consulting Microsoft’s online documentation or their internal IT policy resources. This helps ensure they are aware of the rules that could be applied to their systems.
  • System owners should configure these rules on all applicable systems. They can do this by accessing system settings through Microsoft’s security management tools and applying each rule as guided. This process should be scheduled during a low-traffic time to avoid disrupting users.
  • Managers should ensure staff are aware of these security changes. They should communicate to their teams the purpose and benefits of the new rules via email or a short team meeting. This helps in gaining voluntary compliance and cooperation.
  • The security team should regularly monitor the effectiveness of these rules. They should use available reporting tools to analyse any issue logs that indicate violations or blocks by the rules, adapting settings as needed to minimise unnecessary disruption.
  • Procurement staff need to prioritise acquiring or renewing Microsoft licences that support these reduction rules. They should work with budgets to ensure all systems have the requisite licences by liaising with providers well in advance of deadlines.

Audit / evidence tips

  • Ask: The list of currently implemented Microsoft attack surface reduction rules. Good is: a comprehensive list showing dates of implementation and coverage across all known applications.
  • Ask: Change management records relating to the implementation of these rules. Good is: records that show timely updates and justification for each configuration change.
  • Good is: evidence of system-wide communication that outlines both the changes and their expected impact.
  • Ask: The incident logs filtered to show activity related to these rules. Good is: logs indicating the rules are effectively blocking known threats rather than causing legitimate access issues.
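
The operational note on reviewing audit/block events and the first and last evidence items above can be backed by a per-endpoint snapshot. The following PowerShell is an added example, not part of the ISM or of this page's source material; the 30-day window and the CSV file names are assumptions, and it must run in an elevated session on a Windows endpoint with Microsoft Defender Antivirus.

```powershell
# Added example: ASR evidence snapshot for one Windows endpoint.
# Assumptions: 30-day review window; output file names are hypothetical.

# Documented values of AttackSurfaceReductionRules_Actions.
$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

# 1. Configured rules and their enforcement state (the "list of rules" evidence).
$pref    = Get-MpPreference
$ids     = @($pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ })
$actions = @($pref.AttackSurfaceReductionRules_Actions)

$configured = for ($i = 0; $i -lt $ids.Count; $i++) {
    $code = [int]$actions[$i]
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Collected = (Get-Date).ToString('s')
        RuleId    = $ids[$i]
        Action    = if ($actionNames.ContainsKey($code)) { $actionNames[$code] }
                    else { "Unknown ($code)" }
    }
}
if (-not $configured) {
    Write-Warning 'No ASR rules are configured on this endpoint.'
}

# 2. Rule activity: event 1121 = rule fired in block mode, 1122 = audit mode.
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = (Get-Date).AddDays(-30)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$activity = $events | ForEach-Object {
    $data = ([xml]$_.ToXml()).Event.EventData.Data
    [pscustomobject]@{
        # Assumption: the rule GUID is carried in the EventData field named 'ID'.
        RuleId = ($data | Where-Object Name -eq 'ID').'#text'
        Mode   = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
    }
} | Group-Object RuleId, Mode | Select-Object Count, Name

# 3. Write both views out as dated evidence.
$configured | Export-Csv -NoTypeInformation -Path .\asr-configured.csv
$activity   | Export-Csv -NoTypeInformation -Path .\asr-activity.csv
$configured | Format-Table -AutoSize
$activity   | Sort-Object Count -Descending | Format-Table -AutoSize
```

Rules that still show `Audit` or `Disabled`, and rules with a high `Block` count from a single line-of-business application, are the ones to examine when tuning exclusions.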

Cross-framework mappings

How ISM-1601 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

E8

Control Notes Details
Partially overlaps (3)
Supports (1)
Related (2)

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
