
Commit a34ebe5

Merge pull request #3384 from YongRhee-MSFT/docs-editor/attack-surface-reduction-rules-1743814485
Update attack-surface-reduction-rules-reference.md
2 parents 52540fb + ba06554 commit a34ebe5

File tree

1 file changed

+7
-0
lines changed


defender-endpoint/attack-surface-reduction-rules-reference.md

Lines changed: 7 additions & 0 deletions
@@ -250,6 +250,13 @@ For rules with the "Rule State" specified:
250250

251251
### Block abuse of exploited vulnerable signed drivers
252252

253+
> [!NOTE]
254+
> To protect your environment from vulnerable drivers, you should first implement these:
255+
> For Windows 10 or later, Windows Server 2016 or later using [Microsoft App Control for Business](/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules), you should block all drivers by default and only allow drivers that you deem necessary and are not known to be vulnerable.
256+
> For Windows 8.1 or older, Windows Server 2012 R2 or older, using [Microsoft AppLocker](/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-allow-and-deny-actions-on-rules), you should block all drivers by default and only allow drivers that you deem necessary and are not known to be vulnerable.
257+
> For Windows 11 or later, and Windows Server core 1809 or later, or Windows Server 2019 or later, you should also enable [Microsoft Windows vulnerable driver blocklist](/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules),
258+
> Then as another layer of defense, you should enable this attack surface reduction rule.
259+
253260
This rule prevents an application from writing a vulnerable signed driver to disk. In-the-wild, vulnerable signed drivers can be exploited by local applications \- _that have sufficient privileges_ \- to gain access to the kernel. Vulnerable signed drivers enable attackers to disable or circumvent security solutions, eventually leading to system compromise.
254261

255262
The **Block abuse of exploited vulnerable signed drivers** rule doesn't block a driver already existing on the system from being loaded.
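Review bot: the added note at lines 254-258 is malformed as prose: the lead-in "you should first implement these:" promises a list, but what follows is three run-on `>` paragraphs, and the third one (the "Windows 11 or later, and Windows Server core 1809 or later" sentence) ends with a comma instead of a period. Render the three platform cases as a bulleted list inside the `[!NOTE]` block, end each item with a period, and add the missing comma in "Then, as another layer of defense". Two further points in the same hunk: the "Microsoft App Control for Business" link on the Windows 10 / Server 2016 line points at `design/microsoft-recommended-driver-block-rules`, which is the same target as the vulnerable driver blocklist link two lines below, so a reader looking for how to build a default-deny driver policy lands on the blocklist page; point it at the App Control policy design guidance instead (or say explicitly that the blocklist page is where the recommended deny rules live). And "Windows Server core 1809" is not a product name as written; if the intent is the Server Core-only release "Windows Server, version 1809", name it that way and fold it into the Windows Server 2019 clause, e.g. "Windows 11 or later, and Windows Server 2019 or later (including Windows Server, version 1809)".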
