From fab58fbc7b87f222f176d5f1abefbcee30be1d9a Mon Sep 17 00:00:00 2001
From: martyav
Date: Tue, 30 Jul 2019 11:19:06 -0400
Subject: [PATCH 01/49] mv & rm pages w/o renaming folder yet
---
...t-guard.md => attack-surface-reduction.md} | 0
...oit-guard.md => audit-windows-defender.md} | 0
...exploit-guard.md => controlled-folders.md} | 0
...it-guard.md => emet-exploit-protection.md} | 0
...evaluate-windows-defender-exploit-guard.md | 53 -----------
...exploit-guard.md => exploit-protection.md} | 0
...exploit-guard.md => network-protection.md} | 0
.../windows-defender-exploit-guard.md | 90 -------------------
8 files changed, 143 deletions(-)
rename windows/security/threat-protection/windows-defender-exploit-guard/{attack-surface-reduction-exploit-guard.md => attack-surface-reduction.md} (100%)
rename windows/security/threat-protection/windows-defender-exploit-guard/{audit-windows-defender-exploit-guard.md => audit-windows-defender.md} (100%)
rename windows/security/threat-protection/windows-defender-exploit-guard/{controlled-folders-exploit-guard.md => controlled-folders.md} (100%)
rename windows/security/threat-protection/windows-defender-exploit-guard/{emet-exploit-protection-exploit-guard.md => emet-exploit-protection.md} (100%)
delete mode 100644 windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md
rename windows/security/threat-protection/windows-defender-exploit-guard/{exploit-protection-exploit-guard.md => exploit-protection.md} (100%)
rename windows/security/threat-protection/windows-defender-exploit-guard/{network-protection-exploit-guard.md => network-protection.md} (100%)
delete mode 100644 windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction.md
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
rename to windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction.md
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender.md
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md
rename to windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender.md
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders.md
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md
rename to windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders.md
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection.md
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md
rename to windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection.md
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md
deleted file mode 100644
index 7a23a23e04..0000000000
--- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md
+++ /dev/null
@@ -1,53 +0,0 @@
----
-title: Evaluate the impact of Windows Defender Exploit Guard
-description: Use our evaluation guides to quickly enable and configure features, and test them against common attack scenarios
-keywords: evaluate, guides, evaluation, exploit guard, controlled folder access, attack surface reduction, exploit protection, network protection, test, demo
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: levinec
-ms.author: ellevin
-ms.date: 05/30/2018
-ms.reviewer:
-manager: dansimp
----
-
-# Evaluate Windows Defender Exploit Guard
-
-**Applies to:**
-
-- Windows 10, version 1709 and later
-- Windows Server 2016
-
-Windows Defender Exploit Guard is a collection of tools and features that help you keep your network safe from exploits. Exploits are infection vectors for malware that rely on vulnerabilities in software.
-
-Windows Defender Exploit Guard is comprised of four features. We've developed evaluation guides for each of the features so you can easily and quickly see how they work and determine if they are suitable for your organization.
-
->[!TIP]
->You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work.
-
-Before you begin, you should read the main [Windows Defender Exploit Guard](windows-defender-exploit-guard.md) topic to get an understanding of each of the features and what their prerequisites are.
-
-- [Evaluate attack surface reduction](evaluate-attack-surface-reduction.md)
-- [Evaluate controlled folder access](evaluate-controlled-folder-access.md)
-- [Evaluate exploit protection](evaluate-exploit-protection.md)
-- [Evaluate network protection](evaluate-network-protection.md)
-
-You might also be interested in enabling the features in audit mode - which allows you to see how the features work in the real world without impacting your organization or employee's work habits:
-
-- [Use audit mode to evaluate Windows Defender Exploit Guard features](audit-windows-defender-exploit-guard.md)
-
-## Related topics
-
-| Topic | Description |
-|-------|-------------|
-| | |
-
-- [Protect devices from exploits](exploit-protection-exploit-guard.md)
-- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md)
-- [Protect your network](network-protection-exploit-guard.md)
-- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md)
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection.md
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md
rename to windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection.md
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/network-protection.md
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md
rename to windows/security/threat-protection/windows-defender-exploit-guard/network-protection.md
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md
deleted file mode 100644
index a60d5f5a24..0000000000
--- a/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md
+++ /dev/null
@@ -1,90 +0,0 @@
----
-title: Use Windows Defender Exploit Guard to protect your network
-description: Windows Defender EG employs features that help protect your network from threats, including helping prevent ransomware encryption and exploit attacks
-keywords: emet, exploit guard, Controlled folder access, Network protection, Exploit protection, Attack surface reduction, hips, host intrusion prevention system
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
-ms.date: 08/09/2018
-ms.reviewer:
-manager: dansimp
----
-
-# Windows Defender Exploit Guard
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-Windows Defender Exploit Guard (Windows Defender EG) is a new set of host intrusion prevention capabilities for Windows 10, allowing you to manage and reduce the attack surface of apps used by your employees.
-
-There are four features in Windows Defender EG:
-
-- [Exploit protection](exploit-protection-exploit-guard.md) can apply exploit mitigation techniques to apps your organization uses, both individually and to all apps. Works with third-party antivirus solutions and Windows Defender Antivirus (Windows Defender AV).
-- [Attack surface reduction rules](attack-surface-reduction-exploit-guard.md) can reduce the attack surface of your applications with intelligent rules that stop the vectors used by Office-, script- and mail-based malware. Requires Windows Defender AV.
-- [Network protection](network-protection-exploit-guard.md) extends the malware and social engineering protection offered by Windows Defender SmartScreen in Microsoft Edge to cover network traffic and connectivity on your organization's devices. Requires Windows Defender AV.
-- [Controlled folder access](controlled-folders-exploit-guard.md) helps protect files in key system folders from changes made by malicious and suspicious apps, including file-encrypting ransomware malware. Requires Windows Defender AV.
-
-Windows 10, version 1803 provides additional protections:
-
-- New Attack surface reduction rules
-- Controlled folder access can now block disk sectors
-
-You can evaluate each feature of Windows Defender EG with the guides at the following link, which provide pre-built PowerShell scripts and testing tools so you can see the features in action:
-- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)
-
-
-You can also [enable audit mode](audit-windows-defender-exploit-guard.md) for the features, which provides you with basic event logs that indicate how the feature would have responded if it had been fully enabled. This can be useful when evaluating the impact of Windows Defender EG and to help determine the impact of the features on your network's security.
-
->[!TIP]
->You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how each of them work.
-
-Windows Defender EG can be managed and reported on in the Windows Security app as part of the Microsoft Defender Advanced Threat Protection suite of threat mitigation, preventing, protection, and analysis technologies.
-
-You can use the Windows Security app to obtain detailed reporting into events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). You can [sign up for a free trial of Microsoft Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=cx-docs-msa4053440) to see how it works.
-
-## Requirements
-
-This section covers requirements for each feature in Windows Defender EG.
-
-| Symbol | Support |
-|--------|---------|
-| ![not supported](./images/ball_empty.png) | Not supported |
-| ![supported](./images/ball_50.png) | Supported |
-| ![supported, full reporting](./images/ball_full.png) | Recommended. Includes full, automated reporting into the Microsoft Defender ATP console. Provides additional cloud-powered capabilities, including the Network protection ability to block apps from accessing low-reputation websites and an attack surface reduction rule that blocks executable files that meet age or prevalence criteria.|
-
-| Feature | Windows 10 Home | Windows 10 Professional | Windows 10 Enterprise | Windows 10 with Enterprise E3 subscription | Windows 10 with Enterprise E5 subscription |
-| ----------------- | :------------------------------------: | :---------------------------: | :-------------------------: | :--------------------------------------: | :--------------------------------------: |
-| Exploit protection | ![supported](./images/ball_50.png) | ![supported](./images/ball_50.png) | ![supported, enhanced](./images/ball_50.png) | ![supported, enhanced](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) |
-| Attack surface reduction rules | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) |
-| Network protection | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) |
-| Controlled folder access | ![supported, limited reporting](./images/ball_50.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) |
-
->[!NOTE]
-> The [Identity & Threat Protection package](https://www.microsoft.com/microsoft-365/blog/2019/01/02/introducing-new-advanced-security-and-compliance-offerings-for-microsoft-365/), available for Microsoft 365 E3 customers, provides the same Windows Defender ATP capabilities as the Enterprise E5 subscription.
-
-The following table lists which features in Windows Defender EG require enabling [real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) from Windows Defender Antivirus.
-
-| Feature | Real-time protection |
-|-----------------| ------------------------------------ |
-| Exploit protection | No requirement |
-| Attack surface reduction rules | Must be enabled |
-| Network protection | Must be enabled |
-| Controlled folder access | Must be enabled |
-
- ## In this library
-
-Topic | Description
----|---
-[Protect devices from exploits](exploit-protection-exploit-guard.md) | Exploit protection provides you with many of the features in now-retired Enhanced Mitigations Experience Toolkit - and adds additional configuration and technologies. These features can help prevent threats from using vulnerabilities to gain access to your network and devices. You can create a template of settings that can be exported and copied to multiple machines in your network at once.
-[Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md) | Use pre-built rules to manage mitigations for key attack and infection vectors, such as Office-based malicious macro code and PowerShell, VBScript, and JavaScript scripts.
-[Protect your network](network-protection-exploit-guard.md) | Minimize the exposure of your devices from network and web-based infection vectors.
-[Protect important folders with controlled folder access](controlled-folders-exploit-guard.md) | Prevent unknown or unauthorized apps (including ransomware encryption malware) from writing to sensitive folders, such as folders containing sensitive or business-critical data.
-
-
From 4c98d898214ac11a1c5f8f1b20f443debc583680 Mon Sep 17 00:00:00 2001
From: martyav
Date: Tue, 30 Jul 2019 11:23:05 -0400
Subject: [PATCH 02/49] renamed two more that slipped by
---
...d-folders-exploit-guard.md => customize-controlled-folders.md} | 0
...lled-folders-exploit-guard.md => enable-controlled-folders.md} | 0
2 files changed, 0 insertions(+), 0 deletions(-)
rename windows/security/threat-protection/windows-defender-exploit-guard/{customize-controlled-folders-exploit-guard.md => customize-controlled-folders.md} (100%)
rename windows/security/threat-protection/windows-defender-exploit-guard/{enable-controlled-folders-exploit-guard.md => enable-controlled-folders.md} (100%)
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders.md
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md
rename to windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders.md
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders.md
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md
rename to windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders.md
From 911cd037e9f5cd8d4751751591543f51249a1b57 Mon Sep 17 00:00:00 2001
From: martyav
Date: Tue, 30 Jul 2019 11:59:30 -0400
Subject: [PATCH 03/49] linted and cleaned attack surface reduction
---
.../attack-surface-reduction.md | 120 +++++++++---------
1 file changed, 57 insertions(+), 63 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction.md
index e78eb77ef5..1c085cc8f4 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction.md
@@ -16,32 +16,28 @@ ms.reviewer:
 manager: dansimp
 ---
-# Reduce attack surfaces with attack surface reduction rules
+# Reduce attack surfaces with attack surface reduction rules
 **Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+> [!IMPORTANT]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
->[!IMPORTANT]
->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
-
-Attack surface reduction rules help prevent behaviors malware often uses to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, versions 1709 and 1803 or later, Windows Server, version 1803 (Semi-Annual Channel) or later, or Windows Server 2019.
-
+Attack surface reduction rules help prevent behaviors malware often uses to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, versions 1709 and 1803 or later, Windows Server, version 1803 (Semi-Annual Channel) or later, or Windows Server 2019.
 To use attack surface reduction rules, you need a Windows 10 Enterprise license. If you have a Windows E5 license, it gives you the advanced management capabilities to power them. These include monitoring, analytics, and workflows available in [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the Microsoft 365 Security Center. These advanced capabilities aren't available with an E3 license or with Windows 10 Enterprise without subscription, but you can use attack surface reduction rule events in Event Viewer to help facilitate deployment.
-
 Attack surface reduction rules target behaviors that malware and malicious apps typically use to infect computers, including:
-- Executable files and scripts used in Office apps or web mail that attempt to download or run files
-- Obfuscated or otherwise suspicious scripts
-- Behaviors that apps don't usually initiate during normal day-to-day work
+* Executable files and scripts used in Office apps or web mail that attempt to download or run files
+* Obfuscated or otherwise suspicious scripts
+* Behaviors that apps don't usually initiate during normal day-to-day work
-You can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks similar to malware. By monitoring audit data and [adding exclusions](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without impacting productivity.
+You can use [audit mode](audit-windows-defender.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks similar to malware. By monitoring audit data and [adding exclusions](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without impacting productivity.
-Triggered rules display a notification on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. The notification also displays in the Microsoft Defender Security Center and in the Microsoft 365 securty center.
+Triggered rules display a notification on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. The notification also displays in the Microsoft Defender Security Center and in the Microsoft 365 securty center.
 For information about configuring attack surface reduction rules, see [Enable attack surface reduction rules](enable-attack-surface-reduction.md).
@@ -49,11 +45,11 @@ For information about configuring attack surface reduction rules, see [Enable at
 Microsoft Defender ATP provides detailed reporting into events and blocks as part of its alert investigation scenarios.
-You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how controlled folder access settings could affect your environment.
+You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender.md), you can use Advanced hunting to see how controlled folder access settings could affect your environment.
-Here is an example query:
+Here is an example query:
-```
+```PowerShell
 MiscEvents
 | where ActionType startswith 'Asr'
 ```
@@ -62,12 +58,12 @@ MiscEvents
 You can review the Windows event log to view events that are created when attack surface reduction rules fire:
-1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the machine.
+1. Download the [Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the machine.
 2. Type **Event Viewer** in the Start menu to open the Windows Event Viewer.
 3. Click **Import custom view...** on the left panel, under **Actions**.
-
+
 4. Select the file *cfa-events.xml* from where it was extracted. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
 5. Click **OK**.
@@ -82,13 +78,12 @@ Event ID | Description
 The "engine version" of attack surface reduction events in the event log, is generated by Microsoft Defender ATP, not the operating system. Microsoft Defender ATP is integrated with Windows 10, so this feature works on all machines with Windows 10 installed.
-
 ## Attack surface reduction rules
 The following sections describe each of the 15 attack surface reduction rules. This table shows their corresponding GUIDs, which you use if you're configuring the rules with Group Policy or PowerShell. If you use System Center Configuration Manager or Microsoft Intune, you do not need the GUIDs:
-Rule name | GUID | File & folder exclusions
--|-|-
+ Rule name | GUID | File & folder exclusions
+-----------|------|--------------------------
 Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 | Supported
 Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A | Supported
 Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899 | Supported
@@ -111,8 +106,8 @@ Each rule description indicates which apps or file types the rule applies to. In
 This rule blocks the following file types from launching from email in Microsoft Outlook or Outlook.com and other popular webmail providers:
-- Executable files (such as .exe, .dll, or .scr)
-- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
+* Executable files (such as .exe, .dll, or .scr)
+* Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
 This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710
@@ -138,7 +133,7 @@ GUID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
 ### Block Office applications from creating executable content
-This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating executable content.
+This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating executable content.
 This rule targets a typical behavior where malware uses Office as a vector to break out of Office and save malicious components to disk, where they persist and survive a computer reboot. This rule prevents malicious code from being written to disk.
@@ -154,7 +149,7 @@ GUID: 3B576869-A4EC-4529-8536-B80A7769E899
 Attackers might attempt to use Office apps to migrate malicious code into other processes through code injection, so the code can masquerade as a clean process. This rule blocks code injection attempts from Office apps into other processes. There are no known legitimate business purposes for using code injection.
-This rule applies to Word, Excel, and PowerPoint.
+This rule applies to Word, Excel, and PowerPoint.
 This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710
@@ -166,12 +161,12 @@ GUID: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
 ### Block JavaScript or VBScript from launching downloaded executable content
-Malware often uses JavaScript and VBScript scripts to launch other malicious apps.
+Malware often uses JavaScript and VBScript scripts to launch other malicious apps.
-Malware written in JavaScript or VBS often acts as a downloader to fetch and launch additional native payload from the Internet. This rule prevents scripts from launching downloaded content, helping to prevent malicious use of the scripts to spread malware and infect machines. This isn't a common line-of-business use, but line-of-business applications sometimes use scripts to download and launch installers.
+Malware written in JavaScript or VBS often acts as a downloader to fetch and launch additional native payload from the Internet. This rule prevents scripts from launching downloaded content, helping to prevent malicious use of the scripts to spread malware and infect machines. This isn't a common line-of-business use, but line-of-business applications sometimes use scripts to download and launch installers.
->[!IMPORTANT]
->File and folder exclusions don't apply to this attack surface reduction rule.
+> [!IMPORTANT]
+> File and folder exclusions don't apply to this attack surface reduction rule.
 This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710
@@ -206,16 +201,16 @@ SCCM name: Block Win32 API calls from Office macros
 GUID: 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
 ### Block executable files from running unless they meet a prevalence, age, or trusted list criterion
-
+
 This rule blocks the following file types from launching unless they either meet prevalence or age criteria, or they're in a trusted list or exclusion list:
-
-- Executable files (such as .exe, .dll, or .scr)
->[!NOTE]
->You must [enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule.
+* Executable files (such as .exe, .dll, or .scr)
->[!IMPORTANT]
->The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 is owned by Microsoft and is not specified by admins. It uses cloud-delivered protection to update its trusted list regularly.
+> [!NOTE]
+> You must [enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule.
+
+> [!IMPORTANT]
+> The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 is owned by Microsoft and is not specified by admins. It uses cloud-delivered protection to update its trusted list regularly.
 >
 >You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules or exclusions apply to.
@@ -226,13 +221,13 @@ Intune name: Executables that don't meet a prevalence, age, or trusted list crit
 SCCM name: Block executable files from running unless they meet a prevalence, age, or trusted list criteria
 GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25
-
+
 ### Use advanced protection against ransomware
-
+
 This rule provides an extra layer of protection against ransomware. It scans executable files entering the system to determine whether they're trustworthy. If the files closely resemble ransomware, this rule blocks them from running, unless they're in a trusted list or exclusion list.
->[!NOTE]
->You must [enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule.
+> [!NOTE]
+> You must [enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule.
 This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, SCCM CB 1802
@@ -241,14 +236,14 @@ Intune name: Advanced ransomware protection SCCM name: Use advanced protection against ransomware GUID: c1db55ab-c21a-4637-bb3f-a12568109d35 - + ### Block credential stealing from the Windows local security authority subsystem (lsass.exe) - + Local Security Authority Subsystem Service (LSASS) authenticates users who log in to a Windows computer. Microsoft Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. This rule helps mitigate that risk by locking down LSASS. - >[!NOTE] - >In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that overly enumerates LSASS, you need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat. - +> [!NOTE] +> In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that overly enumerates LSASS, you need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat. + This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, SCCM CB 1802 Intune name: Flag credential stealing from the Windows local security authority subsystem 
@@ -261,11 +256,11 @@ GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 This rule blocks processes through PsExec and WMI commands from running, to prevent remote code execution that can spread malware attacks. ->[!IMPORTANT] ->File and folder exclusions do not apply to this attack surface reduction rule. +> [!IMPORTANT] +> File and folder exclusions do not apply to this attack surface reduction rule. ->[!WARNING] ->Only use this rule if you're managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [System Center Configuration Manager](https://docs.microsoft.com/sccm) because this rule blocks WMI commands the SCCM client uses to function correctly. +> [!WARNING] +> Only use this rule if you're managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [System Center Configuration Manager](https://docs.microsoft.com/sccm) because this rule blocks WMI commands the SCCM client uses to function correctly. This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, SCCM CB 1802 @@ -274,13 +269,13 @@ Intune name: Process creation from PSExec and WMI commands SCCM name: Not applicable GUID: d1e49aac-8f56-4280-b9ba-993a6d77406c - + ### Block untrusted and unsigned processes that run from USB - + With this rule, admins can prevent unsigned or untrusted executable files from running from USB removable drives, including SD cards. Blocked file types include: - -- Executable files (such as .exe, .dll, or .scr) -- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) + +* Executable files (such as .exe, .dll, or .scr) +* Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, SCCM CB 1802 
@@ -294,8 +289,8 @@ GUID: b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 This rule prevents Outlook from creating child processes. It protects against social engineering attacks and prevents exploit code from abusing a vulnerability in Outlook. To achieve this, the rule prevents the launch of additional payload while still allowing legitimate Outlook functions. It also protects against [Outlook rules and forms exploits](https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/) that attackers can use when a user's credentials are compromised. ->[!NOTE] ->This rule applies to Outlook and Outlook.com only. +> [!NOTE] +> This rule applies to Outlook and Outlook.com only. This rule was introduced in: Windows 10 1809, Windows Server 1809, Windows Server 2019, SCCM CB 1810 @@ -307,7 +302,7 @@ GUID: 26190899-1602-49e8-8b27-eb1d0a1ce869 ### Block Adobe Reader from creating child processes -Through social engineering or exploits, malware can download and launch additional payloads and break out of Adobe Reader. This rule prevents attacks like this by blocking Adobe Reader from creating additional processes. +Through social engineering or exploits, malware can download and launch additional payloads and break out of Adobe Reader. This rule prevents attacks like this by blocking Adobe Reader from creating additional processes. This rule was introduced in: Windows 10 1809, Windows Server 1809, Windows Server 2019, SCCM CB 1810 
@@ -319,7 +314,7 @@ GUID: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c ### Block persistence through WMI event subscription -Fileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic execution control. Some threats can abuse the WMI repository and event model to stay hidden. With this rule, admins can prevent threats that abuse WMI to persist and stay hidden in WMI repository. +Fileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic execution control. Some threats can abuse the WMI repository and event model to stay hidden. With this rule, admins can prevent threats that abuse WMI to persist and stay hidden in WMI repository. Intune name: Block persistence through WMI event subscription @@ -329,7 +324,6 @@ GUID: e6db77e5-3df2-4cf1-b95a-636979351e5b ## Related topics -- [Enable attack surface reduction rules](enable-attack-surface-reduction.md) -- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) -- [Compatibility of Microsoft Defender with other antivirus/antimalware](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility) - +* [Enable attack surface reduction rules](enable-attack-surface-reduction.md) +* [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) +* [Compatibility of Microsoft Defender with other antivirus/antimalware](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility) From bc1ff0b0bf2f81936bd2153367f7c11328708f8a Mon Sep 17 00:00:00 2001 From: martyav Date: Tue, 30 Jul 2019 12:24:06 -0400 Subject: [PATCH 04/49] linted and cleaned audit windows defender --- .../audit-windows-defender.md | 29 +++++++++---------- 1 file changed, 13 insertions(+), 16 deletions(-) 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender.md b/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender.md index dd9c960c79..8635669975 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender.md @@ -16,12 +16,11 @@ ms.reviewer: manager: dansimp --- - -# Use audit mode +# Use audit mode **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) You can enable attack surface reduction rules, exploit protection, network protection, and controlled folder access in audit mode. This lets you see a record of what *would* have happened if you had enabled the feature. 
@@ -33,25 +32,23 @@ To find the audited entries, go to **Applications and Services** > **Microsoft** You can use Windows Defender Advanced Threat Protection to get greater details for each event, especially for investigating attack surface reduction rules. Using the Microsoft Defender ATP console lets you [investigate issues as part of the alert timeline and investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). -This topic provides links that describe how to enable the audit functionality for each feature and how to view events in the Windows Event Viewer. +This topic provides links that describe how to enable the audit functionality for each feature and how to view events in the Windows Event Viewer. You can use Group Policy, PowerShell, and configuration service providers (CSPs) to enable audit mode. >[!TIP] >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work. 
- -|Audit options | How to enable audit mode | How to view events | -|- | - | - | -|Audit applies to all events | [Enable controlled folder access](enable-controlled-folders-exploit-guard.md) | [Controlled folder access events](evaluate-controlled-folder-access.md#review-controlled-folder-access-events-in-windows-event-viewer) | -|Audit applies to individual rules | [Enable attack surface reduction rules](enable-attack-surface-reduction.md) | [Attack surface reduction rule events](evaluate-attack-surface-reduction.md#review-attack-surface-reduction-events-in-windows-event-viewer) | -|Audit applies to all events | [Enable network protection](enable-network-protection.md) | [Network protection events](evaluate-network-protection.md#review-network-protection-events-in-windows-event-viewer) | -|Audit applies to individual mitigations | [Enable exploit protection](enable-exploit-protection.md) | [Exploit protection events](exploit-protection-exploit-guard.md#review-exploit-protection-events-in-windows-event-viewer) | - + Audit options | How to enable audit mode | How to view events +-|-|- +Audit applies to all events | [Enable controlled folder access](enable-controlled-folders.md) | [Controlled folder access events](evaluate-controlled-folder-access.md#review-controlled-folder-access-events-in-windows-event-viewer) +Audit applies to individual rules | [Enable attack surface reduction rules](enable-attack-surface-reduction.md) | [Attack surface reduction rule events](evaluate-attack-surface-reduction.md#review-attack-surface-reduction-events-in-windows-event-viewer) +Audit applies to all events | [Enable network protection](enable-network-protection.md) | [Network protection events](evaluate-network-protection.md#review-network-protection-events-in-windows-event-viewer) +|Audit applies to individual mitigations | [Enable exploit protection](enable-exploit-protection.md) | [Exploit protection 
events](exploit-protection-exploit-guard.md#review-exploit-protection-events-in-windows-event-viewer) ## Related topics -- [Protect devices from exploits](exploit-protection-exploit-guard.md) -- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md) -- [Protect your network](network-protection-exploit-guard.md) -- [Protect important folders](controlled-folders-exploit-guard.md) +* [Protect devices from exploits](exploit-protection.md) +* [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md) +* [Protect your network](network-protection.md) +* [Protect important folders](controlled-folders.md) From bc38c8be8965fc0aa202300bd0bb735b7a1eac6f Mon Sep 17 00:00:00 2001 From: martyav Date: Tue, 30 Jul 2019 12:28:09 -0400 Subject: [PATCH 05/49] missed an exploit guard! --- .../windows-defender-exploit-guard/audit-windows-defender.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender.md b/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender.md index 8635669975..0f6c505ac8 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender.md 
@@ -44,7 +44,7 @@ You can use Group Policy, PowerShell, and configuration service providers (CSPs) Audit applies to all events | [Enable controlled folder access](enable-controlled-folders.md) | [Controlled folder access events](evaluate-controlled-folder-access.md#review-controlled-folder-access-events-in-windows-event-viewer) Audit applies to individual rules | [Enable attack surface reduction rules](enable-attack-surface-reduction.md) | [Attack surface reduction rule events](evaluate-attack-surface-reduction.md#review-attack-surface-reduction-events-in-windows-event-viewer) Audit applies to all events | [Enable network protection](enable-network-protection.md) | [Network protection events](evaluate-network-protection.md#review-network-protection-events-in-windows-event-viewer) -|Audit applies to individual mitigations | [Enable exploit protection](enable-exploit-protection.md) | [Exploit protection events](exploit-protection-exploit-guard.md#review-exploit-protection-events-in-windows-event-viewer) +|Audit applies to individual mitigations | [Enable exploit protection](enable-exploit-protection.md) | [Exploit protection events](exploit-protection.md#review-exploit-protection-events-in-windows-event-viewer) ## Related topics From be4d426ef8e92e2a9f7d1b44d2296c5ba6859f22 Mon Sep 17 00:00:00 2001 From: martyav Date: Tue, 30 Jul 2019 13:31:37 -0400 Subject: [PATCH 06/49] lint/cleaned controlled folders & renamed event views --- .../controlled-folders.md | 35 +++++++++---------- ...-views-exploit-guard.md => event-views.md} | 0 2 files changed, 17 insertions(+), 18 deletions(-) rename windows/security/threat-protection/windows-defender-exploit-guard/{event-views-exploit-guard.md => event-views.md} (100%) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders.md b/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders.md index 3029df4d23..a3acd284ab 100644 
--- a/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders.md @@ -20,7 +20,7 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. Controlled folder access works best with [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). 
@@ -31,9 +31,9 @@ This is especially useful in helping to protect your documents and information f A notification will appear on the computer where the app attempted to make changes to a protected folder. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. -The protected folders include common system folders, and you can [add additional folders](customize-controlled-folders-exploit-guard.md#protect-additional-folders). You can also [allow or whitelist apps](customize-controlled-folders-exploit-guard.md#allow-specific-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders. +The protected folders include common system folders, and you can [add additional folders](customize-controlled-folders.md#protect-additional-folders). You can also [allow or whitelist apps](customize-controlled-folders.md#allow-specific-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders. -You can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how controlled folder access would impact your organization if it were enabled. You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. +You can use [audit mode](audit-windows-defender.md) to evaluate how controlled folder access would impact your organization if it were enabled. You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. Controlled folder access is supported on Windows 10, version 1709 and later and Windows Server 2019. 
@@ -43,13 +43,13 @@ Controlled folder access requires enabling [Windows Defender Antivirus real-time ## Review controlled folder access events in the Microsoft Defender ATP Security Center -Microsoft Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). +Microsoft Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). -You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how controlled folder access settings would affect your environment if they were enabled. +You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender.md), you can use Advanced hunting to see how controlled folder access settings would affect your environment if they were enabled. -Here is an example query +Here is an example query: -``` +```PowerShell MiscEvents | where ActionType in ('ControlledFolderAccessViolationAudited','ControlledFolderAccessViolationBlocked') ``` 
@@ -58,17 +58,17 @@ MiscEvents You can review the Windows event log to see events that are created when controlled folder access blocks (or audits) an app: -1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the machine. +1. Download the [Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the machine. 2. Type **Event viewer** in the Start menu to open the Windows Event Viewer. 3. On the left panel, under **Actions**, click **Import custom view...**. - -4. Navigate to where you extracted *cfa-events.xml* and select it. Alternatively, [copy the XML directly](event-views-exploit-guard.md). -4. Click **OK**. +4. Navigate to where you extracted *cfa-events.xml* and select it. Alternatively, [copy the XML directly](event-views.md). -5. This will create a custom view that filters to only show the following events related to controlled folder access: +5. Click **OK**. + +6. This will create a custom view that filters to only show the following events related to controlled folder access: Event ID | Description -|- 
@@ -76,11 +76,10 @@ Event ID | Description 1124 | Audited controlled folder access event 1123 | Blocked controlled folder access event +## In this section - ## In this section - -Topic | Description ----|--- +Topic | Description +-|- [Evaluate controlled folder access](evaluate-controlled-folder-access.md) | Use a dedicated demo tool to see how controlled folder access works, and what events would typically be created. -[Enable controlled folder access](enable-controlled-folders-exploit-guard.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage controlled folder access in your network -[Customize controlled folder access](customize-controlled-folders-exploit-guard.md) | Add additional protected folders, and allow specified apps to access protected folders. +[Enable controlled folder access](enable-controlled-folders.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage controlled folder access in your network +[Customize controlled folder access](customize-controlled-folders.md) | Add additional protected folders, and allow specified apps to access protected folders. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/event-views.md similarity index 100% rename from windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md rename to windows/security/threat-protection/windows-defender-exploit-guard/event-views.md From 68e9252fd15926616c3810910775d7f117b393d9 Mon Sep 17 00:00:00 2001 From: martyav Date: Tue, 30 Jul 2019 13:35:34 -0400 Subject: [PATCH 07/49] lint/cleaned customize attack surface reduction --- .../customize-attack-surface-reduction.md | 44 +++++++++---------- 1 file changed, 21 insertions(+), 23 deletions(-) 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md index 2b7dec1738..2424a2cc8d 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md @@ -20,10 +20,10 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. +> [!IMPORTANT] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients. 
@@ -33,21 +33,20 @@ You can use Group Policy, PowerShell, and MDM CSPs to configure these settings. ## Exclude files and folders -You can exclude files and folders from being evaluated by attack surface reduction rules. This means that even if an attack surface reduction rule detects that the file contains malicious behavior, the file will not be blocked from running. +You can exclude files and folders from being evaluated by attack surface reduction rules. This means that even if an attack surface reduction rule detects that the file contains malicious behavior, the file will not be blocked from running. ->[!WARNING] ->This could potentially allow unsafe files to run and infect your devices. Excluding files or folders can severely reduce the protection provided by attack surface reduction rules. Files that would have been blocked by a rule will be allowed to run, and there will be no report or event recorded. +> [!WARNING] +> This could potentially allow unsafe files to run and infect your devices. Excluding files or folders can severely reduce the protection provided by attack surface reduction rules. Files that would have been blocked by a rule will be allowed to run, and there will be no report or event recorded. An exclusion applies to all rules that allow exclusions. You can specify an individual file, folder path, or the fully qualified domain name for a resource, but you cannot limit an exclusion to certain rules. An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted. -Attack surface reduction supports environment variables and wildcards. 
For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). +Attack surface reduction supports environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). If you are encountering problems with rules detecting files that you believe should not be detected, you should [use audit mode first to test the rule](evaluate-attack-surface-reduction.md). - -Rule description | GUID --|:-:|- +Rule description | GUID +-|-|- Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B 
@@ -62,19 +61,19 @@ Block process creations originating from PSExec and WMI commands | d1e49aac-8f56 Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 Block Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c -Block persistence through WMI event subscription | e6db77e5-3df2-4cf1-b95a-636979351e5b +Block persistence through WMI event subscription | e6db77e5-3df2-4cf1-b95a-636979351e5b -See the [attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule. +See the [attack surface reduction](attack-surface-reduction.md) topic for details on each rule. ### Use Group Policy to exclude files and folders -1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -3. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack surface reduction**. +3. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack surface reduction**. -4. Double-click the **Exclude files and paths from Attack surface reduction Rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. 
Enter **0** in the **Value** column for each item. +4. Double-click the **Exclude files and paths from Attack surface reduction Rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item. ### Use PowerShell to exclude files and folders @@ -85,10 +84,10 @@ See the [attack surface reduction](attack-surface-reduction-exploit-guard.md) to Add-MpPreference -AttackSurfaceReductionOnlyExclusions "" ``` -Continue to use `Add-MpPreference -AttackSurfaceReductionOnlyExclusions` to add more folders to the list. +Continue to use `Add-MpPreference -AttackSurfaceReductionOnlyExclusions` to add more folders to the list. ->[!IMPORTANT] ->Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. +> [!IMPORTANT] +> Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. ### Use MDM CSPs to exclude files and folders @@ -100,7 +99,6 @@ See the [Windows Security](../windows-defender-security-center/windows-defender- ## Related topics -- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md) -- [Enable attack surface reduction rules](enable-attack-surface-reduction.md) -- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) - +* [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md) +* [Enable attack surface reduction rules](enable-attack-surface-reduction.md) +* [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) From 198452f3c552ab3ecb5324a3516af42174a0ef7d Mon Sep 17 00:00:00 2001 From: martyav Date: Tue, 30 Jul 2019 13:47:42 -0400 Subject: [PATCH 08/49] linted and cleaned emet --- .../emet-exploit-protection.md | 74 ++++++------------- 1 file changed, 21 insertions(+), 53 deletions(-) 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection.md index 0a5a679109..c74a78deb7 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection.md 
@@ -20,15 +20,15 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->[!IMPORTANT] ->If you are currently using EMET, you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with exploit protection in Microsoft Defender ATP. -> ->You can [convert an existing EMET configuration file into Exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings. +> [!IMPORTANT] +> If you are currently using EMET, you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with exploit protection in Microsoft Defender ATP. +> +> You can [convert an existing EMET configuration file into Exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings. + +This topic describes the differences between the Enhance Mitigation Experience Toolkit (EMET) and exploit protection in Microsoft Defender ATP. -This topic describes the differences between the Enhance Mitigation Experience Toolkit (EMET) and exploit protection in Microsoft Defender ATP. - Exploit protection in Microsoft Defender ATP is our successor to EMET and provides stronger protection, more customization, an easier user interface, and better configuration and management options. 
EMET is a standalone product for earlier versions of Windows and provides some mitigation against older, known exploit techniques. @@ -37,45 +37,17 @@ After July 31, 2018, it will not be supported. For more information about the individual features and mitigations available in Microsoft Defender ATP, as well as how to enable, configure, and deploy them to better protect your network, see the following topics: -- [Protect devices from exploits](exploit-protection-exploit-guard.md) -- [Configure and audit exploit protection mitigations](customize-exploit-protection.md) - - - ## Feature comparison - - The table in this section illustrates the differences between EMET and Windows Defender Exploit Guard. - -  | Windows Defender Exploit Guard | EMET - -|:-:|:-: -Windows versions | [!include[Check mark yes](images/svg/check-yes.svg)]
All versions of Windows 10 starting with version 1709 | [!include[Check mark yes](images/svg/check-yes.svg)]
Windows 8.1; Windows 8; Windows 7
Cannot be installed on Windows 10, version 1709 and later -Installation requirements | [Windows Security in Windows 10](../windows-defender-security-center/windows-defender-security-center.md)
(no additional installation required)
Windows Defender Exploit Guard is built into Windows - it doesn't require a separate tool or package for management, configuration, or deployment. | Available only as an additional download and must be installed onto a management device -User interface | Modern interface integrated with the [Windows Security app](../windows-defender-security-center/windows-defender-security-center.md) | Older, complex interface that requires considerable ramp-up training -Supportability | [!include[Check mark yes](images/svg/check-yes.svg)]
[Dedicated submission-based support channel](https://www.microsoft.com/en-us/wdsi/filesubmission)[[1](#fn1)]
[Part of the Windows 10 support lifecycle](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet) | [!include[Check mark no](images/svg/check-no.svg)]
Ends after July 31, 2018 -Updates | [!include[Check mark yes](images/svg/check-yes.svg)]
Ongoing updates and development of new features, released twice yearly as part of the [Windows 10 semi-annual update channel](https://blogs.technet.microsoft.com/windowsitpro/2017/07/27/waas-simplified-and-aligned/) | [!include[Check mark no](images/svg/check-no.svg)]
No planned updates or development -Exploit protection | [!include[Check mark yes](images/svg/check-yes.svg)]
All EMET mitigations plus new, specific mitigations ([see table](#mitigation-comparison))
[Can convert and import existing EMET configurations](import-export-exploit-protection-emet-xml.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
Limited set of mitigations -Attack surface reduction[[2](#fn2)] | [!include[Check mark yes](images/svg/check-yes.svg)]
[Helps block known infection vectors](attack-surface-reduction-exploit-guard.md)
[Can configure individual rules](enable-attack-surface-reduction.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
Limited ruleset configuration only for modules (no processes) -Network protection[[2](#fn2)] | [!include[Check mark yes](images/svg/check-yes.svg)]
[Helps block malicious network connections](network-protection-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.svg)]
Not available -Controlled folder access[[2](#fn2)] | [!include[Check mark yes](images/svg/check-yes.svg)]
[Helps protect important folders](controlled-folders-exploit-guard.md)
[Configurable for apps and folders](customize-controlled-folders-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.svg)]
Not available -Configuration with GUI (user interface) | [!include[Check mark yes](images/svg/check-yes.svg)]
[Use Windows Security app to customize and manage configurations](customize-exploit-protection.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
Requires installation and use of EMET tool -Configuration with Group Policy | [!include[Check mark yes](images/svg/check-yes.svg)]
[Use Group Policy to deploy and manage configurations](import-export-exploit-protection-emet-xml.md#manage-or-deploy-a-configuration) | [!include[Check mark yes](images/svg/check-yes.svg)]
Available -Configuration with shell tools | [!include[Check mark yes](images/svg/check-yes.svg)]
[Use PowerShell to customize and manage configurations](customize-exploit-protection.md#powershell-reference) | [!include[Check mark yes](images/svg/check-yes.svg)]
Requires use of EMET tool (EMET_CONF) -System Center Configuration Manager | [!include[Check mark yes](images/svg/check-yes.svg)]
[Use Configuration Manager to customize, deploy, and manage configurations](https://docs.microsoft.com/sccm/protect/deploy-use/create-deploy-exploit-guard-policy) | [!include[Check mark no](images/svg/check-no.svg)]
Not available -Microsoft Intune | [!include[Check mark yes](images/svg/check-yes.svg)]
[Use Intune to customize, deploy, and manage configurations](https://docs.microsoft.com/intune/whats-new#window-defender-exploit-guard-is-a-new-set-of-intrusion-prevention-capabilities-for-windows-10----1063615---) | [!include[Check mark no](images/svg/check-no.svg)]
Not available -Reporting | [!include[Check mark yes](images/svg/check-yes.svg)]
With [Windows event logs](event-views-exploit-guard.md) and [full audit mode reporting](audit-windows-defender-exploit-guard.md)
[Full integration with Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/secure-score-dashboard.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
Limited Windows event log monitoring -Audit mode | [!include[Check mark yes](images/svg/check-yes.svg)]
[Full audit mode with Windows event reporting](audit-windows-defender-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.svg)]
Limited to EAF, EAF+, and anti-ROP mitigations - -([1](#ref1)) Requires an enterprise subscription with Azure Active Directory or a [Software Assurance ID](https://www.microsoft.com/en-us/licensing/licensing-programs/software-assurance-default.aspx). - -([2](#ref2-1)) Additional requirements may apply (such as use of Windows Defender Antivirus). See [Windows Defender Exploit Guard requirements](windows-defender-exploit-guard.md#requirements) for more details. Customizable mitigation options that are configured with [Exploit protection](exploit-protection-exploit-guard.md) do not require Windows Defender Antivirus. +* [Protect devices from exploits](exploit-protection.md) +* [Configure and audit exploit protection mitigations](customize-exploit-protection.md) ## Mitigation comparison -The mitigations available in EMET are included in Windows Defender Exploit Guard, under the [exploit protection feature](exploit-protection-exploit-guard.md). +The mitigations available in EMET are included in Windows Defender, under the [exploit protection feature](exploit-protection.md). The table in this section indicates the availability and support of native mitigations between EMET and Exploit protection. -Mitigation | Available in Windows Defender Exploit Guard | Available in EMET --|:-:|:-: +Mitigation | Available in Windows Defender | Available in EMET +-|-|- Arbitrary code guard (ACG) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
As "Memory Protection Check" Block remote images | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
As "Load Library Check" Block untrusted fonts | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] 
@@ -100,19 +72,15 @@ Validate handle usage | [!include[Check mark yes](images/svg/check-yes.svg)] | [ Validate heap integrity | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] Validate image dependency integrity | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] - ->[!NOTE] ->The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default in Windows Defender Exploit Guard as part of enabling the anti-ROP mitigations for a process. -> ->See the [Mitigation threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information on how Windows 10 employs existing EMET technology. - +> [!NOTE] +> The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default in Windows Defender as part of enabling the anti-ROP mitigations for a process. +> +> See the [Mitigation threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information on how Windows 10 employs existing EMET technology. 
## Related topics -- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) -- [Evaluate exploit protection](evaluate-exploit-protection.md) -- [Enable exploit protection](enable-exploit-protection.md) -- [Configure and audit exploit protection mitigations](customize-exploit-protection.md) -- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) - - +* [Protect devices from exploits with Windows Defender](exploit-protection.md) +* [Evaluate exploit protection](evaluate-exploit-protection.md) +* [Enable exploit protection](enable-exploit-protection.md) +* [Configure and audit exploit protection mitigations](customize-exploit-protection.md) +* [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) From a6065c40788afc9f765c791d0e0b2c6e27b82b3f Mon Sep 17 00:00:00 2001 From: martyav Date: Tue, 30 Jul 2019 13:58:40 -0400 Subject: [PATCH 09/49] lint/cleaned enable controlled folders --- .../emet-exploit-protection.md | 2 +- .../enable-controlled-folders.md | 73 ++++++++++--------- 2 files changed, 38 insertions(+), 37 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection.md index c74a78deb7..ab962884c6 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection.md @@ -16,7 +16,7 @@ ms.reviewer: manager: dansimp --- -# Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender Exploit Guard +# Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender **Applies to:** 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders.md
index 29ed15335f..7da99a6da0 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders.md
@@ -20,24 +20,25 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[Controlled folder access](controlled-folders-exploit-guard.md) helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). Controlled folder access is included with Windows 10 and Windows Server 2019. +[Controlled folder access](controlled-folders.md) helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender](windows-defender.md). Controlled folder access is included with Windows 10 and Windows Server 2019. You can enable controlled folder access by using any of these methods: -- [Windows Security app](#windows-security-app) -- [Microsoft Intune](#intune) -- [Mobile Device Management (MDM)](#mdm) -- [System Center Configuration Manager (SCCM)](#sccm) -- [Group Policy](#group-policy) -- [PowerShell](#powershell) +* [Windows Security app](#windows-security-app) +* [Microsoft Intune](#intune) +* [Mobile Device Management (MDM)](#mdm) +* [System Center Configuration Manager (SCCM)](#sccm) +* [Group Policy](#group-policy) +* [PowerShell](#powershell) [Audit mode](evaluate-controlled-folder-access.md) allows you to test how the feature would work (and review events) without impacting the normal use of the machine. Group Policy settings that disable local administrator list merging will override controlled folder access settings. They also override protected folders and allowed apps set by the local administrator through controlled folder access. 
These policies include: -- Windows Defender Antivirus **Configure local administrator merge behavior for lists** -- System Center Endpoint Protection **Allow users to add exclusions and overrides** + +* Windows Defender Antivirus **Configure local administrator merge behavior for lists** +* System Center Endpoint Protection **Allow users to add exclusions and overrides** For more information about disabling local list merging, see [Prevent or allow users to locally modify Windows Defender AV policy settings](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus#configure-how-locally-and-globally-defined-threat-remediation-and-exclusions-lists-are-merged). 
@@ -49,30 +50,30 @@ For more information about disabling local list merging, see [Prevent or allow u 3. Set the switch for **Controlled folder access** to **On**. ->[!NOTE] ->If controlled folder access is configured with Group Policy, PowerShell, or MDM CSPs, the state will change in the Windows Security app after a restart of the device. ->If the feature is set to **Audit mode** with any of those tools, the Windows Security app will show the state as **Off**. +> [!NOTE] +> If controlled folder access is configured with Group Policy, PowerShell, or MDM CSPs, the state will change in the Windows Security app after a restart of the device. +> If the feature is set to **Audit mode** with any of those tools, the Windows Security app will show the state as **Off**. ## Intune 1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune. 1. Click **Device configuration** > **Profiles** > **Create profile**. 1. Name the profile, choose **Windows 10 and later** and **Endpoint protection**. - ![Create endpoint protection profile](images/create-endpoint-protection-profile.png) -1. Click **Configure** > **Windows Defender Exploit Guard** > **Network filtering** > **Enable**. -1. Type the path to each application that has access to protected folders and the path to any additional folder that needs protection and click **Add**. + ![Create endpoint protection profile](images/create-endpoint-protection-profile.png) +1. Click **Configure** > **Windows Defender Exploit Guard** > **Network filtering** > **Enable**. +1. Type the path to each application that has access to protected folders and the path to any additional folder that needs protection and click **Add**. ![Enable controlled folder access in Intune](images/enable-cfa-intune.png) - >[!NOTE] - >Wilcard is supported for applications, but not for folders. Subfolders are not protected. Allowed apps will continue to trigger events until they are restarted. 
+ > [!NOTE] + > Wilcard is supported for applications, but not for folders. Subfolders are not protected. Allowed apps will continue to trigger events until they are restarted. -1. Click **OK** to save each open blade and click **Create**. +1. Click **OK** to save each open blade and click **Create**. 1. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**. -## MDM +## MDM -Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-controlledfolderaccessprotectedfolders) configuration service provider (CSP) to allow apps to make changes to protected folders. +Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-controlledfolderaccessprotectedfolders) configuration service provider (CSP) to allow apps to make changes to protected folders. ## SCCM 
@@ -80,28 +81,28 @@ Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](htt 2. Click **Home** > **Create Exploit Guard Policy**. 3. Enter a name and a description, click **Controlled folder access**, and click **Next**. 4. Choose whether block or audit changes, allow other apps, or add other folders, and click **Next**. - >[!NOTE] - >Wilcard is supported for applications, but not for folders. Subfolders are not protected. Allowed apps will continue to trigger events until they are restarted. + > [!NOTE] + > Wilcard is supported for applications, but not for folders. Subfolders are not protected. Allowed apps will continue to trigger events until they are restarted. 5. Review the settings and click **Next** to create the policy. -6. After the policy is created, click **Close**. +6. After the policy is created, click **Close**. ## Group Policy -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access**. +3. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access**. -6. Double-click the **Configure Controlled folder access** setting and set the option to **Enabled**. 
In the options section you must specify one of the following: - - **Enable** - Malicious and suspicious apps will not be allowed to make changes to files in protected folders. A notification will be provided in the Windows event log - - **Disable (Default)** - The Controlled folder access feature will not work. All apps can make changes to files in protected folders. - - **Audit Mode** - If a malicious or suspicious app attempts to make a change to a file in a protected folder, the change will be allowed but will be recorded in the Windows event log. This allows you to assess the impact of this feature on your organization. +4. Double-click the **Configure Controlled folder access** setting and set the option to **Enabled**. In the options section you must specify one of the following: + * **Enable** - Malicious and suspicious apps will not be allowed to make changes to files in protected folders. A notification will be provided in the Windows event log + * **Disable (Default)** - The Controlled folder access feature will not work. All apps can make changes to files in protected folders. + * **Audit Mode** - If a malicious or suspicious app attempts to make a change to a file in a protected folder, the change will be allowed but will be recorded in the Windows event log. This allows you to assess the impact of this feature on your organization. ![Screenshot of group policy option with Enabled and then Enable selected in the drop-down](images/cfa-gp-enable.png) ->[!IMPORTANT] ->To fully enable controlled folder access, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu. +> [!IMPORTANT] +> To fully enable controlled folder access, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu. ## PowerShell 
@@ -119,6 +120,6 @@ Use `Disabled` to turn the feature off. ## Related topics -- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md) -- [Customize controlled folder access](customize-controlled-folders-exploit-guard.md) -- [Evaluate Microsoft Defender ATP](evaluate-windows-defender-exploit-guard.md) +* [Protect important folders with controlled folder access](controlled-folders.md) +* [Customize controlled folder access](customize-controlled-folders.md) +* [Evaluate Microsoft Defender ATP](evaluate-windows-defender.md) From 5e1037d359545092a57251f9685e9470f056d540 Mon Sep 17 00:00:00 2001 From: martyav Date: Tue, 30 Jul 2019 14:28:41 -0400 Subject: [PATCH 10/49] exploit protection linted -- need to rd EG links --- .../exploit-protection.md | 75 +++++++++---------- 1 file changed, 36 insertions(+), 39 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection.md index d701915788..1e56b29997 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection.md 
@@ -20,14 +20,14 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Exploit protection automatically applies a number of exploit mitigation techniques to operating system processes and apps. +Exploit protection automatically applies a number of exploit mitigation techniques to operating system processes and apps. -It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). Exploit protection is supported beginning with Windows 10, version 1709 and Windows Server 2016, version 1803. +It is part of [Windows Defender](windows-defender.md). Exploit protection is supported beginning with Windows 10, version 1709 and Windows Server 2016, version 1803. ->[!TIP] ->You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. +> [!TIP] +> You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. Exploit protection works best with [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) - which gives you detailed reporting into exploit protection events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). 
@@ -37,23 +37,23 @@ When a mitigation is encountered on the machine, a notification will be displaye You can also use [audit mode](evaluate-exploit-protection.md) to evaluate how exploit protection would impact your organization if it were enabled. -Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) have been included in Exploit protection, and you can convert and import existing EMET configuration profiles into Exploit protection. See [Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender Exploit Guard](emet-exploit-protection-exploit-guard.md) for more information on how Exploit protection supersedes EMET and what the benefits are when considering moving to exploit protection on Windows 10. +Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) have been included in Exploit protection, and you can convert and import existing EMET configuration profiles into Exploit protection. See [Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender Exploit Guard](emet-exploit-protection.md) for more information on how Exploit protection supersedes EMET and what the benefits are when considering moving to exploit protection on Windows 10. ->[!IMPORTANT] ->If you are currently using EMET you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with exploit protection in Windows 10. You can [convert an existing EMET configuration file into exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings. 
+> [!IMPORTANT] +> If you are currently using EMET you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with exploit protection in Windows 10. You can [convert an existing EMET configuration file into exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings. ->[!WARNING] ->Some security mitigation technologies may have compatibility issues with some applications. You should test exploit protection in all target use scenarios by using [audit mode](audit-windows-defender-exploit-guard.md) before deploying the configuration across a production environment or the rest of your network. +> [!WARNING] +> Some security mitigation technologies may have compatibility issues with some applications. You should test exploit protection in all target use scenarios by using [audit mode](audit-windows-defender.md) before deploying the configuration across a production environment or the rest of your network. ## Review exploit protection events in the Microsoft Security Center Microsoft Defender ATP provides detailed reporting into events and blocks as part of its alert investigation scenarios. -You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how exploit protection settings could affect your environment. +You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). 
If you're using [audit mode](audit-windows-defender.md), you can use Advanced hunting to see how exploit protection settings could affect your environment. Here is an example query: -``` +```PowerShell MiscEvents | where ActionType startswith 'ExploitGuard' and ActionType !contains 'NetworkProtection' ``` @@ -63,7 +63,7 @@ MiscEvents You can review the Windows event log to see events that are created when exploit protection blocks (or audits) an app: Provider/source | Event ID | Description --|:-:|- +-|-|- Security-Mitigations | 1 | ACG audit Security-Mitigations | 2 | ACG enforce Security-Mitigations | 3 | Do not allow child processes audit 
@@ -93,45 +93,45 @@ Win32K | 260 | Untrusted Font ## Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender Exploit Guard ->[!IMPORTANT] ->If you are currently using EMET, you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with exploit protection in Microsoft Defender ATP. +> [!IMPORTANT] +> If you are currently using EMET, you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with exploit protection in Microsoft Defender ATP. > ->You can [convert an existing EMET configuration file into exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings. +> You can [convert an existing EMET configuration file into exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings. -This section compares exploit protection in Microsoft Defender ATP with the Enhance Mitigation Experience Toolkit (EMET) for reference. +This section compares exploit protection in Microsoft Defender ATP with the Enhance Mitigation Experience Toolkit (EMET) for reference. The table in this section illustrates the differences between EMET and Windows Defender Exploit Guard.   | Windows Defender Exploit Guard | EMET - -|:-:|:-: + -|-|- Windows versions | [!include[Check mark yes](images/svg/check-yes.svg)]
All versions of Windows 10 starting with version 1709 | [!include[Check mark yes](images/svg/check-yes.svg)]
Windows 8.1; Windows 8; Windows 7
Cannot be installed on Windows 10, version 1709 and later Installation requirements | [Windows Security in Windows 10](../windows-defender-security-center/windows-defender-security-center.md)
(no additional installation required)
Windows Defender Exploit Guard is built into Windows - it doesn't require a separate tool or package for management, configuration, or deployment. | Available only as an additional download and must be installed onto a management device User interface | Modern interface integrated with the [Windows Security app](../windows-defender-security-center/windows-defender-security-center.md) | Older, complex interface that requires considerable ramp-up training Supportability | [!include[Check mark yes](images/svg/check-yes.svg)]
[Dedicated submission-based support channel](https://www.microsoft.com/en-us/wdsi/filesubmission)[[1](#fn1)]
[Part of the Windows 10 support lifecycle](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet) | [!include[Check mark no](images/svg/check-no.svg)]
Ends after July 31, 2018 Updates | [!include[Check mark yes](images/svg/check-yes.svg)]
Ongoing updates and development of new features, released twice yearly as part of the [Windows 10 semi-annual update channel](https://blogs.technet.microsoft.com/windowsitpro/2017/07/27/waas-simplified-and-aligned/) | [!include[Check mark no](images/svg/check-no.svg)]
No planned updates or development Exploit protection | [!include[Check mark yes](images/svg/check-yes.svg)]
All EMET mitigations plus new, specific mitigations ([see table](#mitigation-comparison))
[Can convert and import existing EMET configurations](import-export-exploit-protection-emet-xml.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
Limited set of mitigations -Attack surface reduction[[2](#fn2)] | [!include[Check mark yes](images/svg/check-yes.svg)]
[Helps block known infection vectors](attack-surface-reduction-exploit-guard.md)
[Can configure individual rules](enable-attack-surface-reduction.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
Limited ruleset configuration only for modules (no processes) -Network protection[[2](#fn2)] | [!include[Check mark yes](images/svg/check-yes.svg)]
[Helps block malicious network connections](network-protection-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.svg)]
Not available -Controlled folder access[[2](#fn2)] | [!include[Check mark yes](images/svg/check-yes.svg)]
[Helps protect important folders](controlled-folders-exploit-guard.md)
[Configurable for apps and folders](customize-controlled-folders-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.svg)]
Not available +Attack surface reduction[[2](#fn2)] | [!include[Check mark yes](images/svg/check-yes.svg)]
[Helps block known infection vectors](attack-surface-reduction.md)
[Can configure individual rules](enable-attack-surface-reduction.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
Limited ruleset configuration only for modules (no processes) +Network protection[[2](#fn2)] | [!include[Check mark yes](images/svg/check-yes.svg)]
[Helps block malicious network connections](network-protection.md) | [!include[Check mark no](images/svg/check-no.svg)]
Not available +Controlled folder access[[2](#fn2)] | [!include[Check mark yes](images/svg/check-yes.svg)]
[Helps protect important folders](controlled-folders.md)
[Configurable for apps and folders](customize-controlled-folders.md) | [!include[Check mark no](images/svg/check-no.svg)]
Not available Configuration with GUI (user interface) | [!include[Check mark yes](images/svg/check-yes.svg)]
[Use Windows Security app to customize and manage configurations](customize-exploit-protection.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
Requires installation and use of EMET tool Configuration with Group Policy | [!include[Check mark yes](images/svg/check-yes.svg)]
[Use Group Policy to deploy and manage configurations](import-export-exploit-protection-emet-xml.md#manage-or-deploy-a-configuration) | [!include[Check mark yes](images/svg/check-yes.svg)]
Available Configuration with shell tools | [!include[Check mark yes](images/svg/check-yes.svg)]
[Use PowerShell to customize and manage configurations](customize-exploit-protection.md#powershell-reference) | [!include[Check mark yes](images/svg/check-yes.svg)]
Requires use of EMET tool (EMET_CONF) System Center Configuration Manager | [!include[Check mark yes](images/svg/check-yes.svg)]
[Use Configuration Manager to customize, deploy, and manage configurations](https://docs.microsoft.com/sccm/protect/deploy-use/create-deploy-exploit-guard-policy) | [!include[Check mark no](images/svg/check-no.svg)]
Not available Microsoft Intune | [!include[Check mark yes](images/svg/check-yes.svg)]
[Use Intune to customize, deploy, and manage configurations](https://docs.microsoft.com/intune/whats-new#window-defender-exploit-guard-is-a-new-set-of-intrusion-prevention-capabilities-for-windows-10----1063615---) | [!include[Check mark no](images/svg/check-no.svg)]
Not available -Reporting | [!include[Check mark yes](images/svg/check-yes.svg)]
With [Windows event logs](event-views-exploit-guard.md) and [full audit mode reporting](audit-windows-defender-exploit-guard.md)
[Full integration with Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/secure-score-dashboard.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
Limited Windows event log monitoring -Audit mode | [!include[Check mark yes](images/svg/check-yes.svg)]
[Full audit mode with Windows event reporting](audit-windows-defender-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.svg)]
Limited to EAF, EAF+, and anti-ROP mitigations +Reporting | [!include[Check mark yes](images/svg/check-yes.svg)]
With [Windows event logs](event-views.md) and [full audit mode reporting](audit-windows-defender.md)
[Full integration with Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/secure-score-dashboard.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
Limited Windows event log monitoring +Audit mode | [!include[Check mark yes](images/svg/check-yes.svg)]
[Full audit mode with Windows event reporting](audit-windows-defender.md) | [!include[Check mark no](images/svg/check-no.svg)]
Limited to EAF, EAF+, and anti-ROP mitigations ([1](#ref1)) Requires an enterprise subscription with Azure Active Directory or a [Software Assurance ID](https://www.microsoft.com/en-us/licensing/licensing-programs/software-assurance-default.aspx). -([2](#ref2-1)) Additional requirements may apply (such as use of Windows Defender Antivirus). See [Windows Defender Exploit Guard requirements](windows-defender-exploit-guard.md#requirements) for more details. Customizable mitigation options that are configured with [exploit protection](exploit-protection-exploit-guard.md) do not require Windows Defender Antivirus. +([2](#ref2-1)) Additional requirements may apply (such as use of Windows Defender Antivirus). See [Windows Defender Exploit Guard requirements](windows-defender-exploit-guard.md#requirements) for more details. Customizable mitigation options that are configured with [exploit protection](exploit-protection.md) do not require Windows Defender Antivirus. ## Mitigation comparison -The mitigations available in EMET are included in Windows Defender Exploit Guard, under the [exploit protection feature](exploit-protection-exploit-guard.md). +The mitigations available in EMET are included in Windows Defender Exploit Guard, under the [exploit protection feature](exploit-protection.md). The table in this section indicates the availability and support of native mitigations between EMET and exploit protection. Mitigation | Available in Windows Defender Exploit Guard | Available in EMET --|:-:|:-: +-|-|- Arbitrary code guard (ACG) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
As "Memory Protection Check" Block remote images | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
As "Load Library Check" Block untrusted fonts | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] 
@@ -156,19 +156,16 @@ Validate handle usage | [!include[Check mark yes](images/svg/check-yes.svg)] | [ Validate heap integrity | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] Validate image dependency integrity | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] ->[!NOTE] ->The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default in Windows Defender Exploit Guard as part of enabling the anti-ROP mitigations for a process. -> ->See the [Mitigation threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information on how Windows 10 employs existing EMET technology. - +> [!NOTE] +> The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default in Windows Defender Exploit Guard as part of enabling the anti-ROP mitigations for a process. +> +> See the [Mitigation threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information on how Windows 10 employs existing EMET technology. 
## Related topics -- [Protect devices from exploits](exploit-protection-exploit-guard.md) -- [Evaluate exploit protection](evaluate-exploit-protection.md) -- [Enable exploit protection](enable-exploit-protection.md) -- [Configure and audit exploit protection mitigations](customize-exploit-protection.md) -- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) -- [Troubleshoot exploit protection](troubleshoot-exploit-protection-mitigations.md) - - +* [Protect devices from exploits](exploit-protection.md) +* [Evaluate exploit protection](evaluate-exploit-protection.md) +* [Enable exploit protection](enable-exploit-protection.md) +* [Configure and audit exploit protection mitigations](customize-exploit-protection.md) +* [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) +* [Troubleshoot exploit protection](troubleshoot-exploit-protection-mitigations.md) From 54901becf66a21a2e567879367a2474d9c763353 Mon Sep 17 00:00:00 2001 From: martyav Date: Tue, 30 Jul 2019 14:39:44 -0400 Subject: [PATCH 11/49] lint/cleaned network protection --- .../network-protection.md | 30 +++++++++---------- 1 file changed, 14 insertions(+), 16 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/network-protection.md index e4fccb655d..478e8d5d1a 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/network-protection.md 
@@ -20,40 +20,40 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Network protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. +Network protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. It expands the scope of [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md) to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname). Network protection is supported beginning with Windows 10, version 1709. ->[!TIP] ->You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. +> [!TIP] +> You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. Network protection works best with [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). 
When network protection blocks a connection, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. -You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Network protection would impact your organization if it were enabled. +You can also use [audit mode](audit-windows-defender.md) to evaluate how Network protection would impact your organization if it were enabled. ## Requirements Network protection requires Windows 10 Pro, Enterprise E3, E5 and Windows Defender AV real-time protection. Windows 10 version | Windows Defender Antivirus -- | - +-|- Windows 10 version 1709 or later | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) must be enabled ## Review network protection events in the Microsoft Defender ATP Security Center -Microsoft Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). +Microsoft Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). -You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how network protection settings would affect your environment if they were enabled. 
+You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender.md), you can use Advanced hunting to see how network protection settings would affect your environment if they were enabled. -Here is an example query +Here is an example query -``` +```PowerShell MiscEvents | where ActionType in ('ExploitGuardNetworkProtectionAudited','ExploitGuardNetworkProtectionBlocked') ``` @@ -62,7 +62,7 @@ MiscEvents You can review the Windows event log to see events that are created when network protection blocks (or audits) access to a malicious IP or domain: -1. [Copy the XML directly](event-views-exploit-guard.md). +1. [Copy the XML directly](event-views.md). 2. Click **OK**. @@ -71,12 +71,10 @@ You can review the Windows event log to see events that are created when network Event ID | Description -|- 5007 | Event when settings are changed - 1125 | Event when network protection fires in audit mode - 1126 | Event when network protection fires in block mode + 1125 | Event when network protection fires in audit mode + 1126 | Event when network protection fires in block mode - ## Related topics +## Related topics -Topic | Description ----|--- [Evaluate network protection](evaluate-network-protection.md) | Undertake a quick scenario that demonstrate how the feature works, and what events would typically be created. [Enable network protection](enable-network-protection.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage network protection in your network. From d3beae478ab8bea93a07193f7eeb0d88b3b6fb32 Mon Sep 17 00:00:00 2001 From: martyav Date: Tue, 30 Jul 2019 14:43:56 -0400 Subject: [PATCH 12/49] lint/cleaned configure machines --- .../configure-machines-asr.md | 28 ++++++++++--------- 1 file changed, 15 insertions(+), 13 deletions(-) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md
index 785daef982..d6dd489b05 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md
@@ -20,34 +20,36 @@ ms.topic: article # Optimize ASR rule deployment and detections **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink) +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[Attack surface reduction (ASR) rules](../windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md) identify and prevent actions that are typically taken by malware during exploitation. These rules control when and how potentially malicious code can run. For example, you can prevent JavaScript or VBScript from launching a downloaded executable, block Win32 API calls from Office macros, or block processes that run from USB drives. +> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink) + +[Attack surface reduction (ASR) rules](../windows-defender-exploit-guard/attack-surface-reduction.md) identify and prevent actions that are typically taken by malware during exploitation. These rules control when and how potentially malicious code can run. For example, you can prevent JavaScript or VBScript from launching a downloaded executable, block Win32 API calls from Office macros, or block processes that run from USB drives. ![Attack surface management card](images/secconmgmt_asr_card.png)
*Attack surface management card* The **Attack surface management** card is an entry point to tools in Microsoft 365 security center that you can use to: -- Understand how ASR rules are currently deployed in your organization -- Review ASR detections and identify possible incorrect detections -- Analyze the impact of exclusions and generate the list of file paths to exclude +* Understand how ASR rules are currently deployed in your organization +* Review ASR detections and identify possible incorrect detections +* Analyze the impact of exclusions and generate the list of file paths to exclude Selecting **Go to attack surface management** takes you to **Monitoring & reports > Attack surface reduction rules > Add exclusions**. From there, you can navigate to other sections of Microsoft 365 security center. ![Add exclusions tab in the Attack surface reduction rules page in Microsoft 365 security center](images/secconmgmt_asr_m365exlusions.png)
*Add exclusions tab in the Attack surface reduction rules page in Microsoft 365 security center* ->[!NOTE] ->To access Microsoft 365 security center, you need a Microsoft 365 E3 or E5 license and an account that has certain roles on Azure Active Directory. [Read more about required licenses and permissions](https://docs.microsoft.com/office365/securitycompliance/microsoft-security-and-compliance#required-licenses-and-permissions) +> [!NOTE] +> To access Microsoft 365 security center, you need a Microsoft 365 E3 or E5 license and an account that has certain roles on Azure Active Directory. [Read more about required licenses and permissions](https://docs.microsoft.com/office365/securitycompliance/microsoft-security-and-compliance#required-licenses-and-permissions) -For more information about optimizing ASR rule deployment in Microsoft 365 security center, read [Monitor and manage ASR rule deployment and detections](https://docs.microsoft.com/office365/securitycompliance/monitor-devices#monitor-and-manage-asr-rule-deployment-and-detections) +For more information about optimizing ASR rule deployment in Microsoft 365 security center, read [Monitor and manage ASR rule deployment and detections](https://docs.microsoft.com/office365/securitycompliance/monitor-devices#monitor-and-manage-asr-rule-deployment-and-detections) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink) +> Want to experience Microsoft Defender ATP? 
[Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink) # Related topics -- [Ensure your machines are configured properly](configure-machines.md) -- [Get machines onboarded to Microsoft Defender ATP](configure-machines-onboarding.md) -- [Increase compliance to the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md) \ No newline at end of file + +* [Ensure your machines are configured properly](configure-machines.md) +* [Get machines onboarded to Microsoft Defender ATP](configure-machines-onboarding.md) +* [Increase compliance to the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md) From 5645ea7f6785e9a2193aa175e0e386852d1fd979 Mon Sep 17 00:00:00 2001 From: martyav Date: Tue, 30 Jul 2019 14:46:02 -0400 Subject: [PATCH 13/49] lint/cleaned threat index --- windows/security/threat-protection/index.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md index d85f33b6b5..a8e7f0db20 100644 --- a/windows/security/threat-protection/index.md +++ b/windows/security/threat-protection/index.md @@ -58,16 +58,16 @@ This built-in capability uses a game-changing risk-based approach to the discove **[Attack surface reduction](microsoft-defender-atp/overview-attack-surface-reduction.md)**
-The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations. +The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations. -- [Hardware based isolation](microsoft-defender-atp/overview-hardware-based-isolation.md) +- [Hardware based isolation](microsoft-defender-atp/overview-hardware-based-isolation.md) - [Application control](windows-defender-application-control/windows-defender-application-control.md) - [Device control](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md) -- [Exploit protection](windows-defender-exploit-guard/exploit-protection-exploit-guard.md) -- [Network protection](windows-defender-exploit-guard/network-protection-exploit-guard.md) -- [Controlled folder access](windows-defender-exploit-guard/controlled-folders-exploit-guard.md) +- [Exploit protection](windows-defender-exploit-guard/exploit-protection.md) +- [Network protection](windows-defender-exploit-guard/network-protection.md) +- [Controlled folder access](windows-defender-exploit-guard/controlled-folders.md) - [Network firewall](windows-firewall/windows-firewall-with-advanced-security.md) -- [Attack surface reduction controls](windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md) +- [Attack surface reduction controls](windows-defender-exploit-guard/attack-surface-reduction.md) From ee3eff70029340703fff59686a4141ac5a9f029e Mon Sep 17 00:00:00 2001 
From: martyav
Date: Tue, 30 Jul 2019 14:53:34 -0400
Subject: [PATCH 14/49] lint/cleaned customize exploit protection
---
 .../customize-exploit-protection.md | 121 +++++++++---------
 1 file changed, 58 insertions(+), 63 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
index f6197a0a67..c594656bb5 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
@@ -20,18 +20,18 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Exploit protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps. - + You configure these settings using the Windows Security app on an individual machine, and then export the configuration as an XML file that you can deploy to other machines. You can use Group Policy to distribute the XML file to multiple devices at once. You can also configure the mitigations with PowerShell. - This topic lists each of the mitigations available in exploit protection, indicates whether the mitigation can be applied system-wide or to individual apps, and provides a brief description of how the mitigation works. +This topic lists each of the mitigations available in exploit protection, indicates whether the mitigation can be applied system-wide or to individual apps, and provides a brief description of how the mitigation works. It also describes how to enable or configure the mitigations using Windows Security, PowerShell, and MDM CSPs. This is the first step in creating a configuration that you can deploy across your network. The next step involves [generating or exporting, importing, and deploying the configuration to multiple devices](import-export-exploit-protection-emet-xml.md). ->[!WARNING] ->Some security mitigation technologies may have compatibility issues with some applications. You should test exploit protection in all target use scenarios by using [audit mode](evaluate-exploit-protection.md) before deploying the configuration across a production environment or the rest of your network. 
+> [!WARNING] +> Some security mitigation technologies may have compatibility issues with some applications. You should test exploit protection in all target use scenarios by using [audit mode](evaluate-exploit-protection.md) before deploying the configuration across a production environment or the rest of your network. ## Exploit protection mitigations 
@@ -39,14 +39,14 @@ All mitigations can be configured for individual apps. Some mitigations can also You can set each of the mitigations to on, off, or to their default value. Some mitigations have additional options, these are indicated in the description in the table. -Default values are always specified in brackets at the **Use default** option for each mitigation. In the following example, the default for Data Execution Prevention is "On". +Default values are always specified in brackets at the **Use default** option for each mitigation. In the following example, the default for Data Execution Prevention is "On". The **Use default** configuration for each of the mitigation settings indicates our recommendation for a base level of protection for everyday usage for home users. Enterprise deployments should consider the protection required for their individual needs and may need to modify configuration away from the defaults. For the associated PowerShell cmdlets for each mitigation, see the [PowerShell reference table](#cmdlets-table) at the bottom of this topic. Mitigation | Description | Can be applied to | Audit mode available -- | - | - | :-: +-|-|-|- Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)] Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)] Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)] 
@@ -69,57 +69,57 @@ Validate handle usage | Causes an exception to be raised on any invalid handle r Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | [!include[Check mark no](images/svg/check-no.svg)] Validate stack integrity (StackPivot) | Ensures that the stack has not been redirected for sensitive APIs. Not compatible with ACG | App-level only | [!include[Check mark no](images/svg/check-no.svg)] ->[!IMPORTANT] ->If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work: +> [!IMPORTANT] +> If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. 
The following matrix and examples help to illustrate how defaults work: > > ->Enabled in **Program settings** | Enabled in **System settings** | Behavior ->:-: | :-: | :-: ->[!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | As defined in **Program settings** ->[!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | As defined in **Program settings** ->[!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | As defined in **System settings** ->[!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | Default as defined in **Use default** option +> Enabled in **Program settings** | Enabled in **System settings** | Behavior +> -|-|- +> [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | As defined in **Program settings** +> [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | As defined in **Program settings** +> [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | As defined in **System settings** +> [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | Default as defined in **Use default** option > > -> ->- **Example 1** -> +> +> * **Example 1** +> > Mikael configures **Data Execution Prevention (DEP)** in the **System settings** section to be **Off by default**. -> +> > Mikael then adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, he enables the **Override system settings** option and sets the switch to **On**. There are no other apps listed in the **Program settings** section. -> ->The result will be that DEP only will be enabled for *test.exe*. 
All other apps will not have DEP applied. -> -> ->- **Example 2** -> +> +> The result will be that DEP only will be enabled for *test.exe*. All other apps will not have DEP applied. +> +> +> * **Example 2** +> > Josie configures **Data Execution Prevention (DEP)** in the **System settings** section to be **Off by default**. > -> Josie then adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, she enables the **Override system settings** option and sets the switch to **On**. +> Josie then adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, she enables the **Override system settings** option and sets the switch to **On**. > > Josie also adds the app *miles.exe* to the **Program settings** section and configures **Control flow guard (CFG)** to **On**. She doesn't enable the **Override system settings** option for DEP or any other mitigations for that app. > >The result will be that DEP will be enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*. >CFG will be enabled for *miles.exe*. ->[!NOTE] ->If you have found any issues in this article, you can report it directly to a Windows Server/Windows Client partner or use the Microsoft technical support numbers for your country. +> [!NOTE] +> If you have found any issues in this article, you can report it directly to a Windows Server/Windows Client partner or use the Microsoft technical support numbers for your country. ### Configure system-level mitigations with the Windows Security app 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**. - + 3. 
Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here: - - **On by default** - The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section - - **Off by default** - The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section - - **Use default** - The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation + * **On by default** - The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section + * **Off by default** - The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section + * **Use default** - The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation >[!NOTE] >You may see a User Account Control window when changing some settings. Enter administrator credentials to apply the setting. - Changing some settings may require a restart. + Changing some settings may require a restart. 4. Repeat this for all the system-level mitigations you want to configure. 
@@ -127,15 +127,14 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi 1. If the app you want to configure is already listed, click it and then click **Edit** 2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app: - - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. - - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. + * Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. + * Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. 6. After selecting the app, you'll see a list of all the mitigations that can be applied. To enable the mitigation, click the check box and then change the slider to **On**. Select any additional options. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows. 7. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration. - -You can now [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) or continue on to configure app-specific mitigations. +You can now [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) or continue on to configure app-specific mitigations. Exporting the configuration as an XML file allows you to copy the configuration from one machine onto other machines. 
@@ -151,33 +150,34 @@ Exporting the configuration as an XML file allows you to copy the configuration You can use the PowerShell verb `Get` or `Set` with the cmdlet `ProcessMitigation`. Using `Get` will list the current configuration status of any mitigations that have been enabled on the device - add the `-Name` cmdlet and app exe to see mitigations for just that app: ```PowerShell -Get-ProcessMitigation -Name processName.exe +Get-ProcessMitigation -Name processName.exe ``` ->[!IMPORTANT] ->System-level mitigations that have not been configured will show a status of `NOTSET`. +> [!IMPORTANT] +> System-level mitigations that have not been configured will show a status of `NOTSET`. > ->For system-level settings, `NOTSET` indicates the default setting for that mitigation has been applied. +> For system-level settings, `NOTSET` indicates the default setting for that mitigation has been applied. > ->For app-level settings, `NOTSET` indicates the system-level setting for the mitigation will be applied. +> For app-level settings, `NOTSET` indicates the system-level setting for the mitigation will be applied. > ->The default setting for each system-level mitigation can be seen in the Windows Security. +> The default setting for each system-level mitigation can be seen in the Windows Security. Use `Set` to configure each mitigation in the following format: ```PowerShell Set-ProcessMitigation - - ,, ``` + Where: -- \: - - `-Name` to indicate the mitigations should be applied to a specific app. Specify the app's executable after this flag. - - `-System` to indicate the mitigation should be applied at the system level +* \: + * `-Name` to indicate the mitigations should be applied to a specific app. Specify the app's executable after this flag. 
+ * `-System` to indicate the mitigation should be applied at the system level - \: - - `-Enable` to enable the mitigation - - `-Disable` to disable the mitigation -- \: - - The mitigation's cmdlet as defined in the [mitigation cmdlets table](#cmdlets-table) below, along with any suboptions (surrounded with spaces). Each mitigation is separated with a comma. + * `-Enable` to enable the mitigation + * `-Disable` to disable the mitigation +* \: + * The mitigation's cmdlet as defined in the [mitigation cmdlets table](#cmdlets-table) below, along with any suboptions (surrounded with spaces). Each mitigation is separated with a comma. For example, to enable the Data Execution Prevention (DEP) mitigation with ATL thunk emulation and for an executable called *testing.exe* in the folder *C:\Apps\LOB\tests*, and to prevent that executable from creating child processes, you'd use the following command: @@ -185,8 +185,8 @@ Where: Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable DEP, EmulateAtlThunks, DisallowChildProcessCreation ``` - >[!IMPORTANT] - >Separate each mitigation option with commas. + > [!IMPORTANT] + > Separate each mitigation option with commas. If you wanted to apply DEP at the system level, you'd use the following command: @@ -202,8 +202,7 @@ Where: Set-Processmitigation -Name test.exe -Remove -Disable DEP ``` - - You can also set some mitigations to audit mode. Instead of using the PowerShell cmdlet for the mitigation, use the **Audit mode** cmdlet as specified in the [mitigation cmdlets table](#cmdlets-table) below. + You can also set some mitigations to audit mode. Instead of using the PowerShell cmdlet for the mitigation, use the **Audit mode** cmdlet as specified in the [mitigation cmdlets table](#cmdlets-table) below. For example, to enable Arbitrary Code Guard (ACG) in audit mode for the *testing.exe* used in the example above, you'd use the following command: 
@@ -219,7 +218,6 @@ This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that - Mitigation | Applies to | PowerShell cmdlets | Audit mode cmdlet - | - | - | - Control flow guard (CFG) | System and app-level | CFG, StrictCFG, SuppressExports | Audit not available @@ -244,23 +242,20 @@ Validate handle usage | App-level only | StrictHandle | Audit not available Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available - - \[1\]: Use the following format to enable EAF modules for dlls for a process: ```PowerShell Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll ``` - ## Customize the notification See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file. ## Related topics -- [Protect devices from exploits](exploit-protection-exploit-guard.md) -- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) -- [Evaluate exploit protection](evaluate-exploit-protection.md) -- [Enable exploit protection](enable-exploit-protection.md) -- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) +* [Protect devices from exploits](exploit-protection.md) +* [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection.md) +* [Evaluate exploit protection](evaluate-exploit-protection.md) +* [Enable exploit protection](enable-exploit-protection.md) +* [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) 
From 0d3cf3e8eefe91e6a7b1ac4f884b130033fbe7cd Mon Sep 17 00:00:00 2001 From: martyav Date: Tue, 30 Jul 2019 15:15:57 -0400 Subject: [PATCH 15/49] lint/clean enable asr need to go back & work on EG references --- .../enable-attack-surface-reduction.md | 117 +++++++++--------- 1 file changed, 59 insertions(+), 58 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md index b346df9a75..06c0cb2672 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md @@ -18,7 +18,7 @@ manager: dansimp # Enable attack surface reduction rules -[Attack surface reduction rules](attack-surface-reduction-exploit-guard.md) help prevent actions and apps that malware often uses to infect computers. You can set attack surface reduction rules for computers running Windows 10 or Windows Server 2019. +[Attack surface reduction rules](attack-surface-reduction.md) help prevent actions and apps that malware often uses to infect computers. You can set attack surface reduction rules for computers running Windows 10 or Windows Server 2019. Each ASR rule contains three settings: 
@@ -30,11 +30,11 @@ To use ASR rules, you need either a Windows 10 Enterprise E3 or E5 license. We r You can enable attack surface reduction rules by using any of these methods: -- [Microsoft Intune](#intune) -- [Mobile Device Management (MDM)](#mdm) -- [System Center Configuration Manager (SCCM)](#sccm) -- [Group Policy](#group-policy) -- [PowerShell](#powershell) +* [Microsoft Intune](#intune) +* [Mobile Device Management (MDM)](#mdm) +* [System Center Configuration Manager (SCCM)](#sccm) +* [Group Policy](#group-policy) +* [PowerShell](#powershell) Enterprise-level management such as Intune or SCCM is recommended. Enterprise-level management will overwrite any conflicting Group Policy or PowerShell settings on startup. 
@@ -42,20 +42,20 @@ Enterprise-level management such as Intune or SCCM is recommended. Enterprise-le You can exclude files and folders from being evaluated by most attack surface reduction rules. This means that even if an ASR rule determines the file or folder contains malicious behavior, it will not block the file from running. This could potentially allow unsafe files to run and infect your devices. ->[!WARNING] ->Excluding files or folders can severely reduce the protection provided by ASR rules. Excluded files will be allowed to run, and no report or event will be recorded. -> ->If ASR rules are detecting files that you believe shouldn't be detected, you should [use audit mode first to test the rule](evaluate-attack-surface-reduction.md). - ->[!IMPORTANT] ->File and folder exclusions do not apply to the following ASR rules: +> [!WARNING] +> Excluding files or folders can severely reduce the protection provided by ASR rules. Excluded files will be allowed to run, and no report or event will be recorded. > ->- Block process creations originating from PSExec and WMI commands ->- Block JavaScript or VBScript from launching downloaded executable content +> If ASR rules are detecting files that you believe shouldn't be detected, you should [use audit mode first to test the rule](evaluate-attack-surface-reduction.md). + +> [!IMPORTANT] +> File and folder exclusions do not apply to the following ASR rules: +> +> * Block process creations originating from PSExec and WMI commands +> * Block JavaScript or VBScript from launching downloaded executable content You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules the exclusions apply to. An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted. 
-ASR rules support environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). +ASR rules support environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). The following procedures for enabling ASR rules include instructions for how to exclude files and folders. @@ -66,8 +66,8 @@ The following procedures for enabling ASR rules include instructions for how to 2. In the **Endpoint protection** pane, select **Windows Defender Exploit Guard**, then select **Attack Surface Reduction**. Select the desired setting for each ASR rule. 3. Under **Attack Surface Reduction exceptions**, you can enter individual files and folders, or you can select **Import** to import a CSV file that contains files and folders to exclude from ASR rules. Each line in the CSV file should be in the following format: - - *C:\folder*, *%ProgramFiles%\folder\file*, *C:\path* + + *C:\folder*, *%ProgramFiles%\folder\file*, *C:\path* 4. Select **OK** on the three configuration panes and then select **Create** if you're creating a new endpoint protection file or **Save** if you're editing an existing one. 
@@ -75,7 +75,7 @@ The following procedures for enabling ASR rules include instructions for how to Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductionrules) configuration service provider (CSP) to individually enable and set the mode for each rule. -The following is a sample for reference, using [GUID values for ASR rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#attack-surface-reduction-rules). +The following is a sample for reference, using [GUID values for ASR rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction#attack-surface-reduction-rules). OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules @@ -83,9 +83,9 @@ Value: {75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}=2|{3B576869-A4EC-4529-8536-B80A776 The values to enable, disable, or enable in audit mode are: -- Disable = 0 -- Block (enable ASR rule) = 1 -- Audit = 2 +* Disable = 0 +* Block (enable ASR rule) = 1 +* Audit = 2 Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductiononlyexclusions) configuration service provider (CSP) to add exclusions. @@ -95,8 +95,8 @@ OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExc Value: c:\path|e:\path|c:\Whitelisted.exe ->[!NOTE] ->Be sure to enter OMA-URI values without spaces. +> [!NOTE] +> Be sure to enter OMA-URI values without spaces. ## SCCM 
@@ -105,12 +105,12 @@ Value: c:\path|e:\path|c:\Whitelisted.exe 1. Enter a name and a description, click **Attack Surface Reduction**, and click **Next**. 1. Choose which rules will block or audit actions and click **Next**. 1. Review the settings and click **Next** to create the policy. -1. After the policy is created, click **Close**. +1. After the policy is created, click **Close**. ## Group Policy ->[!WARNING] ->If you manage your computers and devices with Intune, SCCM, or other enterprise-level management platform, the management software will overwrite any conflicting Group Policy settings on startup. +> [!WARNING] +> If you manage your computers and devices with Intune, SCCM, or other enterprise-level management platform, the management software will overwrite any conflicting Group Policy settings on startup. 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. 
@@ -119,15 +119,17 @@ Value: c:\path|e:\path|c:\Whitelisted.exe 3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Attack surface reduction**. 4. Select **Configure Attack surface reduction rules** and select **Enabled**. You can then set the individual state for each rule in the options section: - - Click **Show...** and enter the rule ID in the **Value name** column and your desired state in the **Value** column as follows: - - Disable = 0 - - Block (enable ASR rule) = 1 - - Audit = 2 + + * Click **Show...** and enter the rule ID in the **Value name** column and your desired state in the **Value** column as follows: + + * Disable = 0 + * Block (enable ASR rule) = 1 + * Audit = 2 ![Group policy setting showing a blank attack surface reduction rule ID and value of 1](images/asr-rules-gp.png) -5. To exclude files and folders from ASR rules, select the **Exclude files and paths from Attack surface reduction rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item. - +5. To exclude files and folders from ASR rules, select the **Exclude files and paths from Attack surface reduction rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item. + ## PowerShell >[!WARNING] 
@@ -141,32 +143,32 @@ Value: c:\path|e:\path|c:\Whitelisted.exe Set-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions Enabled ``` - To enable ASR rules in audit mode, use the following cmdlet: + To enable ASR rules in audit mode, use the following cmdlet: - ```PowerShell - Add-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions AuditMode + ```PowerShell + Add-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions AuditMode ``` - To turn off ASR rules, use the following cmdlet: + To turn off ASR rules, use the following cmdlet: - ```PowerShell - Add-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions Disabled + ```PowerShell + Add-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions Disabled ``` - >[!IMPORTANT] - >You must specify the state individually for each rule, but you can combine rules and states in a comma-separated list. - > - >In the following example, the first two rules will be enabled, the third rule will be disabled, and the fourth rule will be enabled in audit mode: - > - >```PowerShell - >Set-MpPreference -AttackSurfaceReductionRules_Ids ,,, -AttackSurfaceReductionRules_Actions Enabled, Enabled, Disabled, AuditMode - >``` + > [!IMPORTANT] + > You must specify the state individually for each rule, but you can combine rules and states in a comma-separated list. + > + > In the following example, the first two rules will be enabled, the third rule will be disabled, and the fourth rule will be enabled in audit mode: + > + > ```PowerShell + > Set-MpPreference -AttackSurfaceReductionRules_Ids ,,, -AttackSurfaceReductionRules_Actions Enabled, Enabled, Disabled, AuditMode + > ``` - You can also the `Add-MpPreference` PowerShell verb to add new rules to the existing list. + You can also the `Add-MpPreference` PowerShell verb to add new rules to the existing list. 
- >[!WARNING] - >`Set-MpPreference` will always overwrite the existing set of rules. If you want to add to the existing set, you should use `Add-MpPreference` instead. - >You can obtain a list of rules and their current state by using `Get-MpPreference` + > [!WARNING] + > `Set-MpPreference` will always overwrite the existing set of rules. If you want to add to the existing set, you should use `Add-MpPreference` instead. + > You can obtain a list of rules and their current state by using `Get-MpPreference` 3. To exclude files and folders from ASR rules, use the following cmdlet: @@ -174,14 +176,13 @@ Value: c:\path|e:\path|c:\Whitelisted.exe Add-MpPreference -AttackSurfaceReductionOnlyExclusions "" ``` - Continue to use `Add-MpPreference -AttackSurfaceReductionOnlyExclusions` to add more files and folders to the list. - - >[!IMPORTANT] - >Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. + Continue to use `Add-MpPreference -AttackSurfaceReductionOnlyExclusions` to add more files and folders to the list. + > [!IMPORTANT] + > Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. ## Related topics -- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md) -- [Evaluate attack surface reduction](evaluate-attack-surface-reduction.md) -- [Enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) +* [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md) +* [Evaluate attack surface reduction](evaluate-attack-surface-reduction.md) +* [Enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) 
From 7b13a3b6a8e9d4bcf189a06e2159b3e90affbe95 Mon Sep 17 00:00:00 2001 From: martyav Date: Tue, 30 Jul 2019 15:27:22 -0400 Subject: [PATCH 16/49] lint/cleaned enable exploit protection --- .../enable-exploit-protection.md | 150 +++++++++--------- 1 file changed, 73 insertions(+), 77 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md index e3fd820ba9..ede2c232c7 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md 
@@ -20,93 +20,93 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[Exploit protection](exploit-protection-exploit-guard.md) helps protect against malware that uses exploits to infect devices and spread. It consists of a number of mitigations that can be applied to either the operating system or individual apps. +[Exploit protection](exploit-protection.md) helps protect against malware that uses exploits to infect devices and spread. It consists of a number of mitigations that can be applied to either the operating system or individual apps. -Many features from the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection. +Many features from the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection. You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Audit mode allows you to test how the mitigations would work (and review events) without impacting the normal use of the machine. You can enable each mitigation separately by using any of these methods: -- [Windows Security app](#windows-security-app) -- [Microsoft Intune](#intune) -- [Mobile Device Management (MDM)](#mdm) -- [System Center Configuration Manager (SCCM)](#sccm) -- [Group Policy](#group-policy) -- [PowerShell](#powershell) +* [Windows Security app](#windows-security-app) +* [Microsoft Intune](#intune) +* [Mobile Device Management (MDM)](#mdm) +* [System Center Configuration Manager (SCCM)](#sccm) +* [Group Policy](#group-policy) +* [PowerShell](#powershell) -They are configured by default in Windows 10. +They are configured by default in Windows 10. -You can set each mitigation to on, off, or to its default value. +You can set each mitigation to on, off, or to its default value. 
Some mitigations have additional options. -You can [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) and deploy them to other machines. +You can [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) and deploy them to other machines. ## Windows Security app 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**. - + 3. Go to **Program settings** and choose the app you want to apply mitigations to: 1. If the app you want to configure is already listed, click it and then click **Edit** 2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app: - - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. - - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. - + * Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. + * Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. + 4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows. -5. Repeat this for all the apps and mitigations you want to configure. +5. 
Repeat this for all the apps and mitigations you want to configure. -3. Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here: - - **On by default** - The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section - - **Off by default** - The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section - - **Use default** - The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation +6. Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here: + * **On by default** - The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section + * **Off by default** - The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section + * **Use default** - The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation -5. Repeat this for all the system-level mitigations you want to configure. Click **Apply** when you're done setting up your configuration. +7. Repeat this for all the system-level mitigations you want to configure. Click **Apply** when you're done setting up your configuration. 
If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work: Enabled in **Program settings** | Enabled in **System settings** | Behavior -:-: | :-: | :-: +-|-|- [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | As defined in **Program settings** [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | As defined in **Program settings** [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | As defined in **System settings** [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | Default as defined in **Use default** option -**Example 1** - +**Example 1** + Mikael configures **Data Execution Prevention (DEP)** in the **System settings** section to be **Off by default**. Mikael then adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, he enables the **Override system settings** option and sets the switch to **On**. There are no other apps listed in the **Program settings** section. - + The result will be that DEP only will be enabled for *test.exe*. All other apps will not have DEP applied. **Example 2** Josie configures **Data Execution Prevention (DEP)** in the **System settings** section to be **Off by default**. -Josie then adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, she enables the **Override system settings** option and sets the switch to **On**. +Josie then adds the app *test.exe* to the **Program settings** section. 
In the options for that app, under **Data Execution Prevention (DEP)**, she enables the **Override system settings** option and sets the switch to **On**. Josie also adds the app *miles.exe* to the **Program settings** section and configures **Control flow guard (CFG)** to **On**. She doesn't enable the **Override system settings** option for DEP or any other mitigations for that app. -The result will be that DEP will be enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*. +The result will be that DEP will be enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*. CFG will be enabled for *miles.exe*. 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**. - + 3. Go to **Program settings** and choose the app you want to apply mitigations to: 1. If the app you want to configure is already listed, click it and then click **Edit** 2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app: - - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. - - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. - + * Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. + * Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. + 4. 
After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows. 5. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration. @@ -116,11 +116,11 @@ CFG will be enabled for *miles.exe*. 1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune. 1. Click **Device configuration** > **Profiles** > **Create profile**. 1. Name the profile, choose **Windows 10 and later** and **Endpoint protection**. - ![Create endpoint protection profile](images/create-endpoint-protection-profile.png) + ![Create endpoint protection profile](images/create-endpoint-protection-profile.png) 1. Click **Configure** > **Windows Defender Exploit Guard** > **Exploit protection**. 1. Upload an [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) with the exploit protection settings: ![Enable network protection in Intune](images/enable-ep-intune.png) -1. Click **OK** to save each open blade and click **Create**. +1. Click **OK** to save each open blade and click **Create**. 1. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**. ## MDM 
@@ -134,50 +134,51 @@ Use the [./Vendor/MSFT/Policy/Config/ExploitGuard/ExploitProtectionSettings](htt 1. Enter a name and a description, click **Exploit protection**, and click **Next**. 1. Browse to the location of the exploit protection XML file and click **Next**. 1. Review the settings and click **Next** to create the policy. -1. After the policy is created, click **Close**. +1. After the policy is created, click **Close**. ## Group Policy -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -1. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +1. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -1. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit Protection** > **Use a common set of exploit protection settings**. +1. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit Protection** > **Use a common set of exploit protection settings**. -6. Click **Enabled** and type the location of the [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) and click **OK**. +1. Click **Enabled** and type the location of the [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) and click **OK**. ## PowerShell You can use the PowerShell verb `Get` or `Set` with the cmdlet `ProcessMitigation`. 
Using `Get` will list the current configuration status of any mitigations that have been enabled on the device - add the `-Name` cmdlet and app exe to see mitigations for just that app: ```PowerShell -Get-ProcessMitigation -Name processName.exe +Get-ProcessMitigation -Name processName.exe ``` ->[!IMPORTANT] ->System-level mitigations that have not been configured will show a status of `NOTSET`. +> [!IMPORTANT] +> System-level mitigations that have not been configured will show a status of `NOTSET`. > ->For system-level settings, `NOTSET` indicates the default setting for that mitigation has been applied. +> For system-level settings, `NOTSET` indicates the default setting for that mitigation has been applied. > ->For app-level settings, `NOTSET` indicates the system-level setting for the mitigation will be applied. +> For app-level settings, `NOTSET` indicates the system-level setting for the mitigation will be applied. > ->The default setting for each system-level mitigation can be seen in the Windows Security. +> The default setting for each system-level mitigation can be seen in the Windows Security. Use `Set` to configure each mitigation in the following format: ```PowerShell Set-ProcessMitigation - - ,, ``` + Where: -- \: - - `-Name` to indicate the mitigations should be applied to a specific app. Specify the app's executable after this flag. - - `-System` to indicate the mitigation should be applied at the system level -- \: - - `-Enable` to enable the mitigation - - `-Disable` to disable the mitigation -- \: - - The mitigation's cmdlet along with any suboptions (surrounded with spaces). Each mitigation is separated with a comma. +* \: + * `-Name` to indicate the mitigations should be applied to a specific app. Specify the app's executable after this flag. 
+ * `-System` to indicate the mitigation should be applied at the system level +* \: + * `-Enable` to enable the mitigation + * `-Disable` to disable the mitigation +* \: + * The mitigation's cmdlet along with any suboptions (surrounded with spaces). Each mitigation is separated with a comma. For example, to enable the Data Execution Prevention (DEP) mitigation with ATL thunk emulation and for an executable called *testing.exe* in the folder *C:\Apps\LOB\tests*, and to prevent that executable from creating child processes, you'd use the following command: @@ -185,8 +186,8 @@ For example, to enable the Data Execution Prevention (DEP) mitigation with ATL t Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable DEP, EmulateAtlThunks, DisallowChildProcessCreation ``` ->[!IMPORTANT] ->Separate each mitigation option with commas. +> [!IMPORTANT] +> Separate each mitigation option with commas. If you wanted to apply DEP at the system level, you'd use the following command: @@ -202,8 +203,7 @@ If you need to restore the mitigation back to the system default, you need to in Set-Processmitigation -Name test.exe -Remove -Disable DEP ``` -This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that can be used to configure each mitigation. - +This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that can be used to configure each mitigation. Mitigation | Applies to | PowerShell cmdlets | Audit mode cmdlet - | - | - | - 
@@ -213,39 +213,35 @@ Force randomization for images (Mandatory ASLR) | System and app-level | Force Randomize memory allocations (Bottom-Up ASLR) | System and app-level | BottomUp, HighEntropy | Audit not available Validate exception chains (SEHOP) | System and app-level | SEHOP, SEHOPTelemetry | Audit not available Validate heap integrity | System and app-level | TerminateOnHeapError | Audit not available -Arbitrary code guard (ACG) | App-level only | DynamicCode | AuditDynamicCode -Block low integrity images | App-level only | BlockLowLabel | AuditImageLoad -Block remote images | App-level only | BlockRemoteImages | Audit not available -Block untrusted fonts | App-level only | DisableNonSystemFonts | AuditFont, FontAuditOnly -Code integrity guard | App-level only | BlockNonMicrosoftSigned, AllowStoreSigned | AuditMicrosoftSigned, AuditStoreSigned +Arbitrary code guard (ACG) | App-level only | DynamicCode | AuditDynamicCode +Block low integrity images | App-level only | BlockLowLabel | AuditImageLoad +Block remote images | App-level only | BlockRemoteImages | Audit not available +Block untrusted fonts | App-level only | DisableNonSystemFonts | AuditFont, FontAuditOnly +Code integrity guard | App-level only | BlockNonMicrosoftSigned, AllowStoreSigned | AuditMicrosoftSigned, AuditStoreSigned Disable extension points | App-level only | ExtensionPoint | Audit not available Disable Win32k system calls | App-level only | DisableWin32kSystemCalls | AuditSystemCall Do not allow child processes | App-level only | DisallowChildProcessCreation | AuditChildProcess -Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter \[1\] | Audit not available -Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available -Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available -Validate API invocation (CallerCheck) | App-level only | EnableRopCallerCheck | Audit not 
available +Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter \[1\] | Audit not available +Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available +Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available +Validate API invocation (CallerCheck) | App-level only | EnableRopCallerCheck | Audit not available Validate handle usage | App-level only | StrictHandle | Audit not available -Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available -Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available - - +Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available +Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available \[1\]: Use the following format to enable EAF modules for dlls for a process: ```PowerShell -Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll +Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll ``` - ## Customize the notification See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file. 
- ## Related topics -- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) -- [Evaluate exploit protection](evaluate-exploit-protection.md) -- [Configure and audit exploit protection mitigations](customize-exploit-protection.md) -- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) +* [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection.md) +* [Evaluate exploit protection](evaluate-exploit-protection.md) +* [Configure and audit exploit protection mitigations](customize-exploit-protection.md) +* [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) From c9c38758ad9b121504881b71307f2f206cfc96fb Mon Sep 17 00:00:00 2001 From: martyav Date: Tue, 30 Jul 2019 15:32:05 -0400 Subject: [PATCH 17/49] lint/cleaned enable network protection -- need more work on eg refs --- .../enable-network-protection.md | 63 +++++++++---------- 1 file changed, 31 insertions(+), 32 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md index 59240aa5f7..c319d3d411 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md 
@@ -20,28 +20,28 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[Network protection](network-protection-exploit-guard.md) helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. +[Network protection](network-protection.md) helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. You can [audit network protection](evaluate-network-protection.md) in a test environment to see which apps would be blocked before you enable it. You can enable network protection by using any of these methods: -- [Microsoft Intune](#intune) -- [Mobile Device Management (MDM)](#mdm) -- [System Center Configuration Manager (SCCM)](#sccm) -- [Group Policy](#group-policy) -- [PowerShell](#powershell) +* [Microsoft Intune](#intune) +* [Mobile Device Management (MDM)](#mdm) +* [System Center Configuration Manager (SCCM)](#sccm) +* [Group Policy](#group-policy) +* [PowerShell](#powershell) ## Intune 1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune. 1. Click **Device configuration** > **Profiles** > **Create profile**. 1. Name the profile, choose **Windows 10 and later** and **Endpoint protection**. - ![Create endpoint protection profile](images/create-endpoint-protection-profile.png) + ![Create endpoint protection profile](images/create-endpoint-protection-profile.png) 1. Click **Configure** > **Windows Defender Exploit Guard** > **Network filtering** > **Enable**. ![Enable network protection in Intune](images/enable-np-intune.png) -1. Click **OK** to save each open blade and click **Create**. +1. 
Click **OK** to save each open blade and click **Create**. 1. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**. ## MDM 
@@ -55,60 +55,59 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://d 1. Enter a name and a description, click **Network protection**, and click **Next**. 1. Choose whether to block or audit access to suspicious domains and click **Next**. 1. Review the settings and click **Next** to create the policy. -1. After the policy is created, click **Close**. +1. After the policy is created, click **Close**. -## Group Policy +## Group Policy -You can use the following procedure to enable network protection on domain-joined computers or on a standalone computer. +You can use the following procedure to enable network protection on domain-joined computers or on a standalone computer. -1. On a standalone computer, click **Start**, type and then click **Edit group policy**. +1. On a standalone computer, click **Start**, type and then click **Edit group policy**. -Or- - + On a domain-joined Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Network protection**. +3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Network protection**. 4. Double-click the **Prevent users and apps from accessing dangerous websites** setting and set the option to **Enabled**. In the options section, you must specify one of the following: - - **Block** - Users will not be able to access malicious IP addresses and domains - - **Disable (Default)** - The Network protection feature will not work. 
Users will not be blocked from accessing malicious domains - - **Audit Mode** - If a user visits a malicious IP address or domain, an event will be recorded in the Windows event log but the user will not be blocked from visiting the address. + * **Block** - Users will not be able to access malicious IP addresses and domains + * **Disable (Default)** - The Network protection feature will not work. Users will not be blocked from accessing malicious domains + * **Audit Mode** - If a user visits a malicious IP address or domain, an event will be recorded in the Windows event log but the user will not be blocked from visiting the address. ->[!IMPORTANT] ->To fully enable network protection, you must set the Group Policy option to **Enabled** and also select **Block** in the options drop-down menu. +> [!IMPORTANT] +> To fully enable network protection, you must set the Group Policy option to **Enabled** and also select **Block** in the options drop-down menu. You can confirm network protection is enabled on a local computer by using Registry editor: 1. Click **Start** and type **regedit** to open **Registry Editor**. 1. Navigate to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection -1. Click **EnableNetworkProtection** and confirm the value: - - 0=Off - - 1=On - - 2=Audit +1. Click **EnableNetworkProtection** and confirm the value: + * 0=Off + * 1=On + * 2=Audit ## PowerShell 1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator** 2. Enter the following cmdlet: - ``` + ```PowerShell Set-MpPreference -EnableNetworkProtection Enabled ``` You can enable the feature in audit mode using the following cmdlet: -``` +```PowerShell Set-MpPreference -EnableNetworkProtection AuditMode ``` Use `Disabled` instead of `AuditMode` or `Enabled` to turn the feature off. 
- ## Related topics -- [Windows Defender Exploit Guard](windows-defender-exploit-guard.md) -- [Network protection](network-protection-exploit-guard.md) -- [Evaluate network protection](evaluate-network-protection.md) -- [Troubleshoot network protection](troubleshoot-np.md) +* [Windows Defender Exploit Guard](windows-defender-exploit-guard.md) +* [Network protection](network-protection.md) +* [Evaluate network protection](evaluate-network-protection.md) +* [Troubleshoot network protection](troubleshoot-np.md) From 0b5a47b1114a2ce038c2cd4ec12f7d5ea32c2455 Mon Sep 17 00:00:00 2001 From: martyav Date: Tue, 30 Jul 2019 15:36:44 -0400 Subject: [PATCH 18/49] lint/cleaned evaluate attack surface reduction --- .../evaluate-attack-surface-reduction.md | 45 +++++++------------ 1 file changed, 15 insertions(+), 30 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md index 145da203d5..88b5fd4383 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md 
@@ -20,14 +20,14 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients. This topic helps you evaluate attack surface reduction rules. It explains how to enable audit mode so you can test the feature directly in your organization. ->[!TIP] ->You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. +> [!TIP] +> You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. ## Use audit mode to measure impact 
@@ -43,42 +43,27 @@ Set-MpPreference -AttackSurfaceReductionRules_Actions AuditMode This enables all attack surface reduction rules in audit mode. ->[!TIP] ->If you want to fully audit how attack surface reduction rules will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s). -You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Attack surface reduction rules topic](attack-surface-reduction-exploit-guard.md). +> [!TIP] +> If you want to fully audit how attack surface reduction rules will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s). +You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Attack surface reduction rules topic](attack-surface-reduction.md). ## Review attack surface reduction events in Windows Event Viewer To review apps that would have been blocked, open Event Viewer and filter for Event ID 1121 in the Microsoft-Windows-Windows-Defender/Operational log. The following table lists all network protection events. - -| Event ID | Description | -|----------|-------------| -|5007 | Event when settings are changed | -| 1121 | Event when an attack surface reduction rule fires in block mode | -| 1122 | Event when an attack surface reduction rule fires in audit mode | + Event ID | Description +-|- + 5007 | Event when settings are changed + 1121 | Event when an attack surface reduction rule fires in block mode + 1122 | Event when an attack surface reduction rule fires in audit mode ## Customize attack surface reduction rules -During your evaluation, you may wish to configure each rule individualy or exclude certain files and processes from being evaluated by the feature. 
+During your evaluation, you may wish to configure each rule individually or exclude certain files and processes from being evaluated by the feature. See the [Customize attack surface reduction rules](customize-attack-surface-reduction.md) topic for information on configuring the feature with management tools, including Group Policy and MDM CSP policies. ## Related topics -- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md) -- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md) -- [Use audit mode to evaluate Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md) - - - - - - - - - - - - - - +* [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md) +* [Evaluate Windows Defender](evaluate-windows-defender.md) +* [Use audit mode to evaluate Windows Defender](audit-windows-defender.md) From c2fe711d1edb8477f79f19c6ac206e8117f551bc Mon Sep 17 00:00:00 2001 From: martyav Date: Tue, 30 Jul 2019 15:39:51 -0400 Subject: [PATCH 19/49] lint/cleaned evaluate controlled folder --- .../evaluate-controlled-folder-access.md | 35 ++++++++++--------- 1 file changed, 18 insertions(+), 17 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md index 08d11df095..2a2bcb12fb 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md 
@@ -20,16 +20,16 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[Controlled folder access](controlled-folders-exploit-guard.md) is a feature that helps protect your documents and files from modification by suspicious or malicious apps. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. +[Controlled folder access](controlled-folders.md) is a feature that helps protect your documents and files from modification by suspicious or malicious apps. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. It is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/wdsi/threats/ransomware) that can attempt to encrypt your files and hold them hostage. This topic helps you evaluate controlled folder access. It explains how to enable audit mode so you can test the feature directly in your organization. ->[!TIP] ->You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. +> [!TIP] +> You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. ## Use audit mode to measure impact 
@@ -43,27 +43,28 @@ To enable audit mode, use the following PowerShell cmdlet: Set-MpPreference -EnableControlledFolderAccess AuditMode ``` ->[!TIP] ->If you want to fully audit how controlled folder access will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s). -You can also use Group Policy, Intune, MDM, or System Center Configuration Manager to configure and deploy the setting, as described in the main [controlled folder access topic](controlled-folders-exploit-guard.md). +> [!TIP] +> If you want to fully audit how controlled folder access will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s). +You can also use Group Policy, Intune, MDM, or System Center Configuration Manager to configure and deploy the setting, as described in the main [controlled folder access topic](controlled-folders.md). ## Review controlled folder access events in Windows Event Viewer The following controlled folder access events appear in Windows Event Viewer under Microsoft/Windows/Windows Defender/Operational folder. -| Event ID | Description | -| --- | --- | -| 5007 | Event when settings are changed | -| 1124 | Audited controlled folder access event | -| 1123 | Blocked controlled folder access event | +Event ID | Description +-|- + 5007 | Event when settings are changed + 1124 | Audited controlled folder access event + 1123 | Blocked controlled folder access event ## Customize protected folders and apps -During your evaluation, you may wish to add to the list of protected folders, or allow certain apps to modify files. +During your evaluation, you may wish to add to the list of protected folders, or allow certain apps to modify files. -See [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md) for configuring the feature with management tools, including Group Policy, PowerShell, and MDM CSP. 
+See [Protect important folders with controlled folder access](controlled-folders.md) for configuring the feature with management tools, including Group Policy, PowerShell, and MDM CSP. ## Related topics -- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md) -- [Evaluate Microsoft Defender ATP](evaluate-windows-defender-exploit-guard.md) -- [Use audit mode](audit-windows-defender-exploit-guard.md) + +* [Protect important folders with controlled folder access](controlled-folders.md) +* [Evaluate Microsoft Defender ATP](evaluate-windows-defender.md) +* [Use audit mode](audit-windows-defender.md) From ba09549c94a000e84b16b9426d1599d34d7e7484 Mon Sep 17 00:00:00 2001 From: martyav Date: Tue, 30 Jul 2019 15:45:46 -0400 Subject: [PATCH 20/49] lint/cleaned evaluate exploit protection --- .../evaluate-exploit-protection.md | 85 +++++++++---------- 1 file changed, 42 insertions(+), 43 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md index 61220879a8..a5bc1ec8a0 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md 
@@ -20,70 +20,69 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[Exploit protection](exploit-protection-exploit-guard.md) helps protect devices from malware that uses exploits to spread and infect other devices. +[Exploit protection](exploit-protection.md) helps protect devices from malware that uses exploits to spread and infect other devices. It consists of a number of mitigations that can be applied to either the operating system or an individual app. -Many of the features that were part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) are included in exploit protection. +Many of the features that were part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) are included in exploit protection. -This topic helps you enable exploit protection in audit mode and review related events in Event Viewer. +This topic helps you enable exploit protection in audit mode and review related events in Event Viewer. You can enable audit mode for certain app-level mitigations to see how they will work in a test environment. This lets you see a record of what *would* have happened if you had enabled the mitigation in production. You can make sure it doesn't affect your line-of-business apps, and see which suspicious or malicious events occur. ->[!TIP] ->You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to see how exploit protection works. +> [!TIP] +> You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to see how exploit protection works. 
## Enable exploit protection in audit mode -You can set mitigations in audit mode for specific programs either by using the Windows Security app or PowerShell. +You can set mitigations in audit mode for specific programs either by using the Windows Security app or PowerShell. ### Windows Security app 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**. - + 3. Go to **Program settings** and choose the app you want to apply mitigations to: 1. If the app you want to configure is already listed, click it and then click **Edit** 2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app: - - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. - - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. - + * Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. + * Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. + 4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows. 5. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration. 
### PowerShell -To set app-level mitigations to audit mode, use `Set-ProcessMitigation` with the **Audit mode** cmdlet. +To set app-level mitigations to audit mode, use `Set-ProcessMitigation` with the **Audit mode** cmdlet. Configure each mitigation in the following format: - ```PowerShell Set-ProcessMitigation - - ,, ``` Where: -- \: - - `-Name` to indicate the mitigations should be applied to a specific app. Specify the app's executable after this flag. -- \: - - `-Enable` to enable the mitigation - - `-Disable` to disable the mitigation -- \: - - The mitigation's cmdlet as defined in the following table. Each mitigation is separated with a comma. +* \: + * `-Name` to indicate the mitigations should be applied to a specific app. Specify the app's executable after this flag. +* \: + * `-Enable` to enable the mitigation + * `-Disable` to disable the mitigation +* \: + * The mitigation's cmdlet as defined in the following table. Each mitigation is separated with a comma. -| Mitigation | Audit mode cmdlet | -| - | - | -|Arbitrary code guard (ACG) | AuditDynamicCode | -|Block low integrity images | AuditImageLoad | -|Block untrusted fonts | AuditFont, FontAuditOnly | -|Code integrity guard | AuditMicrosoftSigned, AuditStoreSigned | -|Disable Win32k system calls | AuditSystemCall | -|Do not allow child processes | AuditChildProcess | + Mitigation | Audit mode cmdlet +-|- + Arbitrary code guard (ACG) | AuditDynamicCode + Block low integrity images | AuditImageLoad + Block untrusted fonts | AuditFont, FontAuditOnly + Code integrity guard | AuditMicrosoftSigned, AuditStoreSigned + Disable Win32k system calls | AuditSystemCall + Do not allow child processes | AuditChildProcess For example, to enable Arbitrary Code Guard (ACG) in audit mode for an app named *testing.exe*, run the following command: 
@@ -98,21 +97,21 @@ You can disable audit mode by replacing `-Enable` with `-Disable`. To review which apps would have been blocked, open Event Viewer and filter for the following events in the Security-Mitigations log. Feature | Provider/source | Event ID | Description -:-|:-|:-:|:- -Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 1 | ACG audit -Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 3 | Do not allow child processes audit -Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 5 | Block low integrity images audit -Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 7 | Block remote images audit -Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 9 | Disable win32k system calls audit -Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 11 | Code integrity guard audit +-|-|-|- + Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 1 | ACG audit + Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 3 | Do not allow child processes audit + Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 5 | Block low integrity images audit + Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 7 | Block remote images audit + Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 9 | Disable win32k system calls audit + Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 11 | Code integrity guard audit ## Related topics -- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) -- [Enable exploit protection](enable-exploit-protection.md) -- [Configure and audit exploit protection mitigations](customize-exploit-protection.md) -- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) -- [Troubleshoot exploit protection](troubleshoot-exploit-protection-mitigations.md) -- [Enable network 
protection](enable-network-protection.md) -- [Enable controlled folder access](enable-controlled-folders-exploit-guard.md) -- [Enable attack surface reduction](enable-attack-surface-reduction.md) +* [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection.md) +* [Enable exploit protection](enable-exploit-protection.md) +* [Configure and audit exploit protection mitigations](customize-exploit-protection.md) +* [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) +* [Troubleshoot exploit protection](troubleshoot-exploit-protection-mitigations.md) +* [Enable network protection](enable-network-protection.md) +* [Enable controlled folder access](enable-controlled-folders.md) +* [Enable attack surface reduction](enable-attack-surface-reduction.md) From 1ae0a5455ef59ec995d8919436cf7a837e143695 Mon Sep 17 00:00:00 2001 From: martyav Date: Tue, 30 Jul 2019 15:48:09 -0400 Subject: [PATCH 21/49] lint/cleaned evaluate network protection -- need to work on ref to EG --- .../evaluate-network-protection.md | 22 +++++++++---------- 1 file changed, 10 insertions(+), 12 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md index 5015d0f283..6064e1cbdd 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md 
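Review bot: The replacement header row `-|-|-|-` drops the `:-:` centering that the old `:-|:-|:-:|:-` gave the Event ID column, and every data row now starts with a space while the column-title line `Feature | Provider/source | Event ID | Description` does not, so the table is no longer visually aligned in source. Keeping the alignment markers, `:-|:-|:-:|:-`, and either indenting the title row or not indenting the data rows would make this table consistent with itself and with the mitigation table earlier in the file.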
@@ -20,15 +20,14 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[Network protection](network-protection-exploit-guard.md) helps prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. +[Network protection](network-protection.md) helps prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. This topic helps you evaluate Network protection by enabling the feature and guiding you to a testing site. The site in this evaluation topic are not malicious, they are specially created websites that pretend to be malicious. The site will replicate the behavior that would happen if a user visited a malicious site or domain. - ->[!TIP] ->You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to see how other protection features work. +> [!TIP] +> You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to see how other protection features work. ## Enable network protection in audit mode 
@@ -52,9 +51,9 @@ You might want to do this to make sure it doesn't affect line-of-business apps o The network connection will be allowed and a test message will be displayed. ![Example notification that says Connection blocked: Your IT administrator caused Windows Security to block this network connection. Contact your IT help desk.](images/np-notif.png) - + ## Review network protection events in Windows Event Viewer - + To review apps that would have been blocked, open Event Viewer and filter for Event ID 1125 in the Microsoft-Windows-Windows-Defender/Operational log. The following table lists all network protection events. | Event ID | Provide/Source | Description | @@ -63,10 +62,9 @@ To review apps that would have been blocked, open Event Viewer and filter for Ev |1125 | Windows Defender (Operational) | Event when a network connection is audited | |1126 | Windows Defender (Operational) | Event when a network connection is blocked | - ## Related topics -- [Windows Defender Exploit Guard](windows-defender-exploit-guard.md) -- [Network protection](network-protection-exploit-guard.md) -- [Enable network protection](enable-network-protection.md) -- [Troubleshoot network protection](troubleshoot-np.md) +* [Windows Defender Exploit Guard](windows-defender-exploit-guard.md) +* [Network protection](network-protection.md) +* [Enable network protection](enable-network-protection.md) +* [Troubleshoot network protection](troubleshoot-np.md) From c27a0535276e54a36fa4b3ec18c91169ee72ef44 Mon Sep 17 00:00:00 2001 
From: martyav Date: Tue, 30 Jul 2019 18:24:07 -0400 Subject: [PATCH 22/49] second pass at links --- windows/security/threat-protection/TOC.md | 10 +-- .../attack-surface-reduction.md | 2 +- .../customize-controlled-folders.md | 55 ++++++------ .../enable-network-protection.md | 2 +- ...port-export-exploit-protection-emet-xml.md | 71 +++++++-------- .../windows-defender-exploit-guard/oldTOC.md | 22 +++-- .../troubleshoot-asr.md | 41 +++++---- ...bleshoot-exploit-protection-mitigations.md | 86 +++++++++---------- .../troubleshoot-np.md | 60 +++++++------ .../wdsc-app-browser-control.md | 2 +- 10 files changed, 177 insertions(+), 174 deletions(-) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index dfc28eefbc..19b31cf45d 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md 
@@ -27,10 +27,10 @@ ##### [System integrity](windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md) #### [Application control](windows-defender-application-control/windows-defender-application-control.md) -#### [Exploit protection](windows-defender-exploit-guard/exploit-protection-exploit-guard.md) -#### [Network protection](windows-defender-exploit-guard/network-protection-exploit-guard.md) -#### [Controlled folder access](windows-defender-exploit-guard/controlled-folders-exploit-guard.md) -#### [Attack surface reduction](windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md) +#### [Exploit protection](windows-defender-exploit-guard/exploit-protection.md) +#### [Network protection](windows-defender-exploit-guard/network-protection.md) +#### [Controlled folder access](windows-defender-exploit-guard/controlled-folders.md) +#### [Attack surface reduction](windows-defender-exploit-guard/attack-surface-reduction.md) #### [Network firewall](windows-firewall/windows-firewall-with-advanced-security.md) ### [Next generation protection](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) @@ -206,7 +206,7 @@ ##### [Import/export configurations](windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md) #### [Network protection](windows-defender-exploit-guard/enable-network-protection.md) -#### [Controlled folder access](windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md) +#### [Controlled folder access](windows-defender-exploit-guard/enable-controlled-folders) #### [Attack surface reduction controls]() ##### [Enable attack surface reduction rules](windows-defender-exploit-guard/enable-attack-surface-reduction.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction.md index 1c085cc8f4..8604b3e061 100644 
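Review bot: The second TOC hunk drops the file extension: `#### [Controlled folder access](windows-defender-exploit-guard/enable-controlled-folders)` has no `.md`, so this entry will not resolve the way its neighbours do. The other hunks in this commit (evaluate-exploit-protection and customize-controlled-folders Related topics) link to `enable-controlled-folders.md`, so the line should read `#### [Controlled folder access](windows-defender-exploit-guard/enable-controlled-folders.md)`.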
--- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction.md @@ -64,7 +64,7 @@ You can review the Windows event log to view events that are created when attack 3. Click **Import custom view...** on the left panel, under **Actions**. -4. Select the file *cfa-events.xml* from where it was extracted. Alternatively, [copy the XML directly](event-views-exploit-guard.md). +4. Select the file *cfa-events.xml* from where it was extracted. Alternatively, [copy the XML directly](event-views.md). 5. Click **OK**. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders.md index 1acfffd14f..e3f6569085 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders.md 
@@ -20,19 +20,19 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. This topic describes how to customize the following settings of the controlled folder access feature with the Windows Security app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs): -- [Add additional folders to be protected](#protect-additional-folders) -- [Add apps that should be allowed to access protected folders](#allow-specific-apps-to-make-changes-to-controlled-folders) +* [Add additional folders to be protected](#protect-additional-folders) +* [Add apps that should be allowed to access protected folders](#allow-specific-apps-to-make-changes-to-controlled-folders) ->[!WARNING] ->Controlled folder access monitors apps for activities that may be malicious. Sometimes it might block a legitimate app from making legitimate changes to your files. +> [!WARNING] +> Controlled folder access monitors apps for activities that may be malicious. Sometimes it might block a legitimate app from making legitimate changes to your files. > ->This may impact your organization's productivity, so you may want to consider running the feature in [audit mode](audit-windows-defender-exploit-guard.md) to fully assess the feature's impact. +> This may impact your organization's productivity, so you may want to consider running the feature in [audit mode](audit-windows-defender.md) to fully assess the feature's impact. ## Protect additional folders 
@@ -42,7 +42,7 @@ You can add additional folders to be protected, but you cannot remove the defaul Adding other folders to controlled folder access can be useful, for example, if you don't store files in the default Windows libraries or you've changed the location of the libraries away from the defaults. -You can also enter network shares and mapped drives. Environment variables and wildcards are supported. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). +You can also enter network shares and mapped drives. Environment variables and wildcards are supported. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). You can use the Windows Security app or Group Policy to add and remove additional protected folders. 
@@ -55,14 +55,14 @@ You can use the Windows Security app or Group Policy to add and remove additiona 3. Under the **Controlled folder access** section, click **Protected folders** 4. Click **Add a protected folder** and follow the prompts to add apps. - + ### Use Group Policy to protect additional folders -1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**. -3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**. +3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**. 4. Double-click **Configured protected folders** and set the option to **Enabled**. Click **Show** and enter each folder. @@ -79,8 +79,8 @@ Continue to use `Add-MpPreference -ControlledFolderAccessProtectedFolders` to ad ![Screenshot of a PowerShell window with the cmdlet above entered](images/cfa-allow-folder-ps.png) ->[!IMPORTANT] ->Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. +> [!IMPORTANT] +> Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. ### Use MDM CSPs to protect additional folders 
@@ -88,17 +88,16 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersList](https://docs.m ## Allow specific apps to make changes to controlled folders -You can specify if certain apps should always be considered safe and given write access to files in protected folders. Allowing apps can be useful if you're finding a particular app that you know and trust is being blocked by the controlled folder access feature. +You can specify if certain apps should always be considered safe and given write access to files in protected folders. Allowing apps can be useful if you're finding a particular app that you know and trust is being blocked by the controlled folder access feature. ->[!IMPORTANT] ->By default, Windows adds apps that it considers friendly to the allowed list—apps added automatically by Windows are not recorded in the list shown in the Windows Security app or by using the associated PowerShell cmdlets. ->You shouldn't need to add most apps. Only add apps if they are being blocked and you can verify their trustworthiness. +> [!IMPORTANT] +> By default, Windows adds apps that it considers friendly to the allowed list—apps added automatically by Windows are not recorded in the list shown in the Windows Security app or by using the associated PowerShell cmdlets. +> You shouldn't need to add most apps. Only add apps if they are being blocked and you can verify their trustworthiness. When you add an app, you have to specify the app's location. Only the app in that location will be permitted access to the protected folders - if the app (with the same name) is located in a different location, then it will not be added to the allow list and may be blocked by controlled folder access. An allowed application or service only has write access to a controlled folder after it starts. For example, if you allow an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted. 
- ### Use the Windows Defender Security app to allow specific apps 1. Open the Windows Security by clicking the shield icon in the task bar or searching the start menu for **Defender**. @@ -113,11 +112,11 @@ An allowed application or service only has write access to a controlled folder a ### Use Group Policy to allow specific apps -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**. +3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**. 4. Double-click the **Configure allowed applications** setting and set the option to **Enabled**. Click **Show** and enter each app. 
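Review bot: The reflowed IMPORTANT callout ends with "Only add apps if they are being blocked and you can verify their trustworthiness", yet the paragraph directly below it states that an allow-list entry is matched on the app's location, not on the binary itself, and the reader is left to work out the consequence. Since the exemption is keyed on the path, presumably whatever later occupies that path inherits it, so one added sentence in the callout would make the guidance actionable: `> Because an allowed entry is matched by file path, keep allowed executables in a location that standard users cannot modify, so that the exemption cannot be inherited by a different file placed at the same path.` The same hint would fit the PowerShell example in the following hunk, which allows `c:\apps\test.exe` by path.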
@@ -135,22 +134,24 @@ An allowed application or service only has write access to a controlled folder a ```PowerShell Add-MpPreference -ControlledFolderAccessAllowedApplications "c:\apps\test.exe" ``` + Continue to use `Add-MpPreference -ControlledFolderAccessAllowedApplications` to add more apps to the list. Apps added using this cmdlet will appear in the Windows Security app. ![Screenshot of a PowerShell window with the above cmdlet entered](images/cfa-allow-app-ps.png) ->[!IMPORTANT] ->Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. +> [!IMPORTANT] +> Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. ### Use MDM CSPs to allow specific apps -Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersAllowedApplications](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-guardedfoldersallowedapplications) configuration service provider (CSP) to allow apps to make changes to protected folders. +Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersAllowedApplications](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-guardedfoldersallowedapplications) configuration service provider (CSP) to allow apps to make changes to protected folders. ## Customize the notification See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file. 
## Related topics -- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md) -- [Enable controlled folder access](enable-controlled-folders-exploit-guard.md) -- [Evaluate attack surface reduction rules](evaluate-windows-defender-exploit-guard.md) + +* [Protect important folders with controlled folder access](controlled-folders.md) +* [Enable controlled folder access](enable-controlled-folders.md) +* [Evaluate attack surface reduction rules](evaluate-windows-defender.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md index c319d3d411..984a616f3c 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md @@ -107,7 +107,7 @@ Use `Disabled` instead of `AuditMode` or `Enabled` to turn the feature off. ## Related topics -* [Windows Defender Exploit Guard](windows-defender-exploit-guard.md) +* [Windows Defender Exploit Guard](windows-defender.md) * [Network protection](network-protection.md) * [Evaluate network protection](evaluate-network-protection.md) * [Troubleshoot network protection](troubleshoot-np.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md b/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md index 676188aa12..7113a66136 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md 
@@ -20,13 +20,13 @@ manager: dansimp
 **Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 Exploit protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
-Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) are now included in exploit protection.
+Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) are now included in exploit protection.
 You use the Windows Security app or PowerShell to create a set of mitigations (known as a configuration). You can then export this configuration as an XML file and share it with multiple machines on your network so they all have the same set of mitigation settings.
@@ -34,7 +34,7 @@ You can also convert and import an existing EMET configuration XML file into an
 This topic describes how to create a configuration file and deploy it across your network, and how to convert an EMET configuration.
-The [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) contains a sample configuration file (name *ProcessMitigation-Selfhost-v4.xml* that you can use to see how the XML structure looks. The sample file also contains settings that have been converted from an EMET configuration. You can open the file in a text editor (such as Notepad) or import it directly into exploit protection and then review the settings in the Windows Security app, as described further in this topic.
+The [Evaluation Package](https://aka.ms/mp7z2w) contains a sample configuration file (name *ProcessMitigation-Selfhost-v4.xml* that you can use to see how the XML structure looks. The sample file also contains settings that have been converted from an EMET configuration. You can open the file in a text editor (such as Notepad) or import it directly into exploit protection and then review the settings in the Windows Security app, as described further in this topic.
 ## Create and export a configuration file
@@ -51,13 +51,13 @@ When you have configured exploit protection to your desired state (including bot
 2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection settings**:
 ![Highlight of the Exploit protection settings option in the Windows Security app](images/wdsc-exp-prot.png)
-
+
 3. At the bottom of the **Exploit protection** section, click **Export settings** and then choose the location and name of the XML file where you want the configuration to be saved.
 ![Highlight of the Export Settings option](images/wdsc-exp-prot-export.png)
->[!NOTE]
->When you export the settings, all settings for both app-level and system-level mitigations are saved. This means you don't need to export a file from both the **System settings** and **Program settings** sections - either section will export all settings.
+> [!NOTE]
+> When you export the settings, all settings for both app-level and system-level mitigations are saved. This means you don't need to export a file from both the **System settings** and **Program settings** sections - either section will export all settings.
 ### Use PowerShell to export a configuration file
@@ -65,7 +65,7 @@ When you have configured exploit protection to your desired state (including bot
 2. Enter the following cmdlet:
 ```PowerShell
- Get-ProcessMitigation -RegistryConfigFilePath filename.xml
+ Get-ProcessMitigation -RegistryConfigFilePath filename.xml
 ```
 Change `filename` to any name or location of your choosing.
@@ -74,7 +74,7 @@ Example command **Get-ProcessMitigation -RegistryConfigFilePath C:\ExploitConfigfile.xml**
 > [!IMPORTANT]
-> When you deploy the configuration using Group Policy, all machines that will use the configuration must be able to access the configuration file. Ensure you place the file in a shared location.
+> When you deploy the configuration using Group Policy, all machines that will use the configuration must be able to access the configuration file. Ensure you place the file in a shared location.
 ## Import a configuration file
@@ -84,12 +84,11 @@ After importing, the settings will be instantly applied and can be reviewed in t
 ### Use PowerShell to import a configuration file
-
 1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
 2. Enter the following cmdlet:
 ```PowerShell
- Set-ProcessMitigation -PolicyFilePath filename.xml
+ Set-ProcessMitigation -PolicyFilePath filename.xml
 ```
 Change `filename` to the location and name of the exploit protection XML file.
@@ -97,11 +96,9 @@ Change `filename` to the location and name of the exploit protection XML file.
 Example command **Set-ProcessMitigation -PolicyFilePath C:\ExploitConfigfile.xml**
-
->[!IMPORTANT]
+> [!IMPORTANT]
 >
->Ensure you import a configuration file that is created specifically for exploit protection. You cannot directly import an EMET configuration file, you must convert it first.
-
+> Ensure you import a configuration file that is created specifically for exploit protection. You cannot directly import an EMET configuration file, you must convert it first.
 ## Convert an EMET configuration file to an exploit protection configuration file
@@ -109,14 +106,13 @@ You can convert an existing EMET configuration file to the new format used by ex
 You can only do this conversion in PowerShell.
->[!WARNING]
+> [!WARNING]
 >
->You cannot directly convert the default EMET configuration files that are distributed with EMET. These files are intended to help set up EMET for a first-time user. Attempting to directly convert these files into an Exploit protection configuration file will not work.
+> You cannot directly convert the default EMET configuration files that are distributed with EMET. These files are intended to help set up EMET for a first-time user. Attempting to directly convert these files into an Exploit protection configuration file will not work.
 >
->However, if you want to apply the same settings as in the default EMET configuration files, you must first import the default configuration file into EMET, then export the settings to a new file.
+> However, if you want to apply the same settings as in the default EMET configuration files, you must first import the default configuration file into EMET, then export the settings to a new file.
 >
->You can then convert that file using the PowerShell cmdlet described here before importing the settings into Exploit protection.
-
+> You can then convert that file using the PowerShell cmdlet described here before importing the settings into Exploit protection.
 1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
 2. Enter the following cmdlet:
@@ -127,46 +123,45 @@ You can only do this conversion in PowerShell.
 Change `emetFile` to the name and location of the EMET configuration file, and change `filename` to whichever location and file name you want to use.
->[!IMPORTANT]
+> [!IMPORTANT]
 >
->If you have enabled Mandatory ASLR for any apps in EMET, export the EMET settings to an XML file, and then convert the XML file into an Exploit protection configuration file, you will need to manually edit the converted XML file to ensure the Mandatory ASLR mitigation setting is correctly configured:
+> If you have enabled Mandatory ASLR for any apps in EMET, export the EMET settings to an XML file, and then convert the XML file into an Exploit protection configuration file, you will need to manually edit the converted XML file to ensure the Mandatory ASLR mitigation setting is correctly configured:
 >
 > 1. Open the PowerShell-converted XML file in a text editor.
 > 2. Search for `ASLR ForceRelocateImages="false"` and change it to `ASLR ForceRelocateImages="true"` for each app that you want Mandatory ASLR to be enabled.
-
 ## Manage or deploy a configuration
 You can use Group Policy to deploy the configuration you've created to multiple machines in your network.
 > [!IMPORTANT]
-> When you deploy the configuration using Group Policy, all machines that will use the configuration must be able to access the configuration XML file. Ensure you place the file in a shared location.
+> When you deploy the configuration using Group Policy, all machines that will use the configuration must be able to access the configuration XML file. Ensure you place the file in a shared location.
 ### Use Group Policy to distribute the configuration
-1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. 
On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
-3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-5. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit protection**.
+3. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit protection**.
 ![Screenshot of the group policy setting for exploit protection](images/exp-prot-gp.png)
-6. Double-click the **Use a common set of Exploit protection settings** setting and set the option to **Enabled**.
+4. Double-click the **Use a common set of Exploit protection settings** setting and set the option to **Enabled**.
-7. In the **Options::** section, enter the location and filename of the Exploit protection configuration file that you want to use, such as in the following examples:
- - C:\MitigationSettings\Config.XML
- - \\\Server\Share\Config.xml
- - https://localhost:8080/Config.xml
- - C:\ExploitConfigfile.xml
+5. In the **Options::** section, enter the location and filename of the Exploit protection configuration file that you want to use, such as in the following examples:
-8. Click **OK** and [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx).
+ * C:\MitigationSettings\Config.XML
+ * \\\Server\Share\Config.xml
+ * https://localhost:8080/Config.xml
+ * C:\ExploitConfigfile.xml
+6. Click **OK** and [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx).
## Related topics
-- [Protect devices from exploits](exploit-protection-exploit-guard.md)
-- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md)
-- [Evaluate exploit protection](evaluate-exploit-protection.md)
-- [Enable exploit protection](enable-exploit-protection.md)
-- [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
+* [Protect devices from exploits](exploit-protection.md)
+* [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection.md)
+* [Evaluate exploit protection](evaluate-exploit-protection.md)
+* [Enable exploit protection](enable-exploit-protection.md)
+* [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/oldTOC.md b/windows/security/threat-protection/windows-defender-exploit-guard/oldTOC.md
index eedb76c8dc..6682c7e6c4 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/oldTOC.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/oldTOC.md
@@ -1,11 +1,11 @@
 # [Windows Defender Exploit Guard](windows-defender-exploit-guard.md)
-## [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)
-### [Use auditing mode to evaluate Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md)
-### [View Exploit Guard events](event-views-exploit-guard.md)
+## [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender.md)
+### [Use auditing mode to evaluate Windows Defender Exploit Guard](audit-windows-defender.md)
+### [View Exploit Guard events](event-views.md)
-## [Exploit protection](exploit-protection-exploit-guard.md)
-### [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md)
+## [Exploit protection](exploit-protection.md)
+### [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection.md)
 ### [Evaluate Exploit protection](evaluate-exploit-protection.md)
 ### [Enable Exploit protection](enable-exploit-protection.md)
 ### [Customize Exploit protection](customize-exploit-protection.md)
@@ -13,18 +13,16 @@
 ### [Memory integrity](memory-integrity.md)
 #### [Requirements for virtualization-based protection of code integrity](requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
 #### [Enable virtualization-based protection of code integrity](enable-virtualization-based-protection-of-code-integrity.md)
-## [Attack surface reduction](attack-surface-reduction-exploit-guard.md)
+## [Attack surface reduction](attack-surface-reduction.md)
 ### [Evaluate Attack surface reduction](evaluate-attack-surface-reduction.md)
 ### [Enable Attack surface reduction](enable-attack-surface-reduction.md)
 ### [Customize Attack surface reduction](customize-attack-surface-reduction.md)
 ### [Troubleshoot Attack surface reduction rules](troubleshoot-asr.md)
-## [Network Protection](network-protection-exploit-guard.md)
+## [Network Protection](network-protection.md)
 ### [Evaluate Network Protection](evaluate-network-protection.md)
 ### [Enable Network Protection](enable-network-protection.md)
 ### [Troubleshoot Network protection](troubleshoot-np.md)
-## [Controlled folder access](controlled-folders-exploit-guard.md)
+## [Controlled folder access](controlled-folders.md)
 ### [Evaluate Controlled folder access](evaluate-controlled-folder-access.md)
-### [Enable Controlled folder access](enable-controlled-folders-exploit-guard.md)
-### [Customize Controlled folder access](customize-controlled-folders-exploit-guard.md)
-
-
+### [Enable Controlled folder access](enable-controlled-folders.md)
+### [Customize Controlled folder access](customize-controlled-folders.md)
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md
index 373d0c8387..fc063ad06a 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md 
@@ -20,44 +20,44 @@ manager: dansimp
 **Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-When you use [attack surface reduction rules](attack-surface-reduction-exploit-guard.md) you may encounter issues, such as:
+When you use [attack surface reduction rules](attack-surface-reduction.md) you may encounter issues, such as:
-- A rule blocks a file, process, or performs some other action that it should not (false positive)
-- A rule does not work as described, or does not block a file or process that it should (false negative)
+* A rule blocks a file, process, or performs some other action that it should not (false positive)
+* A rule does not work as described, or does not block a file or process that it should (false negative)
 There are four steps to troubleshooting these problems:
 1. Confirm prerequisites
 2. Use audit mode to test the rule
 3. Add exclusions for the specified rule (for false positives)
-3. Submit support logs
+4. Submit support logs
 ## Confirm prerequisites
 Attack surface reduction rules will only work on devices with the following conditions:
->[!div class="checklist"]
-> - Endpoints are running Windows 10 Enterprise, version 1709 (also known as the Fall Creators Update).
-> - Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
-> - [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled.
-> - Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md).
+> [!div class="checklist"]
+> * Endpoints are running Windows 10 Enterprise, version 1709 (also known as the Fall Creators Update).
+> * Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
+> * [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled.
+> * Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md).
 If these pre-requisites have all been met, proceed to the next step to test the rule in audit mode.
 ## Use audit mode to test the rule
-You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm attack surface reduction rules are generally working for pre-configured scenarios and processes on a device, or you can use audit mode, which enables rules for reporting only.
+You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm attack surface reduction rules are generally working for pre-configured scenarios and processes on a device, or you can use audit mode, which enables rules for reporting only.
 Follow these instructions in [Use the demo tool to see how attack surface reduction rules work](evaluate-attack-surface-reduction.md) to test the specific rule you are encountering problems with.
 1. Enable audit mode for the specific rule you want to test. Use Group Policy to set the rule to **Audit mode** (value: **2**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md). Audit mode allows the rule to report the file or process, but will still allow it to run.
 2. 
Perform the activity that is causing an issue (for example, open or execute the file or process that should be blocked but is being allowed).
-3. [Review the attack surface reductio rule event logs](attack-surface-reduction-exploit-guard.md) to see if the rule would have blocked the file or process if the rule had been set to **Enabled**.
+3. [Review the attack surface reductio rule event logs](attack-surface-reduction.md) to see if the rule would have blocked the file or process if the rule had been set to **Enabled**.
 >
->If a rule is not blocking a file or process that you are expecting it should block, first check if audit mode is enabled.
+>If a rule is not blocking a file or process that you are expecting it should block, first check if audit mode is enabled.
 >
 >Audit mode may have been enabled for testing another feature, or by an automated PowerShell script, and may not have been disabled after the tests were completed.
@@ -82,21 +82,24 @@ Use the [Windows Defender Security Intelligence web-based submission form](https
 ## Collect diagnostic data for file submissions
-When you report a problem with attack surface reduction rules, you are asked to collect and submit diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues.
+When you report a problem with attack surface reduction rules, you are asked to collect and submit diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues.
 1. Open an elevated command prompt and change to the Windows Defender directory:
+
 ```console
 cd c:\program files\windows defender
 ```
+
 2. Run this command to generate the diagnostic logs:
+
 ```console
 mpcmdrun -getfiles
 ```
-3. By default, they are saved to C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab. Attach the file to the submission form.
+
+3. By default, they are saved to C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab. Attach the file to the submission form.
 ## Related topics
-- [Attack surface reduction rules](attack-surface-reduction-exploit-guard.md)
-- [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
-- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
-
+* [Attack surface reduction rules](attack-surface-reduction.md)
+* [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
+* [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md
index 63963825e3..26d89accfe 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md
@@ -20,7 +20,7 @@ manager: dansimp
 **Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 When you create a set of exploit protection mitigations (known as a configuration), you might find that the configuration export and import process does not remove all unwanted mitigations.
@@ -46,7 +46,7 @@ You can manually remove unwanted mitigations in Windows Security, or you can use
 Write-Host "Removing MitigationAuditOptions for: " $Name
 Remove-ItemProperty -Path $Key.PSPath -Name "MitigationAuditOptions" -ErrorAction Stop;
 }
-
+
 # Remove the FilterFullPath value if there is nothing else
 if (($Key.SubKeyCount -eq 0) -and ($Key.ValueCount -eq 1) -and ($Key.GetValue("FilterFullPath"))) {
 Remove-ItemProperty -Path $Key.PSPath -Name "FilterFullPath" -ErrorAction Stop;
@@ -58,19 +58,19 @@ You can manually remove unwanted mitigations in Windows Security, or you can use
 Remove-Item -Path $Key.PSPath -ErrorAction Stop
 }
 }
- Catch {
- Write-Host "ERROR:" $_.Exception.Message "- at ($MitigationItemName)"
+ Catch {
+ Write-Host "ERROR:" $_.Exception.Message "- at ($MitigationItemName)"
 }
 }
 # Delete all ExploitGuard ProcessMitigations
 function Remove-All-ProcessMitigations {
 if (!(Test-IsAdmin)) {
- throw "ERROR: No Administrator-Privileges detected!"; return
+ throw "ERROR: No Administrator-Privileges detected!"; return
 }
 Get-ChildItem -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" | ForEach-Object {
- $MitigationItem = $_;
+ $MitigationItem = $_;
 $MitigationItemName = $MitigationItem.PSChildName
 Try {
@@ -85,7 +85,7 @@ You can manually remove unwanted mitigations in Windows Security, or you can use
 Write-Host "Removing FullPathEntry: " $Name
 Remove-ProcessMitigations $FullPathItem $Name
 }
-
+
 # If there are no subkeys now, we can delete the "UseFilter" value
 if ($MitigationItem.SubKeyCount -eq 0) {
 Remove-ItemProperty -Path $MitigationItem.PSPath -Name "UseFilter" -ErrorAction Stop
@@ -97,8 +97,8 @@ You can manually remove unwanted mitigations in Windows Security, or you can use
 Remove-Item -Path $MitigationItem.PSPath -ErrorAction Stop
 }
 }
- Catch {
- Write-Host "ERROR:" $_.Exception.Message "- at ($MitigationItemName)"
+ Catch {
+ Write-Host "ERROR:" $_.Exception.Message "- at ($MitigationItemName)"
 }
 }
 }
@@ -106,18 +106,18 @@ You can manually remove unwanted mitigations in Windows Security, or you can use
 # Delete all ExploitGuard System-wide Mitigations
 function Remove-All-SystemMitigations {
- if (!(Test-IsAdmin)) {
- throw "ERROR: No Administrator-Privileges detected!"; return
+ if (!(Test-IsAdmin)) {
+ throw "ERROR: No Administrator-Privileges detected!"; return
 }
-
+
 $Kernel = Get-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel"
- Try {
- if ($Kernel.GetValue("MitigationOptions"))
+ Try {
+ if ($Kernel.GetValue("MitigationOptions"))
 {
 Write-Host "Removing System MitigationOptions"
 Remove-ItemProperty -Path $Kernel.PSPath -Name "MitigationOptions" -ErrorAction Stop;
 }
- if ($Kernel.GetValue("MitigationAuditOptions"))
+ if ($Kernel.GetValue("MitigationAuditOptions"))
 {
 Write-Host "Removing System MitigationAuditOptions"
 Remove-ItemProperty -Path $Kernel.PSPath -Name "MitigationAuditOptions" -ErrorAction Stop;
 }
@@ -132,30 +132,30 @@ You can manually remove unwanted mitigations in Windows Security, or you can use
 2. Create and import an XML configuration file with the following default mitigations, as described in Import, export, and deploy Exploit Protection configurations:
- ```xml
+ ```xml
- - - - - - - - - - + + + + + + + + + + - + - - + + - - - - - + + + + +
@@ -180,9 +180,9 @@ You can manually remove unwanted mitigations in Windows Security, or you can use
- - - + + +
@@ -195,9 +195,9 @@ If you haven’t already, it's a good idea to download and use the [Windows Secu
 ## Related topics
-- [Protect devices from exploits](exploit-protection-exploit-guard.md)
-- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md)
-- [Evaluate exploit protection](evaluate-exploit-protection.md)
-- [Enable exploit protection](enable-exploit-protection.md)
-- [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
-- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md)
+* [Protect devices from exploits](exploit-protection.md)
+* [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection.md)
+* [Evaluate exploit protection](evaluate-exploit-protection.md)
+* [Enable exploit protection](enable-exploit-protection.md)
+* [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
+* [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md)
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md
index cfd19843a9..69c87f7ca6 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md
@@ -20,48 +20,50 @@ manager: dansimp
 **Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-- IT administrators
+* IT administrators
-When you use [Network protection](network-protection-exploit-guard.md) you may encounter issues, such as:
+When you use [Network protection](network-protection.md) you may encounter issues, such as:
-- Network protection blocks a website that is safe (false positive)
-- Network protection fails to block a suspicious or known malicious website (false negative)
+* Network protection blocks a website that is safe (false positive)
+* Network protection fails to block a suspicious or known malicious website (false negative)
 There are four steps to troubleshooting these problems:
 1. Confirm prerequisites
 2. Use audit mode to test the rule
 3. Add exclusions for the specified rule (for false positives)
-3. Submit support logs
+4. Submit support logs
 ## Confirm prerequisites
 Network protection will only work on devices with the following conditions:
 >[!div class="checklist"]
-> - Endpoints are running Windows 10 Enterprise edition, version 1709 or higher (also known as the Fall Creators Update).
-> - Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
-> - [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled.
-> - [Cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) is enabled.
-> - Audit mode is not enabled. 
Use [Group Policy](enable-network-protection.md#group-policy) to set the rule to **Disabled** (value: **0**).
+> * Endpoints are running Windows 10 Enterprise edition, version 1709 or higher (also known as the Fall Creators Update).
+> * Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
+> * [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled.
+> * [Cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) is enabled.
+> * Audit mode is not enabled. Use [Group Policy](enable-network-protection.md#group-policy) to set the rule to **Disabled** (value: **0**).
+## Use audit mode
-## Use audit mode
-
-You can enable network protection in audit mode and then visit a website that we've created to demo the feature. All website connections will be allowed by network protection but an event will be logged to indicate any connection that would have been blocked if network protection was enabled.
+You can enable network protection in audit mode and then visit a website that we've created to demo the feature. All website connections will be allowed by network protection but an event will be logged to indicate any connection that would have been blocked if network protection was enabled.
 1. Set network protection to **Audit mode**.
- ```powershell
+
+ ```PowerShell
 Set-MpPreference -EnableNetworkProtection AuditMode
 ```
-2. Perform the connection activity that is causing an issue (for example, attempt to visit the site, or connect to the IP address you do or don't want to block).
-3. 
[Review the network protection event logs](network-protection-exploit-guard.md#review-network-protection-events-in-windows-event-viewer) to see if the feature would have blocked the connection if it had been set to **Enabled**.
+
+1. Perform the connection activity that is causing an issue (for example, attempt to visit the site, or connect to the IP address you do or don't want to block).
+
+1. [Review the network protection event logs](network-protection.md#review-network-protection-events-in-windows-event-viewer) to see if the feature would have blocked the connection if it had been set to **Enabled**.
 >
 >If network protection is not blocking a connection that you are expecting it should block, enable the feature.
-```powershell
+```PowerShell
 Set-MpPreference -EnableNetworkProtection Enabled
 ```
@@ -75,21 +77,25 @@ To whitelist the website that is being blocked (false positive), add its URL to ## Collect diagnostic data for file submissions -When you report a problem with network protection, you are asked to collect and submit diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues. +When you report a problem with network protection, you are asked to collect and submit diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues. 1. Open an elevated command prompt and change to the Windows Defender directory: - ``` + + ```PowerShell cd c:\program files\windows defender ``` -2. Run this command to generate the diagnostic logs: - ``` + +1. Run this command to generate the diagnostic logs: + + ```PowerShell mpcmdrun -getfiles ``` -3. By default, they are saved to C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab. Attach the file to the submission form. + +1. By default, they are saved to C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab. Attach the file to the submission form. ## Related topics -- [Windows Defender Exploit Guard](windows-defender-exploit-guard.md) -- [Network protection](network-protection-exploit-guard.md) -- [Evaluate network protection](evaluate-network-protection.md) -- [Enable network protection](enable-network-protection.md) +* [Windows Defender Exploit Guard](windows-defender-exploit-guard.md) +* [Network protection](network-protection.md) +* [Evaluate network protection](evaluate-network-protection.md) +* [Enable network protection](enable-network-protection.md) diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md index ca32f2c55a..b1ad6fffbc 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md 
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md @@ -26,7 +26,7 @@ manager: dansimp The **App and browser control** section contains information and settings for Windows Defender SmartScreen. IT administrators and IT pros can get configuration guidance from the [Windows Defender SmartScreen documentation library](https://docs.microsoft.com/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview). -In Windows 10, version 1709 and later, the section also provides configuration options for Exploit protection. You can prevent users from modifying these specific options with Group Policy. IT administrators can get more information at the [Exploit protection](../windows-defender-exploit-guard/exploit-protection-exploit-guard.md) topic in the Windows Defender Exploit Guard library. +In Windows 10, version 1709 and later, the section also provides configuration options for Exploit protection. You can prevent users from modifying these specific options with Group Policy. IT administrators can get more information at the [Exploit protection](../windows-defender-exploit-guard/exploit-protection.md) topic in the Windows Defender Exploit Guard library. You can also choose to hide the section from users of the machine. This can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section. From 9e720e5cebcc317ad762e14d16def197bc21ea8a Mon Sep 17 00:00:00 2001 
From: martyav
Date: Wed, 31 Jul 2019 11:38:41 -0400
Subject: [PATCH 23/49] third pass, rm'ing suggestions & warnings unrelated to exploit guard page from files in eg directory
---
 windows/security/threat-protection/TOC.md | 2 +-
 .../windows-defender-exploit-guard/attack-surface-reduction.md | 1 +
 .../windows-defender-exploit-guard/controlled-folders.md | 1 +
 .../customize-attack-surface-reduction.md | 1 +
 .../customize-controlled-folders.md | 1 +
 .../customize-exploit-protection.md | 1 +
 .../windows-defender-exploit-guard/emet-exploit-protection.md | 1 +
 .../enable-attack-surface-reduction.md | 1 +
 .../windows-defender-exploit-guard/enable-exploit-protection.md | 1 +
 .../windows-defender-exploit-guard/enable-network-protection.md | 1 +
 .../evaluate-attack-surface-reduction.md | 1 +
 .../evaluate-controlled-folder-access.md | 1 +
 .../evaluate-exploit-protection.md | 1 +
 .../evaluate-network-protection.md | 1 +
 .../windows-defender-exploit-guard/event-views.md | 2 ++
 .../windows-defender-exploit-guard/exploit-protection.md | 1 +
 .../import-export-exploit-protection-emet-xml.md | 1 +
 .../windows-defender-exploit-guard/network-protection.md | 1 +
 .../windows-defender-exploit-guard/troubleshoot-asr.md | 1 +
 .../troubleshoot-exploit-protection-mitigations.md | 1 +
 .../windows-defender-exploit-guard/troubleshoot-np.md | 1 +
 .../wdsc-app-browser-control.md | 1 +
 22 files changed, 23 insertions(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index 19b31cf45d..99739203c3 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -206,7 +206,7 @@
 ##### [Import/export configurations](windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md)
 #### [Network protection](windows-defender-exploit-guard/enable-network-protection.md)
-#### [Controlled folder access](windows-defender-exploit-guard/enable-controlled-folders)
+#### [Controlled folder access](windows-defender-exploit-guard/enable-controlled-folders.md)
 #### [Attack surface reduction controls]()
 ##### [Enable attack surface reduction rules](windows-defender-exploit-guard/enable-attack-surface-reduction.md)
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction.md
index 8604b3e061..456defe3a9 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction.md
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: levinec
 ms.author: ellevin
 ms.date: 05/07/2019
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders.md b/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders.md
index a3acd284ab..0cb75933d7 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders.md
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: levinec
 ms.author: ellevin
 ms.date: 11/29/2018
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
index 2424a2cc8d..839daef3d1 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: levinec
 ms.author: ellevin
 ms.date: 05/13/2019
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders.md
index e3f6569085..6b462b650e 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders.md
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: levinec
 ms.author: ellevin
 ms.date: 05/13/2019
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
index c594656bb5..b8afb82a4f 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: levinec
 ms.author: ellevin
 ms.date: 03/26/2019
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection.md
index ab962884c6..59435df273 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection.md
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: levinec
 ms.author: ellevin
 ms.date: 08/08/2018
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
index 06c0cb2672..bd67eebf80 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: levinec
 ms.author: ellevin
 ms.date: 05/13/2019
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md
index ede2c232c7..138efd6a68 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: levinec
 ms.author: ellevin
 ms.date: 05/09/2019
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md
index 984a616f3c..d6346c051a 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: levinec
 ms.author: ellevin
 ms.date: 05/13/2019
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md
index 88b5fd4383..60381c0ee2 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: levinec
 ms.author: ellevin
 ms.date: 04/02/2019
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md
index 2a2bcb12fb..1443a8d07f 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: levinec
 ms.author: ellevin
 ms.date: 11/16/2018
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md
index a5bc1ec8a0..7405d7f9d2 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: levinec
 ms.author: ellevin
 ms.date: 04/02/2019
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md
index 6064e1cbdd..0d45506dbd 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: levinec
 ms.author: ellevin
 ms.date: 05/10/2019
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/event-views.md b/windows/security/threat-protection/windows-defender-exploit-guard/event-views.md
index 5652a45bd4..8d4d80534d 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/event-views.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/event-views.md
@@ -11,9 +11,11 @@ ms.sitesec: library
 ms.pagetype: security
 ms.date: 04/16/2018
 ms.localizationpriority: medium
+audience: ITPro
 author: levinec
 ms.author: ellevin
 ms.date: 03/26/2019
+manager: dansimp
 ---
 
 # View attack surface reduction events
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection.md
index 1e56b29997..8dbf461446 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection.md
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: levinec
 ms.author: ellevin
 ms.date: 04/02/2019
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md b/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md
index 7113a66136..bface7c1ee 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: levinec
 ms.author: ellevin
 ms.date: 04/30/2018
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/network-protection.md
index 478e8d5d1a..eb4b64456b 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/network-protection.md
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: levinec
 ms.author: ellevin
 ms.date: 04/30/2019
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md
index fc063ad06a..aec7204fc9 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: dansimp
 ms.author: dansimp
 ms.date: 03/27/2019
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md
index 26d89accfe..ae216de7bb 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: dansimp
 ms.author: dansimp
 ms.date: 08/09/2018
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md
index 69c87f7ca6..cab96f898b 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: dansimp
 ms.author: dansimp
 ms.date: 03/27/2019
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md
index b1ad6fffbc..840b012de6 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: dansimp
 ms.author: dansimp
 ms.date: 04/30/2018
From 78cbb4ea28ce28d243783df09248046465577c82 Mon Sep 17 00:00:00 2001
From: martyav
Date: Wed, 31 Jul 2019 16:11:51 -0400
Subject: [PATCH 24/49] fourth pass at links
---
 .../configure-attack-surface-reduction.md | 24 +-
 .../microsoft-defender-atp/oldTOC.md | 12 +-
 .../overview-attack-surface-reduction.md | 27 +-
 .../secure-score-dashboard.md | 314 +++++++++---------
 .../audit-windows-defender.md | 1 +
 .../customize-controlled-folders.md | 2 +-
 .../enable-controlled-folders.md | 5 +-
 .../enable-network-protection.md | 1 -
 .../evaluate-attack-surface-reduction.md | 2 +-
 .../evaluate-controlled-folder-access.md | 2 +-
 .../evaluate-network-protection.md | 1 -
 .../exploit-protection.md | 4 +-
 ...port-export-exploit-protection-emet-xml.md | 2 -
 .../windows-defender-exploit-guard/oldTOC.md | 7 +-
 .../troubleshoot-np.md | 1 -
 15 files changed, 206 insertions(+), 199 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md
index 0d8f88aa59..a9e67f227a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md
@@ -1,15 +1,14 @@
 ---
-title:
-ms.reviewer:
-description:
-keywords:
+title: Configure attack surface reduction
+description: Configure attack surface reduction
+keywords: asr, attack surface reduction, windows defender, microsoft defender, antivirus, av
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-ms.author: mjcaparas
+ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
@@ -23,22 +22,21 @@ ms.date: 07/01/2018 You can configure attack surface reduction with a number of tools, including: -- Microsoft Intune -- System Center Configuration Manager -- Group Policy -- PowerShell cmdlets - +* Microsoft Intune +* System Center Configuration Manager +* Group Policy +* PowerShell cmdlets The topics in this section describe how to configure attack surface reduction. Each topic includes instructions for the applicable configuration tool (or tools). ## In this section + Topic | Description -:---|:--- +-|- [Enable hardware-based isolation for Microsoft Edge](../windows-defender-application-guard/install-wd-app-guard.md) | How to preprare for and install Application Guard, including hardware and softeware requirements [Enable application control](../windows-defender-application-control/windows-defender-application-control.md)|How to control applications run by users and potect kernel mode processes [Exploit protection](../windows-defender-exploit-guard/enable-exploit-protection.md)|How to automatically apply exploit mitigation techniques on both operating system processes and on individual apps [Network protection](../windows-defender-exploit-guard/enable-network-protection.md)|How to prevent users from using any apps to acces dangerous domains -[Controlled folder access](../windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md)|How to protect valuable data from malicious apps +[Controlled folder access](../windows-defender-exploit-guard/enable-controlled-folders.md)|How to protect valuable data from malicious apps [Attack surface reduction](../windows-defender-exploit-guard/enable-attack-surface-reduction.md)|How to prevent actions and apps that are typically used for by exploit-seeking malware [Network firewall](../windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md)|How to protect devices and data across a network - 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/oldTOC.md b/windows/security/threat-protection/microsoft-defender-atp/oldTOC.md
index 35d03646ca..65f226fe65 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/oldTOC.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/oldTOC.md
@@ -27,10 +27,10 @@
 #### [Application control]()
 ##### [Windows Defender Application Guard](../windows-defender-application-control/windows-defender-application-control.md)
-#### [Exploit protection](../windows-defender-exploit-guard/exploit-protection-exploit-guard.md)
-#### [Network protection](../windows-defender-exploit-guard/network-protection-exploit-guard.md)
-#### [Controlled folder access](../windows-defender-exploit-guard/controlled-folders-exploit-guard.md)
-#### [Attack surface reduction](../windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md)
+#### [Exploit protection](../windows-defender-exploit-guard/exploit-protection.md)
+#### [Network protection](../windows-defender-exploit-guard/network-protection.md)
+#### [Controlled folder access](../windows-defender-exploit-guard/controlled-folders.md)
+#### [Attack surface reduction](../windows-defender-exploit-guard/attack-surface-reduction.md)
 #### [Network firewall](../windows-firewall/windows-firewall-with-advanced-security.md)
@@ -196,8 +196,8 @@
 #### [Network protection](../windows-defender-exploit-guard/enable-network-protection.md)
 #### [Controlled folder access]()
-##### [Enable controlled folder access](../windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md)
-##### [Customize controlled folder access](../windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md)
+##### [Enable controlled folder access](../windows-defender-exploit-guard/enable-controlled-folders.md)
+##### [Customize controlled folder access](../windows-defender-exploit-guard/customize-controlled.md)
 #### [Attack surface reduction controls]()
 ##### [Enable attack surface reduction rules](../windows-defender-exploit-guard/enable-attack-surface-reduction.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md
index 5de1f9d993..2d11947734 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md
@@ -2,14 +2,14 @@
 title: Overview of attack surface reduction
 ms.reviewer:
 description: Learn about the attack surface reduction capability in Microsoft Defender ATP
-keywords:
+keywords: asr, attack surface reduction, microsoft defender atp, microsoft defender, antivirus, av, windows defender
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-ms.author: mjcaparas
+ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
@@ -21,17 +21,16 @@ ms.topic: conceptual # Overview of attack surface reduction **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Attack surface reduction capabilities in Microsoft Defender ATP helps protect the devices and applications in your organization from new and emerging threats. - -| Capability | Description | -|------------|-------------| -| [Hardware-based isolation](../windows-defender-application-guard/wd-app-guard-overview.md) | Protects and maintains the integrity of the system as it starts and while it's running, and validates system integrity through local and remote attestation. In addition, container isolation for Microsoft Edge helps protect host operating system from malicious websites. | -| [Application control](../windows-defender-application-control/windows-defender-application-control.md) | Moves away from the traditional application trust model where all applications are assumed trustworthy by default to one where applications must earn trust in order to run. | -| [Exploit protection](../windows-defender-exploit-guard/exploit-protection-exploit-guard.md) | Applies exploit mitigation techniques to apps your organization uses, both individually and to all apps. Works with third-party antivirus solutions and Windows Defender Antivirus (Windows Defender AV) | -| [Network protection](../windows-defender-exploit-guard/network-protection-exploit-guard.md) | Extends the malware and social engineering protection offered by Windows Defender SmartScreen in Microsoft Edge to cover network traffic and connectivity on your organization's devices. Requires Windows Defender AV. 
| -| [Controlled folder access](../windows-defender-exploit-guard/controlled-folders-exploit-guard.md) | Helps protect files in key system folders from changes made by malicious and suspicious apps, including file-encrypting ransomware malware. Requires Windows Defender AV. | -| [Attack surface reduction](../windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md) | reduce the attack surface of your applications with intelligent rules that stop the vectors used by Office-, script- and mail-based malware. Requires Windows Defender AV. | -| [Network firewall](../windows-firewall/windows-firewall-with-advanced-security.md) | Host-based, two-way network traffic filtering that blocks unauthorized network traffic flowing into or out of the local device. | +Attack surface reduction capabilities in Microsoft Defender ATP helps protect the devices and applications in your organization from new and emerging threats. + Capability | Description +-|- + [Hardware-based isolation](../windows-defender-application-guard/wd-app-guard-overview.md) | Protects and maintains the integrity of the system as it starts and while it's running, and validates system integrity through local and remote attestation. In addition, container isolation for Microsoft Edge helps protect host operating system from malicious websites. + [Application control](../windows-defender-application-control/windows-defender-application-control.md) | Moves away from the traditional application trust model where all applications are assumed trustworthy by default to one where applications must earn trust in order to run. + [Exploit protection](../windows-defender-exploit-guard/exploit-protection.md) | Applies exploit mitigation techniques to apps your organization uses, both individually and to all apps. 
Works with third-party antivirus solutions and Windows Defender Antivirus (Windows Defender AV) + [Network protection](../windows-defender-exploit-guard/network-protection.md) | Extends the malware and social engineering protection offered by Windows Defender SmartScreen in Microsoft Edge to cover network traffic and connectivity on your organization's devices. Requires Windows Defender AV. + [Controlled folder access](../windows-defender-exploit-guard/controlled-folders.md) | Helps protect files in key system folders from changes made by malicious and suspicious apps, including file-encrypting ransomware malware. Requires Windows Defender AV. + [Attack surface reduction](../windows-defender-exploit-guard/attack-surface-reduction.md) | reduce the attack surface of your applications with intelligent rules that stop the vectors used by Office-, script- and mail-based malware. Requires Windows Defender AV. + [Network firewall](../windows-firewall/windows-firewall-with-advanced-security.md) | Host-based, two-way network traffic filtering that blocks unauthorized network traffic flowing into or out of the local device. diff --git a/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md b/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md index b0ae432a26..e729d48f6b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md +++ b/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md 
@@ -18,109 +18,123 @@ ms.topic: conceptual --- # Configure the security controls in Secure score -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->[!NOTE] -> Secure score is now part of [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) as [Configuration score](configuration-score.md). The secure score page will be available for a few weeks. View the [Secure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score) page. +**Applies to:** + +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +> [!NOTE] +> Secure score is now part of [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) as [Configuration score](configuration-score.md). The secure score page will be available for a few weeks. View the [Secure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score) page. Each security control lists recommendations that you can take to increase the security posture of your organization. ### Endpoint detection and response (EDR) optimization + A well-configured machine complies to a minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for your Endpoint detection and response tool. ->[!IMPORTANT] ->This feature is available for machines on Windows 10, version 1607 or later. +> [!IMPORTANT] +> This feature is available for machines on Windows 10, version 1607 or later. 
-#### Minimum baseline configuration setting for EDR: -- Microsoft Defender ATP sensor is on -- Data collection is working correctly -- Communication to Microsoft Defender ATP service is not impaired +#### Minimum baseline configuration setting for EDR + +* Microsoft Defender ATP sensor is on +* Data collection is working correctly +* Communication to Microsoft Defender ATP service is not impaired + +##### Recommended actions -##### Recommended actions: You can take the following actions to increase the overall security score of your organization: -- Turn on sensor -- Fix sensor data collection -- Fix impaired communications -For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md). +* Turn on sensor +* Fix sensor data collection +* Fix impaired communications + +For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md). ### Microsoft Defender Antivirus (Microsoft Defender AV) optimization + A well-configured machine complies to a minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Microsoft Defender AV. ->[!IMPORTANT] ->This feature is available for machines on Windows 10, version 1607 or later. +> [!IMPORTANT] +> This feature is available for machines on Windows 10, version 1607 or later. 
+ +#### Minimum baseline configuration setting for Microsoft Defender AV -#### Minimum baseline configuration setting for Microsoft Defender AV: Machines are considered "well configured" for Microsoft Defender AV if the following requirements are met: -- Microsoft Defender AV is reporting correctly -- Microsoft Defender AV is turned on -- Security intelligence is up-to-date -- Real-time protection is on -- Potentially Unwanted Application (PUA) protection is enabled +* Microsoft Defender AV is reporting correctly +* Microsoft Defender AV is turned on +* Security intelligence is up-to-date +* Real-time protection is on +* Potentially Unwanted Application (PUA) protection is enabled + +##### Recommended actions -##### Recommended actions: You can take the following actions to increase the overall security score of your organization: ->[!NOTE] -> For the Microsoft Defender Antivirus properties to show, you'll need to ensure that the Microsoft Defender Antivirus Cloud-based protection is properly configured on the machine. +> [!NOTE] +> For the Microsoft Defender Antivirus properties to show, you'll need to ensure that the Microsoft Defender Antivirus Cloud-based protection is properly configured on the machine. -- Fix antivirus reporting - - This recommendation is displayed when the Microsoft Defender Antivirus is not properly configured to report its health state. For more information on fixing the reporting, see [Configure and validate network connections](../windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md). -- Turn on antivirus -- Update antivirus Security intelligence -- Turn on real-time protection -- Turn on PUA protection +* Fix antivirus reporting + * This recommendation is displayed when the Microsoft Defender Antivirus is not properly configured to report its health state. 
For more information on fixing the reporting, see [Configure and validate network connections](../windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md) +* Turn on antivirus +* Update antivirus Security intelligence +* Turn on real-time protection +* Turn on PUA protection For more information, see [Configure Microsoft Defender Antivirus](../windows-defender-antivirus/configure-windows-defender-antivirus-features.md). - ### OS security updates optimization + This tile shows you the number of machines that require the latest security updates. It also shows machines that are running on the latest Windows Insider preview build and serves as a reminder to ensure that users should run the latest builds. - ->[!IMPORTANT] ->This feature is available for machines on Windows 10, version 1607 or later. + +> [!IMPORTANT] +> This feature is available for machines on Windows 10, version 1607 or later. You can take the following actions to increase the overall security score of your organization: -- Install the latest security updates -- Fix sensor data collection - - The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. It's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md). + +* Install the latest security updates +* Fix sensor data collection + * The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. It's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md). 
For more information, see [Windows Update Troubleshooter](https://support.microsoft.com/help/4027322/windows-windows-update-troubleshooter). - ### Microsoft Defender Exploit Guard (Microsoft Defender EG) optimization -A well-configured machine complies to a minimum baseline configuration setting. This tile shows you a list of actions to apply on machines to meet the minimum baseline configuration setting for Microsoft Defender EG. When endpoints are configured according to the baseline the Microsoft Defender EG events shows on the Microsoft Defender ATP Machine timeline. + ->[!IMPORTANT] ->This security control is only applicable for machines with Windows 10, version 1709 or later. +A well-configured machine complies to a minimum baseline configuration setting. This tile shows you a list of actions to apply on machines to meet the minimum baseline configuration setting for Microsoft Defender EG. When endpoints are configured according to the baseline the Microsoft Defender EG events shows on the Microsoft Defender ATP Machine timeline. + +> [!IMPORTANT] +> This security control is only applicable for machines with Windows 10, version 1709 or later. + +#### Minimum baseline configuration setting for Microsoft Defender EG -#### Minimum baseline configuration setting for Microsoft Defender EG: Machines are considered "well configured" for Microsoft Defender EG if the following requirements are met: -- System level protection settings are configured correctly -- Attack Surface Reduction rules are configured correctly -- Controlled Folder Access setting is configured correctly +* System level protection settings are configured correctly +* Attack Surface Reduction rules are configured correctly +* Controlled Folder Access setting is configured correctly + +##### System level protection -##### System level protection: The following system level configuration settings must be set to **On or Force On**: -1. Control Flow Guard +1. Control Flow Guard 2. 
Data Execution Prevention (DEP) 3. Randomize memory allocations (Bottom-up ASLR) 4. Validate exception chains (SEHOP) 5. Validate heap integrity ->[!NOTE] ->The setting **Force randomization for images (Mandatory ASLR)** is currently excluded from the baseline. ->Consider configuring **Force randomization for images (Mandatory ASLR)** to **On or Force On** for better protection. +> [!NOTE] +> The setting **Force randomization for images (Mandatory ASLR)** is currently excluded from the baseline. +> Consider configuring **Force randomization for images (Mandatory ASLR)** to **On or Force On** for better protection. + +##### Attack Surface Reduction (ASR) rules -##### Attack Surface Reduction (ASR) rules: The following ASR rules must be configured to **Block mode**: -Rule description | GUIDs +Rule description | GUIDs -|- Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 Block Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A 
@@ -129,172 +143,176 @@ Impede JavaScript and VBScript to launch executables | D3E037E1-3EB8-44C8-A917-5 Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC Block Win32 imports from Macro code in Office | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B - - ->[!NOTE] ->The setting **Block Office applications from injecting into other processes** with GUID 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 is excluded from the baseline. ->Consider enabling this rule in **Audit** or **Block mode** for better protection. - +> [!NOTE] +> The setting **Block Office applications from injecting into other processes** with GUID 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 is excluded from the baseline. +> Consider enabling this rule in **Audit** or **Block mode** for better protection. ##### Controlled Folder Access + The Controlled Folder Access setting must be configured to **Audit mode** or **Enabled**. ->[!NOTE] +> [!NOTE] > Audit mode, allows you to see audit events in the Microsoft Defender ATP Machine timeline however it does not block suspicious applications. ->Consider enabling Controlled Folder Access for better protection. +> Consider enabling Controlled Folder Access for better protection. + +##### Recommended actions -##### Recommended actions: You can take the following actions to increase the overall security score of your organization: -- Turn on all system-level Exploit Protection settings -- Set all ASR rules to enabled or audit mode -- Turn on Controlled Folder Access -- Turn on Microsoft Defender Antivirus on compatible machines -For more information, see [Microsoft Defender Exploit Guard](../windows-defender-exploit-guard/windows-defender-exploit-guard.md). 
+* Turn on all system-level Exploit Protection settings +* Set all ASR rules to enabled or audit mode +* Turn on Controlled Folder Access +* Turn on Microsoft Defender Antivirus on compatible machines ### Microsoft Defender Application Guard (Microsoft Defender AG) optimization -A well-configured machine complies to a minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Microsoft Defender AG. When endpoints are configured according to the baseline, Microsoft Defender AG events shows on the Microsoft Defender ATP Machine timeline. ->[!IMPORTANT] ->This security control is only applicable for machines with Windows 10, version 1709 or later. +A well-configured machine complies to a minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Microsoft Defender AG. When endpoints are configured according to the baseline, Microsoft Defender AG events shows on the Microsoft Defender ATP Machine timeline. + +> [!IMPORTANT] +> This security control is only applicable for machines with Windows 10, version 1709 or later. 
+ +#### Minimum baseline configuration setting for Microsoft Defender AG -#### Minimum baseline configuration setting for Microsoft Defender AG: Machines are considered "well configured" for Microsoft Defender AG if the following requirements are met: -- Hardware and software prerequisites are met -- Microsoft Defender AG is turned on compatible machines -- Managed mode is turned on +* Hardware and software prerequisites are met +* Microsoft Defender AG is turned on compatible machines +* Managed mode is turned on + +##### Recommended actions -##### Recommended actions: You can take the following actions to increase the overall security score of your organization: -- Ensure hardware and software prerequisites are met - - >[!NOTE] - >This improvement item does not contribute to the security score in itself because it's not a prerequisite for Microsoft Defender AG. It gives an indication of a potential reason why Microsoft Defender AG is not turned on. -- Turn on Microsoft Defender AG on compatible machines -- Turn on managed mode +* Ensure hardware and software prerequisites are met + > [!NOTE] + > This improvement item does not contribute to the security score in itself because it's not a prerequisite for Microsoft Defender AG. It gives an indication of a potential reason why Microsoft Defender AG is not turned on. + +* Turn on Microsoft Defender AG on compatible machines +* Turn on managed mode For more information, see [Microsoft Defender Application Guard overview](../windows-defender-application-guard/wd-app-guard-overview.md). - ### Microsoft Defender SmartScreen optimization + A well-configured machine complies to a minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Microsoft Defender SmartScreen. 
->[!WARNING] +> [!WARNING] > Data collected by Microsoft Defender SmartScreen might be stored and processed outside of the storage location you have selected for your Microsoft Defender ATP data. +> [!IMPORTANT] +> This security control is only applicable for machines with Windows 10, version 1709 or later. ->[!IMPORTANT] ->This security control is only applicable for machines with Windows 10, version 1709 or later. +#### Minimum baseline configuration setting for Microsoft Defender SmartScreen -#### Minimum baseline configuration setting for Microsoft Defender SmartScreen: The following settings must be configured with the following settings: -- Check apps and files: **Warn** or **Block** -- SmartScreen for Microsoft Edge: **Warn** or **Block** -- SmartScreen for Microsoft store apps: **Warn** or **Off** +* Check apps and files: **Warn** or **Block** +* SmartScreen for Microsoft Edge: **Warn** or **Block** +* SmartScreen for Microsoft store apps: **Warn** or **Off** You can take the following actions to increase the overall security score of your organization: -- Set **Check app and files** to **Warn** or **Block** -- Set **SmartScreen for Microsoft Edge** to **Warn** or **Block** -- Set **SmartScreen for Microsoft store apps** to **Warn** or **Off** + +* Set **Check app and files** to **Warn** or **Block** +* Set **SmartScreen for Microsoft Edge** to **Warn** or **Block** +* Set **SmartScreen for Microsoft store apps** to **Warn** or **Off** For more information, see [Microsoft Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md). - - ### Microsoft Defender Firewall optimization -A well-configured machine must have Microsoft Defender Firewall turned on and enabled for all profiles so that inbound connections are blocked by default. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Microsoft Defender Firewall. 
->[!IMPORTANT] ->This security control is only applicable for machines with Windows 10, version 1709 or later. +A well-configured machine must have Microsoft Defender Firewall turned on and enabled for all profiles so that inbound connections are blocked by default. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Microsoft Defender Firewall. -#### Minimum baseline configuration setting for Microsoft Defender Firewall +> [!IMPORTANT] +> This security control is only applicable for machines with Windows 10, version 1709 or later. -- Microsoft Defender Firewall is turned on for all network connections -- Secure domain profile by enabling Microsoft Defender Firewall and ensure that Inbound connections are set to Blocked -- Secure private profile by enabling Microsoft Defender Firewall and ensure that Inbound connections are set to Blocked -- Secure public profile is configured by enabling Microsoft Defender Firewall and ensure that Inbound connections are set to Blocked +#### Minimum baseline configuration setting for Microsoft Defender Firewall + +* Microsoft Defender Firewall is turned on for all network connections +* Secure domain profile by enabling Microsoft Defender Firewall and ensure that Inbound connections are set to Blocked +* Secure private profile by enabling Microsoft Defender Firewall and ensure that Inbound connections are set to Blocked +* Secure public profile is configured by enabling Microsoft Defender Firewall and ensure that Inbound connections are set to Blocked For more information on Microsoft Defender Firewall settings, see [Planning settings for a basic firewall policy](https://docs.microsoft.com/windows/security/identity-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy). 
->[!NOTE] +> [!NOTE] > If Microsoft Defender Firewall is not your primary firewall, consider excluding it from the security score calculations and make sure that your third-party firewall is configured in a securely. +##### Recommended actions -##### Recommended actions: You can take the following actions to increase the overall security score of your organization: -- Turn on firewall -- Secure domain profile -- Secure private profile -- Secure public profile -- Verify secure configuration of third-party firewall -- Fix sensor data collection - - The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. It's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md). + +* Turn on firewall +* Secure domain profile +* Secure private profile +* Secure public profile +* Verify secure configuration of third-party firewall +* Fix sensor data collection + * The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. It's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md). For more information, see [Microsoft Defender Firewall with Advanced Security](https://docs.microsoft.com/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security). ### BitLocker optimization -A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for BitLocker. 
->[!IMPORTANT] ->This security control is only applicable for machines with Windows 10, version 1803 or later. +A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for BitLocker. + +> [!IMPORTANT] +> This security control is only applicable for machines with Windows 10, version 1803 or later. #### Minimum baseline configuration setting for BitLocker -- Ensure all supported drives are encrypted -- Ensure that all suspended protection on drives resume protection -- Ensure that drives are compatible +* Ensure all supported drives are encrypted +* Ensure that all suspended protection on drives resume protection +* Ensure that drives are compatible + +##### Recommended actions -##### Recommended actions: You can take the following actions to increase the overall security score of your organization: -- Encrypt all supported drives -- Resume protection on all drives -- Ensure drive compatibility -- Fix sensor data collection - - The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. It's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md). + +* Encrypt all supported drives +* Resume protection on all drives +* Ensure drive compatibility +* Fix sensor data collection + * The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. It's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md). 
For more information, see [Bitlocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview). ### Microsoft Defender Credential Guard optimization + A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Microsoft Defender Credential Guard. ->[!IMPORTANT] ->This security control is only applicable for machines with Windows 10, version 1709 or later. +> [!IMPORTANT] +> This security control is only applicable for machines with Windows 10, version 1709 or later. + +#### Minimum baseline configuration setting for Microsoft Defender Credential Guard -#### Minimum baseline configuration setting for Microsoft Defender Credential Guard: Well-configured machines for Microsoft Defender Credential Guard meets the following requirements: -- Hardware and software prerequisites are met -- Microsoft Defender Credential Guard is turned on compatible machines +* Hardware and software prerequisites are met +* Microsoft Defender Credential Guard is turned on compatible machines +##### Recommended actions -##### Recommended actions: You can take the following actions to increase the overall security score of your organization: -- Ensure hardware and software prerequisites are met -- Turn on Credential Guard -- Fix sensor data collection - - The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. It's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md). 
+* Ensure hardware and software prerequisites are met +* Turn on Credential Guard +* Fix sensor data collection + * The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. It's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md). For more information, see [Manage Microsoft Defender Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-manage). ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-sadashboard-belowfoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-sadashboard-belowfoldlink) ## Related topics -- [Overview of Secure score](overview-secure-score.md) -- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) -- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) -- [Exposure score](tvm-exposure-score.md) -- [Configuration score](configuration-score.md) -- [Security recommendations](tvm-security-recommendation.md) -- [Remediation](tvm-remediation.md) -- [Software inventory](tvm-software-inventory.md) -- [Weaknesses](tvm-weaknesses.md) -- [Scenarios](threat-and-vuln-mgt-scenarios.md) - - - +* [Overview of Secure score](overview-secure-score.md) +* [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) +* [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) +* [Exposure score](tvm-exposure-score.md) +* [Configuration score](configuration-score.md) +* [Security recommendations](tvm-security-recommendation.md) +* 
[Remediation](tvm-remediation.md) +* [Software inventory](tvm-software-inventory.md) +* [Weaknesses](tvm-weaknesses.md) +* [Scenarios](threat-and-vuln-mgt-scenarios.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender.md b/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender.md index 0f6c505ac8..cb5f42efe4 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender.md @@ -9,6 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium +audience: ITPro author: levinec ms.author: ellevin ms.date: 04/02/2019 diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders.md index 6b462b650e..792faa49e8 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders.md @@ -155,4 +155,4 @@ See the [Windows Security](../windows-defender-security-center/windows-defender- * [Protect important folders with controlled folder access](controlled-folders.md) * [Enable controlled folder access](enable-controlled-folders.md) -* [Evaluate attack surface reduction rules](evaluate-windows-defender.md) +* [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders.md index 7da99a6da0..ea03b88559 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders.md 
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders.md @@ -9,6 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium +audience: ITPro author: levinec ms.author: ellevin ms.date: 05/13/2019 @@ -22,7 +23,7 @@ manager: dansimp * [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[Controlled folder access](controlled-folders.md) helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender](windows-defender.md). Controlled folder access is included with Windows 10 and Windows Server 2019. +[Controlled folder access](controlled-folders.md) helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is included with Windows 10 and Windows Server 2019. You can enable controlled folder access by using any of these methods: @@ -122,4 +123,4 @@ Use `Disabled` to turn the feature off. * [Protect important folders with controlled folder access](controlled-folders.md) * [Customize controlled folder access](customize-controlled-folders.md) -* [Evaluate Microsoft Defender ATP](evaluate-windows-defender.md) +* [Evaluate Microsoft Defender ATP](../microsoft-defender-atp/evaluate-atp.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md index d6346c051a..2e14c49fc9 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md 
@@ -108,7 +108,6 @@ Use `Disabled` instead of `AuditMode` or `Enabled` to turn the feature off. ## Related topics -* [Windows Defender Exploit Guard](windows-defender.md) * [Network protection](network-protection.md) * [Evaluate network protection](evaluate-network-protection.md) * [Troubleshoot network protection](troubleshoot-np.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md index 60381c0ee2..271622f774 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md @@ -65,6 +65,6 @@ During your evaluation, you may wish to configure each rule individually or excl See the [Customize attack surface reduction rules](customize-attack-surface-reduction.md) topic for information on configuring the feature with management tools, including Group Policy and MDM CSP policies. ## Related topics + * [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md) -* [Evaluate Windows Defender](evaluate-windows-defender.md) * [Use audit mode to evaluate Windows Defender](audit-windows-defender.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md index 1443a8d07f..5f8fc8a0da 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md 
@@ -67,5 +67,5 @@ See [Protect important folders with controlled folder access](controlled-folders ## Related topics * [Protect important folders with controlled folder access](controlled-folders.md) -* [Evaluate Microsoft Defender ATP](evaluate-windows-defender.md) +* [Evaluate Microsoft Defender ATP]../(microsoft-defender-atp/evaluate-atp.md) * [Use audit mode](audit-windows-defender.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md index 0d45506dbd..cc1e37b1af 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md @@ -65,7 +65,6 @@ To review apps that would have been blocked, open Event Viewer and filter for Ev ## Related topics -* [Windows Defender Exploit Guard](windows-defender-exploit-guard.md) * [Network protection](network-protection.md) * [Enable network protection](enable-network-protection.md) * [Troubleshoot network protection](troubleshoot-np.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection.md index 8dbf461446..c8c5d7b447 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection.md 
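Review bot: The replacement link on the new side of the evaluate-controlled-folder-access.md hunk is malformed: `]../(microsoft-defender-atp/evaluate-atp.md)` places `../` outside the parentheses, so Markdown renders a literal `[Evaluate Microsoft Defender ATP]../` followed by a bracketed path rather than a link. The same commit writes this link correctly in enable-controlled-folders.md; the line should read `* [Evaluate Microsoft Defender ATP](../microsoft-defender-atp/evaluate-atp.md)`. Because the old `evaluate-windows-defender.md` target is being removed across these files, this is the only remaining pointer from the controlled-folder-access evaluation page to the ATP evaluation topic, so the broken form leaves readers with no working route to it.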
@@ -23,9 +23,7 @@ manager: dansimp * [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Exploit protection automatically applies a number of exploit mitigation techniques to operating system processes and apps. - -It is part of [Windows Defender](windows-defender.md). Exploit protection is supported beginning with Windows 10, version 1709 and Windows Server 2016, version 1803. +Exploit protection automatically applies a number of exploit mitigation techniques to operating system processes and apps. Exploit protection is supported beginning with Windows 10, version 1709 and Windows Server 2016, version 1803. > [!TIP] > You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md b/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md index bface7c1ee..87f3077150 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md 
@@ -25,8 +25,6 @@ manager: dansimp Exploit protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level. -It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). - Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) are now included in exploit protection. You use the Windows Security app or PowerShell to create a set of mitigations (known as a configuration). You can then export this configuration as an XML file and share it with multiple machines on your network so they all have the same set of mitigation settings. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/oldTOC.md b/windows/security/threat-protection/windows-defender-exploit-guard/oldTOC.md index 6682c7e6c4..759d9db64f 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/oldTOC.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/oldTOC.md @@ -1,8 +1,5 @@ -# [Windows Defender Exploit Guard](windows-defender-exploit-guard.md) - -## [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender.md) -### [Use auditing mode to evaluate Windows Defender Exploit Guard](audit-windows-defender.md) -### [View Exploit Guard events](event-views.md) +## [Use auditing mode to evaluate Windows Defender](audit-windows-defender.md) +## [View events](event-views.md) ## [Exploit protection](exploit-protection.md) ### [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md index cab96f898b..af397987a0 100644 
--- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md @@ -96,7 +96,6 @@ When you report a problem with network protection, you are asked to collect and ## Related topics -* [Windows Defender Exploit Guard](windows-defender-exploit-guard.md) * [Network protection](network-protection.md) * [Evaluate network protection](evaluate-network-protection.md) * [Enable network protection](enable-network-protection.md) From 6ce96c3a436fa6f9f9e3225c6368a6c5913eaf42 Mon Sep 17 00:00:00 2001 From: martyav Date: Wed, 31 Jul 2019 17:25:29 -0400 Subject: [PATCH 25/49] typo correction --- .../security/threat-protection/microsoft-defender-atp/oldTOC.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/oldTOC.md b/windows/security/threat-protection/microsoft-defender-atp/oldTOC.md index 65f226fe65..fb2d4197e6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/oldTOC.md +++ b/windows/security/threat-protection/microsoft-defender-atp/oldTOC.md @@ -197,7 +197,7 @@ #### [Controlled folder access]() ##### [Enable controlled folder access](../windows-defender-exploit-guard/enable-controlled-folders.md) -##### [Customize controlled folder access](../windows-defender-exploit-guard/customize-controlled.md) +##### [Customize controlled folder access](../windows-defender-exploit-guard/customize-controlled-folders.md) #### [Attack surface reduction controls]() ##### [Enable attack surface reduction rules](../windows-defender-exploit-guard/enable-attack-surface-reduction.md) From c2dcb444d1a349a264728526bd7e8a08c0ae793f Mon Sep 17 00:00:00 2001 From: martyav Date: Thu, 1 Aug 2019 15:28:35 -0400 Subject: [PATCH 26/49] removed comparison table from ep page --- .../exploit-protection.md | 43 +++---------------- 1 file changed, 5 insertions(+), 38 deletions(-) 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection.md index c8c5d7b447..1e317f2160 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection.md 
@@ -36,7 +36,7 @@ When a mitigation is encountered on the machine, a notification will be displaye You can also use [audit mode](evaluate-exploit-protection.md) to evaluate how exploit protection would impact your organization if it were enabled. -Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) have been included in Exploit protection, and you can convert and import existing EMET configuration profiles into Exploit protection. See [Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender Exploit Guard](emet-exploit-protection.md) for more information on how Exploit protection supersedes EMET and what the benefits are when considering moving to exploit protection on Windows 10. +Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) have been included in Exploit protection, and you can convert and import existing EMET configuration profiles into Exploit protection. See [Comparison between Enhanced Mitigation Experience Toolkit and Exploit protection](emet-exploit-protection.md) for more information on how Exploit protection supersedes EMET and what the benefits are when considering moving to exploit protection on Windows 10. > [!IMPORTANT] > If you are currently using EMET you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with exploit protection in Windows 10. You can [convert an existing EMET configuration file into exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings. 
@@ -90,46 +90,13 @@ Security-Mitigations | 24 | ROP SimExec enforce WER-Diagnostics | 5 | CFG Block Win32K | 260 | Untrusted Font -## Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender Exploit Guard - -> [!IMPORTANT] -> If you are currently using EMET, you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with exploit protection in Microsoft Defender ATP. -> -> You can [convert an existing EMET configuration file into exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings. - -This section compares exploit protection in Microsoft Defender ATP with the Enhance Mitigation Experience Toolkit (EMET) for reference. -The table in this section illustrates the differences between EMET and Windows Defender Exploit Guard. - -  | Windows Defender Exploit Guard | EMET - -|-|- -Windows versions | [!include[Check mark yes](images/svg/check-yes.svg)]
All versions of Windows 10 starting with version 1709 | [!include[Check mark yes](images/svg/check-yes.svg)]
Windows 8.1; Windows 8; Windows 7
Cannot be installed on Windows 10, version 1709 and later -Installation requirements | [Windows Security in Windows 10](../windows-defender-security-center/windows-defender-security-center.md)
(no additional installation required)
Windows Defender Exploit Guard is built into Windows - it doesn't require a separate tool or package for management, configuration, or deployment. | Available only as an additional download and must be installed onto a management device -User interface | Modern interface integrated with the [Windows Security app](../windows-defender-security-center/windows-defender-security-center.md) | Older, complex interface that requires considerable ramp-up training -Supportability | [!include[Check mark yes](images/svg/check-yes.svg)]
[Dedicated submission-based support channel](https://www.microsoft.com/en-us/wdsi/filesubmission)[[1](#fn1)]
[Part of the Windows 10 support lifecycle](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet) | [!include[Check mark no](images/svg/check-no.svg)]
Ends after July 31, 2018 -Updates | [!include[Check mark yes](images/svg/check-yes.svg)]
Ongoing updates and development of new features, released twice yearly as part of the [Windows 10 semi-annual update channel](https://blogs.technet.microsoft.com/windowsitpro/2017/07/27/waas-simplified-and-aligned/) | [!include[Check mark no](images/svg/check-no.svg)]
No planned updates or development -Exploit protection | [!include[Check mark yes](images/svg/check-yes.svg)]
All EMET mitigations plus new, specific mitigations ([see table](#mitigation-comparison))
[Can convert and import existing EMET configurations](import-export-exploit-protection-emet-xml.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
Limited set of mitigations -Attack surface reduction[[2](#fn2)] | [!include[Check mark yes](images/svg/check-yes.svg)]
[Helps block known infection vectors](attack-surface-reduction.md)
[Can configure individual rules](enable-attack-surface-reduction.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
Limited ruleset configuration only for modules (no processes) -Network protection[[2](#fn2)] | [!include[Check mark yes](images/svg/check-yes.svg)]
[Helps block malicious network connections](network-protection.md) | [!include[Check mark no](images/svg/check-no.svg)]
Not available -Controlled folder access[[2](#fn2)] | [!include[Check mark yes](images/svg/check-yes.svg)]
[Helps protect important folders](controlled-folders.md)
[Configurable for apps and folders](customize-controlled-folders.md) | [!include[Check mark no](images/svg/check-no.svg)]
Not available -Configuration with GUI (user interface) | [!include[Check mark yes](images/svg/check-yes.svg)]
[Use Windows Security app to customize and manage configurations](customize-exploit-protection.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
Requires installation and use of EMET tool -Configuration with Group Policy | [!include[Check mark yes](images/svg/check-yes.svg)]
[Use Group Policy to deploy and manage configurations](import-export-exploit-protection-emet-xml.md#manage-or-deploy-a-configuration) | [!include[Check mark yes](images/svg/check-yes.svg)]
Available -Configuration with shell tools | [!include[Check mark yes](images/svg/check-yes.svg)]
[Use PowerShell to customize and manage configurations](customize-exploit-protection.md#powershell-reference) | [!include[Check mark yes](images/svg/check-yes.svg)]
Requires use of EMET tool (EMET_CONF) -System Center Configuration Manager | [!include[Check mark yes](images/svg/check-yes.svg)]
[Use Configuration Manager to customize, deploy, and manage configurations](https://docs.microsoft.com/sccm/protect/deploy-use/create-deploy-exploit-guard-policy) | [!include[Check mark no](images/svg/check-no.svg)]
Not available -Microsoft Intune | [!include[Check mark yes](images/svg/check-yes.svg)]
[Use Intune to customize, deploy, and manage configurations](https://docs.microsoft.com/intune/whats-new#window-defender-exploit-guard-is-a-new-set-of-intrusion-prevention-capabilities-for-windows-10----1063615---) | [!include[Check mark no](images/svg/check-no.svg)]
Not available -Reporting | [!include[Check mark yes](images/svg/check-yes.svg)]
With [Windows event logs](event-views.md) and [full audit mode reporting](audit-windows-defender.md)
[Full integration with Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/secure-score-dashboard.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
Limited Windows event log monitoring -Audit mode | [!include[Check mark yes](images/svg/check-yes.svg)]
[Full audit mode with Windows event reporting](audit-windows-defender.md) | [!include[Check mark no](images/svg/check-no.svg)]
Limited to EAF, EAF+, and anti-ROP mitigations - -([1](#ref1)) Requires an enterprise subscription with Azure Active Directory or a [Software Assurance ID](https://www.microsoft.com/en-us/licensing/licensing-programs/software-assurance-default.aspx). - -([2](#ref2-1)) Additional requirements may apply (such as use of Windows Defender Antivirus). See [Windows Defender Exploit Guard requirements](windows-defender-exploit-guard.md#requirements) for more details. Customizable mitigation options that are configured with [exploit protection](exploit-protection.md) do not require Windows Defender Antivirus. - ## Mitigation comparison -The mitigations available in EMET are included in Windows Defender Exploit Guard, under the [exploit protection feature](exploit-protection.md). +The mitigations available in EMET are included natively in Windows 10 (starting with version 1709) and Windows Server 2016 (starting with version 1803), under [Exploit protection](exploit-protection.md). -The table in this section indicates the availability and support of native mitigations between EMET and exploit protection. +The table in this section indicates the availability and support of native mitigations between EMET and exploit protection. -Mitigation | Available in Windows Defender Exploit Guard | Available in EMET +Mitigation | Available under Exploit protection | Available in EMET -|-|- Arbitrary code guard (ACG) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
As "Memory Protection Check" Block remote images | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
As "Load Library Check" @@ -156,7 +123,7 @@ Validate heap integrity | [!include[Check mark yes](images/svg/check-yes.svg)] | Validate image dependency integrity | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] > [!NOTE] -> The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default in Windows Defender Exploit Guard as part of enabling the anti-ROP mitigations for a process. +> The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default, as part of enabling the anti-ROP mitigations for a process. > > See the [Mitigation threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information on how Windows 10 employs existing EMET technology. From d1fcdadae439063e305fa630462da7420529c070 Mon Sep 17 00:00:00 2001 From: martyav Date: Thu, 1 Aug 2019 15:53:15 -0400 Subject: [PATCH 27/49] clean/linted tpm recs --- .../tpm/tpm-recommendations.md | 75 +++++++++---------- 1 file changed, 37 insertions(+), 38 deletions(-) diff --git a/windows/security/information-protection/tpm/tpm-recommendations.md b/windows/security/information-protection/tpm/tpm-recommendations.md index a1a64bebe4..5da4caee6b 100644 --- a/windows/security/information-protection/tpm/tpm-recommendations.md +++ b/windows/security/information-protection/tpm/tpm-recommendations.md @@ -20,8 +20,9 @@ ms.date: 11/29/2018 # TPM recommendations **Applies to** -- Windows 10 -- Windows Server 2016 + +- Windows 10 +- Windows Server 2016 This topic provides recommendations for Trusted Platform Module (TPM) technology for Windows 10. 
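Review bot: Removing the comparison table also removes the page's only requirements statement: footnote 2 said that the mitigations configured with exploit protection do not require Windows Defender Antivirus, and the `windows-defender-exploit-guard.md#requirements` page it linked to appears to be removed by this series as well. Nothing on the new side says what exploit protection does or does not depend on, which matters to readers deciding whether it works alongside third-party antivirus. Consider keeping one sentence near the intro, e.g. `Exploit protection does not require Windows Defender Antivirus.`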
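Review bot: The rewritten NOTE line still reads `superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default, as part of`, where `which` should be `while`, and the new comma after `default` splits the clause oddly. Since the line is being edited anyway, suggest `> The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, while other EMET advanced settings are enabled by default as part of enabling the anti-ROP mitigations for a process.`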
@@ -47,27 +48,27 @@ From an industry standard, Microsoft has been an industry leader in moving and s TPM 2.0 products and systems have important security advantages over TPM 1.2, including: -- The TPM 1.2 spec only allows for the use of RSA and the SHA-1 hashing algorithm. +- The TPM 1.2 spec only allows for the use of RSA and the SHA-1 hashing algorithm. -- For security reasons, some entities are moving away from SHA-1. Notably, NIST has required many federal agencies to move to SHA-256 as of 2014, and technology leaders, including Microsoft and Google have announced they will remove support for SHA-1 based signing or certificates in 2017. +- For security reasons, some entities are moving away from SHA-1. Notably, NIST has required many federal agencies to move to SHA-256 as of 2014, and technology leaders, including Microsoft and Google have announced they will remove support for SHA-1 based signing or certificates in 2017. -- TPM 2.0 **enables greater crypto agility** by being more flexible with respect to cryptographic algorithms. +- TPM 2.0 **enables greater crypto agility** by being more flexible with respect to cryptographic algorithms. - - TPM 2.0 supports newer algorithms, which can improve drive signing and key generation performance. For the full list of supported algorithms, see the [TCG Algorithm Registry](http://www.trustedcomputinggroup.org/tcg-algorithm-registry/). Some TPMs do not support all algorithms. + - TPM 2.0 supports newer algorithms, which can improve drive signing and key generation performance. For the full list of supported algorithms, see the [TCG Algorithm Registry](http://www.trustedcomputinggroup.org/tcg-algorithm-registry/). Some TPMs do not support all algorithms. - - For the list of algorithms that Windows supports in the platform cryptographic storage provider, see [CNG Cryptographic Algorithm Providers](https://msdn.microsoft.com/library/windows/desktop/bb931354(v=vs.85).aspx). 
+ - For the list of algorithms that Windows supports in the platform cryptographic storage provider, see [CNG Cryptographic Algorithm Providers](https://msdn.microsoft.com/library/windows/desktop/bb931354(v=vs.85).aspx). - - TPM 2.0 achieved ISO standardization ([ISO/IEC 11889:2015](https://blogs.microsoft.com/cybertrust/2015/06/29/governments-recognize-the-importance-of-tpm-2-0-through-iso-adoption/)). + - TPM 2.0 achieved ISO standardization ([ISO/IEC 11889:2015](https://blogs.microsoft.com/cybertrust/2015/06/29/governments-recognize-the-importance-of-tpm-2-0-through-iso-adoption/)). - - Use of TPM 2.0 may help eliminate the need for OEMs to make exception to standard configurations for certain countries and regions. + - Use of TPM 2.0 may help eliminate the need for OEMs to make exception to standard configurations for certain countries and regions. -- TPM 2.0 offers a more **consistent experience** across different implementations. +- TPM 2.0 offers a more **consistent experience** across different implementations. - - TPM 1.2 implementations vary in policy settings. This may result in support issues as lockout policies vary. + - TPM 1.2 implementations vary in policy settings. This may result in support issues as lockout policies vary. - - TPM 2.0 lockout policy is configured by Windows, ensuring a consistent dictionary attack protection guarantee. + - TPM 2.0 lockout policy is configured by Windows, ensuring a consistent dictionary attack protection guarantee. -- While TPM 1.2 parts are discrete silicon components which are typically soldered on the motherboard, TPM 2.0 is available as a **discrete (dTPM)** silicon component in a single semiconductor package, an **integrated** component incorporated in one or more semiconductor packages - alongside other logic units in the same package(s) - and as a **firmware (fTPM)** based component running in a trusted execution environment (TEE) on a general purpose SoC. 
+- While TPM 1.2 parts are discrete silicon components which are typically soldered on the motherboard, TPM 2.0 is available as a **discrete (dTPM)** silicon component in a single semiconductor package, an **integrated** component incorporated in one or more semiconductor packages - alongside other logic units in the same package(s) - and as a **firmware (fTPM)** based component running in a trusted execution environment (TEE) on a general purpose SoC. > [!NOTE] > TPM 2.0 is not supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security Enable the Secure Boot feature. @@ -78,11 +79,11 @@ TPM 2.0 products and systems have important security advantages over TPM 1.2, in There are three implementation options for TPMs: -- Discrete TPM chip as a separate component in its own semiconductor package +- Discrete TPM chip as a separate component in its own semiconductor package -- Integrated TPM solution, using dedicated hardware integrated into one or more semiconductor packages alongside, but logically separate from, other components +- Integrated TPM solution, using dedicated hardware integrated into one or more semiconductor packages alongside, but logically separate from, other components -- Firmware TPM solution, running the TPM in firmware in a Trusted Execution mode of a general purpose computation unit +- Firmware TPM solution, running the TPM in firmware in a Trusted Execution mode of a general purpose computation unit Windows uses any compatible TPM in the same way. Microsoft does not take a position on which way a TPM should be implemented and there is a wide ecosystem of available TPM solutions which should suit all needs. 
@@ -94,39 +95,37 @@ For end consumers, TPM is behind the scenes but is still very relevant. TPM is u ### Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) -- Since July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of a existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7 of the [Minimum hardware requirements](https://docs.microsoft.com/windows-hardware/design/minimum/minimum-hardware-requirements-overview) page). The requirement to enable TPM 2.0 only applies to the manufacturing of new devices. For TPM recommendations for specific Windows features, see [TPM and Windows Features](#tpm-and-windows-features). +- Since July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of a existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7 of the [Minimum hardware requirements](https://docs.microsoft.com/windows-hardware/design/minimum/minimum-hardware-requirements-overview) page). The requirement to enable TPM 2.0 only applies to the manufacturing of new devices. For TPM recommendations for specific Windows features, see [TPM and Windows Features](#tpm-and-windows-features). ### IoT Core -- TPM is optional on IoT Core. +- TPM is optional on IoT Core. ### Windows Server 2016 -- TPM is optional for Windows Server SKUs unless the SKU meets the additional qualification (AQ) criteria for the Host Guardian Services scenario in which case TPM 2.0 is required. +- TPM is optional for Windows Server SKUs unless the SKU meets the additional qualification (AQ) criteria for the Host Guardian Services scenario in which case TPM 2.0 is required. ## TPM and Windows Features The following table defines which Windows features require TPM support. 
-| Windows Features | TPM Required | Supports TPM 1.2 | Supports TPM 2.0 | Details | -|-------------------------|--------------|--------------------|--------------------|----------| -| Measured Boot | Yes | Yes | Yes | Measured Boot requires TPM 1.2 or 2.0 and UEFI Secure Boot | -| BitLocker | Yes | Yes | Yes | TPM 1.2 or 2.0 is required, but [Automatic Device Encryption requires Modern Standby](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) including TPM 2.0 support | -| Device Encryption | Yes | N/A | Yes | Device Encryption requires Modern Standby/Connected Standby certification, which requires TPM 2.0. | -| Windows Defender Application Control (Device Guard) | No | Yes | Yes | | -| Windows Defender Exploit Guard | No | N/A | N/A | | -| Windows Defender System Guard | Yes | No | Yes | | -| Credential Guard | No | Yes | Yes | Windows 10, version 1507 (End of Life as of May 2017) only supported TPM 2.0 for Credential Guard. Beginning with Windows 10, version 1511, TPM 1.2 and 2.0 are supported. | -| Device Health Attestation| Yes | Yes | Yes | | -| Windows Hello/Windows Hello for Business| No | Yes | Yes | Azure AD join supports both versions of TPM, but requires TPM with keyed-hash message authentication code (HMAC) and Endorsement Key (EK) certificate for key attestation support. | -| UEFI Secure Boot | No | Yes | Yes | | -| TPM Platform Crypto Provider Key Storage Provider| Yes | Yes| Yes | | -| Virtual Smart Card | Yes | Yes | Yes | | -| Certificate storage | No | Yes | Yes | TPM is only required when the certificate is stored in the TPM. | -| Autopilot | Yes | No | Yes | TPM 2.0 and UEFI firmware is required. | -| SecureBIO | Yes | No | Yes | TPM 2.0 and UEFI firmware is required. | -| DRTM | Yes | No | Yes | TPM 2.0 and UEFI firmware is required. 
| - + Windows Features | TPM Required | Supports TPM 1.2 | Supports TPM 2.0 | Details | +-|-|-|-|- + Measured Boot | Yes | Yes | Yes | Measured Boot requires TPM 1.2 or 2.0 and UEFI Secure Boot + BitLocker | Yes | Yes | Yes | TPM 1.2 or 2.0 is required, but [Automatic Device Encryption requires Modern Standby](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) including TPM 2.0 support + Device Encryption | Yes | N/A | Yes | Device Encryption requires Modern Standby/Connected Standby certification, which requires TPM 2.0. + Windows Defender Application Control (Device Guard) | No | Yes | Yes + Windows Defender System Guard | Yes | No | Yes + Credential Guard | No | Yes | Yes | Windows 10, version 1507 (End of Life as of May 2017) only supported TPM 2.0 for Credential Guard. Beginning with Windows 10, version 1511, TPM 1.2 and 2.0 are supported. + Device Health Attestation| Yes | Yes | Yes + Windows Hello/Windows Hello for Business| No | Yes | Yes | Azure AD join supports both versions of TPM, but requires TPM with keyed-hash message authentication code (HMAC) and Endorsement Key (EK) certificate for key attestation support. + UEFI Secure Boot | No | Yes | Yes + TPM Platform Crypto Provider Key Storage Provider| Yes | Yes | Yes + Virtual Smart Card | Yes | Yes | Yes + Certificate storage | No | Yes | Yes | TPM is only required when the certificate is stored in the TPM. + Autopilot | Yes | No | Yes | TPM 2.0 and UEFI firmware is required. + SecureBIO | Yes | No | Yes | TPM 2.0 and UEFI firmware is required. + DRTM | Yes | No | Yes | TPM 2.0 and UEFI firmware is required. ## OEM Status on TPM 2.0 system availability and certified parts From 76d4d57fa8fa0ece8b8557cfb85cc4b39d16115a Mon Sep 17 00:00:00 2001 
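Review bot: In the rebuilt table, rows without a Details entry (`Windows Defender Application Control (Device Guard) | No | Yes | Yes`, `Windows Defender System Guard | Yes | No | Yes`, `Device Health Attestation| Yes | Yes | Yes`, `UEFI Secure Boot`, `TPM Platform Crypto Provider Key Storage Provider`, `Virtual Smart Card`) now carry four cells under a five-column header. GFM pads short rows, but the pipe-less, space-indented form is not guaranteed to be parsed as a table by every renderer a docs pipeline may use, so keeping a trailing `|` on those rows (`Windows Defender System Guard | Yes | No | Yes |`) makes the column count explicit. The same pass could add the missing space before `|` in `Device Health Attestation|` and `Key Storage Provider|`, since those lines are rewritten here anyway.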
From: martyav Date: Thu, 1 Aug 2019 16:41:55 -0400 Subject: [PATCH 28/49] clean/linted control usb devices --- .../control-usb-devices-using-intune.md | 156 +++++++++--------- 1 file changed, 75 insertions(+), 81 deletions(-) diff --git a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md index e8f58439cb..1dcceeb19d 100644 --- a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md +++ b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md 
@@ -18,31 +18,30 @@ audience: ITPro **Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Microsoft recommends [a layered approach to securing removable media](https://aka.ms/devicecontrolblog), and Windows Defender ATP provides multiple monitoring and control features to help prevent threats in unauthorized peripherals from compromising your devices: +Microsoft recommends [a layered approach to securing removable media](https://aka.ms/devicecontrolblog), and Windows Defender ATP provides multiple monitoring and control features to help prevent threats in unauthorized peripherals from compromising your devices: -1. [Prevent threats from removable storage](#prevent-threats-from-removable-storage) introduced by removable storage devices by enabling: - - [Windows Defender Antivirus real-time protection (RTP)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) to scan removable storage for malware. - - The [Exploit Guard Attack Surface Reduction (ASR) USB rule](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard) to block untrusted and unsigned processes that run from USB. - - [Direct Memory Access (DMA) protection settings](#protect-against-direct-memory-access-dma-attacks) to mitigate DMA attacks, including [Kernel DMA Protection for Thunderbolt](https://docs.microsoft.com/windows/security/information-protection/kernel-dma-protection-for-thunderbolt) and blocking DMA until a user signs in. - -2. [Detect plug and play connected events for peripherals in Windows Defender ATP advanced hunting](#detect-plug-and-play-connected-events) - - Identify or investigate suspicious usage activity. 
Create customized alerts based on these PnP events or any other Windows Defender ATP events with [custom detection rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/custom-detection-rules). +1. [Prevent threats from removable storage](#prevent-threats-from-removable-storage) introduced by removable storage devices by enabling: + - [Windows Defender Antivirus real-time protection (RTP)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) to scan removable storage for malware. + - The [Attack Surface Reduction (ASR) USB rule](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard) to block untrusted and unsigned processes that run from USB. + - [Direct Memory Access (DMA) protection settings](#protect-against-direct-memory-access-dma-attacks) to mitigate DMA attacks, including [Kernel DMA Protection for Thunderbolt](https://docs.microsoft.com/windows/security/information-protection/kernel-dma-protection-for-thunderbolt) and blocking DMA until a user signs in. + +2. [Detect plug and play connected events for peripherals in Windows Defender ATP advanced hunting](#detect-plug-and-play-connected-events) + - Identify or investigate suspicious usage activity. Create customized alerts based on these PnP events or any other Windows Defender ATP events with [custom detection rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/custom-detection-rules). 3. [Respond to threats](#respond-to-threats) from peripherals in real-time based on properties reported by each peripheral: - - Granular configuration to deny write access to removable disks and approve or deny devices by USB vendor code, product code, device IDs, or a combination. 
- - Flexible policy assignment of device installation settings based on an individual or group of Azure Active Directory (Azure AD) users and devices. + - Granular configuration to deny write access to removable disks and approve or deny devices by USB vendor code, product code, device IDs, or a combination. + - Flexible policy assignment of device installation settings based on an individual or group of Azure Active Directory (Azure AD) users and devices. ![Create device configuration profile] These threat reduction measures help prevent malware from coming into your environment. To protect enterprise data from leaving your environment, you can also configure data loss prevention measures. For example, on Windows 10 devices you can configure [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) and [Windows Information Protection](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure), which will encrypt company data even if it is stored on a personal device, or use the [Storage/RemovableDiskDenyWriteAccess CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-storage#storage-removablediskdenywriteaccess) to deny write access to removable disks. Additionally, you can [classify and protect files on Windows devices](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-overview) (including their mounted USB devices) by using Windows Defender ATP and Azure Information Protection. - ## Prevent threats from removable storage Windows Defender ATP can help identify and block malicious files on allowed removable storage peripherals. 
-### Enable Windows Defender Antivirus Scanning +### Enable Windows Defender Antivirus Scanning -Protecting authorized removable storage with Windows Defender Antivirus requires [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) or scheduling scans and configuring removable drives for scans. +Protecting authorized removable storage with Windows Defender Antivirus requires [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) or scheduling scans and configuring removable drives for scans. - If real-time protection is enabled, files are scanned before they are accessed and executed. The scanning scope includes all files, including those on mounted removable devices such as USB drives. You can optionally [run a PowerShell script to perform a custom scan](https://aka.ms/scanusb) of a USB drive after it is mounted, so that Windows Defender Antivirus starts scanning all files on a removable device once the removable device is attached. However, we recommend enabling real-time protection for improved scanning performance, especially for large storage devices. - If scheduled scans are used, then you need to disable the DisableRemovableDriveScanning setting (enabled by default) to scan the removable device during a full scan. Removable devices are scanned during a quick or custom scan regardless of the DisableRemovableDriveScanning setting. 
@@ -55,32 +54,32 @@ Protecting authorized removable storage with Windows Defender Antivirus requires ### Block untrusted and unsigned processes on USB peripherals -End-users might plug in removable devices that are infected with malware. -To prevent infections, a company can block USB files that are unsigned or untrusted. -Alternatively, companies can leverage the audit feature of attack surface reduction rules to monitor the activity of untrusted and unsigned processes that execute on a USB peripheral. -This can be done by setting **Untrusted and unsigned processes that run from USB** to either **Block** or **Audit only**, respectively. -With this rule, admins can prevent or audit unsigned or untrusted executable files from running from USB removable drives, including SD cards. +End-users might plug in removable devices that are infected with malware. +To prevent infections, a company can block USB files that are unsigned or untrusted. +Alternatively, companies can leverage the audit feature of attack surface reduction rules to monitor the activity of untrusted and unsigned processes that execute on a USB peripheral. +This can be done by setting **Untrusted and unsigned processes that run from USB** to either **Block** or **Audit only**, respectively. +With this rule, admins can prevent or audit unsigned or untrusted executable files from running from USB removable drives, including SD cards. Affected file types include executable files (such as .exe, .dll, or .scr) and script files such as a PowerShell (.ps), VisualBasic (.vbs), or JavaScript (.js) files. -These settings require [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus). +These settings require [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus). 1. 
Sign in to the [Microsoft Azure portal](https://portal.azure.com/). -2. Click **Intune** > **Device configuration** > **Profiles** > **Create profile**. +2. Click **Intune** > **Device configuration** > **Profiles** > **Create profile**. ![Create device configuration profile](images/create-device-configuration-profile.png) 3. Use the following settings: - - Name: Type a name for the profile - - Description: Type a description - - Platform: Windows 10 or later - - Profile type: Endpoint protection + - Name: Type a name for the profile + - Description: Type a description + - Platform: Windows 10 or later + - Profile type: Endpoint protection ![Create endpoint protection profile](images/create-endpoint-protection-profile.png) -4. Click **Configure** > **Windows Defender Exploit Guard** > **Attack Surface Reduction**. +4. Click **Configure** > **Windows Defender Exploit Guard** > **Attack Surface Reduction**. -5. For **Unsigned and untrusted processes that run from USB**, choose **Block**. +5. For **Unsigned and untrusted processes that run from USB**, choose **Block**. ![Block untrusted processes](images/block-untrusted-processes.png) 
@@ -92,11 +91,11 @@ These settings require [enabling real-time protection](https://docs.microsoft.co DMA attacks can lead to disclosure of sensitive information residing on a PC, or even injection of malware that allows attackers to bypass the lock screen or control PCs remotely. The following settings help to prevent DMA attacks: -1. Beginning with Windows 10 version 1803, Microsoft introduced [Kernel DMA Protection for Thunderbolt](https://docs.microsoft.com/windows/security/information-protection/kernel-dma-protection-for-thunderbolt) to provide native protection against DMA attacks via Thunderbolt ports. Kernel DMA Protection for Thunderbolt is enabled by system manufacturers and cannot be turned on or off by users. +1. Beginning with Windows 10 version 1803, Microsoft introduced [Kernel DMA Protection for Thunderbolt](https://docs.microsoft.com/windows/security/information-protection/kernel-dma-protection-for-thunderbolt) to provide native protection against DMA attacks via Thunderbolt ports. Kernel DMA Protection for Thunderbolt is enabled by system manufacturers and cannot be turned on or off by users. Beginning with Windows 10 version 1809, you can adjust the level of Kernel DMA Protection by configuring the [DMA Guard CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-dmaguard#dmaguard-deviceenumerationpolicy). This is an additional control for peripherals that don't support device memory isolation (also known as DMA-remapping). Memory isolation allows the OS to leverage the I/O Memory Management Unit (IOMMU) of a device to block unallowed I/O, or memory access, by the peripheral (memory sandboxing). In other words, the OS assigns a certain memory range to the peripheral. If the peripheral attempts to read/write to memory outside of the assigned range, the OS blocks it. - - Peripherals that support device memory isolation can always connect. 
Peripherals that don't can be blocked, allowed, or allowed only after the user signs in (default). + + Peripherals that support device memory isolation can always connect. Peripherals that don't can be blocked, allowed, or allowed only after the user signs in (default). 2. On Windows 10 systems that do not suppprt Kernel DMA Protection, you can: 
@@ -107,53 +106,55 @@ DMA attacks can lead to disclosure of sensitive information residing on a PC, or To prevent malware infections or data loss, an organization may restrict USB drives and other peripherals. The following table describes the ways Microsoft Defender Advanced Threat Protection can help prevent installation and usage of USB drives and other peripherals. -| Control | Description | -|----------|-------------| -| Allow installation and usage of USB drives and other peripherals | Allow users to install only the USB drives and other peripherals included on a list of authorized devices or device types | -| Prevent installation and usage of USB drives and other peripherals| Prevent users from installing USB drives and other peripherals included on a list of unauthorized devices and device types | + Control | Description +-|- + Allow installation and usage of USB drives and other peripherals | Allow users to install only the USB drives and other peripherals included on a list of authorized devices or device types + Prevent installation and usage of USB drives and other peripherals | Prevent users from installing USB drives and other peripherals included on a list of unauthorized devices and device types All of the above controls can be set through the Intune [Administrative Templates](https://docs.microsoft.com/en-us/intune/administrative-templates-windows). The relevant policies are located here in the Intune Administrator Templates: ![Admintemplates](images/admintemplates.png) ->[!Note] ->Using Intune, you can apply device configuration policies to AAD user and/or device groups. +> [!Note] +> Using Intune, you can apply device configuration policies to AAD user and/or device groups. 
The above policies can also be set through the [Device Installation CSP settings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceinstallation) and the [Device Installation GPOs](https://docs.microsoft.com/en-us/previous-versions/dotnet/articles/bb530324(v=msdn.10)). ->[!Note] ->Always test and refine these settings with a pilot group of users and devices first before applying them in production. +> [!Note] +> Always test and refine these settings with a pilot group of users and devices first before applying them in production. For more information about controlling USB devices, see the [Microsoft Secure blog "WDATP has protections for USB and removable devices"](https://www.microsoft.com/security/blog/2018/12/19/windows-defender-atp-has-protections-for-usb-and-removable-devices/). ### Allow installation and usage of USB drives and other peripherals -One way to approach allowing installation and usage of USB drives and other peripherals is to start by allowing everything. Afterwards, you can start reducing the allowable USB drivers and other peripherals. +One way to approach allowing installation and usage of USB drives and other peripherals is to start by allowing everything. Afterwards, you can start reducing the allowable USB drivers and other peripherals. ->[!Note] ->Because an unauthorized USB peripheral can have firmware that spoofs its USB properties, we recommend only allowing specifically approved USB peripherals and limiting the users who can access them. ->1. Enable **prevent installation of devices not described by other policy settings** to all users. ->2. Enable **allow installation of devices using drivers that match these device setup classes** for all [device setup classes](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors). 
+> [!Note] +> Because an unauthorized USB peripheral can have firmware that spoofs its USB properties, we recommend only allowing specifically approved USB peripherals and limiting the users who can access them. +> +> 1. Enable **prevent installation of devices not described by other policy settings** to all users. +> 2. Enable **allow installation of devices using drivers that match these device setup classes** for all [device setup classes](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors). To enforce the policy for already installed devices, apply the prevent policies that have this setting. If you want to restrict to certain devices, remove the device setup class of the peripheral that you want to limit. Then add the device id that you want to add. For example, -1. Remove class USBDevice from the **allow installation of devices using drivers that match these device setup** -2. Add the VID/PID to allow in the **allow installation of device that match any of these device IDs** +1. Remove class USBDevice from the **allow installation of devices using drivers that match these device setup** +2. Add the VID/PID to allow in the **allow installation of device that match any of these device IDs** ->[!Note] ->How to locate the VID/PID: Using Device Manager; right click on the device and select properties. Click details tab, click property drop down list, and choose hardware Ids. Right click the top ID value and select copy. +> [!Note] +> How to locate the VID/PID: Using Device Manager; right click on the device and select properties. Click details tab, click property drop down list, and choose hardware Ids. Right click the top ID value and select copy. 
>Using PowerShell: Get-WMIObject -Class Win32_DiskDrive | Select-Object -Property * ->For the typical format for the USB ID please reference the following link; (https://docs.microsoft.com/en-us/windows-hardware/drivers/install/standard-usb-identifiers) +>For the typical format for the USB ID, please reference [Standard USB Identifiers](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/standard-usb-identifiers) ### Prevent installation and usage of USB drives and other peripherals -If you want to prevent a device class or certain devices, you can use the prevent device installation policies. -1. Enable **Prevent installation of devices that match any of these device IDs**. -2. Enable the **Prevent installation of devices that match these device setup classes policy**. +If you want to prevent a device class or certain devices, you can use the prevent device installation policies. ->[!Note] ->The prevent device installation policies take precedence over the allow device installation policies. +1. Enable **Prevent installation of devices that match any of these device IDs**. +2. Enable the **Prevent installation of devices that match these device setup classes policy**. + +> [!Note] +> The prevent device installation policies take precedence over the allow device installation policies. ### Security Baseline 
@@ -163,57 +164,54 @@ The Microsoft Defender Advanced Threat Protection (ATP) baseline settings, repre ### Bluetooth -Using Intune, you can limited the services that can use Bluetooth through the “Bluetooth allowed services”. The default state of “Bluetooth allowed services” settings means everything is allowed. As soon as a service is added, that becomes the allowed list. If the customer adds the Keyboards and Mice values, and don’t add the file transfer GUIDs, file transfer should be blocked. +Using Intune, you can limited the services that can use Bluetooth through the “Bluetooth allowed services”. The default state of “Bluetooth allowed services” settings means everything is allowed. As soon as a service is added, that becomes the allowed list. If the customer adds the Keyboards and Mice values, and don’t add the file transfer GUIDs, file transfer should be blocked. ![Bluetooth](images/bluetooth.png) - - - ## Detect plug and play connected events -You can view plug and play connected events in Windows Defender ATP advanced hunting to identify suspicious usage activity or perform internal investigations. -For examples of Windows Defender ATP advanced hunting queries, see the [Windows Defender ATP hunting queries GitHub repo](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries). +You can view plug and play connected events in Windows Defender ATP advanced hunting to identify suspicious usage activity or perform internal investigations. +For examples of Windows Defender ATP advanced hunting queries, see the [Windows Defender ATP hunting queries GitHub repo](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries). Based on any Windows Defender ATP event, including the plug and play events, you can create custom alerts using the Windows Defender ATP [custom detection rule feature](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/custom-detection-rules). 
-## Respond to threats +## Respond to threats Windows Defender ATP can prevent USB peripherals from being used on devices to help prevent external threats. It does this by using the properties reported by USB peripherals to determine whether or not they can be installed and used on the device. ->[!NOTE] ->Always test and refine these settings with a pilot group of users and devices first before applying them in production. +> [!NOTE] +> Always test and refine these settings with a pilot group of users and devices first before applying them in production. -The following table describes the ways Windows Defender ATP can help prevent installation and usage of USB peripherals. +The following table describes the ways Windows Defender ATP can help prevent installation and usage of USB peripherals. For more information about controlling USB devices, see the [Microsoft Secure blog "WDATP has protections for USB and removable devices"](https://aka.ms/devicecontrolblog). -| Control | Description | -|----------|-------------| -| [Block installation and usage of removable storage](#block-installation-and-usage-of-removable-storage) | Users can't install or use removable storage | -| [Only allow installation and usage of specifically approved peripherals](#only-allow-installation-and-usage-of-specifically-approved-peripherals) | Users can only install and use approved peripherals that report specific properties in their firmware | -| [Prevent installation of specifically prohibited peripherals](#prevent-installation-of-specifically-prohibited-peripherals) | Users can't install or use prohibited peripherals that report specific properties in their firmware | + Control | Description +-|- + [Block installation and usage of removable storage](#block-installation-and-usage-of-removable-storage) | Users can't install or use removable storage + [Only allow installation and usage of specifically approved 
peripherals](#only-allow-installation-and-usage-of-specifically-approved-peripherals) | Users can only install and use approved peripherals that report specific properties in their firmware + [Prevent installation of specifically prohibited peripherals](#prevent-installation-of-specifically-prohibited-peripherals) | Users can't install or use prohibited peripherals that report specific properties in their firmware ->[!NOTE] ->Because an unauthorized USB peripheral can have firmware that spoofs its USB properties, we recommend only allowing specifically approved USB peripherals and limiting the users who can access them. +> [!NOTE] +> Because an unauthorized USB peripheral can have firmware that spoofs its USB properties, we recommend only allowing specifically approved USB peripherals and limiting the users who can access them. ### Block installation and usage of removable storage 1. Sign in to the [Microsoft Azure portal](https://portal.azure.com/). -2. Click **Intune** > **Device configuration** > **Profiles** > **Create profile**. +2. Click **Intune** > **Device configuration** > **Profiles** > **Create profile**. ![Create device configuration profile](images/create-device-configuration-profile.png) -3. Use the following settings: +3. Use the following settings: - - Name: Type a name for the profile - - Description: Type a description - - Platform: Windows 10 and later - - Profile type: Device restrictions + - Name: Type a name for the profile + - Description: Type a description + - Platform: Windows 10 and later + - Profile type: Device restrictions ![Create profile](images/create-profile.png) 4. Click **Configure** > **General**. -5. For **Removable storage** and **USB connection (mobile only)**, choose **Block**. **Removable storage** includes USB drives, where **USB connection (mobile only)** excludes USB charging but includes other USB connections on mobile devices only. +5. For **Removable storage** and **USB connection (mobile only)**, choose **Block**. 
**Removable storage** includes USB drives, where **USB connection (mobile only)** excludes USB charging but includes other USB connections on mobile devices only. ![General settings](images/general-settings.png) 
@@ -235,15 +233,11 @@ Windows Defender ATP blocks installation and usage of prohibited peripherals by - [Administrative Templates](https://docs.microsoft.com/intune/administrative-templates-windows) can block any device with a matching hardware ID or setup class. - [Device Installation CSP settings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation) with a custom profile in Intune. You can [prevent installation of specific device IDs](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventinstallationofmatchingdeviceids) or [prevent specific device classes](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventinstallationofmatchingdevicesetupclasses). - ## Related topics - [Configure real-time protection for Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) - [Defender/AllowFullScanRemovableDriveScanning](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-allowfullscanremovabledrivescanning) - [Policy/DeviceInstallation CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation) - [Perform a custom scan of a removable device](https://aka.ms/scanusb) -- [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) +- [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) - [Windows Information Protection](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure) - - - From beee821d6ca7790ec3bbb43e06a77f86c0edb76a Mon Sep 17 00:00:00 2001 
From: martyav
Date: Thu, 1 Aug 2019 16:52:21 -0400
Subject: [PATCH 29/49] clean/linted configure proxy internet
---
 .../configure-proxy-internet.md | 78 ++++++++++---------
 1 file changed, 43 insertions(+), 35 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
index 84bd3f8d8a..7354437049 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
@@ -17,15 +17,13 @@ ms.collection: M365-security-compliance ms.topic: article --- - # Configure machine proxy and Internet connectivity settings **Applies to:** + - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - - ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsscript-abovefoldlink) +> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsscript-abovefoldlink) The Microsoft Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender ATP service.
@@ -33,25 +31,25 @@ The embedded Microsoft Defender ATP sensor runs in system context using the Loca The WinHTTP configuration setting is independent of the Windows Internet (WinINet) internet browsing proxy settings and can only discover a proxy server by using the following discovery methods: - - Auto-discovery methods: - - Transparent proxy - - Web Proxy Auto-discovery Protocol (WPAD) +- Auto-discovery methods: + - Transparent proxy + - Web Proxy Auto-discovery Protocol (WPAD) > [!NOTE] > If you're using Transparent proxy or WPAD in your network topology, you don't need special configuration settings. For more information on Microsoft Defender ATP URL exclusions in the proxy, see [Enable access to Microsoft Defender ATP service URLs in the proxy server](#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server). - - - Manual static proxy configuration: - - Registry based configuration - - WinHTTP configured using netsh command – Suitable only for desktops in a stable topology (for example: a desktop in a corporate network behind the same proxy) +- Manual static proxy configuration: + - Registry based configuration + - WinHTTP configured using netsh command – Suitable only for desktops in a stable topology (for example: a desktop in a corporate network behind the same proxy) ## Configure the proxy server manually using a registry-based static proxy Configure a registry-based static proxy to allow only Microsoft Defender ATP sensor to report diagnostic data and communicate with Microsoft Defender ATP services if a computer is not be permitted to connect to the Internet. -The static proxy is configurable through Group Policy (GP). The group policy can be found under: +The static proxy is configurable through Group Policy (GP). 
The group policy can be found under: + - Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure Authenticated Proxy usage for the Connected User Experience and Telemetry Service - - Set it to **Enabled** and select **Disable Authenticated Proxy usage**: - ![Image of Group Policy setting](images/atp-gpo-proxy1.png) + - Set it to **Enabled** and select **Disable Authenticated Proxy usage**: + ![Image of Group Policy setting](images/atp-gpo-proxy1.png) - **Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure connected user experiences and telemetry**: - Configure the proxy:
![Image of Group Policy setting](images/atp-gpo-proxy2.png) @@ -63,6 +61,7 @@ The static proxy is configurable through Group Policy (GP). The group policy can ```text : ``` + For example: 10.0.0.6:8080 The registry value `DisableEnterpriseAuthProxy` should be set to 1. @@ -82,35 +81,39 @@ Use netsh to configure a system-wide static proxy. b. Right-click **Command prompt** and select **Run as administrator**. 2. Enter the following command and press **Enter**: - ``` + + ```PowerShell netsh winhttp set proxy : ``` + For example: netsh winhttp set proxy 10.0.0.6:8080 To reset the winhttp proxy, enter the following command and press **Enter** -``` + +```PowerShell netsh winhttp reset proxy ``` + See [Netsh Command Syntax, Contexts, and Formatting](https://docs.microsoft.com/windows-server/networking/technologies/netsh/netsh-contexts) to learn more. ## Enable access to Microsoft Defender ATP service URLs in the proxy server + If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are not blocked by default. Do not disable security monitoring or inspection of these URLs, but allow them as you would other internet traffic. They permit communication with Microsoft Defender ATP service in port 80 and 443: ->[!NOTE] -> URLs that include v20 in them are only needed if you have Windows 10, version 1803 or later machines. For example, ```us-v20.events.data.microsoft.com``` is only needed if the machine is on Windows 10, version 1803 or later. +> [!NOTE] +> URLs that include v20 in them are only needed if you have Windows 10, version 1803 or later machines. For example, ```us-v20.events.data.microsoft.com``` is only needed if the machine is on Windows 10, version 1803 or later. -Service location | Microsoft.com DNS record -:---|:--- + Service location | Microsoft.com DNS record +-|- Common URLs for all locations | ```*.blob.core.windows.net```
```crl.microsoft.com```
```ctldl.windowsupdate.com```
```events.data.microsoft.com```
```notify.windows.com``` European Union | ```eu.vortex-win.data.microsoft.com```
```eu-v20.events.data.microsoft.com```
```winatp-gw-neu.microsoft.com```
```winatp-gw-weu.microsoft.com``` United Kingdom | ```uk.vortex-win.data.microsoft.com```
```uk-v20.events.data.microsoft.com```
```winatp-gw-uks.microsoft.com```
```winatp-gw-ukw.microsoft.com``` United States | ```us.vortex-win.data.microsoft.com```
```us-v20.events.data.microsoft.com```
```winatp-gw-cus.microsoft.com```
```winatp-gw-eus.microsoft.com``` - - If a proxy or firewall is blocking anonymous traffic, as Microsoft Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the previously listed URLs. -## Microsoft Defender ATP service backend IP range +## Microsoft Defender ATP service backend IP range + If you network devices don't support the URLs white-listed in the prior section, you can use the following information. Microsoft Defender ATP is built on Azure cloud, deployed in the following regions: @@ -123,13 +126,11 @@ Microsoft Defender ATP is built on Azure cloud, deployed in the following region - \+\ - \+\ - You can find the Azure IP range on [Microsoft Azure Datacenter IP Ranges](https://www.microsoft.com/en-us/download/details.aspx?id=41653). ->[!NOTE] +> [!NOTE] > As a cloud-based solution, the IP range can change. It's recommended you move to DNS resolving setting. - ## Verify client connectivity to Microsoft Defender ATP service URLs Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Microsoft Defender ATP service URLs. @@ -146,11 +147,13 @@ Verify the proxy configuration completed successfully, that WinHTTP can discover 4. Enter the following command and press **Enter**: - ``` + ```PowerShell HardDrivePath\WDATPConnectivityAnalyzer.cmd ``` + Replace *HardDrivePath* with the path where the WDATPConnectivityAnalyzer tool was downloaded to, for example - ``` + + ```PowerShell C:\Work\tools\WDATPConnectivityAnalyzer\WDATPConnectivityAnalyzer.cmd ``` @@ -158,13 +161,14 @@ Verify the proxy configuration completed successfully, that WinHTTP can discover 6. Open *WDATPConnectivityAnalyzer.txt* and verify that you have performed the proxy configuration steps to enable server discovery and access to the service URLs.

The tool checks the connectivity of Microsoft Defender ATP service URLs that Microsoft Defender ATP client is configured to interact with. It then prints the results into the *WDATPConnectivityAnalyzer.txt* file for each URL that can potentially be used to communicate with the Microsoft Defender ATP services. For example: + ```text Testing URL : https://xxx.microsoft.com/xxx 1 - Default proxy: Succeeded (200) 2 - Proxy auto discovery (WPAD): Succeeded (200) 3 - Proxy disabled: Succeeded (200) 4 - Named proxy: Doesn't exist - 5 - Command line proxy: Doesn't exist + 5 - Command line proxy: Doesn't exist ``` If at least one of the connectivity options returns a (200) status, then the Microsoft Defender ATP client can communicate with the tested URL properly using this connectivity method.

@@ -172,10 +176,11 @@ If at least one of the connectivity options returns a (200) status, then the Mic However, if the connectivity check results indicate a failure, an HTTP error is displayed (see HTTP Status Codes). You can then use the URLs in the table shown in [Enable access to Microsoft Defender ATP service URLs in the proxy server](#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server). The URLs you'll use will depend on the region selected during the onboarding procedure. > [!NOTE] -> The Connectivity Analyzer tool is not compatible with ASR rule [Block process creations originating from PSExec and WMI commands](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#attack-surface-reduction-rules). You will need to temporarily disable this rule to run the connectivity tool. +> The Connectivity Analyzer tool is not compatible with ASR rule [Block process creations originating from PSExec and WMI commands](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction#attack-surface-reduction-rules). You will need to temporarily disable this rule to run the connectivity tool. > When the TelemetryProxyServer is set, in Registry or via Group Policy, Microsoft Defender ATP will fall back to direct if it can't access the defined proxy. ## Conduct investigations with Microsoft Defender ATP behind a proxy + Microsoft Defender ATP supports network connection monitoring from different levels of the operating system network stack. A challenging case is when the network uses a forward proxy as a gateway to the internet. The proxy acts as if it was the target endpoint. In these cases, simple network connection monitors will audit the connections with the proxy which is correct but has lower investigation value. Microsoft Defender ATP supports advanced HTTP level sensor. 
By enabling this sensor, Microsoft Defender ATP will expose a new type of events that surfaces the real target domain names.

@@ -192,15 +197,16 @@ Event's information: All new connection events are available for you to hunt on through advanced hunting as well. Since these events are connection events, you can find them under the NetworkCommunicationEvents table under the ‘ConnecionSuccess’ action type.
Using this simple query will show you all the relevant events: -``` +```PowerShell NetworkCommunicationEvents -| where ActionType == "ConnectionSuccess" +| where ActionType == "ConnectionSuccess" | take 10 ``` ![Image of advanced hunting query](images/atp-proxy-investigation-ah.png) You can also filter out the events that are related to connection to the proxy itself. Use the following query to filter out the connections to the proxy: -``` + +```PowerShell NetworkCommunicationEvents | where ActionType == "ConnectionSuccess" and RemoteIP != "ProxyIP" | take 10 @@ -209,7 +215,7 @@ NetworkCommunicationEvents **How to enable the advanced network connection sensor**
Monitoring network connection behind forward proxy is possible due to additional Network Events that originate from Network Protection. To see them in machine’s timeline you need to turn Network Protection on at least in audit mode.
-Network protection is a feature in Windows Defender Exploit Guard that protects employees using any app from accessing phishing scams, exploit-hosting sites, and malicious content on the Internet. This includes preventing third-party browsers from connecting to dangerous sites. Its behavior can be controlled by the following options: Block and Audit.
+Network protection is a feature that protects employees using any app from accessing phishing scams, exploit-hosting sites, and malicious content on the Internet. This includes preventing third-party browsers from connecting to dangerous sites. Its behavior can be controlled by the following options: Block and Audit.
If you turn this policy on in "Block" mode, users/apps will be blocked from connecting to dangerous domains. You will be able to see this activity in Windows Defender Security Center.
If you turn this policy on in "Audit" mode, users/apps will not be blocked from connecting to dangerous domains. However, you will still see this activity in Microsoft Defender Security Center.
@@ -222,9 +228,11 @@ If you do not configure this policy, network blocking will be disabled by defaul > In order to enable Monitoring network connection behind forward proxy and see the domains you will need to enable network protection at least in audit mode. Additional documentation: + - [Applying network protection with GP – policy CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection) -- [Windows Defender Exploit Guard Documentation](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet) +- [Configure machine proxy and Internet connectivity settings](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet) ## Related topics + - [Onboard Windows 10 machines](configure-endpoints.md) - [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md) From 7a4d180985fbf269af58a233ca7ef2d04840f80e Mon Sep 17 00:00:00 2001 From: martyav Date: Fri, 2 Aug 2019 17:10:04 -0400 Subject: [PATCH 30/49] clean/linted wdsc app browser controls --- .../wdsc-app-browser-control.md | 49 +++++++++---------- 1 file changed, 24 insertions(+), 25 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md index 840b012de6..33fff60684 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md 
@@ -17,64 +17,63 @@ ms.reviewer: manager: dansimp --- - # App and browser control **Applies to** - Windows 10, version 1703 and later - The **App and browser control** section contains information and settings for Windows Defender SmartScreen. IT administrators and IT pros can get configuration guidance from the [Windows Defender SmartScreen documentation library](https://docs.microsoft.com/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview). -In Windows 10, version 1709 and later, the section also provides configuration options for Exploit protection. You can prevent users from modifying these specific options with Group Policy. IT administrators can get more information at the [Exploit protection](../windows-defender-exploit-guard/exploit-protection.md) topic in the Windows Defender Exploit Guard library. +In Windows 10, version 1709 and later, the section also provides configuration options for Exploit protection. You can prevent users from modifying these specific options with Group Policy. IT administrators can get more information at [Exploit protection](../windows-defender-exploit-guard/exploit-protection.md). You can also choose to hide the section from users of the machine. This can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section. - ## Prevent users from making changes to the Exploit protection area in the App & browser control section You can prevent users from modifying settings in the Exploit protection area. The settings will be either greyed out or not appear if you enable this setting. Users will still have access to other settings in the App & browser control section, such as those for Windows Defender SmartScreen, unless those options have been configured separately. You can only prevent users from modifying Exploit protection settings by using Group Policy. 
->[!IMPORTANT] ->### Requirements +> [!IMPORTANT] > ->You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. +> ### Requirements +> +> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Security > App and browser protection**. +3. Expand the tree to **Windows components > Windows Security > App and browser protection**. -6. Open the **Prevent users from modifying settings** setting and set it to **Enabled**. Click **OK**. +4. Open the **Prevent users from modifying settings** setting and set it to **Enabled**. Click **OK**. -7. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx). +5. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx). ## Hide the App & browser control section -You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigiation bar on the side of the app. 
+You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigation bar on the side of the app. This can only be done in Group Policy. ->[!IMPORTANT] ->### Requirements +> [!IMPORTANT] > ->You must have Windows 10, version 1709 (the Fall Creators Update). The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. +> ### Requirements +> +> You must have Windows 10, version 1709 (the Fall Creators Update). The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Security > App and browser protection**. +3. Expand the tree to **Windows components > Windows Security > App and browser protection**. -6. Open the **Hide the App and browser protection area** setting and set it to **Enabled**. Click **OK**. +4. Open the **Hide the App and browser protection area** setting and set it to **Enabled**. Click **OK**. -7. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx). +5. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx). 
->[!NOTE] ->If you hide all sections then the app will show a restricted interface, as in the following screenshot: -> ->![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png) +> [!NOTE] +> If you hide all sections then the app will show a restricted interface, as in the following screenshot: +> +> ![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png) From 67588dd6b00a473a78769a4e39fd19ec7be05984 Mon Sep 17 00:00:00 2001 From: martyav Date: Fri, 2 Aug 2019 17:15:56 -0400 Subject: [PATCH 31/49] lint/cleaned wdsc customize contact info --- .../wdsc-customize-contact-information.md | 29 +++++++++---------- 1 file changed, 13 insertions(+), 16 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md index 9692fa9046..d84d263388 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md 
@@ -30,23 +30,23 @@ manager: dansimp - Group Policy -You can add information about your organization in a contact card to the Windows Security app. This can include a link to a support site, a phone number for a help desk, and an email address for email-based support. +You can add information about your organization in a contact card to the Windows Security app. This can include a link to a support site, a phone number for a help desk, and an email address for email-based support. -![](images/security-center-custom-flyout.png) +![The security center custom fly-out](images/security-center-custom-flyout.png) -This information will also be shown in some enterprise-specific notifications (including those for [Windows Defender Exploit Guard](/windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard), the [Block at first sight feature](/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus), and [potentially unwanted applications](/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus). - -![](images/security-center-custom-notif.png) +This information will also be shown in some enterprise-specific notifications (including those for the [Block at first sight feature](/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus), and [potentially unwanted applications](/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus). 
+![A security center notification](images/security-center-custom-notif.png) Users can click on the displayed information to initiate a support request: + - Clicking **Call** or the phone number will open Skype to start a call to the displayed number - Clicking **Email** or the email address will create a new email in the machine's default email app address to the displayed email - Clicking **Help portal** or the website URL will open the machine's default web browser and go to the displayed address ## Requirements -You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. +You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. ## Use Group Policy to enable and customize contact information 
@@ -54,29 +54,26 @@ There are two stages to using the contact card and customized notifications. Fir This can only be done in Group Policy. -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Security > Enterprise Customization**. +3. Expand the tree to **Windows components > Windows Security > Enterprise Customization**. -6. You enable the contact card and the customized notifications by configuring two separate Group Policy settings. They will both use the same source of information (explained in Steps 7 and 8), and you can enable both or only one or the other: +4. Enable the contact card and the customized notifications by configuring two separate Group Policy settings. They will both use the same source of information (explained in Steps 5 and 6). You can enable both, or slect one or the other: 1. To enable the contact card, open the **Configure customized contact information** setting and set it to **Enabled**. Click **OK**. 2. To enable the customized notifications, open the **Configure customized notifications** setting and set it to **Enabled**. Click **OK**. -7. After you've enabled the contact card or the customized notifications (or both), you must configure the **Specify contact company name** to **Enabled**. 
Enter your company or organization's name in the field in the **Options** section. Click **OK**. +5. After you've enabled the contact card or the customized notifications (or both), you must configure the **Specify contact company name** to **Enabled**. Enter your company or organization's name in the field in the **Options** section. Click **OK**. -8. To ensure the custom notifications or contact card appear, you must also configure at least one of the following settings by opening them, setting them to **Enabled** and adding the contact information in the field under **Options**: +6. To ensure the custom notifications or contact card appear, you must also configure at least one of the following settings by opening them, setting them to **Enabled** and adding the contact information in the field under **Options**: 1. **Specify contact email address or Email ID** 2. **Specify contact phone number or Skype ID** 3. **Specify contact website** -9. Click **OK** after configuring each setting to save your changes. - +7. Click **OK** after configuring each setting to save your changes. >[!IMPORTANT] >You must specify the contact company name and at least one contact method - email, phone number, or website URL. If you do not specify the contact name and a contact method the customization will not apply, the contact card will not show, and notifications will not be customized. - - From 79eb2cc92c54bec953116c1cacdbd767159c7340 Mon Sep 17 00:00:00 2001 From: martyav Date: Fri, 2 Aug 2019 17:20:02 -0400 Subject: [PATCH 32/49] clean/linted wdsc --- .../windows-defender-security-center.md | 73 +++++++------------ 1 file changed, 25 insertions(+), 48 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md index a12e0b136b..af8816db71 100644 
--- a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md +++ b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md @@ -16,10 +16,6 @@ ms.reviewer: manager: dansimp --- - - - - # The Windows Security app **Applies to** @@ -29,6 +25,7 @@ manager: dansimp This library describes the Windows Security app, and provides information on configuring certain features, including: + - [Showing and customizing contact information on the app and in notifications](wdsc-customize-contact-information.md) - [Hiding notifications](wdsc-hide-notifications.md) 
@@ -38,33 +35,32 @@ In Windows 10, version 1803, the app has two new areas, **Account protection** a ![Screen shot of the Windows Security app showing that the device is protected and five icons for each of the features](images/security-center-home.png) ->[!NOTE] ->The Windows Security app is a client interface on Windows 10, version 1703 and later. It is not the Microsoft Defender Security Center web portal console that is used to review and manage [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection). +> [!NOTE] +> The Windows Security app is a client interface on Windows 10, version 1703 and later. It is not the Microsoft Defender Security Center web portal console that is used to review and manage [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection). You can't uninstall the Windows Security app, but you can do one of the following: -- Disable the interface on Windows Server 2016. See [Windows Defender Antivirus on Windows Server 2016](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016). +- Disable the interface on Windows Server 2016. See [Windows Defender Antivirus on Windows Server 2016](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016). - Hide all of the sections on client computers (see below). - Disable Windows Defender Antivirus, if needed. See [Enable and configure Windows Defender AV always-on protection and monitoring](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus). 
You can find more information about each section, including options for configuring the sections - such as hiding each of the sections - at the following topics: - -- [Virus & threat protection](wdsc-virus-threat-protection.md), which has information and access to antivirus ransomware protection settings and notifications, including the Controlled folder access feature of Windows Defender Exploit Guard and sign-in to Microsoft OneDrive. -- [Account protection](wdsc-account-protection.md), which has information and access to sign-in and account protection settings. +- [Virus & threat protection](wdsc-virus-threat-protection.md), which has information and access to antivirus ransomware protection settings and notifications, including Controlled folder access, and sign-in to Microsoft OneDrive. +- [Account protection](wdsc-account-protection.md), which has information and access to sign-in and account protection settings. - [Firewall & network protection](wdsc-firewall-network-protection.md), which has information and access to firewall settings, including Windows Defender Firewall. - [App & browser control](wdsc-app-browser-control.md), covering Windows Defender SmartScreen settings and Exploit protection mitigations. - [Device security](wdsc-device-security.md), which provides access to built-in device security settings. - [Device performance & health](wdsc-device-performance-health.md), which has information about drivers, storage space, and general Windows Update issues. - [Family options](wdsc-family-options.md), which includes access to parental controls along with tips and information for keeping kids safe online. 
- ->[!NOTE] ->If you hide all sections then the app will show a restricted interface, as in the following screenshot: -> ->![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png) +> [!NOTE] +> If you hide all sections then the app will show a restricted interface, as in the following screenshot: +> +> ![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png) ## Open the Windows Security app + - Click the icon in the notification area on the taskbar. ![Screen shot of the icon for the Windows Security app on the Windows task bar](images/security-center-taskbar.png) 
@@ -75,34 +71,30 @@ You can find more information about each section, including options for configur ![Screen shot of Windows Settings showing the different areas available in the Windows Security](images/settings-windows-defender-security-center-areas.png) - > [!NOTE] > Settings configured with management tools, such as Group Policy, Microsoft Intune, or System Center Configuration Manager, will generally take precedence over the settings in the Windows Security. See the topics for each of the sections for links to configuring the associated features or products. - - ## How the Windows Security app works with Windows security features - ->[!IMPORTANT] ->Windows Defender AV and the Windows Security app use similarly named services for specific purposes. -> ->The Windows Security app uses the Windows Security Service (*SecurityHealthService* or *Windows Security Health Servce*), which in turn utilizes the Security Center service ([*wscsvc*](https://technet.microsoft.com/library/bb457154.aspx#EDAA)) to ensure the app provides the most up-to-date information about the protection status on the endpoint, including protection offered by third-party antivirus products, Windows Defender Firewall, third-party firewalls, and other security protection. -> +> [!IMPORTANT] +> Windows Defender AV and the Windows Security app use similarly named services for specific purposes. +> +> The Windows Security app uses the Windows Security Service (*SecurityHealthService* or *Windows Security Health Servce*), which in turn utilizes the Security Center service ([*wscsvc*](https://technet.microsoft.com/library/bb457154.aspx#EDAA)) to ensure the app provides the most up-to-date information about the protection status on the endpoint, including protection offered by third-party antivirus products, Windows Defender Firewall, third-party firewalls, and other security protection. +> >These services do not affect the state of Windows Defender AV. 
Disabling or modifying these services will not disable Windows Defender AV, and will lead to a lowered protection state on the endpoint, even if you are using a third-party antivirus product. -> +> >Windows Defender AV will be [disabled automatically when a third-party antivirus product is installed and kept up to date](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). -> ->Disabling the Windows Security Center service will not disable Windows Defender AV or [Windows Defender Firewall](https://docs.microsoft.com/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security). +> +> Disabling the Windows Security Center service will not disable Windows Defender AV or [Windows Defender Firewall](https://docs.microsoft.com/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security). > [!WARNING] -> If you disable the Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Security app may display stale or inaccurate information about any antivirus or firewall products you have installed on the device. -> ->It may also prevent Windows Defender AV from enabling itself if you have an old or outdated third-party antivirus, or if you uninstall any third-party antivirus products you may have previously installed. -> ->This will significantly lower the protection of your device and could lead to malware infection. +> If you disable the Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Security app may display stale or inaccurate information about any antivirus or firewall products you have installed on the device. +> +> It may also prevent Windows Defender AV from enabling itself if you have an old or outdated third-party antivirus, or if you uninstall any third-party antivirus products you may have previously installed. 
+> +> This will significantly lower the protection of your device and could lead to malware infection. -The Windows Security app operates as a separate app or process from each of the individual features, and will display notifications through the Action Center. +The Windows Security app operates as a separate app or process from each of the individual features, and will display notifications through the Action Center. It acts as a collector or single place to see the status and perform some configuration for each of the features. @@ -112,18 +104,3 @@ Disabling any of the individual features (through Group Policy or other manageme > Individually disabling any of the services will not disable the other services or the Windows Security app. For example, [using a third-party antivirus will disable Windows Defender Antivirus](https://docs.microsoft.com/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility). However, the Windows Security app will still run, show its icon in the taskbar, and display information about the other features, such as Windows Defender SmartScreen and Windows Defender Firewall. - - - - - - - - - - - - - - - From a249f28dc9b7a46ebb5e628048e24b414e82eacc Mon Sep 17 00:00:00 2001 From: martyav Date: Mon, 5 Aug 2019 11:49:54 -0400 Subject: [PATCH 33/49] cleaning windows dir --- windows/client-management/mdm/policy-csp-defender.md | 3 +-- windows/client-management/mdm/policy-csp-exploitguard.md | 2 +- .../deployment/planning/windows-10-1709-removed-features.md | 2 +- .../planning/windows-10-fall-creators-removed-features.md | 2 +- windows/whats-new/whats-new-windows-10-version-1709.md | 2 +- windows/whats-new/whats-new-windows-10-version-1803.md | 6 +++--- 6 files changed, 8 insertions(+), 9 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index f796a9ae53..067c82000d 100644 
--- a/windows/client-management/mdm/policy-csp-defender.md
+++ b/windows/client-management/mdm/policy-csp-defender.md
@@ -1821,7 +1821,7 @@ ADMX Info:
 > [!NOTE]
 > This policy is only enforced in Windows 10 for desktop.
-Added in Windows 10, version 1709. This policy allows you to turn network protection on (block/audit) or off in Windows Defender Exploit Guard. Network protection is a feature of Windows Defender Exploit Guard that protects employees using any app from accessing phishing scams, exploit-hosting sites, and malicious content on the Internet. This includes preventing third-party browsers from connecting to dangerous sites. Value type is integer.
+Added in Windows 10, version 1709. This policy allows you to turn network protection on (block/audit) or off. Network protection protects employees using any app from accessing phishing scams, exploit-hosting sites, and malicious content on the Internet. This includes preventing third-party browsers from connecting to dangerous sites. Value type is integer.
 If you enable this setting, network protection is turned on and employees can't turn it off. Its behavior can be controlled by the following options: Block and Audit. If you enable this policy with the ""Block"" option, users/apps will be blocked from connecting to dangerous domains. You will be able to see this activity in Windows Defender Security Center.
@@ -2815,4 +2815,3 @@ Footnote:
 - [Defender/SubmitSamplesConsent](#defender-submitsamplesconsent)
 - [Defender/ThreatSeverityDefaultAction](#defender-threatseveritydefaultaction)
-
diff --git a/windows/client-management/mdm/policy-csp-exploitguard.md b/windows/client-management/mdm/policy-csp-exploitguard.md
index 8e0abebf9d..b1150dc1b9 100644
--- a/windows/client-management/mdm/policy-csp-exploitguard.md
+++ b/windows/client-management/mdm/policy-csp-exploitguard.md
@@ -65,7 +65,7 @@ manager: dansimp
-Enables the IT admin to push out a configuration representing the desired system and application mitigation options to all the devices in the organization. The configuration is represented by an XML. For more information Exploit Protection, see [Protect devices from exploits with Windows Defender Exploit Guard](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard) and [Import, export, and deploy Exploit Protection configurations](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml).
+Enables the IT admin to push out a configuration representing the desired system and application mitigation options to all the devices in the organization. The configuration is represented by an XML. For more information Exploit Protection, see [Protect devices from exploits](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/exploit-protection) and [Import, export, and deploy Exploit Protection configurations](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml).
 The system settings require a reboot; the application settings do not require a reboot.
diff --git a/windows/deployment/planning/windows-10-1709-removed-features.md b/windows/deployment/planning/windows-10-1709-removed-features.md
index a8ef0ceac2..33651cc50e 100644
--- a/windows/deployment/planning/windows-10-1709-removed-features.md
+++ b/windows/deployment/planning/windows-10-1709-removed-features.md
@@ -23,7 +23,7 @@ For more information about a listed feature or functionality and its replacemen
 |----------|---------|------------|
 |**3D Builder app**
No longer installed by default. Consider using Print 3D and Paint 3D in its place. However, 3D Builder is still available for download from the Windows Store. | X | | |**Apndatabase.xml**
For more information about the replacement database, see the following Hardware Dev Center articles:
[MO Process to update COSA](/windows-hardware/drivers/mobilebroadband/planning-your-apn-database-submission)
[COSA FAQ](/windows-hardware/drivers/mobilebroadband/cosa---faq) | X | | -|**Enhanced Mitigation Experience Toolkit (EMET)**
Use will be blocked. Consider using the [Exploit Protection](https://blogs.windows.com/windowsexperience/2017/06/28/announcing-windows-10-insider-preview-build-16232-pc-build-15228-mobile/#fMH3bUDAb5HEstZ5.97) feature of Windows Defender Exploit Guard as a replacement.| X | | +|**Enhanced Mitigation Experience Toolkit (EMET)**
Use will be blocked. Consider using the [Exploit Protection](https://blogs.windows.com/windowsexperience/2017/06/28/announcing-windows-10-insider-preview-build-16232-pc-build-15228-mobile/#fMH3bUDAb5HEstZ5.97) feature as a replacement.| X | | |**IIS 6 Management Compatibility**
We recommend that users use alternative scripting tools and a newer management console. | | X | |**IIS Digest Authentication**
We recommend that users use alternative authentication methods.| | X | |**Microsoft Paint**
Will be available through the Windows Store. Functionality integrated into Paint 3D.| | X |
diff --git a/windows/deployment/planning/windows-10-fall-creators-removed-features.md b/windows/deployment/planning/windows-10-fall-creators-removed-features.md
index e343e3390c..54cb535093 100644
--- a/windows/deployment/planning/windows-10-fall-creators-removed-features.md
+++ b/windows/deployment/planning/windows-10-fall-creators-removed-features.md
@@ -30,7 +30,7 @@ Replaced by the Country and Operator Settings Asset (COSA) database. For more in
 - [COSA – FAQ](/windows-hardware/drivers/mobilebroadband/cosa---faq)
 ### Enhanced Mitigation Experience Toolkit (EMET)
-Removed from the image, and you're blocked from using it. Consider using the [Exploit Protection feature of Windows Defender Exploit Guard](/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard) as a replacement. See the [Announcing Windows 10 Insider Preview Build 16232 for PC + Build 15228 for Mobile](https://blogs.windows.com/windowsexperience/2017/06/28/announcing-windows-10-insider-preview-build-16232-pc-build-15228-mobile/) for details.
+Removed from the image, and you're blocked from using it. Consider using the [Exploit Protection feature](/windows/threat-protection/windows-defender-exploit-guard/exploit-protection) as a replacement. See the [Announcing Windows 10 Insider Preview Build 16232 for PC + Build 15228 for Mobile](https://blogs.windows.com/windowsexperience/2017/06/28/announcing-windows-10-insider-preview-build-16232-pc-build-15228-mobile/) for details.
 ### Outlook Express
 Removed this non-functional code.
diff --git a/windows/whats-new/whats-new-windows-10-version-1709.md b/windows/whats-new/whats-new-windows-10-version-1709.md
index df1f40120d..a1ba0c02f2 100644
--- a/windows/whats-new/whats-new-windows-10-version-1709.md
+++ b/windows/whats-new/whats-new-windows-10-version-1709.md
@@ -96,7 +96,7 @@ Windows Defender Application Guard hardens a favorite attacker entry-point by is
 ### Window Defender Exploit Guard
-Window Defender Exploit Guard provides intrusion prevention capabilities to reduce the attack and exploit surface of applications. Exploit Guard has many of the threat mitigations that were available in Enhanced Mitigation Experience Toolkit (EMET) toolkit, a deprecated security download. These mitigations are now built into Windows and configurable with Exploit Guard. For more information, see [Windows Defender Exploit Guard](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard).
+Window Defender Exploit Guard provides intrusion prevention capabilities to reduce the attack and exploit surface of applications. Exploit Guard has many of the threat mitigations that were available in Enhanced Mitigation Experience Toolkit (EMET) toolkit, a deprecated security download. These mitigations are now built into Windows and configurable with Exploit Guard. These mitigations include [Exploit protection](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/exploit-protection), [Attack surface reduction protection](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction), [Controlled folder access](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/controlled-folder-access), and [Network protection](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/network-protection).
 ### Windows Defender Device Guard
diff --git a/windows/whats-new/whats-new-windows-10-version-1803.md b/windows/whats-new/whats-new-windows-10-version-1803.md
index 7c41c62396..f74337a7a7 100644
--- a/windows/whats-new/whats-new-windows-10-version-1803.md
+++ b/windows/whats-new/whats-new-windows-10-version-1803.md
@@ -178,11 +178,11 @@ Windows Defender Antivirus now shares detection status between M365 services and
 ### Windows Defender Exploit Guard
-Windows Defender Exploit Guard enhanced attack surface area reduction, extended support to Microsoft Office applications, and now supports Windows Server. [Virtualization-based Security](https://techcommunity.microsoft.com/t5/Windows-Insider-Program/Windows-Defender-System-Guard-Making-a-leap-forward-in-platform/m-p/167303) (VBS) and Hypervisor-protected code integrity (HVCI) can now be enabled across the Windows 10 ecosystem. These Exploit Guard features can now be enabled through the Windows Defender Security Center.
+Windows Defender Exploit Guard enhanced attack surface area reduction, extended support to Microsoft Office applications, and now supports Windows Server. [Virtualization-based Security](https://techcommunity.microsoft.com/t5/Windows-Insider-Program/Windows-Defender-System-Guard-Making-a-leap-forward-in-platform/m-p/167303) (VBS) and Hypervisor-protected code integrity (HVCI) can now be enabled across the Windows 10 ecosystem. These Exploit Guard features can now be enabled through the Windows Defender Security Center.
-For more information, see [Reduce attack surfaces with Windows Defender Exploit Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)
+For more information, see [Reduce attack surfaces](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction)
-### Windows Defender ATP
+### Windows Defender ATP
 [Windows Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection) has been enhanced with many new capabilities. For more information, see the following topics:
From f536917b5c0d37dfbc695c7fe01aa779180c9345 Mon Sep 17 00:00:00 2001
From: martyav Date: Fri, 9 Aug 2019 18:21:29 -0400 Subject: [PATCH 34/49] missed some imgs --- .../images/Untitled-1.png | Bin .../images/asr-notif.png | Bin .../images/asr-rules-gp.png | Bin .../images/asr-test-tool.png | Bin .../images/cfa-allow-app-ps.png | Bin .../images/cfa-allow-app.png | Bin .../images/cfa-allow-folder-ps.png | Bin .../images/cfa-audit-gp.png | Bin .../images/cfa-filecreator.png | Bin .../images/cfa-gp-enable.png | Bin .../images/cfa-notif.png | Bin .../images/cfa-on.png | Bin .../images/cfa-prot-folders.png | Bin .../images/check-no.png | Bin .../create-endpoint-protection-profile.png | Bin .../images/create-exploit-guard-policy.png | Bin .../images/dg-fig11-dgproperties.png | Bin .../images/enable-cfa-app-allow.png | Bin .../images/enable-cfa-app-folder.png | Bin .../images/enable-cfa-app.png | Bin .../images/enable-cfa-intune.png | Bin .../images/enable-ep-intune.png | Bin .../images/enable-hvci-gp.png | Bin .../images/enable-np-intune.png | Bin .../images/ep-default.png | Bin .../images/ep-prog.png | Bin .../images/event-viewer-import.png | Bin .../images/event-viewer.gif | Bin .../images/events-create.gif | Bin .../images/events-import.gif | Bin .../images/exp-prot-gp.png | Bin .../images/np-notif.png | Bin .../images/sccm-asr-blocks.png | Bin .../images/sccm-asr-rules.png | Bin .../images/sccm-cfa-block.png | Bin .../images/sccm-cfa.png | Bin .../images/sccm-ep-xml.png | Bin .../images/sccm-ep.png | Bin .../images/sccm-np-block.png | Bin .../images/sccm-np.png | Bin .../images/svg/check-no.svg | 0 .../images/svg/check-yes.svg | 0 .../images/wdeg.png | Bin .../wdsc-exp-prot-app-settings-options.png | Bin .../images/wdsc-exp-prot-app-settings.png | Bin .../images/wdsc-exp-prot-export.png | Bin .../images/wdsc-exp-prot-sys-settings.png | Bin .../images/wdsc-exp-prot.png | Bin .../images/ball_50.png | Bin 1591 -> 0 bytes .../images/ball_75.png | Bin 1470 -> 0 bytes .../images/ball_empty.png | Bin 1477 -> 0 bytes .../images/ball_full.png | 
Bin 1454 -> 0 bytes .../images/turn-windows-features-on-or-off.png | Bin 66484 -> 0 bytes 53 files changed, 0 insertions(+), 0 deletions(-) rename windows/security/threat-protection/{windows-defender-exploit-guard => }/images/Untitled-1.png (100%) rename windows/security/threat-protection/{windows-defender-exploit-guard => }/images/asr-notif.png (100%) rename windows/security/threat-protection/{windows-defender-exploit-guard => }/images/asr-rules-gp.png (100%) rename windows/security/threat-protection/{windows-defender-exploit-guard => }/images/asr-test-tool.png (100%) rename windows/security/threat-protection/{windows-defender-exploit-guard => }/images/cfa-allow-app-ps.png (100%) rename windows/security/threat-protection/{windows-defender-exploit-guard => }/images/cfa-allow-app.png (100%) rename windows/security/threat-protection/{windows-defender-exploit-guard => }/images/cfa-allow-folder-ps.png (100%) rename windows/security/threat-protection/{windows-defender-exploit-guard => }/images/cfa-audit-gp.png (100%) rename windows/security/threat-protection/{windows-defender-exploit-guard => }/images/cfa-filecreator.png (100%) rename windows/security/threat-protection/{windows-defender-exploit-guard => }/images/cfa-gp-enable.png (100%) rename windows/security/threat-protection/{windows-defender-exploit-guard => }/images/cfa-notif.png (100%) rename windows/security/threat-protection/{windows-defender-exploit-guard => }/images/cfa-on.png (100%) rename windows/security/threat-protection/{windows-defender-exploit-guard => }/images/cfa-prot-folders.png (100%) rename windows/security/threat-protection/{windows-defender-exploit-guard => }/images/check-no.png (100%) rename windows/security/threat-protection/{windows-defender-exploit-guard => }/images/create-endpoint-protection-profile.png (100%) rename windows/security/threat-protection/{windows-defender-exploit-guard => }/images/create-exploit-guard-policy.png (100%) rename 
windows/security/threat-protection/{windows-defender-exploit-guard => }/images/dg-fig11-dgproperties.png (100%) rename windows/security/threat-protection/{windows-defender-exploit-guard => }/images/enable-cfa-app-allow.png (100%) rename windows/security/threat-protection/{windows-defender-exploit-guard => }/images/enable-cfa-app-folder.png (100%) rename windows/security/threat-protection/{windows-defender-exploit-guard => }/images/enable-cfa-app.png (100%) rename windows/security/threat-protection/{windows-defender-exploit-guard => }/images/enable-cfa-intune.png (100%) rename windows/security/threat-protection/{windows-defender-exploit-guard => }/images/enable-ep-intune.png (100%) rename windows/security/threat-protection/{windows-defender-exploit-guard => }/images/enable-hvci-gp.png (100%) rename windows/security/threat-protection/{windows-defender-exploit-guard => }/images/enable-np-intune.png (100%) rename windows/security/threat-protection/{windows-defender-exploit-guard => }/images/ep-default.png (100%) rename windows/security/threat-protection/{windows-defender-exploit-guard => }/images/ep-prog.png (100%) rename windows/security/threat-protection/{windows-defender-exploit-guard => }/images/event-viewer-import.png (100%) rename windows/security/threat-protection/{windows-defender-exploit-guard => }/images/event-viewer.gif (100%) rename windows/security/threat-protection/{windows-defender-exploit-guard => }/images/events-create.gif (100%) rename windows/security/threat-protection/{windows-defender-exploit-guard => }/images/events-import.gif (100%) rename windows/security/threat-protection/{windows-defender-exploit-guard => }/images/exp-prot-gp.png (100%) rename windows/security/threat-protection/{windows-defender-exploit-guard => }/images/np-notif.png (100%) rename windows/security/threat-protection/{windows-defender-exploit-guard => }/images/sccm-asr-blocks.png (100%) rename windows/security/threat-protection/{windows-defender-exploit-guard => 
}/images/sccm-asr-rules.png (100%) rename windows/security/threat-protection/{windows-defender-exploit-guard => }/images/sccm-cfa-block.png (100%) rename windows/security/threat-protection/{windows-defender-exploit-guard => }/images/sccm-cfa.png (100%) rename windows/security/threat-protection/{windows-defender-exploit-guard => }/images/sccm-ep-xml.png (100%) rename windows/security/threat-protection/{windows-defender-exploit-guard => }/images/sccm-ep.png (100%) rename windows/security/threat-protection/{windows-defender-exploit-guard => }/images/sccm-np-block.png (100%) rename windows/security/threat-protection/{windows-defender-exploit-guard => }/images/sccm-np.png (100%) rename windows/security/threat-protection/{windows-defender-exploit-guard => }/images/svg/check-no.svg (100%) rename windows/security/threat-protection/{windows-defender-exploit-guard => }/images/svg/check-yes.svg (100%) rename windows/security/threat-protection/{windows-defender-exploit-guard => }/images/wdeg.png (100%) rename windows/security/threat-protection/{windows-defender-exploit-guard => }/images/wdsc-exp-prot-app-settings-options.png (100%) rename windows/security/threat-protection/{windows-defender-exploit-guard => }/images/wdsc-exp-prot-app-settings.png (100%) rename windows/security/threat-protection/{windows-defender-exploit-guard => }/images/wdsc-exp-prot-export.png (100%) rename windows/security/threat-protection/{windows-defender-exploit-guard => }/images/wdsc-exp-prot-sys-settings.png (100%) rename windows/security/threat-protection/{windows-defender-exploit-guard => }/images/wdsc-exp-prot.png (100%) delete mode 100644 windows/security/threat-protection/windows-defender-exploit-guard/images/ball_50.png delete mode 100644 windows/security/threat-protection/windows-defender-exploit-guard/images/ball_75.png delete mode 100644 windows/security/threat-protection/windows-defender-exploit-guard/images/ball_empty.png delete mode 100644 
windows/security/threat-protection/windows-defender-exploit-guard/images/ball_full.png
 delete mode 100644 windows/security/threat-protection/windows-defender-exploit-guard/images/turn-windows-features-on-or-off.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/Untitled-1.png b/windows/security/threat-protection/images/Untitled-1.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/Untitled-1.png
rename to windows/security/threat-protection/images/Untitled-1.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/asr-notif.png b/windows/security/threat-protection/images/asr-notif.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/asr-notif.png
rename to windows/security/threat-protection/images/asr-notif.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/asr-rules-gp.png b/windows/security/threat-protection/images/asr-rules-gp.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/asr-rules-gp.png
rename to windows/security/threat-protection/images/asr-rules-gp.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/asr-test-tool.png b/windows/security/threat-protection/images/asr-test-tool.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/asr-test-tool.png
rename to windows/security/threat-protection/images/asr-test-tool.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-allow-app-ps.png b/windows/security/threat-protection/images/cfa-allow-app-ps.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-allow-app-ps.png
rename to windows/security/threat-protection/images/cfa-allow-app-ps.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-allow-app.png b/windows/security/threat-protection/images/cfa-allow-app.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-allow-app.png
rename to windows/security/threat-protection/images/cfa-allow-app.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-allow-folder-ps.png b/windows/security/threat-protection/images/cfa-allow-folder-ps.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-allow-folder-ps.png
rename to windows/security/threat-protection/images/cfa-allow-folder-ps.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-audit-gp.png b/windows/security/threat-protection/images/cfa-audit-gp.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-audit-gp.png
rename to windows/security/threat-protection/images/cfa-audit-gp.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-filecreator.png b/windows/security/threat-protection/images/cfa-filecreator.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-filecreator.png
rename to windows/security/threat-protection/images/cfa-filecreator.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-gp-enable.png b/windows/security/threat-protection/images/cfa-gp-enable.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-gp-enable.png
rename to windows/security/threat-protection/images/cfa-gp-enable.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-notif.png b/windows/security/threat-protection/images/cfa-notif.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-notif.png
rename to windows/security/threat-protection/images/cfa-notif.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-on.png b/windows/security/threat-protection/images/cfa-on.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-on.png
rename to windows/security/threat-protection/images/cfa-on.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-prot-folders.png b/windows/security/threat-protection/images/cfa-prot-folders.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-prot-folders.png
rename to windows/security/threat-protection/images/cfa-prot-folders.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/check-no.png b/windows/security/threat-protection/images/check-no.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/check-no.png
rename to windows/security/threat-protection/images/check-no.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/create-endpoint-protection-profile.png b/windows/security/threat-protection/images/create-endpoint-protection-profile.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/create-endpoint-protection-profile.png
rename to windows/security/threat-protection/images/create-endpoint-protection-profile.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/create-exploit-guard-policy.png b/windows/security/threat-protection/images/create-exploit-guard-policy.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/create-exploit-guard-policy.png
rename to windows/security/threat-protection/images/create-exploit-guard-policy.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/dg-fig11-dgproperties.png b/windows/security/threat-protection/images/dg-fig11-dgproperties.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/dg-fig11-dgproperties.png
rename to windows/security/threat-protection/images/dg-fig11-dgproperties.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/enable-cfa-app-allow.png b/windows/security/threat-protection/images/enable-cfa-app-allow.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/enable-cfa-app-allow.png
rename to windows/security/threat-protection/images/enable-cfa-app-allow.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/enable-cfa-app-folder.png b/windows/security/threat-protection/images/enable-cfa-app-folder.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/enable-cfa-app-folder.png
rename to windows/security/threat-protection/images/enable-cfa-app-folder.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/enable-cfa-app.png b/windows/security/threat-protection/images/enable-cfa-app.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/enable-cfa-app.png
rename to windows/security/threat-protection/images/enable-cfa-app.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/enable-cfa-intune.png b/windows/security/threat-protection/images/enable-cfa-intune.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/enable-cfa-intune.png
rename to windows/security/threat-protection/images/enable-cfa-intune.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/enable-ep-intune.png b/windows/security/threat-protection/images/enable-ep-intune.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/enable-ep-intune.png
rename to windows/security/threat-protection/images/enable-ep-intune.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/enable-hvci-gp.png b/windows/security/threat-protection/images/enable-hvci-gp.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/enable-hvci-gp.png
rename to windows/security/threat-protection/images/enable-hvci-gp.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/enable-np-intune.png b/windows/security/threat-protection/images/enable-np-intune.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/enable-np-intune.png
rename to windows/security/threat-protection/images/enable-np-intune.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/ep-default.png b/windows/security/threat-protection/images/ep-default.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/ep-default.png
rename to windows/security/threat-protection/images/ep-default.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/ep-prog.png b/windows/security/threat-protection/images/ep-prog.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/ep-prog.png
rename to windows/security/threat-protection/images/ep-prog.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/event-viewer-import.png b/windows/security/threat-protection/images/event-viewer-import.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/event-viewer-import.png
rename to windows/security/threat-protection/images/event-viewer-import.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/event-viewer.gif b/windows/security/threat-protection/images/event-viewer.gif
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/event-viewer.gif
rename to windows/security/threat-protection/images/event-viewer.gif
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/events-create.gif b/windows/security/threat-protection/images/events-create.gif
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/events-create.gif
rename to windows/security/threat-protection/images/events-create.gif
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/events-import.gif b/windows/security/threat-protection/images/events-import.gif
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/events-import.gif
rename to windows/security/threat-protection/images/events-import.gif
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/exp-prot-gp.png b/windows/security/threat-protection/images/exp-prot-gp.png similarity index 100% rename from windows/security/threat-protection/windows-defender-exploit-guard/images/exp-prot-gp.png rename to windows/security/threat-protection/images/exp-prot-gp.png diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/np-notif.png b/windows/security/threat-protection/images/np-notif.png similarity index 100% rename from windows/security/threat-protection/windows-defender-exploit-guard/images/np-notif.png rename to windows/security/threat-protection/images/np-notif.png diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-asr-blocks.png b/windows/security/threat-protection/images/sccm-asr-blocks.png similarity index 100% rename from windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-asr-blocks.png rename to windows/security/threat-protection/images/sccm-asr-blocks.png diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-asr-rules.png b/windows/security/threat-protection/images/sccm-asr-rules.png similarity index 100% rename from windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-asr-rules.png rename to windows/security/threat-protection/images/sccm-asr-rules.png diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-cfa-block.png b/windows/security/threat-protection/images/sccm-cfa-block.png similarity index 100% rename from windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-cfa-block.png rename to windows/security/threat-protection/images/sccm-cfa-block.png 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-cfa.png b/windows/security/threat-protection/images/sccm-cfa.png similarity index 100% rename from windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-cfa.png rename to windows/security/threat-protection/images/sccm-cfa.png diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-ep-xml.png b/windows/security/threat-protection/images/sccm-ep-xml.png similarity index 100% rename from windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-ep-xml.png rename to windows/security/threat-protection/images/sccm-ep-xml.png diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-ep.png b/windows/security/threat-protection/images/sccm-ep.png similarity index 100% rename from windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-ep.png rename to windows/security/threat-protection/images/sccm-ep.png diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-np-block.png b/windows/security/threat-protection/images/sccm-np-block.png similarity index 100% rename from windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-np-block.png rename to windows/security/threat-protection/images/sccm-np-block.png diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-np.png b/windows/security/threat-protection/images/sccm-np.png similarity index 100% rename from windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-np.png rename to windows/security/threat-protection/images/sccm-np.png 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/svg/check-no.svg b/windows/security/threat-protection/images/svg/check-no.svg similarity index 100% rename from windows/security/threat-protection/windows-defender-exploit-guard/images/svg/check-no.svg rename to windows/security/threat-protection/images/svg/check-no.svg diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.svg b/windows/security/threat-protection/images/svg/check-yes.svg similarity index 100% rename from windows/security/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.svg rename to windows/security/threat-protection/images/svg/check-yes.svg diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/wdeg.png b/windows/security/threat-protection/images/wdeg.png similarity index 100% rename from windows/security/threat-protection/windows-defender-exploit-guard/images/wdeg.png rename to windows/security/threat-protection/images/wdeg.png diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-app-settings-options.png b/windows/security/threat-protection/images/wdsc-exp-prot-app-settings-options.png similarity index 100% rename from windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-app-settings-options.png rename to windows/security/threat-protection/images/wdsc-exp-prot-app-settings-options.png diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-app-settings.png b/windows/security/threat-protection/images/wdsc-exp-prot-app-settings.png similarity index 100% rename from windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-app-settings.png rename to windows/security/threat-protection/images/wdsc-exp-prot-app-settings.png 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-export.png b/windows/security/threat-protection/images/wdsc-exp-prot-export.png similarity index 100% rename from windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-export.png rename to windows/security/threat-protection/images/wdsc-exp-prot-export.png diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-sys-settings.png b/windows/security/threat-protection/images/wdsc-exp-prot-sys-settings.png similarity index 100% rename from windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-sys-settings.png rename to windows/security/threat-protection/images/wdsc-exp-prot-sys-settings.png diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot.png b/windows/security/threat-protection/images/wdsc-exp-prot.png similarity index 100% rename from windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot.png rename to windows/security/threat-protection/images/wdsc-exp-prot.png 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/ball_50.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/ball_50.png deleted file mode 100644 index bab791f3c0ff175f7e7b736e470fbd35ac0f81f9..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1591 zcmV-72FUq|P)Ee76b{R0wO|;K{P5CMIKN|!~_!+jbcRPfd>g<0%%YoMi7w}gIg}) z7P<7Iz_vi4&~|Crw%aYI-P@U&GvhzVuXlz=`@%Fk#0@()gpp)Y+tO^-nqdyBTS{3^ z0o~GvAV_aOE+k9}anx&}X>MP~{Q8dYBu!^dDr9oFvy)dH{Jp|#F$dC|gZpO=%MRvb z4LeaVbkHvo2HL8r1hLOaYgI?%FX?0*2t{gCma1iDP>%^DIS!N$Dl=y6#Q}3``Nh` zZFZO$7D51WD?vnn3jsALDYSI^KHt`bb9|SMmbxz;EiEZ{=J{#9IrCm^y4f+XXn5Aw zUzOK}Px&jbFfW`p>z@}H0 zqU8N$r-h<6ICAo49s2TvSg@25ojL=6w5n$Rlt4r`>x?0hQ^r6Uham(Qiw`dQaT8{5 zb4jbse$bR+pKMOC4M@pw#wy--p&pfuK4+5_$mu5-}7Km4$8P9B+RD4ISJz{Shf~_d%SsV zEiL_nO&(7}$&R}f6GBki;z#blG;P%C&4)NJvvvIJCt^27?J&B4(R{>$5yz5j)D2a+21+p%=zl+ zzKiD$189{(#DW2UopRy&rcWVS8lnszK0PVz`{NZ$&X=8H z;p)o0YKr}?>m+)(Ze3d$%h&K=b@>*{gX5->WLr_!>n1kYGOC!}1?57*YBAflopvwz z&2?~kbJ?-AfV^x3I}sOr%Y5H_0%`CXE3n#>Td;vxZNua4AMa938H+*zz@(7OZ~r{| z#>QR63ojko_p@lcwi|>zmPYZ}u#CRp_M)~oxNq-KMM)z= z^QMx)4?If-WIO_^%?Z_{W>}LvDJtow`F&JtY`DT2u9TwL;{v1y@ejv+f^Sn4qcA)C4u+gAhXmgN7)<2Mih&6Nr)+CDCYNV#FAU8U><|0t$ja zO(>Vru`RXj^a2!y4$zr)rnGZEXWx9V(93jYN-)0YO8#UgXYci`we~t|1OMB1u9@csko# z{nxIxFQ|M>zxSz?TO=Wc1b|9N+-g!?g;w+T4;JVCIM0#eO_e=K0t5g{*I;zT(ev$_ ze*f(#KY#4do@*@)MN>2QU-nR~$A5rwQ7}%~`2{IcKIdT8%ZyNp;$ihbIODfGtDAnQMVZPM>qmYdd~;$BNJQxb@IbLK*)C3mBB8 z6lGi`X3NW!8@JrQ{G+eOUd642kP-?ZwzC)9%Q_mJZ9_fXwbdI}PuP)h!vN#MU@lVr zl#(bjtVJa&cT~-7RaA`$&PFnpQlhJW5Z*X1>b!iV!rSFK@u8GM80qkFU<%GTbVi|5 z3f)L9$~aVOc9nhl%)6C)2T6s>{%o$}>%M-zS8oO|%e<0i7-2eVNZzFiUXQs~htno6qnANoDx$=@6Ybj++ z)rXxYl|jLTv?-aEsdLx8k$A_!Xbgc+n45~GmAi6mU#$PB#)OG04MHHfkXcb(x6?Ft z3=nX}Oq`4CsSBqhf(vb#;G7SH4d&?Z1&Sonn=~}jfVXViQq*g4p>ZD zuR*Doa$Ypahbz4i0zEVoi}}6%EuU^33nqkMcSAdt&AF#wT>k-`JmX#zKvG9WF&Z21aBr( zBmoQnMq52>@9rFm{_shIG-aqV!!lc_npFZL&c_P?7Xo6?AEhqmF{AP1Rv8+s1tuOt 
zsb`KoA95&QS1KNOLMf|Qi~ORcux95HRa2l0_oWb!j7mg;A?fRJ$;<8ggy-U30G@Om zKdD}UqBuxF>0;y;FNMus0h2iokOX=>h|tX|@ZV^V0iP36^Z?-L9p1Sq05SoXhtC@T zVv~XWx9u+{TAz!84IkD3001R)MObuXVRU6WV{&C-bY%cCFflkSFf=VPHB>P+Ix;dk zGcheNH99abEIV=20000bbVXQnWMOn=I&E)cX=ZrhPP)^kYX{5df4}d?dZmWL?nu*qrsqWLDelb|KI6yohC8 zGMUT}sZv%YMJUUs%h?7q2bW4PvH{d6P`aN(YE`Fc{SDpS#r1Wy{DX!&I&(*x&e3Oi zL3PdmC(p_bNlu8{Q}kk7WmmtOsDs6$ho2Av zLI~Z`=gcoXd#!r*`u9(=Qh6=_X0*I5|7I^h(TcenHy3R>a^}}BF5SsleXJ5U?zIJ` zZD{CGeLH&Gz8T+Ns49PX-8;VlNQz3&8ueot5F=&*fSF(N@v@>LXAf@t<(#JE&uR#1 zYIvxR=RpVwJyLgnSKgNGl>#;>BQh;x%+LX`GC2UyD|a4vd)<$xzD-@SD(I!R-bH?X z{?OnL%dSJ;(?6&9hoiOX8QH}cW4R5b+3$UXthE~@g@;b;%GGIiK+L%@EjFs2W?8vr;TwrbOA7{rZ*>@<>*-f^c6G}wo$WQ#R;=SE zOvRJSW5>cQY@3s2V?|=CNUlm*b!d-&-d`dWEe51U^Ad~I$~k+@9fsmY)KUom z@Dj1e4u*-|7EsH6k2@_knC$($%j5MBo^x`(iHG@l=LIw+@Ogcqfjs|!WoYn(*nAZ2 zWI|<(NFFw6;=m2)b-U$GyVZ+;+s+Tpj1EV%LT2U|ktHZ9UKu`r*`%S}HV5oH3!TZ)rN8m+GJM zgQctp)P^sK!{fb7E2pHdk9{FTqMbQmC{GB;>D|Fs^!Jw-nj4Kiqe1UzZ5j*)0C{f* ztj!I#IhrBzMQgG{S8NE()wseeplRG}f1G`_rfz{rS6c?aNO*2An4&0Hem?;5q5_A@ z^yoM*30)&}+Ej{7+s6&9Xz7H9Cz^xh*GqJj6$W?no#T{9JhJt|*d$PZSXx-JHF9(5 z*PorLP>t2=fi+&9Bz*oy`TppF;yTE}7ESr-#@MVDXU&5^9Tyh7azknSmhbj`a^g}3 zAw<;LYa7ylr#&2m5Vpx^dG&+Cr;bGx6xSmndM$?O{!$#a>%Y#ZFj^X8?G|1%7g* z81TA-pqW08)ugOd#l&f1V`5AR>d5v8xzs9T1eD9|QFfVo;#=At#8)gh|y33li?b8?*4FIP81xt zhkg3c06YL(V}bp*^$*OXH6T@=ZyNvr03~!qSaf7zbY(hYa%Ew3WdJfTF*q$SG%YeU zR53O>GB7$YGA%GQIxsMosl1Q?001R)MObuXVRU6WZEs|0W_bWIFflkSFf=VPHB>P+ fIx;XiFfuJLH99ab=JW(C00000NkvXXu0mjfRUxV3 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/ball_full.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/ball_full.png deleted file mode 100644 index 2bc45259d3937ca6bc1daddb62de6132eb2e797f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1454 zcmah_X;71A5dOZ92oVArF+>p!h>(hyPb;6H z(-*L=K{!WW1X|HnCWBxYO`@W95R{xb%IUSR$`&vY2$(p(vO2f23LgI;z`tGm)G;Zk z7=3+na6IF=_{KAFR{!rs!>{UIPK~`^00okzl}F;~>w@26J4a(4i!ODK6%39K&&&a8 zR5G92FOF;*32z;a?+}%YOaO3jYBsg|MQGDNT-%U%b|LkN$gi%)HLDCzHwC|X)polU z)qx{)j8AbM^thEZQ3Im@mDV}TNXi2EoB59cHJ!}#Viiq7!;1;05|prZn{$Un$WIOI6yrSF*UIf3Z-D z6$~Sh+R+(=AG5JXY{CEA+_)N{Y523}H{dl?-GkMFui`k#N+uS7LT%I9=Nq0m#agb-D zk!PZi4uNu}#}FFYfPxSR7_SNMGl5MQFx3{O+Q3FMSmz+Dx($L6UkbiTWVRjG(qL_cOm~UUwXjAaO z7HDBTBd3~?Q)7DLu4x9)d*rlIa#|TVy^NG{i-^O_Ae;5?_Gihe_I{hB3B1IP4eso}DNHi$)V0UJ)hfIiu2F4_# zgAc3iy%{Ild^`g^{2xXrZVISB&kZpr#acXN>1Ae_*rBbXbe?OJiw>XsOc} zej-;Y7giLXA7>^ZI;V~E+!~jQ;s>g^cG+)|dzx1V+Sbc`4kR0%w~@ppTpDPfXb9J= z_7W#{5-dq=H6`rB)rJ?2&dhDWkF#C)kdq6Mu%Nn!oS&(O%)&i?dMFqtm)F;)23x1% zR0~>T;RCp>sd0CnSRd7Q>w+A6d$rp%Z`>{>R4D-hi3lN(0D*)gK-$LlySrz9|LvYVd(P&ZImyhEXP!Iv&b@O#pPA={t+kot z-s5}4#Ka`cZ(X+&6Wg93Du;LP617Mx+QCF$+n{!4*Tky&(Ym9NziPB%d?sIqeC@Y$qi< zR8Xl^)Ut-XuLU!3TIKWS4@N}7iix>=+nPH1_eb?p@~E7Tmc!|PM3t|02VN}P^1B1w z{rA#IxxZ~7K6F>db%bIz1A|3Zy zuPRj_Fg_x4M%hFY+}>L$|F_@4Kr87435jEy9HHR(p2sn120MsIA;DqLU6US#l~>&l zN-1|nmA-j@XO_m8&&HE~ea3~7dvaWz#Ba+V*O9*vzVlCIL)9A%cVj>Q!`uFL*@s^b zxeUaddfEHKQuj_sXj0NYk{?Rck|CC zQ}rktmk4P0_uoNp<7lYL5kJmPpXI~#Zh=W!&i0KT{`pLN?yY*c%60(d@FdtRCUGik zI7rKoTb5(Y-#*d8F}J7vXHmb(qNk?dSxyg5b}rKwQSxmjT3`5w$zY*`X|Xi-hnq9f zU@iF(4~%AQ?2YSAm9M&9>%FXS`)pV^WMvNjdN`WTvIwP)*fR>GgWk2!+dboNRvGRP z3H&%L$VOY-fgOqDXhd(!m_3MKf6TTwY^wkzfSmPy`CjYnyG^MArMy@Jrorefrg_}8 z=p(DdH*}=1qEzWs2`{=+Qm;#+fq1ro*!*+dErwRv@V?(KxMexQwT5xim58z18rlD1 z>LiknN0$FY;fy#_YLx!mcUVPaZ=1wlomEc6RlQ9*pRre-DxiS{@vW3L`dbuo`F*zz zdaz?v5m@Wm{`v9DfN%7qiQ;dy#tN8bWH2w$Ok}|${zgnKASz*J 
zG_x-tbnTB)v|!VDWTRF!)q?Retvqy@+Pau|DP=LmQO&vJP1KWC_T&-P*3M0Fy1N>Q zPvkgWkOO^0cHhFe1lk@fJ&@V^3il@auY`UA!_dNlDp#88-p4alWB-nK)mF;%x?4ST zDjQI0v-Y$vVHUO5+a`R+;Q=^lQ1;t2$ctN-wt~~@fhRGm5<(XRuCJowY=XDn0>zs- zU($-4g^@E5=aorZ;;Sp`gVUk3tTg{zwBw^fk5GilyWo4^%&0zoVa8n^HWG9^>ei)GQn1qIdVF zU!0!1}&-Bfg_NRPZZ0nvd2#7|jB9Gblpabm2ne=tkXX6hGH3 z`MtZVpEIgIlV~0e9iidDddxE2FOE0YFNfbsO5aGzH;%dGp{suAwC~)j=%MFZ4kojMD(og&6K48~hNybSeKqN7`xRq52(Luu@(YWJHOg7=cG#_|M zF^a^U+fI*exUSc3gAi=L7%enZe1mRo_$4?&{_O1BwJDq4-8)=P{!SvP0CJ2M#!67G z9&aptu39-FEAI`yu}aW-batr>eO~{gJvb~oP+P-RsJ7Tl2qR=cHxn zzvJZ{wgHW%S!rs{=ATeD>1JEro1?EhV0_7GYX>J%SW1N}JdyW(IuZv5vXXBQ71A1} z;l-`Y{^1~`PKmO~+3Q!FxL zif8x6lLFV!Z-%U(A?*qc{7WC+Pb6t)Aqi^&;3&JR64ORQ{=YY{XzCaEw|X| z0@Q&^xxE{-Ly6ZuVTd75MkZzZT#sDZm2fE3tup$-bx9vX<+B&B93^U(Nl8EHWVyBnCF^9Z1J{~GqgJ{9G&X$;)!lFQk4IOPXXw&D^TH}AVR-9zu~PXz_l z;qN}XRKps0{Q%H9a_UwaYLe(MLN9cKswySij#wGqM}>O@BS-T#LVwW>3wr7=uTK*G zJ=_k;7`T2dEvPzVEC|Y-QQ-3JI_txOL5D1V1T`Hg4<{Lfi#(~snk}7Sb^KqD?a}=( zoue@Z@tFlO&L~h{37|L=%ukD&r}y*1=YP)#A@jnGskq(@43FHqhEg2hEt3R6^Ao=L zeXVOhPh>iS5K7ExdaMeRHy{X5X31i;>yX-c(a~E-9B&#gOztfea$odDVz@=F6pD}o z@NN&Cqh$hxOibU|6yZ>B`KYCqKU*m)=MnTvrlnRH=h0d1OwQ%3ZrH@!bB)9Uq9wNb z)!vjivJnt0IrKREJi`5KmIM80s(bK*+Peiy^@|1T+#`VE^mRghgGXtQbbB%=KYQ6S zX%27*R5fYo6IvAIe!GUIp;;c%6toXU8uTimlrw7^qi(l>jO;^6shJOM{y@Efep9>C zj?fPWmG~X6#h~f#bx9&Wul$I#(Se#g>{C6{)2t7IhwCy0R@quO=PIoyd1K6&IH36Y zplzKU^!4x2BaFgwq%tISfz)#XVx$J~Xgv)9MGvq0P=!?J=4%|Ir@W5w^RsK_=1@7K zFi}nEG@hK*ZY~INpPNMM*R|_3OsR9GBQaAkv><c)YsgJy@7R*+m!T#%rIoFMzy%CksZzqv z8#{OF=$wMpqOIEt^M>C!H_i1tIQx*KCLB``Z1s8+U#Zv5uO`6ubq$)l9<3;wI`rfR zQhvk~6f`knd{M)ARA4O|eyF_XVFU3Zx(eP==Bk5?^$1FVy+4BJb=ORLCz*1pZECCr z(q|;f?l0vF@+Nw>E$ocPAKjJxewShC;!a6DH8@$cRxEPW=H{J+Z?814#Tji!06l6b zk5n~Ce>V-%dLGr^-xDt(+q=rZ0lMR5^D`j)g))!)eCM^0G!M@vO@j8~YdzvQHRp;D z`Qi7jXr|Rom86pAv%NWYz;)qc-7Fy0^ubDV=M?K%T!!QMC_>^%#a_lH$Ueo;;;Aj^ zO1;Ssa%!OVudkH`fo4YM^$*`Fsh=pBT)D#qMK`c_d*m;k!TyeExq1lp=LTM9Oo>Vl zcn=&eyl*w})GY>Sp({Q1OG`&b*=w!wyVpf1zW`HTUHQ>`4}llMu3W^5Vvm^Q9$IYC 
z>hbTOz0V~_<*4p99&LhW9{HYUAe;S|H~F#mTr?|Nt@=?hi4`YYR3J^uQcd;y-%|3B zpgjIs@*E4ViF@sz82~A2vcf)>X9T>5SlHF^kx$LX(I(49l~?-!sJNjgS`Vud zvfteEq&e3Qr{2CzqJ&&=Pn_p8glTx4)d~!-V{Y_=cX>x$KK0_oo|+#;r~z%j!auBK zcWCn8#qRi>GUs2_*8VX{C&%Qa!W}We2CA9QJ)+1rqG!m87W1300;8-R%o?t|BbPgM zH~3oP!n?cLA~Bv$01-rSsz^VPUinUM9+crr!FQ9pJVgm$D2wV?*WZqqPXDr&m<*Rp z3{uT(iNAqZQ1c5uX6IfXweRKmcY#=K-QCzD(9Mq z4^N*7C}*0FgdemI-My}mqCf~XM7~h=4*jWXez5}@>k;wH5nDg`EZlpb*o|G8@}Hgb zKR+(Omv5^n@cFzoc1X=h-C0^I)N^NRxvF|qvjG5dhe;XDU|2YVQYP>|pv@orPIR+6U_^g(3N@h$`LD9Wy3GQ{B{I&x z*V05IO59c>%89a5sW7>!=0|B$FiIOEsbN|rfDTV+B_|oqE&3u$9_Mx02uHZ&e!|L| zF7(dmyM1lHNO%CABI}U;s>EcYXiwZ$Oy_3w38`>}k&NS-U}AodzgxzVhDLwa&_{Qz zxw&9w$cPS8EqwW|_U7F;NXfej&WV`-e8FvmxcVkfj#>TZ^yeRwZ`TnmmL+SjoP$_*`;)FW5euO1)!FzDszy3Ca+V*QVKMt7N_@c-O5 z#miA?+qoGmoP6Z;DS&6wIY3`uk2WPgO_9GqCod}Yz87n{zZu#T!?M~G2VOiWoSUYn zp(9B?!C53(krBiCW^^*MVfJk|^-M;!LOUhZMtC#^wOp2r1tN%tKLmfH8djC|ikA+D zmUyUW8(+^eegM;!T<@Q_ZE6@KT~PWx;(WUmDfN3o=j_dT&hU$w!R*Q6;y+cxX$K}e zN5acUc%xeEgHB%7)!~O$)Hh3p9}hX)yET^E@^m@}<8d?~hXjU0w^jpa>#X=SlVi>E zb?whCSzttnOa9BNYS>jDoK>YZetU)eyo;k9w>^CRFNN^6Otcuc9o~OpZ^9PiYxI#n zW0meIC{V0pKT!D5BfmvCayq=Bb&IicbBI)qs%1hMV=$sBYD)bVlDT){V4KY| zSe$=T)UtO|%yQXYgfp2z)>BHULB}7cb3GQ#o}f5fj=dV+M;TdXhA#f1&2Rc|&=%~J z*VCvEevbYrm7T~yFUEAn-O=|ehXp2_ZT31aTwau=AeTPeZSH=;;lZt+zOmJEskhE5 zUu?@ce*f+BeOVt4rp@&>#(1A1t-T`RdHp`GI#~X}x0TmfF%#~HxtwWj^(R!L`xm*0 zN5hMW%a^<#Xf5%xPBmcWC!2o@sI^*pPo9cQf%>m5w?E1ogrs zGu^aJ!tF+_0R=U*aNb2J=q}2&k~>!VclI~CA`&9d(j`Q%qcQQ@?x4y~=tT70 z17mtUMfxH^llN75s-Q3k*I>9PGZ!T-pHLWZTanE?F()P4Y5HU&5!%rD#`P31#^_8y zFjxtyx*L>-^weyN9tykV1=B#Q_<@o6dtcu7mtuXuw}g^!yS8m9Gh-cNA)jtH4f;Zu zAL4fu$s9kLo1STYL_N%4P(IPpvIMYshoywPS!9MA0his?H}XR14BylIoMCUOT9)ou z5UPAA)W!%)YB&8Bb47B>xUg|g)m~54lM}|aOWei%$6hCOeVR;Pb1FJmhf!6RU4h&- zQW(nZpQEERoY9s3laO-NqmG)hwLjWFy+N6 zzw(!Jdjs5f0%tIR9O(e5XL-`kW8`Bzr*9S4EXnT-XqqTNETaTHs4iR`sz(tyBf*$e z1gB$+-@fbWacz3^qcW7~KmD3^ylJ_fFjv_?3jX#-0?>L+*4LNZ0<^~cD96vGO;EgV z%;`pRUrYDQ_tEXaF*e=XrT2A7>P?+YkVZQ05{KAdg{HMqjDSjLJx3pi#U+zeTCU+ 
z$i9Li!`DL{w$d4Z@_&o3P4|%1=6Du>E;1gRF{)RYKB`xKkLBN_3k3M)8LJf|LT(a0 z8kHe!Yfk#Y9wuW7ok8|27sT!3dstfMZdFaeNNtQ|$Y=7;6B#&^fC>z!|7B{#{Oa#2 zd6>>rzgcmaf2}t^vXRxg-V>b(Uq0eGhOrF3Gqd{4QLhJD2f$7E3PJrCcCETS3KKG; zzuA#J&=VvP*)xW$z9Cqlw-?W|aa>}9wei-FbXNF(1fpA^_soS`dMa>eur&xCmnxDM>cO)jT@U#EJTQ*x{agJ%-q~?`@env`y;q7ODFhcmg#@BYnT61=zgjH5ckvn|23XIpz~nq zQ`gc`MfQKz8JYb<)+3jzv;#=IeiAOZADjxwi~eck1rOmH&MiY)9E~@s^4}x}#}rS+ z46AZ1xs|SUKdlb@H^2|)!_M*Yg#)O}yO&!+3VTVRDD|mzT~`;DO!vBm9_mFeIIUez zRB*DNgum))i|8-+JQvPqC@$W*^*?4ZIRqEj2yY9P3xukuidM6#w&m$}u82bT>FoMT ztdkoqR-z_N93a*#xP{%yqXhv0`5P+0*}OpMZ>Roh{8AiBgJ(w-4`sDWcky0B?4h3D z_wKsNKe;h(N%2_+x1UtY6OkH;M&n~{*Z=ohZi#my*+3zfu`FBFGc_q~Q3Q$4qWy8a zu)9ng?(Cyf8#3Apc0nr>dPhP~qgK|=f>lgc3mtS`xJKgP>UaDf{hV8)3sSCZl8_Es zM{ibnrjsc)xXBZwH^{~rL^ReDa*>HiLs$!j?I~nxEX z92o3g{Li1tI0v7A{mw?r@XcxPD>U!;_q&(pj1v|>19@-z6gS^h+%Y{(o-cTn7|P>d zvNW`f0uhXlFewwR1GmnFXCP(*8SFC;r)X~-@3gZr5C6(lG_LO7(V2(>zZI&4y9qJ? zaw!o0Z+#}ua3wY|cA0~`LDc2yMdQqsy|QvZZ2^VR(tObJue^}=TRv=Auu-So?p>5T zo__?gTyRZsw@m;-=&D!u_-joUEI$>DclJi6m0#0~b~;EMH;P#Lm=gjO3%iB}Ch~g! 
zF#!zA4=#YraS_I|3$`06LVrud3<;37Zqa5u4eYuBc%q8oq@@wkv2 zeqntc(r5~DjcABQMHI|eTU78TxZWw*#%sMwdX62^+rg?y{98#a-JwZBvh?&wC1YWL zNG)RVAT8mZsh&tngCz}FZ)B{S)cZwuZ>);3YOz$=j5a-;<)iQ~yM*mqvrZEeo3_Ev zEpm@i3681zo~^9OVj}DW6N&=a=$R^M9E&hkdLcT&15V)1eeF)1IR0Je9QI`0^UlnL z{re>)@^L;!2xq?%vCA z|L0YD!_(xCa!5vYt-heItpCx6;=e|o4;TA)g#rlyuNgn{=RMJbye;Q!sGj^`RGj^q zT2$nEs$=lg2&}iCbeC8sKY2)M6wsDX$cf*_=`ozP2s;;jc3p>43eH+lO3a!RN^b(B zfvJT@vVR$?nI$)w&wh+0V;udGj&EE$olVk|ZZS87pVw!k;Gp$43kUi6;#|yFEHwB|DHv|pXWxfQE ztAacaeBUy?tNSbM@fmqJ7OZ~zOm+E`io0%0_qsGWKnZoK^&FTBm6gI1PbUj=Y+}e+ zg}br}%1kzQA4w2B#>6ue{aCfb+cfun(RS_Hlw+=fU&l6`>F%1dhCrYB*tK!yC|U3xnW}U=E%;jyBt+yZcl4bG zFDA5ye>cs?Z=*R)z-+<3#dJNE)dZ#Gh;$X0B$yd)9_zz6X$Y6<7-sqU8sfj2REbuq zVavRAaq`Tr$Iihm*CS%*z23db>WTB(l=eDDH z0-&)5cuxe`IHY`OV{q5z2$r6Lj^`e8l5uS=Owq2jiJw0dw>(56d~pgI22@E;7yV&= z?FTqa(^PYyrP>TLapXDQ5wZJA%xE1SAZm3X)+@ig=_ z-!wXq>wKaa;I*1ABQB`DK6;Nm*}?Trl(LM=v$oJNGvbgC@24ABaRDc2qb|o50Ab)X z9sf!Uuh|IVGiU3vsWgFoh>ln&G1*f`4}V*=(e6;$!%HPm4!_ zaa@+04xewQuM#5fhfq1R#oKy!WqlEn&FBGQN4y+;S_HK{gp5nK6dMLZ@q`&%=^R|w z@$N6~Oa@@V;pY;z7&G}pkBC~KwAN_(^J{|VVgaAi@*jej4K4Kp%b{*}ibOe(73sGz z@VmFLrZ&a@8lNPbB;n{nOpv`DoYV`$c_F)mz9yIu#m^vl&n&oFfSf47|m$8(s9?b%ryTl0Cl@`P@z@o50f$q^0wY=Z1o9=p zF+1|W{WR2eu`rBu6*6JHZLHR+0Tj3MtIx|JwD$o81lR}hsYXla?1j`;h7U%B1 z-sgFVJ|Xqgl>ftQ=MnzSGnqlu@bW7a**eW;`fPO3<|Krsd~=29z?oJ_7S?aY(^0Y& zRHwtA9rngF1&Hgx7l=!`^DzdJyGkKtcNdEE$^rLgRS%bhHqfeR z=1JuM^DSJ8Ah8Yh@ElrGc!PL}UniC%<Cm_%nR3}W%k zROPscn=XC>qnf*tEiSlZK`ZWZ$8H8S^$8-DySq@Gg1E1DC|85|!Fe+0)Sydyah{|E z4O?p!W2EvIbz*69rYeQ!h01Uy#}1Ozm>-w6W_gG37)^-#6I^)#x@nat z2sV@qy@2WVuWIeYh;iNUEP~#6_|tf{$%U?f`s|>8rp)7N?I=ESX6})nbsmP9OmwmYC>n73Al0L9(t1+c3_VpvXBa;7g9c+h@wR(n= z4o%P6-8*)VK6c`t+@6vB`_Ka1KqeA_J`>r0*Z+``_CY7)048Eu@xuOfMwY=YgPVIEDs25W{Dx_K zfYR%2k*NYnre4)GaXeygrU2&ViUZ z2}+<79wde{CV*)1-?VFS&|N46oLUSVY?(9Iu}4@Q9W{_0N0Y=8?TRKGXx@f_4<9#= zIVuPG1e}+6jFyJCx7K-k?4KOg-1byHBcTuNz7kagC|g}~jJ_5Bs&5U_v!**@di^S=WltxIP(=An**4jUDF+wIvv%*zKps0P1!yeT4JW!B7Rrf*UE#}g#HR+ zOrMBMKdvJWmq7TyiVBfub)3#smPlOG 
zV#P=xo+Vb=GCk0u@vR1e4+CS}$Z2U={j66m_d*hniqMtK7D!%?reFc|iD6nIV%x6B zwGFUBALa*_EAw;oKEHaL6HJT2*)H&K9qUzJ7pV8ZW9o@52V%prHE(HyZvq;`@o=^g! zY00-uGR`bN)!pKFt-yrYh2k|R`l9YsC^deuT#Yz!q~)>n4#I_wtkHv@@2s<5N z`9XGUy@8x!lfLyh_D+&e;Oy-@@!?VVmG4Aq`$on@v_~{hZ(dj82B8oquwV=pV?4v;!PQRT_=w2FU6=|(pO#-#-+sm9 zgQ2t`G`3mXMo6Sy+3oXHikGA3c2fiRzs}aQbyge_EwpD0C^p|%xgzwfr6!QxkO4^i zh;mlILC*^#!+d9uRzs-^Ye{deKSPknV{%XzarNBeo!5-UE7qN&dBaVE9}J_SEF;V5 z&#+0Q`*l`>^;raw=Pm>_9X}B;Y#1D2|9L0o-xHprJE+Fy3j3b6uS*1%v9_XDt?uIQ0TikQd^L8Xb#HXhE{4;@T4r)jO)@3Jw}5A@dK=#;lm6&O z-d$FZ_sx27u*w{0z;LhGc)8O$hBS|rv9`!y}8t!4e!D(&& ziuH}osfSx-KP+|(VSvzG!qPE`Oe9bT0DLluQBJ*F`3q*GP_vwItf&X`HOhR zSkUg{)tFYB*C;xV6>jxT@mg7+!tqALZCakY%jK;NxGDS;_vxgb@Wzxa7RqcH&7dTY zuI}t58GJ=_;K2ENGq-X!p00S>$M^Xiq3ydw)*x{GK*usl_q;?5vYcE)s;F>BnqGs| zQRjOF8VR=&6iG0j7t81EodSSW^`jcuh3VSZr9wx1(FS0)gM+7gIwI2kQ^~~J|FN@HrvHB@YyZFDk1tb_R30$rb!vTHD;x}+>JwKr)ZEjbEweaQ8%{t+ zV{)KSD!w;-8+omzim599gspf6k$@hv+c2tc{BlJukARur|Ld$Bn9i3gVB0Hxmo|zp zvCbJkn;o(AMm~Eg_U@1!=5TL@v@vv0j#ow7CMvDBvHyBGY)2#)=uFx|8$r53cEGug z4x=;vs=_8#FhU~7P?LKo+glrWb!UIK04_cfm9k_MZkeQ%^6pA{YQl2La!1Y8Hn&GB zA;upyMI8qJPp2Owl7{YgP{fW8GC~^JYoFu{ix6GgJ1Oi*aHgRYWdK-Yyh8yTkmuhF z1rtzSRK&tq0ws&N1N z@HH>rY>Ov(`AJsk|6jR%PkE_7N|&uRr1pq*bu$bjV=*mJYW?lxkkF6O0JXnMtg=a#63LeX${%75k;+j z>gUrmQdb2nQ~!p$18^K|vUggGw&xoJoX3Xt(7oROVHSq!>$WVZb%*!bZPYpCHghgM zfF;T>^Cgt(m!rOEf*G?#O8(;ltqo7-$D{}ZezXyi_LL5r$ZxU3ekk&CDF10ZP%)Mx zdvg>E*oVR1rY+HHK=|C5L0pt@#w{$#rp+eoyu)yrW{gNGBp{Fy2hor+EM(sx|) z+J;2Pbr}LxGrWdz?fdw+am4wFQwcVs#JAt2U$SeyvB$Qw8`zH`<$rIRaBeh4FZ(yJ zc0PU==q!DdSEcrZ6pp46N#SWpSJBuKr`Pa2SB)!xy$)LwWqUE$)SpSPLJU?W@s*;F zuP;F>XR@Wcm6X(ZZ$PnsDTGiryIT5@Vk1wSsgE?959xrCcM0>d*)k|7dxZGPU{s50 zadi#qvr2GS%|kRb~MAA-7d zAM55mfwbU2__Oc*^`>{i#|Mz%5pq(ly6%JwOdCtsYoy-YxyeNa3sw5svpITDw`9?b z`LY&iZUh7@Pqq8657L|K{pOgx0hH)FKL(uYR$;wH=SDt}yb`bC<4s||%C<90e_=l2 zjTt2|@dirm44uW7;LL3H?aV&Mh_3WOiekFPyq=FyfA`uf*Bg2I)Qi4ss}_IK&sNtY z#c<%+&k-v#8f;lXW?0uFKR(;>^Y@yEfuxr@2x9#ox$fxI-1!t|sU?flwxrTbvfV)Q 
zl2+NJZxV&GWg6H}DgkRp!MYvW-Q*2&$AN^`bntsiIfkQM8QFH+_uPp+!4Oj*lqylt zogmKcMzHi*=KP6I?Up6ZbEwpt@ADSrXyHhUBYyuAdfsu@DF!2$fcmE^l-6{$yNiT~gY)Z28P;T<}9=qSxh- zq}z*W%rS`Xnf$s$PU~-uOPr5D!ToG=W5X|nTEvGEYO`Y)Qw7?=C~6DcNNwL-tY|9@ z)jFTAWhIj}0Pb}U-R*Ia_+nYD{98?_Hz|hT#`4~H-`T`ouR-_$bq^V|q4o?>U!QUo7`X@3Mri7uTzpKxY4dPAw5lN9JFd94V zd0a|jQeM^|BLey2Aw}9=@3IP*`*Le=2uU_}nhKuO<@m{f`!MDTda5`oAbUf;HD!calfP(tJ|Zzxv)Z6D^$j>8o^u!nXqx zKVm_bc?!_Uby!70nCs}<~ms?3=og|=NS(Aau|bMueI7Vs=pQH*>|trx$fYiQIzm)Zuq5r#s|i% zMkdX^=h#pS8%iQ8p;)DRF#zhW_G2U4^s^#~G~E?8>UZB3~4) zWOSfEse$1JC(7KR4F|21bH(hrp;wlQhJIkWvRpM;73HD&E7EZKAhh`E4_ZaL9IiA{ zF<_{_wm~8NQ}D-6Me8u9NRW&jW)SE)Rbeh%8dqfU@^gC#?jop!3|{I2`EINhvtJ6{ z>#x3#L26?ede^ET$ewZ}w_N0b)KLNR8@<^nw?S!i-4KPtS~s&`>HaL8Z0|aQjXgSnPKx`siqb#k=}h-#;hj|ogk0l$x-?c$`gQhKuI8g@ z7&Q^ff|adhB`Bn5!#I;Em9sqXjrHIXY4bY8W)B5BaNZaW#PrSg>5-QhRxpZE*QF)K zvADa0hn-05@cHqPW=PtX`Bn{b&gP*x<>>XdRK#Wx$4FUv5nQqIenE>Z3#CMoNWGz@ zzMg44Yiew7>rH5}F?q}tuAgpCFdi#rd4sR(-Px-SW&)hx+CGl&nxE_dx08_(szH#A zQ0yUgRL~^1bc*-2Zw=aK0Y7vREl6K)b|JByMf!*t*%GP6psn2}uOV$@%MitgaAN8c z^8Qnd6D2}t3l{ixp+7*hElTw&4m`176?)BD?(#|Tk&yet$`du5>YS{~LcLRM{hfwO z+kgf5V#K02>fR`4UcbUPc3GmAJE53rAG)-*(qs!;p2dzt?BbXPk(1iWEZ;Gn!_A?Y zUXNVZG75=@s5LR9&YebvqiA@pfv(Pq`;E%W5Yr|=r6@_IB5caQE>w$zww0;i6wO&H zDsJN*y6r~prT=mp=cdprye1xe45bmdGEz8a5TK3?^`F4TpqrOE-;-(lAO0xr}i;-?yX02;bLNw zuSwA+<%>Q9PzKv+?}xMaLmp@JI6K8YsH_@F`>B09HRu&+6H?i_DSDY_I!^Ro*iglP z04@DoR@#4uQW*cs`5Cd9{eR)xhyVMHU(U-ZWPHyOAsi+`pECd93lw{(Ho8s~;OP@^ zux!2Ok+=JLvmMiYCTB^H;Esbmvi=%CX_{0!ml9FB%&b2?9l4Z+NjA|QWy=3!Qf>>p3-R>fJ!v|PpJuq_Sf?{5_H}K(JvE$ARX2b#4z1;Co zo?vHn*nX)K5gthjAt~ZXx*N_YQF5CPnoypAQQym1C@V#)pO+@6#1X?+8kcMW)BAD- zKBF3hxLA38P03gyyEl4dC&qpwv;39TKZ7@RCrBDJAoJgY+p^d5y`;N_ZvL8SLUlV^ zm#h_;k>8>toccSd8Cw;-{R%1A#JugzgeKH-il_K`_q6MDt$Y{$?W`S}S>KwcpL~2A z>*Fd1gjVwTILg6)gRflWNese%0>P4_{WhUsurn*sJo&{o#Vx&tqW=4Vwj?KJd`{8CT}m+L4mi>R?}? 
z-c%xXUs}?W7R}S#7*QbF={ie%M$LtOlNZP1$`*HCSQWhZt#hWVmBBfGr$GCOTe5l7 zv9s(1`4k?rxUqG#J`JV_H?m|Kt<&_%@h!!;%MGMFfC!mc6#E+kM|oEz6~9q3=G#2%KOdgh-KFE-=IyKIv_j^z(z z5oCp1W$EW_hmFU!5To+kvL03X)b11^GsST}rw43*sOQ(Y8u@2%;Wv)oB*hEYQ!+GA zWYANuL^?GU;lQkeTxuqL{ex$RY;0%U+Zgm}nfq6SoQo)zj+9vEyxE>?bXb5Jjs0r$ z7gn`ZW_piQoAY}N{|8hFE`*{+$BZ@e2>~b}L4-$GKNc^-<9;V~z6;!V$@56DOOZ@N zC(|90M^<9V0Xm3r$*w{l%z8vX6F)ZWYoEU=Yo>7`?IF9Z?6Q=!kq;`-7TXJe{`u;~ z7@P;bqqk&?7CH~?X_@vNsjcFTa1{qJQ><*-U`dZ!gU#0B_F9V|_i@cpgk>0>^aF+W z4!N6Qpd7vP4Pd#4YdKS2$~h0R6rOgZ7bbCESP57WE$#25rr*YHPo5{5GHJG^<4wyA z8kngp+g&=rW+iR|E&rg?U^NLqv~ydA+oxU%?h)QFo&Us<<9m}06`mTT)@~ZMp?%Dy zR}1kzH#cY~zRiBRthh) zgO%G;61$%f+n{l z(_lC{EhsqGrzuZgMVYV!;IL*7{%<)lkl$BSn{YU-KQF4)>JUWw3gIKg#|bL-nvb9CTbPrE8a7$ zo-*yJnH#wKnw-b?Abk2cLm&!fKR&C?Zy+b6=MEI{z9ES{irj;y6YvTOe}v~F=-pga z+p=6Y9Uq80u9|1hT5@kX6>E5#?tTcU=nl(a#GV?okv+_fi61 z-)xIvipV1vkkdHH6+`zGZG5qUk)b=uE$jn?hj)fFY^ax&eGpoorbc2(t(#n6HFWRt zxa-tx9*U*e>cbW%;ZG=wGV!Pu1(5styd>e#S)I73ZCmy&%4Meo&+5r3XmNb9%1_WSwh;peP=O0%)}@xl3l-1Kwd*631o z0)NvbLlv>&zZFP*N8dlambp*eI!G#^N%?(zEjVZ3Q=L`Ok~nJXprG^@c$y!2!>V#b z{7LseA|ND~<&smjhI?b5j~Abqr3W3Y1xiC|6xAh3%xay$5)Jzz1UEoms$Dy;d7Y|X z1A5smeNMW4SmyeI>^ge8f9ZXeTuKf!)MFVZxPI+mwq7<(lgCny}!+|OS7#33c??se>0WFp|!d8ZCQw2=!i6!(sY=| zaYs7Eq^+3?Exx#{hFcND2FAzq)c52MXE`+W=WR@gH`|!Ss0HO$17=^>A@%J=-?}!e`p_C?$Gqvv9Jr(4^eW)pCSEM)UZkNDPG;5V#@^n zQ~LuPKNu_56+4uSsnpX#OgIZ;i*%D^wI?fo42$+4+U102_}C-{@&+Wm83*T^JPI;+ z`Gs58WC)BbbC}8Thr33I^z4*~SV>=r+pg2RPLR)cen}ggCg>W ztq)r0*uDh>RkVH<*A;A$qizfB_Q{7Wr+&-^M2spPfJ2L{7z@Sk-Z@|fEu@lx9-WUi z;@-GTukifj%3ndGQ!G`FZ2g0lM!#X=5;GS3hh=5MlP?x(Mq|$ z`nCL4TLTP8i%)2N9eke1>j$seq5ZdxEzLDKmk^RHy!?f7ewNPgmDJ{&n0}JRvL-G^ z24Sq*^olwvFA^3n5;ka3^gcS`jR-hRT_fF^nhLOvm9fgB8;9UJoU^nY;G+MHxAzQ-s#&82 zRa8XMCn(rN1p&!OlcNHHAUWrpb4D5(P?7{eBsMwIfY9U|1SB?@CN^1eRG>lf?Djh| z_ndRjxpU`vX67f&PF1^h)q2;v-c@IojZ2f#8+LLe-n{A4&}mHXa1+K0;&DJI{OF4Vp3V$@*kn(OSnsm=14KrQ$u%IOez2QJ%hHHSowS4W;Rt zWnrmC|6{xJ(tAfWd|q!VB`=d^@N4;<6yHcd1MD@$?TKN;Aqo{I>J^#b;7|tdK7Y7K 
zt{)da(z04UZ#9Z(=gvsVu^$V+xHJ8czM2H>G3u-s&!uH7)Hd1al=!H0n@CVAe{JTY zG0bs-JXSon2 zbDZZjrAJveDfn3IpV|7~)pOg!%(&QGoqiqvH9hkT0YL$18r>&mFoFcDJVE7k#y_WB1 zIU8;F2sI62RfiCbqzZa0Toy%Qk@(1?Ac+35_E+ddQmW8bKRlR$kcpxHOZMg;KLH`^ zJ9-7ahTYVS&lJ&NqBO!NJIqoULPHpFEXo``mB{m62uL}Qpocy{qj7K*;oZWhHSDKECN(+K;^);+ zpnnXc2+tgUhwOP1+!)3g+)W%H-c>aUa$ncR=sUgBCuvB?*;~DNwWw zux+VKY7ou_LWAco1#SnV|8O*V`pI1i2dLMH2K-?}*JiJvYsooHLUZ zX5%ny+Q=8`w&Jk;y8uK%=3i2bZ+|9te4^xUD4Y=TKFIx3fKjH+wq{3!7s^gTMzo$G z{5;W6gdwKCN$QM_B_*)fCKpq{t*$b$F zqkjG@6>v%w*-}}_t*1^)756`qTXYT(o7>%$>^{Rl8f=z^{WpndP0N$McXyey>>AD= zj($m}h^?DJTtGj`vb7`~SE^VH;=3uz7iyu*tRmE^mGbSHq&7P#-|{CrO0w*UD*5gD>jBvQ;qt#z4h;VVwLk5^fRrhwS@G3g0iq0?wdPY zSf;0kzh&co9@v2gQ$El0oZ2n+<6|hqtIj~D)J0csy@aVVyi=Ttl}ID);C{SqtOK+@ za}{X(qkHcdk2WoHN;lyY_Mft#gNiA*o?K%C593$bY+&g`1Zz+$b4%CnLAR*W@0tzR zOeBgm$dHf~W)V(xokCZ+ zM(}05RD@eOHrYGc)sL{1mhE^aEk8Pir zW8zKFV+yS-S9OeBL(UQ)Pxr1 zUN{4|b2a9*l7tOv3B&Vt>W_I5-=r2%iNk}`WTDs@iO+!7w1B1W5o#(=Zfzr zoG4NO)0VV5McTDQ(;&mnlYY(&y1fSEPD|m_{0WU;N#yJW!jDIh@ms4^C{L8%#Q~}b z7)-{@hizqgICM*8a~0LWe7`pX;5bVtj3|w6-Yu@8d zMz^AZ_AV^{*m00Fq;hQCM`|czejVyoVV~QDg&=6|@n3kM4taL?(4Tm{QbkL;RdmFyEm3bmQ6?`IFtOmG4L5YQ@YV?Wi<~`YIXjCK6^U#SG%3C2yg>LR z?1gZq*VD-{D-Vm&Z#Aj&^gfL4mAdDlA@Y{`MbUlCvIJ+kT%sG!MeWBck@AUeLwH*Y z?zaTuVH`c@+I~15E5#SgpO|7ev}7^eL$>3d(NQk9om zY1^Ng*MWA6Y3?Y#029f<^(1F2!uc1*7pJ20c6uCY!b!Grvi8-)_*kyHZN`+JJ)=bf zT%l-2dW<>ZzS4QS9k+}p`ALu>fPir9&3pN57Vof{sjx`MNg};S9KFak(MA!{Y4dzS;a*cr`5lD;^#!8ex(O? 
zh6*rLeS8m})(fZIL>TtD0GIZj$4k_SV3pfIt0&zP{}7^&yDP%)rvLg)mWs7Opb2B# z_4r_GB+owfZcnH|m&XknxQ*HFfM}H%qTJb3EqnHP^YgZ55(u}|Q|-j`Y8ooIbM5tx z(t#N(;#J|3DTkXe&QqEk50k&G=aZA!U$}vWqfo7o_S^P6f2-W1EQD9R<#xg@cG3B&dSfRaJ2Y9TcU%YF3{>@_PuI#5D9@R5oWtW=};?bpAh5UDpgXB2?kNr)r2 zLQH%Q4u*vzcF^Ii0LIX){Il-L8R2eKvv>8&pCQ)M=t6#f*DF!K{owbx|7M=5gPp#F2GNvg6!1z z7XDV=ixFJ@>dRh>bFih;1; zUpj=PD^R|_lj!HR9r6)UvL~qF6s;req&A?D!w}CwTGEXEqV~?P?xf;m{Bv)U?#f+) z$i7!8iw*_CTg^u;otSe%BIM>uF5&Ose`>`?050T*D-$;e7E%ux)SG9h(K+h(VzwvU zUR69`esl{b&{3jD_@!)e3M4wQ$!hM~MpeIjRMO%X)g?PqQ;F4(+-Wf7rv=BZIm;hipDcY3R%F4BH5J?bj;(|tFmK_g zBP9Ni2*c$ibabKME^pM)$y=ignzP&?1(~BN5ZdH80VpOf)fq)_7~6KCD_BwHW_i#|$x z<$oTpX%GzqGA6(S&U{LiGp)}9AXa}rlWS!gdA@AO@Kk86%hV0TpXPIJ(N^aP7kBcS|Y zM~H;t#KGQityYKR&uhHk-R;@|dHUnz4zanfN7RkGkQ-)l%P}UfkHA*|QNKGodzNRx z#`io7^-EgLpt6^p~o|JL=HDl^x}Ni$#}vx>$Q`g?Rhu37($~$ z@;a*IKXo#Y?VzN+tks572GnQ8$XOG)3YI-j?b-A8!qhmmigfIBM{Qx+hU-G*B$Kk5 zwP__w^TOuB$W|!(xfYu!nHw@F&IlscwS46*{9V0X%g_mPzPuoQlvL2YQ~oh{C&It< zyZ7gG3ODLU^-swX%Lh-=fu1RQ4vb26Jw5Bd45E)heo>9uLXa|N|QxT4`k&q;Pjwk@W3?Fx&wp{cYKJ6 zicb{7qy~JV;U{loZI?fbO?C;j9d7b6p6!|!$>mDPLh~fkBsxu>d zR{Gyvu`?g>5fZ&Ml|Tq+(G-T6fFgHe!Fv|3ZD$h!h=6i4S^uOvJ|bz$%-|t?KLaxq zoQ7+qu}DRw*ke;|w03DwxgI1GwX_OE+yT1o1_BrFmX!`es);YEK=;>i6E~?LdeEO^ zV;s*Ll&z(=Vqko(hjZe){B`rby+Z{~n_O&+M$fEJjEczLzw0RS$E%t(U&K$P+l332 zy{>_A9x#0Pbf3n@oiCEn!m88$@w@#PS(wTy*kRsh)*TK8*DFlaYfUtzDdgRnH*UY1 z*1PC)zKhDz!$q|xH|rjA1`&m@s9Oe_7+Q(lLGu_W({P*2*J@LrbC)UdZT$KklYJ=+ z>1pi^qGG=10k-OIeB;8W{`BYPH?Gq0-BnPhIg^pddM?dc-+U_rpncLF1_EC-MUn2Q zXLJVIcGfBJMKRvG*V}NLb7k?(e1v=NB~`(3SV>ZH+-7#E6t1~@Eg^mw^eW{#z`lHw zi;J^+lI(S@L!mGI$)Zm*@uOxxV{0DrkGAuJYqHV1DlXD0`=aR?!vu4i(S&@Y6--Hr zcGImA4W2`{JK*wlRRV`c8;GE|L|)41zVo_F;V_&5TJJPbm4jHXWB%scOGw(?0XT`Y1pOF9+P+^P;{ zd~$Z`m_E;m=@~ra=Jvmmjj3Os`!QIq@KWQ(v`%)ilXdZByWg384Ik4vLyNh>=*OMX z<@86@JmMu*!YQ2-0rB2W4Co{7;n|vmOQczH#MX=`H9?2dwTerMFQL|m?m z_|;QmshX&nlRi6J5s&Xd!#~AIg2owb#e#qjK2t^CZA!6in=o)d4*CQ|f0*G{LKt#p zL>utWu-(379%7Ujn^0MR5nu>wd)fWOyQ8ecrte4VcXA$v{)sq;fmS|_IRAasS5M*d 
zyY_dl=PAt%>YKJxfI^@O|C@!970nV{Um+>ss7B6k{Dt}(8&`iBM^zUq5TSnO4N$(e zKqn;gVHFq(fKGsk^x$X_Cu`mlnjtAXd11$N>%eLwU`nxt(N6LW_fP7)II5aeBkFbG zeAvC*j__(91?6qe#xAz);O*iRrS^#mnO9)=W%=+l)sU_=SEJ?u6@h%@Vu5 z==m~&*Q2^Kf7&_|@Bm|*5htr#)E@9C0G`Dp~ga$;lVPPaKre7pIAw-yGa zHEPqQquy00c-o;`eQ~&jL~T-B7~363mO5Nv2hNihtHoYMZ2s)oL;?8;0{g@_OAE_e z*2bE>v!DWAmcc_UWh%EWBHPosp$Z zfrf2bGMDJ-691RU?T?}Jbaah7S^oLS-Ow%WKg$JGbV@J0{68=FJ?nRJFm@LM1@V2bFPeHv2TG ziyf$iLNr9@XJ-c=3`GO63wQ4zuGA$LedT(qRl%cXPS5rzT~>y$U6$Kju7R7m7S75c zOsZePqmq33g6A5(h5Y4px%e|vSCJhdp{Y+;p0u~|8qvYSO|WDep?aJS8Cg-}Eg-8u znYj6Uzj^$an25H56HGBZ=*nm=pzP=^dF;3oU!#WmV(z_so5GgeOzU4br^xl-daNIq zqhMB4^Ioou1H#ZrKe2PMELBl4IlmCwqJeRde3W3Gp&DvBvOd}pu>R^*)+ms|zVdjW za74x2({n;$e7`4#-m(dL?g=hk*%--j-J7k~=PHUJ;vp9Mok>7U+$gx}Fk3egsgy2a z(>0*!c{%i{cr?8>konlpdkLmC3Yg?xvMg@7sp=fdNZ>m?QQyKJhZJE<|Uy^**zH7HL< zG`ld;U|W0qs-8O>8;@k#I37=s*_N-!&qHZEc7L>phRqW0&p|Mj=*!~re%9T$$L~T* z__gxsW6z==IC^RZAHIZz%c%EodT{`Fn`fvqf_zSW{da%0$F?Te5fEG1&8m|Jb$D*u z3(O+q^Z+xw0AN9A`Pr|=8`=R_su^e^4A}wrSPXuG1v7BmrLw!tBt&}bJX9?QgfaYs za6IzAJc{RQnfm|G?F|d2M4`>D<@3wV|7XOIEMM9UoO)x}`)%o38LK{2Wu=ozqt_^w z)l0-AIdoJCt0LR*Ls4bdYtAyeD(RcA>cUb|z?Ju~lgbStAa-TGESB24xD$&?~{>f|D`lVg}k%X}>G2BqM%k->auui^S zuw-oT1lw!6fdCKi{&TIf&YkZO70YY56}*92W|t7rxeDi`Kjz7%FCIC%e{%_hP(?)d zPN~l{6Ai55Sjcy=JaU1^o315A7Uluh`IBocpD56@Z>G|~;zRrMXv#=Q06|mFWnD0PXgmB~L1DUEf#*@8$z`y(5M3`-b2=wMy*3ev0JBniKAMiZ3MASVx1&D$=NNuTr)PTze zTA<}OfFAVZ*nkDV1GAdfhVQ-6MFak)Y3yrXxfjSj}+OqEDWRoLS_T;d9Z3%>rZ(&3B4pDLfb88*L&nM zqRvduS0a6MUOY0EtaNog+% z04FIwcw-+b^xnhrNXSB>{UDdHuw$*>TGi{jT3PDgo3PzGXw`im4SFoJ+BKM3oNv@_ z^Rzgz(2uv1wq%q+frWmqP1da0Mq^s0CZmg?qvsVq5zv8e!*E!uTZ%&Hh=XwDHVwPW zCl=uGA(TsHY4XEJ1aH-V+<1>j$+ZWn3JT9~AJa;o08?<$=P#E%T!^bQey&!i6?hY* z(UvWsMbJY=`cl=^vTLw6R<1XscQc!@Ol%RZ{%|xa3W5lf{S|NMoqrr=!(5n3lV3Ik4X0mG)c1BRf|F4Y9_iN=^N|VZh^P+ujS^eb_Y5HT4yR zDsfI0Tt{7Ot%1wG~+z=u8;w6;x4?(|{-Kkw+klLfpi zOO*L;m)aHUHV>Fxx~?X>5}{}6z7p|wvKRL4QfL<##yA-tWy&Ypu`!uzCrai;y#sDq 
z_6!I_dxJzof4_v|WVZ}urP*ColioZ9yTANuREoErm9tBTvsu2oHyJwZS^za{hX5yDxxXbDP16v66aZBkCR93tJLkxk%s!G6VI>*0(ZJ47JOC z4OzStR=wWBBYiSJ(A{4Z>(R#tmft~c=jK+Ax*mOYyd_8%dzOE8$7aX~N2`&9H&c2F z6OU6dsGbABamC38ZwpP_;ZNcw&J1@|9UJ40bhIQXNh)wdDyT=y?MP~)3v&QkB_I!= zIW>i*R+D3rZD6&B17_^}$7<3l%3sI6!IQ+ar0%?z-W%a}c_yN-NX=}WP#BM|)Z%T< z?%TtvhC|UneFbUMwN>2qM@;mM-@*lS;Bi1Yty!XT2@~ik{oEk--S9C*icn4z8PIhJ zbO6hL2f>dTi}CC2H)8FBLWIO|@6xP_t0ZRql0|QZ*UK0IySUg0QY36tq#;&L0&H>% zo{3RW^yYa zoEw&`oxG;)F7pBB1Kzfk84sq@c3~P`_Z}Y0yg#VUC>$;|2Rghg2}^Y`3Df?C>4@x4 zzfMontf;N9mbk&@^rmZ0^s*xDixeFRxH+__&Ap%dIbN)Hc7 zdED>e`JlQLBG@bn(Wz9pqXF}1)hb>+?xc!XY=N5zSWDQce*yp4oBup9E!x3t9aRf; zn00?>F1!qa_4}7Nh1lPMdpFOVe0~B5A_C@tHH}H_H5_*?6&1B!s$Vh0{D8l7N`1^60`x#aVYGV!H*f2bDHcN8| zPZNFO`w<&AHP6P6KwG4xzt~>>Sl(+i1UC-0?|y99eLfbc8r-}IdbEN1pi*7S40z?L zGGnwI##ZEiK_3Cri6;2m6anf-lY7X^s9W=Pb2=HRD{C#yA4{4U3BSmSsuP-zwH5sl z+^vfc->=J)B6Bkm#m+5BgY?sJFNB4+^S8WKdLDr1TcC{~uM|KEk^HMSmT91Fy07%Q z{*v#p<=U>mC?}`LVcgNliL8GH1xjFaffEXaY{ZK3Q;&>U+K2uVlq5Cyft|WCMHSP8 zR`Z2^wBgeBTb7pS)h4^pPkhz+k)Pl!U|&7#{JW1|YF;3RQU4|CQLU3w5;m*@Y?eBy zh-@@x6lx9|4MVRGxCzEHT3VZO<^P$izk%_AbMqzX{@h)Gz?5 z8SJmm|K-QB+xu>HE0 zRxWm}l^ZagV;AWgRd2de;%P)7>gj%GHagnF)fUxb3NL8i0R^-b77;0GhE~A8U7srL z+AS#1T^6ry<+-_H#+_0abG--T&(9pdV;`H>%9H>X{%*%c8tfIR+jv8H;k;B=js7S5 zE5EvFy`r}&{jdE_tBuZiPvA|1Asw9c&Ku!PPVx6Y*7oFCUB%*mIBt+6y^E<1as0|? 
zukG7iuYH&9xj&`D1cCiRRj!P8AbzH`8i&V{x(|5+(*cb9sqY777e zmR~f|fWMoPWUy3jg9pIpW@Z!7q#+D;oG=4MK-!yDRI)Zc+-D6 zB+7Zpae79A^1}Tk>isZ*7(w!B8`tC1y{`bZtCo`>Gd{0V$HWBBqlxH90o(9)p>9KVXQHK!P$9kjtqGn9{Cl@c%~=D zoE|EL_lxe+@UyV=299xy8dw56>`{2!SCvERs<Q?Ia78UKb9NSy~uP?t-KKT~#xE#cWlg%IP{-Z(x$N3qU34guSIA6F}>QnN5W}do( zu6r{D&uI1O=`m|Z9kr7d}^oS`$&ZI8%#{}VhwhS?|oat3Oq#iR*NjQtL-fAk5Jo}my-fj=4 z{Opm>@`45J*)V7)N0=kI^opzhoAqy@E|~~Ku={-<>yoM2N7xttDySm>NFh$}pcHY1 z0S@#H3N7Zep3<%BxKj|BojGOGBAJ9Yor5-O0ABK3PF|pHFO4F!B*)P^+3uZC-MmzV z{wITi70j>@qYnjM8*s^&iCYasHd`Qw^iPPSDD`Gy{{=6YwT>Jjb?SRJokuljfw*{!SXu)N8#3cT$<0~ zr?KKOoc^as4?@UvwcTVxwTB?}Rexqm?98v(__xP`49i{d`mKJVN&F5 zye`?(G?@x!vwvd;_xLFJ9eIA7m4d#0-8suZI|Z6p0{V%|gLbfztiON8(MjQ}PxP0U zqmu=pVw-Mb4@4chJd>JNCoM2r;}!PP+-{U1QF76;_FPX3tyL}a-x@dxFt|X`VHF5q zV!qL^P^eZgt8OLodoghOpE)-a2~j9e%uHl-8qz~)g$ly|*sy%Oi+8AwNDi0j$9$lV z1%WtqT;5=T$G7FOqz)5={?}T8+2aQqXS6ld*qvI^y9O44djxcv_Ks6|1{ZUNH~r3K zIkj^IMB?&?!==`Ax;aPM@^?v@!x*j18+L;Ify_BpZ})D* z9NgwCckV4Bc)c3lswVKM~cw#d4BC9b2c)Q$@+mfPi8XS-}Ntt6=m_j;z$+ix~9{=#zf@ zFb=A_1@yMQ*BrHU*azR#280cEM2TM`kJ$AXiuca~*z`OaA?DYykym=}o1?Qp$Pb{D zwt-4)N;aS~$hppZvy7i9=8d#tgD@k~sbL{Vob>+OXB}s=!zqqfC>HR1%a*7d4H)t} zuH+UM-=`TbXl*qDGUIqysKdu9x*{?E;mv}AZHE?e{O$V6R`CL#!kfcn*f9oeng76N zz$C*_^DJu4Q}o8LTmCZ|Py!w(rnkS2puYab4fR0FythCeP-u#mn}>n}ErTn0;`Kfl zX}iwZ7oI}fGeHm%h1tfq@9pCOq>8q@R|sh=ux+4*9KhN=z|2e~>Dq3-iSATCg%h!Y{D265<1bXtF!+E^<8Q3={!-cO zny%KU{_@bQYUW#l1Iaiksf;>R@iTTA;=F!T&xG!_gsSU?HD&=dX69qwu3#1;r_`%0 z!dRY6GJ7{nI_EUdM;fJmJ=r|8fCE~1YgH93P%*$dF|T1hg*PieirG4A^GVT9J%292yd$}<&Ly4wN*Xn6#Z zs(v|}13AB=qq;~UY^?Ay@d*`~wzl?j!KRa(RBENEo>egKWO~!SsT93AaQf&9Z}N1Jh-YRsb+4#W&G@~cu74+ z2luNA>vpHIcX(CQT+pYlYsMZ<#)Jd;1yNqcU-kuT5I^~4wbf-6tSq<2EmaQrThYBA z3*K5Pqu#|2@Tb`(C!8_njX0>v@I3@k#m~{(rpooSxKgg$0xI2Nf?klC8fY+Ht<0Xj zD77mefTxFP=qXobF-8{+=+xF;^$1{A*%aJWeAIW z$C>W{UyO_Z+h1hAFaC67`j-;+sx~EDDe8LziyfITT7tl~%|VJ8*jH^dug7=K6q1Qo z$jCDi5rI^$x#{Rg_|u|^1i9YtKaImU+s@uzV6mk7^HGHt7}xlO^897ndJ4osALz46 
z?5rF=d)iE5nSxxcg9@TFnsX>jG|wlfdKCmnH(d#}JbG9-3g8f)n8yii+|4QJ9^EVM z$4PKlA)YM!fZgzG)XB(usPmNJ+k&WC1L@Xa2-H3!yfF{uzq9M@shbw$2&#m#IB)Kb zWvMtQ?NOnWiZ7|z#$&B6(JCI(rRW47!-$5-ViU9wKjKk8t=eo$-bKr1K9ac_h6mEL zAc1V58ug!3=Z`m_PGb(vcg4tw(%21Z0OpkO3hi&{=~=V11eC#8ZoD=#GlK!!a9W14 zw;uRw0YGnL8$NNqaP0@KlAFe4T$?f;E?>v@HvROsz}RUTpWzo_Jc8`dxc*PmW$^^k38~HOBMUGR8)(4Yn4ASgW$H zp04J=%pEPinM*_WIkme6z#VTaE1c_r-Rz)`2z0C*^>SW2X_^XOG-Rvra#VjBKR}n% zOb_%jpXdt)qYbh|F0Uf%ykJx+2ttuT)ol)`y^~`q0H66TG*BuJ?qxFuR+E|N1?+0}RRM%lZIfrSeNnNZ_3mVQ$V!Le5!HC&KQS&7{kt9U4Vzy|-1 zEN(Irx*1y7*31!&PtAyXz$i13**=_Ex+*G&Y8KQ;BKSxJ~G-q1nu^ zCrYK0RQ~6XK+gX?$Ie=d@pDWk6wpby>Y;QZ_A@P{JjtOk z6LJfCPtR8`j;8Go`@#p9FFkK3^s3&>v}f&SA)I#CM(tGUk4+~N?mj#>fGGJ@b{!=p z`B~e}Bv#2Qd;%5$j$hjS`owDpGkmSBq~FH+avu9;t-limL#FM74|&~pECL^{5?DAl zLvx13^$EVJy?tb7FTBN$K8C-ue|YT%vX?g8cg_3#gS(u`u)8|^#*HJfc9ZwU?8Zxf z&l?Y#=7(>8|7J#g57To|U}P7Vbv22*_{LI^Y|y_=-b*u#f_LH7Ti|tWKtO-$Vp9uN zcWguzWlgz;Wna%{A}EVv_Sp)opSv`}t`9P_kYENr$_X#04%2$w+C_z5mk!+0p5&+x z!4=dHsiSJWKVbPa{eu&s`%FS;B#JIBAhAYv$dnOj@S$aCD zczb1N_+~k!xv(l;t|a<)h3_W`(d^R7h%b`b(bSX^!MH{L2y>P${eC~8y6321r<(jD zg<{PyT%6(D-lwbRmNmq_ao3kAIj$F^m*Z&b-`#Ctr9G~nHiHo}H0W-*189TE0Qnh3 zMnZqTc?~_q+(`7^czoo&8`}4QA=G{=gSP3idzO9+A-@`Z89Jj)!&23r!3{%&iuM zN_MJKdTkv`GwcS11r3^LuaZl<#?QqH^4tqz!KzK#5mC?q;4yUzXUkQ>{WzK-iL7SE zZ@LOJ-t_mc*pk#H?sbv_=IWJ3I@Z z&~5kj@%(s)TRQnTQ9BM#C)O!$&)CHrr09AE5w}~OUwQ<1ge-EqPTK6oLM;$;Y!AuG zL>36jK(_-(m1lA5hSjs~6(so=Ma<*A*tU z=$w|x-a9pUK8aFYAm!LW*0)@hj1C}Eo;oWmdY`eRE9b$EmYOzHV+xVnABX#MI50^r zi6>TbkSoS7pyJMImFvZ&04!36#UgiFbVKH|YRCVF8YF(F<*1*de*2dy-sGHrFc+zU zoNM5&I~`fXTYYF@)N49!>su07hWrkaxc7HtV~vVY;KMLk`ID%^#E8womq(u}Q#9E% zHET3E^Sl7&D%rqc<2RQ@pP7}%h_XW(KB6J@gGDjYD)5=YBY80DmslG*?)RYd(F;_! 
zle4xW6O#j>N{pl6@$OudJ)&9Y9qd43b-dzsDw?0#@9?;!F9SJ~fbZowR7Oy=dU2Y2 zGVOI_<_I-2x(fh|*8&6^`}>L5Fq4oFP%^mLZMzCxz+Uk)RsX1GP26#l`~Hcw-tQ8^ z@y1iT#KaQ$J5rueBO6t1MoL;k<|yUmsJfgU#G)@h1i$fuL}UN6YDE32>Xu9WYBKvf zWH1>I^T0uMD1D>d46y&D4GczAZZu^u9nO*g>#wsf=d=lj%y)CdRyD)6unkhTdkjmB z*&N{>AZlEjs&x@Q@>z{XoZ;D681Y*!?C|<|pOa~H%iKAE$=7Efg%Vh~pXj0R5M;=7 zB}hij$ODa1Ft;N2?Hg=2g>cMUr-%McOa9#9f1xGMyXE?ifR=^r1hbi?bT;cQrIb=m zZRvFCq0r!nSpbC_!wkEATO9H8KTEwJ;Pc3$^iGv4=b<2Rnk>2f(F z7}0pe+-G?bS^Jx@G|WILuB!CkB6K*(z~2_O5fp!WBmE<<@DI_-edNP^#-Y<5bd25Fvwi@hLx_$$w1Wya;#{-L2p8O$c|88W56YZqlfR1U}y z*MF{kGU^pO^K;x4Gb&hrwpFV@I@)BJ5525`*?c#2n<@Z=NM^ML#0g2vVKN~W64K_} zU=B$~N7lT8M`ONGakH0HqobCz#pr7snkXeW%;1E`L#t8jYceC_GR(r_OM7>nq;H z2yJX0aMGBT*F`FLypk<87652$6ZLF*dTtVrLx6S}b_Z5(q1!+(9#M)Zwt(x*=NIAP zYmHlrmC@Sn7_A($*82NJYEn*BD9F=_^tBJnZJ( z+8)nK-eTp~FT&z4kS}$+j^*Jlz+?*Wvtk@S#!wUhYg2W9sVsn421C?LUsht-NRHAb zww>9JNKZ@SBi=F2A0fl;7_JcNnyae#miAE!p-gTK5HrV)VQ)iw2$SX2f<5LSou`QX zQ_9NMA98R`I>)GYcLy-@x=}^6RQ9dCT|!cF|L0AmXoKf*KxJyEK6o`9s7oaP>Qbf8 z0X0JkkwvzIkUXvEGsd?JUVMg)d|c0dfMxX}-fe7rvF!uChOW8BG2Td+}c zne>*cw~Pkj-(I=n8No@sh`-}smoerjO4Ao%iMt;e*wxHj(1MD27QReEYt7@XE|WU) z&kQ>;fj7r_*d1g^`(Noev9cGh^f79uKhWSaQ_KGyKS=t9hM9XfNe0?W>e<*sfeBzu$+eWvUZ+|vSYfl>>xiTYwCjVJ5|6A;; zQ$PI!^8l?YCN8%TR)=y?7~ zgRpu*4Rmn08_@bUwJU5kQDT(2+2|U$7C$mF^#!W|!qk+ZVSReJBCJRTE9N2aw6Anb zVRbqY*y=MPL{Dsjw#`#G^*Rtk;`>RN>+|4vpHF^6C@F~$Tn}q61fj}i($wLPDk1NS znhmH++R?_afVI=6$^4{<=uO10<-@D}A7SDpw)Z&3gpX>@77Gdtl-;v{ z{m1CRf9g|{pXarxf%1d!8zQ0{ zKk}LSZF+xi?~tJJTUNGz=ClXQe6)6ze$-iIV5!d@3yaCsg}(!>AJI&MvjAy)TVwk9 z5ut+z^>-k?@;EOvEcdDM9^nGYI)iDeTgUGX64IB7xLJUA`=l9<&5@SI)+mwIF@v|D zxtg(NKYi&?lrSMdFWj$bjJM#EV{BU6I^iSKoZt&?kO<9>e91JJtbwjjRU$mE#9jXA z)WtfbAC5^jRK>V>u7~X9GI4*Elg_}Mc9Ur?m{#%N*k_G>1AO@nkC)0`ioQamTL=x_ z7Nx#tuz}=b)u2DDx|&oOJI?YORWS0_9kQl@;s;j*`WVm{<&a$kH>uWvU{s0r6F=`t zuNqG!UKB!2bzeov_qnUwU~Q#tuypBIsp3gMhnN>Dgmwa1uc)NUxR{cG`T@xqzS^n* zv0}p1A_Da{EG$aA3!d=UFJOfx=Mh>xs7P1Dg8C}bg?xh1TuIv$@lIadSwtY&e;)4E 
zp|Mz05bIiIyfot|49p?JP~d&qvwxs&Dcg@J0x<6XS~f4e$+`Sqk2#1C*Puip>kF@K zOJIWPQvT5{O@+~cQpNzER`r0|xaS^Q`R9eGZ`?X2yonxjuGkEgbmnp_pEios7i zysN89>n+@+zJOVN)@y0V+(8z;07Y~&&_uxOZeCUg5Ac|w8xzE6!o{Pq2BKJLVhJla zR;obmh;&Dt~Xc+lx(l6*J zjwmlT@Y23KOdeTFj+;m$i4tenCJ`+&w4`~XSQCz5xxS#Nk(5`}T57Lx>&`mG$ z&4QO?qNri8Lb-(cH!xSZlLMh=**7iZFj&54ED)&7MPr~uyZVQSw0k`nSvaQrKdHxV z3)__g88w7XQ7DmO%a7RMr-<%{Rvit?x{MCa(BDGRHL^Xr4{3wcTzd*S@_Crq>+r7X znrjeS`taQDn#P%~+~z&yG&MhitC{vv)vYApzHBCc;zdM4mRH>$MUp1kX*mNK;F)_h zPRjT)859MxVG-qI-I1k|(x6&acxTaTz^fZN7N{vqgWLCLEty|KK6 z)njdg!4jk-n3|z~Dx398-v6u1Lu}c042YB6pOdIpgsK^B!|5i^^gAScN^~;2O4SY^ z*3_}0pMnL8I*FTcQA zEiLbyNGPrEYb>fd99UF^S>Ip zlOqW@x7lnp6K*dds#$krH4=M0(MUT`p-{sMOt<8MCf&}}motHh2{cyghh2wm8L>+O zY{?c*wqH`r^x;C~n4G5(#4>Rf^R6(caaAhV?q{~FtYgyWrM8dXO-bwc8xtu zPcLx{aKZggRj?fwn0Jg1)m;eZ6MlhU@wh)j*_DdCj_(D^|7)faAC9fUY9obiEs6dL0(VPNceMX_@TsUa zork~d{~+$Gv`5%PyQ%C1<3IDFGxgZi7OyBR`=fN+J?2if6gIC zU+*25?)jJNoK^)iOClx1`f>#f@6pXX3Xj>(`>dXQ<$XI7#d5ThwT4>-Ky-$LO;1#y z$o>ZonUjz4MguMq=D~QOifs`GiPuq^^*?J{KiN+!2{u)0ne%vU5WcWWQNm^>+mT*} zk<*(k=}Fk8P{L(Rjhl>rkpBw6&;A;DY?~ed2l}B zEmiVhH1){;{JX4X`m3y#0r1z~9&0(|cY_=vW35bVZ3p{zfd0CWqKPJuL6nuC4 zLLv$L?)wHzbn?+w>GeTQLo@0tEMWI;5uVN{lcb@$a-kmyY-`lv@NmM1%B=(2Uyx*C?p}KyGaSIb4=hZl z(~ZUeis-J#t76;}yv~w{oSMc{7xT~Fn|ANrN^t|MD37Nrm@+u}#(v;c3}zsu_A)89 zefl3_*up`MDaqSGw*?Bgu-^GAS|Jsna%;!N%|J!ezGcjl;(L&x<8d4#$_~NW4lNj- zGz)AIU4|i9frl0=Kysqm!+@$ z#--kCg-)~1RqDza?$nQ!g|fjOFD1O-__lHWlcmT2`LGUbe&Z1Ma^SV-|J4Pjb6j}( z8ZYT@V%hN^D|Fy&U`?F?&Mu~|@SioaJKs<~+IBP6eRH>t?-A6eY3W87_(7@zRPSv* zh*b5*GHA@JQZcVH6-*7a(s9op`)In)dG>qVrn@h;{*+~Tkawm?`saOsf?VsFb}Lo- z?Vi~}isN5;5#9Qu;z@)C|0YqulB>bLU-x`U?yap#%JsJElwzM+SBhwr=lo zwdYe#EImOR`pMeH6|*On6nD!AK)+uKqO5H%)|=wiD+ca-|G&v$-LVn8G5Z6BA#WmX zUi;|qw{%ZZpOsEgmC`J_RDMq2-6)B%AyiK)EF3FOWWy1HSsTI5lT(cq@9u=CBZNM}AeKZ6uT1 zR)~z_IvoeH+*uOp{mR8S?@bk@o_%EloUc7RTt@9v^byXphav;W0-*CL?7?CQX4F}_ zizb3`0gwslR0K;!byBoQ{$~I9aNvoYSoWbN6QX6x9VFhkeXt$t``@kwr`T=V@L%%r zcYol{%&JXQjdRnbMrSWo7-GpF{_V(5rGr2q)$C(~g8B?Ige>&H^CS^MxU=qvfmYLY 
z`B~_hIT&{)Qhzix;3lWvx@KzTqsLM+n5!OL%QjN#cG{%`%X^8qEcz+;4H%If+QPo8 zLT+sgX|8dKgVob?VD&Vg9v7U-i$(e}Qq+Pxi$XhPj};f*@jU8?W}Um}Fl*1P9WB{qcZc8z*=`oSq_tPl`1;$n=Hb-OdO31G{ zE?LdN$Q=gu4Xy(>FZhqo;^o3-zXxhdpJ(t^teA43?`D{EfRT-_jB5M7=tLDB7Ob?V zbQ3d}Y#Hr@dYGFJH>(Mft&uipA{h@dLsEef@Du0 zT#o9#S?{1_y&m&D1)8m=ATh!I6*BYsVP9PBbL;5G9=4C0yyaqCp^AR&|m*ffSp$F*=AABQq>9Vui zv|_#(jt8a-w21GAPgF3SP9oHHPr4P3e2h0yFhpi@D_~hAZJeui8N> z$P~$jOCad1(6;~N)Q0pRGL!$5%X`PAF|DT0YeYVxaGzH1r~BM~1w_}0J#R_o<63ta z>6DM$vI@QEmcuVD7QOL4f8J}Ufj9%G#;oh}RoA%LbA*urzU7AfCkLUkW!_5_<=<3; zoi}*Sa+d{f-XKl5{%Fa$hsy}C4N2O-+I$Lg2s?e*PX1}$z60$9+4l(fghL3zL527h z;-C4}U(csB(?-2W9Bgr0o}ITZa+{Ofa#EG1R2ijj%+fE_u(zxi-!)ZGXb*`9wHmL` zpOqQUlk=7edT{aGbH(5K-ii3@lSybxZEt~X4K#Jr_$%%E*d=t`0M6`oVIz=E3$;W` zb{Dyv%#vH>i~@8p_liI3F%x7N_|^RQz9qL)mA7-=n}TZNowoMX0UVp5wN|Si=LPgh zJV*o6>AgxNcM3^m`uDB}DmY4Tsyf|sIsgZOE!__yALwy0lL=7Ku;C~E&I)tJQ;paY zV4;9)rmHS_r@KWIBP%3g!WVse0jn3F zs(P!CTY!iHkfp_WM5PSjk2m7=Z5>%v{ig_#l4Gxg3naiow_1d#XRR&bY*C5PA0hgz zW7Xz&xHDM4kw~=#&;{OtTXX#*Z=yr=q_pP!OMd2sn-dak233@$6{(RU;dc;8()TAx zuYqvi6}%V-(z(m60cp!<>dIN~Ogmw5PYEtEu6bO)=I=hfwpSaBDSpKaNP1825P?yN z@rY`Egg=gyAhEDz9seEZ^O5ab6V29x_4%KE5fVY})T&+$Ejh%an$`^6&&c&+k^_y> zvtG)JzD9OaXcySrY)__cvFGw4UUJtRtczcV7@FoJvPu(&0sq~V2J0QJ>{I}bX{t1$3X<^&2edh23LGI?S25bKs@>>l@u~f7; zMOs6Im!3+e*1FVL<)ZF5ocCR(r108xNwgmD5z%oG6=&8C<1&9JUkkl+2jU)R?j5m9pr}k`wIqR@A~g=st#k7oF4st3DFCZ-7Oy8 z>O}`+<^|}M;TI;xx$`dxOgb6~nLK;=W2YJnOvjf_m-Q9PvAnyz*V`=9RG!nP)p{>1 z&K@pQPQ^a7+~cDvkC$7@HoZQu!7GdJ6PjWR)2lt?%-gHc$g#po=KvM-5;Fi4L5(s* zB9^(Q@&-!`nSZ-YCIG7GfOInR--{{#?5a~#wHI3QtDHh5RAMzouN#mLJlBv_Q{NGw zN&DIXL5qPIWeX(A4+}_!MD4`my3Ai9V{#vo_iFuh46P{9WUlO6FU6rMQ*0^4>!Y_tsEKD)lL&GMFYi_9PJrm{sU!5-rgdgP;y5>{Y)R*S z#nV{Jrg15vM}KtAjK7-===jT`;&`1QV!J39vv6@z05rb(^+tC8hiA^WTIu0`c;-AQ zy?L=)-o>H+wYU!Ha2Pi|?lQgDdopubmwQgD?y!mR_#4&*rPqo-YB-3-Xem+Uuu>Um zoZYmZe|*ick1N?utH`BE%0iwczO_|Oa^KKX9{qNP%89fazLr$vP^*wcpM8!)=MAF8 zd7EBzLM;X^*m!3sJ$kxq_QLO1kd}P6n0osX^e+;FY;Nm6YjgK&+gLg5x*}oP-29x@ zR)wqU@r<95cRt&@VEvJ)rB1i;IAFO 
z3_yw}`!GmRYK*Xc=rskhEQ{2?l5%RE9glC(&@qY@z$`4sZ_}egK+S zP6n~fh4ZH_>OQ|sbmlT#;psT=mH6Z~I1HO-kk7#{vRnxM?Sx6RDEd4tnGjcS_)^P+*{{A3@@oYAqEBKiWqe)}MS zv31)A`%aeDS;Vw0Y`~~d_S_xzH8dbZN2vpJwPMD1a`h|W7k#~Ri$>tx`+mqBm#GIi zYbmTA0v85EPbd!n?@g2En1812jkOyBYTX8ol!VW@fI-=)5msoy)X$&e$}%v|$zF+l zH?Q6Sy7I{>ZHq*LP?>(B(C?U`QcbIV+aKscG&~o9A9v<$C+A~fSt|ThhFJU{O!}ab zd{|(TqV)^uKeP>5FO*<~2wIao@f!3*2Qg}A3|Q`2*>c33(-QeMC5bI^TI0txEbpNA zLB!ebucf*FBzK@=`XzUW+^JZJ=|skkQdY7zcKk`SxxH<{zqKaFLDv&`c2K=w3>59p z+<9SEn1Jw1I07~kFdLoUHkcn@@&76|p!{30A;&*WlCxgrM?SqQu~MW;>s`iYjE^}b ze&qPXq@}iioe5k43V`%p2MM|rKT)wNK>jV2kgqu(28my*{z3|2y){e|YWcZCX|6Dp z&K5vHZTRpX%M5c4(j_|Olt7)KUb-eA4v_2*s#|xx+%9CBst+M_reRds@Zfbwt-YLz z*Z%32WwfZxgzJ|2Lv*!Tw@X9rmo%e6uBbnd{i|&Nem*)emx)p`I7Xx?(&$YE(b!HM zj_X(K=r;l-9N7ft9bf14FR#8Oq0<6$g1&;eK>ingI;mV$92S=2y&sbcDH>LcVRZx} zHhd!af^M!C6cm=hMb+E#Zvv5JK0IHL$=hub)6dV3$1kk<%=KKOPc8ukVHfaOY?Sx~ z0939|s{{B5Z2=10=&-z05`t`Z#*;o14u>>wY{w*0gdtm_O+ZIk0CA-a#STb0Dv5_u z0VD3Gf_v$9OcXGT zM6!I_jx^>V4X>XaM}ISVC>PT6d?aU&vHv+eCK}C4K+pZ;``8-0U|Ha{1we8A8a1tF zpZvgkF3fPGo;qnfwN`e{%<;*{3D8oil6KD8oWz@bE^w}ax4?TX0K~deZ*5Ew%$nv}8mCR(^I6Ucjw>{5 zGbrrh4`kb=E4td3_pMottJckH5G7XVgMlDFOg6mOewE}MVz%S3dj3YalVv)kGoM zyukEK8V%VdOfT|}M1HkJuHD6#eK;^c=@PDxBb;!JD{48Jd-{gDxJawKHxQ;t0zsz+ zCnopU=f8g`(@lQ-p%ZXbdbVWT@_d7pwV`p)D4{&gvA|3SX=;wc9*_VBQr7`b*9L6% z{@wjXKO3*7zo#9_lCV8UuaphuH>Xoe#?fU7u&wC+&i75X`klo$V$Zx@PG91hYPaem z;?iemKQjA|{HV$wo0dsgAkGZqcL#P#%}uKA+kG92$B7jwG)gF4D9#ffx6|g@P+ams z{Y+A|5tYPRT^!5L0xVz!pY4MOImi_-1TlBs7aTg7ZzlQfiwfVN5@R;{9VSr!4%=l1 z6jQyBX{ds1>WgP9UY4NPVe!@pdJ$8!S*`hd1xv&9BZQX9T7W({Ore-8C!fYxK~mYq zl9x8K>#Op<9`<+*X^jp$#}%I(F_ujiS0o-x37z2syDY!Ga8OWQ-qoX;OYG=_3=wh? zR}vCkE5^L?sb@?>S}2ls0OAylx4P^P<(K`a!OgoOsx|x0#E~%s;-Td(3>F5QUc^^F zAyn$h(;`+3h%t6QlVEx+x`(R`gKGzr{-_pTXJNT?VF#p`6 zQuvn=e9%Wi^r`J5ZI>Ny^mZt0s`CU`HXOiEzO7THnU>jR)YDtNep znTp%AsHh-uMaAJ;N_(-reM5xzF6Lg;3}6j8hs`EP$;Os}RLI|YIyeb?Lrx8w>$C)? 
zAAdUJq>9C3bVyBX;q~|>QF-#AV4v%B9sdOghx;0A}yqj6#%a2PDB@zDh~i zKZGm>S$5&J{}8gUvNTPAt7hU~jlqY`rY8`duDzNgm*I5(x;%+p%82ZXN;7|p>=q{! zDCRhqC!)VtlW64G-O^v+Ei`yA0;&TK#=jHD(=+SqnaBCjf(ne58W?R_;fwJATY1Ya zCk^JA&6r?94aeK7Go3GctiGVM$8P)#zG_SCf)vqGvEt5niT_W^7pn}Z?eB35uKN9Q zloNLaUoDW%rVkXT*Gb+>qx7}uZx%!t>Sj(^CpY7;+Rcp%hRKrjvlJ(t8wuC!k+5CN z$<{+mUQ$);cYVHZ`g!pyAcW-*1l-Z_ zxwU7`gld7TwUk>Rl45<(3fV}!4E5KvxT5ht71y_ z_B$6^O#muID^DOs2Nsou^}jH({AB;AE2#EgtSmEc&p)^qX#lE6ut!^Dk8ENR5iIf) zF4z3!W4YBdCzv(Zi!rAq;(KeTUIkM7F?peS6% z6c9gGb^OV-QXMciqg$xV+1FJ@7Fj^tZmT(c1U!LooXEgSJ=Zt3JGIr|&i|Vi)RDWA zdn=9NjF>o!B6|D*EY8}*ME5hrBjBzb8SXf}RE%x2m;8Cg{y+-Y-5LH*VKdq9VEPXU zjluT9raeISvMs8XPZQYA1HKQ(h!YAG4EoT4^BCoS;0wVyBLJy+n5~amrH1P*i?=2Y zxV&!zMWLs?T4ppKF$3d+JNd}Rj%8=ju*0Pdb%09+mw}Dr#Iv5%QPV5ARH0UJRff@B zp;lWgaW2%exo~Ye0z?t=?bm@u-x@RV|3y#5lRyp}UDM<)pM0*DcUW58z7XnZu@jVP!VYxqH z>BCkKSV^O!!90@P8XFMT9aG|(CJ?z!`OV#FRQaW4VO+Eu1tvFGR$igcd74#lT`wTd z(a*=8hg^-c!6Oc+3cV416y#FCf@dkXy#1{;&0Y`WXgDnYcO|i~THY!aK2eRIV3EJO zV<$*S{P#fEKXedGkfMT!ujWhXWlJ+j`tPBj*dpGUS&<7o;aJu0GV+6xrXD(hllAVg zSKTASiuyTNPIv}O}{E~sU!#k|q^nRilNFB9>j-w9}`Q={dUZHUWjUJv*6HwRVi12+VvPQiehK^Q;uU23N zP>0@&nMwtTke;6^(viKS!K42RNwRHoCH=GQ-7@*U;Lo26UR@+bC4B)TBV;MGyEPkW zQ&|URmeX+>kSu>$YnWMOR8)aym=FqW?wm0R(j;< zt1y6WVdxHcQ{xvLcjtW2&Ei?>HF%+oG!bj_6uVbvCdX^$bAhsS;S0I$qYQK>AcZbX zT0BYY3)~u<7z5JJ|7#BYrDEF-;ND10G4@A{4A7*Ov(grftct4qGL;}VgEr^&TQ#ZY zXO`U)-?y|8P?OOGvwHBW`Ns~p#weHkzh<4ZP>$_`&t`d?Ch}j#`(>rC+2KFt~Q>* zQG&N+&1_E|%xJ5?kGD`e=ZH4#Q%zt{^3*ta1GEN%MH`86&OA*kfrRTAcgq;-WK6r zyT`2TbYmYGV&U-@Y(ym9>PxOm<{EbxAJ;sXs45M!mdVZ{ul*KmYp>t|)Y@MsECrrU zyH*ZRM6Xc=M7o!myLrhOyIe<;%w@kQd22}%isEHpKL7FHOA^rI>zn2AF@VH{A&k(Z z4oCQJKw_2ksUn)+>}zbyTQ6>fpjUskj#S5wEX|}d1{xo9ssZSW&ry`BzEZRbf7UW! 
ze!KEvwU;y}T`o?g<=kXoO)hz^tqGeRk(cTt4ygUxh|hrX!8I9GBsp3uw^vxKoM}#W z-;nE?!%3W`j@=~t@+=pfxb*5x_4)6~GgmMA@USyp->1H(P4Tgw9iFxN4q_%r;{BwaEC@YYwcpPwz{AO8iI~#Wr_!B5FD$ntjB)i9%%kPK*4w}h~ zfJNw&UFr^K#SGbQ@5HEDvtYSfFA;DTe&{G^e}CCc5y8ogXZc%vK#cikA`8o>hCw-L zbVE>+^&6T}bEP*^HB}QCCERL0pq%z^J9%pu!1HGh2%imv$CH5C!ha5TX;8cQR3@Iq z+VJa|(d7n?Wa1$E!G>HhgS116Pude&Om$u+q-g>}v4SwPp|kJO&GEB4#kk}=z4=9cOE-kc3B#vLkV!Zisb znljF)YdH}lMULLQASEy`A*_#r$p2e{xh#s0V=d3ovDR$(f*2L$(G~UPF}+>waDsR( zmGym+mGtU)VBl&w2hpsBos`lE4i?|AjmFS(Yp2;ILZwnGx91Dqrk?NAUUBZV1bBE; zSE<(vmM4b;LJ+uK3ZQX|ysIGDP7r<~=pMvhYHVjR@&le#wnjsim=R!@bQxg{`OJ|< zIk*jhygQt{?OGF_AUbe$zHJb}@{V>Id-Dx#XD;sKS|bc-8&Y`jgxE3Dj^38vEQHz( zY^(jWj@QQ=GHR|IML6yh@U)V-k|i=2H3`sdKYeqBg9mjq$qvxbn;EbE`+&%aYNG#B zIEqC7T~;A{+8{FN%VX~@h{64fD`=vWRJiDb6_79(E>Bb}SBsE{V&@(E={Yk|$rO8D zPC$32ml@!>ICWb1)$OYRqJOoAA=LgC(SCxVzoyVz39>`4q4LsF_oE4RSg)j`vMIX@ zNxm)L9WXnzQk#+1y+B7u7nL)9$Ms-*yQP+e&y52BQ+nVM$R3)`TboSX&-)OfazI>( zw&QWr+@-Is{~(xbAI7%`{*!;>9#boGu||2ENncz@3o%?=7Qk+w6E0xoW0VD`G z8^_;-3Bi9RwO4-tC<`A0J2YCzPk!QatsrET)p>ii3p^YTglU_H9|K-2qa{_Tw%5V* zx4&acAm#+ZH$N&3r|IWqEwm@A(M9X!J+b_0tOFtzFFwt}Qn0{||GVj-Um7RnTHW64-u6i^6~WGj7ovo%_#O*6%>8o~_d(=Wd!GCGSM{f>bRouI zs!`lX$($inZ*R*K?o;HnUEH$>0^69DYoCr%faMA_A;Ltr8fIAes>bCBO!jEJiQ!#? zPRmgYqfR5GHy_-UZ~`utE)S}_#Q5c%uB{ksEPRG+K_X?m*2VuWupZpB?2RyK`#i7= zo&f@zKYR)QuYB_NINR?kN3$g&ddC!mm{3p}YD!!i=)i~=0%Y1X)(%d+yVjMXBFyWB z-usPGIlk38&Cc>=Emt;UA2`bsE%aM$ObNbC5uI_uoBi4&=A9Jt^4?XStcBb*p{1vmGVvq@9zk@xNBaeLCqf zl>BIX>jW61>uNKrV3Ep7N{ayi3m?KE2r5NrAvqno>Cd5*m~5PKjn<>p25xRt-KXd- z1Nwz4&7`-)zg1Z)h-oB^inNfONR$BAUQjvG?MEfRpb^evcKj)uOG{4xyWq2^3Zy_| zXRjD534m|ViF=+x>Jf_W%{Sce4gZhm)pQRT@&vA#-ut`?){tvU{{QBgF7LBR z2g~6;{&>hp!EB@go$|=-dJC>^`(U#Z|4XavrJJz(p#uP@4T$0XE(G8P#xt*Z>k!!= z``7DyuF(5hw^lY=or~rp-}T-Q!eYNKFC>+#zL|V^LiVVZB?pWBUO7<24Ho z#*L}&g@03EG;^{k3!`d%ApCRYj8*@BxfPi#`)aui@Jzcu37HJSL!FNAx_S>Zx#?a! 
z3Xyz+b`&Zs-+#`` zG7`@62@hIpl9fbNVH#3l>b_KQuzf_S0Db#WAe745eUm{z<7Ah)u|-~Ww#oYb+q-?0 z<3Y1;ql(wx+EarT*@>ThlfA0Jy(J)w;dPKkOD0SPb>Yg_S*btfN&k_h$9;6Q0V$5t z*e!l6(xTzH2;(w_N#C?z2n$tv9bmW@dcapckY*KcLI$ z_tVg$E~?GNGa;9Qd*cE3qp|pupnV}H*QMLQneKue`B$lj2od!&+bNE``Sa}2Vd}hQ z;Mmj_%~bdLyV#hx4(?7t$bM7HZFMjD5<-!eeI4tU_)GV&NL(B*uUAnlyS6j$`kicQ z6-iU(if~U|uOZllP1omEQ(T3upZU6!x0vA5)?!dnBK*96fG|4x_>>b*iJUr}o(0!h zmA#Uxe?60pI{#Lu(rh|#&^^@l*!4OeSk`63HBdRX zjg6Sg-IbzmJgvsYCx`-{o27cwaQS;z2R3NZVT@ZtEspB$XgLNhn|qpuzS;YH)oAbE zabG1AEp*%}M#IZ;h*Y)u{yMb=se!M5c*lLlGFloJRAi7O$ESvIK+dMDC(+ZFK&d&o z-}`W4C4?wlBZwvuN`H*T9Wk-xuVFJbd@`uy?j0-BOI0adG%Z>tyX(zhh7+$Q_k5yE z*{;yhU89&YVE~nhxsO1uVR2MNoXs)ut7t1m-lhV&vY3nHi}*>ain+U3NM!SfGv8E z;Gb?$TN0_3Ksl9?^+&m9rfg9ciJZQ!)F$CDl~Zh(Fh((1d2%a_k@U-dDqh%y93m<|_o;??}M#ay=4*=#GoVcGEI!(`QQ|1#) z-E=Cl7{4opxCy_^n<{ww-g*U3x0ceMW+KVX$YFByCc4DZr_&8YLm7 z^x_66$fM}0P(sIpM)EyRsI|oNmY!m>NZ`U)Wnp15umrUw^v=mNR%G!@_rw-1jxxcG z_bnHzX{ij5U__%1Xw>pxMmZdUO9B5Muv`}>mxeP>l`9MUNVrIR=va{(Ushx|knefZ z84MhF&2QO0OIEP}L6Bn*sS6+*~9}8x$$fca*>9MJ0hlXwZdNRyA}(V zqr_ZeITgL1+XN3?*QZ+yEw`v~AEEEO)Gx8CPm|%;t2FIN{Ky^|7fa8VW4dYB$EH`A zD5lKzZr|Uccb1Hpka_HF4jLMrwn^t&cehg#5#=m_dZCogv4& zN0yX=1MTvydHfd3v{1HT9*VcbHOE9aQ?p-}Z{JehL9V~jJ1Gt3$)R>wXhL7-(}#t5 zU#bdszfj93;U8?GnFw%63?7JZ^>{yHU-VQhQ)uSMldk=l-RJ5<&cb}*qbHdLLh(@Y za1AI!G zYc#(4@o=HUX-3V3d+<=fY>p6jJFBn!_mC`Q-U6&!tmGG4fP~5KPndz2F?g zBbz@4^3zM9oJ&B%nwf!966C9L+NAMF>G`(x6qN9MVe0vj+}kv}_o43et_LUJ!ddnq z?jFeNLV=B3Gimuzj@+FuIdN~)Mlg?0u)Ms+ay-2pu@{}Z3S&H!>K~A9sB?)1QLGtT zrRGSgrkeqa@R? 
z)3tP~r+o%*W^A{9#B6mrtoffV&o&FLd(DMgJvqB=2?SP9^gQo~qHt0nd5toiOzy>Z z6zWkf>0T#NmDO}KZRygZDXJKUOV`3fMsyrR;Oq#&9i*r+vPx;~8X2GZkr@7gG#{#W zKE?7IufyXlPMQlCRn|nP+i|!14x{d>SWpUw_I0)7S#qSzof>ZlZ8-4}OC-xcAF2M@3-6^B4L3hwyL9 zEI7EJBT$gpU<#YjT6J@?&Cg$-E@$v`AM%RY^HA%xtsD$ZZU;0tdGrIKnO?9g0g@$>E z-wmfSvTpRcH41FE*i?**KkoGJ z=y-?tRsW~zBoUq|uI0Ejm{x;Uk=!hg)KX`X{>`9@$CI5jR|+*3|8iSX+7Ot==W&DAGV z(ctn>fmhH@$l+zjA|lCN5!o=3e=3=xcbuPY4|=|01H zoK$UXM%1gNCrarDb`z23Ueyh%!bRnNjCye4h2uoDEEDA}kg47fEHq0bj(qD@5cx-h zeh2@~Gy3IaBYD}vk#><>vT3FY4Z9^zm?{d!U5gp6v}!bqfbZCun;!UOp(evf`;$97 zc(}2LZ7ZVn2m;Sfr7D%ioMWN^#0fdAyUK_rNSEIqKv6A9^c}zeT7n3AuEl8Q{n&1% zAqZWDunxVd@Up8hcd_itef7gS#O|?^YC-L|o0nB6qL=(5ai= zJ>k;oq1US}plYIm2n=!tP9gBzy-%_MI_<3 zQ_56SHW)p%q{e=eT7Ke2;_C$e-ok&`ewA{Iqr6D5IxuSdz8MsI5+lE#2}OmgEcRYY z!bjw30=qa%Ru}7`6%abB-99u)j8hBK3TwitT*{q4S$&42jz-Tsop-Nxa>b7c_nlM3 zp2vZDSOq@oLEu%Q2r*pmck~Gbt}KbO)8p-Z0Wl%rLyvcY`Z>}|(U2MuxLaK1EK|BU zO`oF~{ISPD3u%lxayyn>@S)sZXz4@%{h-}re|;4*5+f!zGRv6Wz@S?ZGvc)aE|+w*l%Xm$|8#~Mz`#X zwf;o<=&{(V@vjK)@Dz!?$=cI%C^o0h)t=>PxX1|fP(O_&(i`)P0ILm(anJwLbLn>J zIZMElt)e?}h{u7Kv4Z1tXW0T?e`BfcW`^AacW~7ZA=rGT(#HG7i&_~l`>3?{`CvNz zw7fdAwWIXIAUPb7Ij}sGs%RG=3O&Z8B2(=_3b1V8$8(N|SVB815e+F*@_SOl-ESHu zjiPxcA^O)~u~qS3!Qzj{e+d?|Y_Y6^XckNyy{d{J0VVT~68?@BTaLfEN6M>S2CDx? 
zi*}z+1^Isi#!-ruW%n;$lhP8)dMvej&o?IAK9p&-Mddn*I6Oy zLpi_5o@6h3wzgI>E18vSZ92=asqol`nPPfPC!(^7v552k^7VovYpwK0r zK~LX-ZI`t3i$NA&MQ7IPO|MmmPrf6XsLnXz3|r1nJQbiFt|A9->udA?tadLb13it zBBz#y5eRsPZS3bp8li#g4h@8&fS`?#uJx_vrGQQvJ=7+w*@>OJJ+N)jU2X~Zb~8glXmbvcprcQEZ2pYU$BusQg7{^YgtBpmSOEq zKjrMpT;N}#YPe5>3NZWV2F&S!vqt2sc?#Y@EZ(loIR`uZ8O6@^r5_%%5tg{WWFXR7 zT;vw`D-28NE>$I9WR%`2-QH~yb;Mh-PHop`QSaaRus07Wc`1DDdhD?^GJ@+hqlVug z#=J24sQX%OGfII(%G%c{wf)y@ud#K6nhssA3E^qce48JC@*4;e%aN%4rcVB?^qH&1WHJ#g;DerUKka2I(F2N5As6g4$iV<%R zoV@`#PYUG)B#>U%**osNBGQhKraE%q$=D=qUdnZq+vc35*UKuY`^Z|U+>%}R%QVWN z0=ah14HKfhV>D>!*{}hVaEa|&rSU=J^|U;8Mb%fuEalRlwJLit0=wBblHVWn8dE09 ze|e*U%ruqPh#2CaTlw%D;*oiz} zm#Tozd=Pw+CIV8s9j9P!#-VkQWgD zOqF<}(C0?Ay_8&IdX`l5cDJQHi+ii`RZd}u)0ydxo6X_Hp_{jk+-&gVq5!^#Pte+u zAlxHZoRFBI_|VJL%T6K4ml|mt@s5sy{=F(TDwk5k;Dc+8@jpN}M@!EpRa;MDUeo8X zFJRey!n{dCN5AC^TgZ>AxZQfr4#DEs6ir&}LP{mKwzAEyKi>_^l2BOT%BrZhCPNI{ zInxP`d4Mq!q4L%Qs#&h8H|a&Q$y4ZvP;B_hF2xQ{-CUNnrGX>ip$^E}R~UE|Z|;?i zZpuV&ZijixM#VH3-qS|idAq#1+edt#L&lRr`*^QmKyrd-e`kBAatjET*fD7b1HEq< zEYmG|WlsG03BK_Who1_4^Q@Vw(zd+zg(UbwnP28zMgkLGpTi#e^uq^4KjjKJ7F>nwn;T zfT^IUG0m*(C-ipP+H>uNE@!n$M>^>qfgVr@ZOI}<_O*R?woLGhF-)S#idOFqxqM%# zg@MSp1ofq1>`jqODNXC$PdBt#gDnD^OK0}%X|j{qz=MJDP3ZTLlSElfO~^#tZfahW z!q83kIfE*rD`NM%sag9qe&9~W1nzX&kUi`7w4}td^$={(AYXY!!YbUbOg=X^6gljk z9B2`yx_86Cp)e8W-XfJ&E44v4bpPl%uauoCHPyi; ztR>dmr*EZC*XkTzdD!pkkvg{6bm2dA-+!-Xjj*aKqI7cTYtwaIMtkzwdokHVP1>xP z2X+g-S|GGgA?aFYgmPKD9C+bQ-kh)m38Yx(_*PNDUe)jeKFdN}M;RJv-)`C{=xe@hAyc7(z@!(Dbr^2{c)4irth7^Chigo z5C7bKPyKZV?zP^B`}9;~ZaqgqWtR4PmchkRjg%k^Qa(>lPt$BAX!F*zorgv<8N^#J zMw=xe{^2g?5yF!C!iq1gXI!L>d&`6QmSMMLs;hQ5lp!0<%nDpTjP8)w%Q=AHNcc_)CC)y-GML81tfa`^E zZ7bFk_+oSEV)o^n;{eKCSzT*+ikV)XukN9h&9r;?v8NMlqr#xZ@Z%>gsRWTH__ZbN zR_TY!D$3$?LHV=Zw|q`KPl}JQ?CNI@WFWP(#yDS0A^ZP2qJC zN2{%^onW=_o4cQ}(wS9usw)mEmB!Nd$-X$a@XFF>tCykm4P_0=Oj1AJX zN=rnLB)LCr429X`xx&X={NMnwl*0?@Yt{TemGs^!)aKi;%^8=J*>RUAc{`22uRo zHU-$TfcJy3_a296t0v{uWwi7Coj2EGKk{EcyGQdN=-T8!DQhT2E%J&YLf|d+@3hGt 
z#=m7YFn^b+;owC6mf3g&=+R-@GG@!>QGX(bsdZCLZS4TwuYVFfLxzHa9-()2GVsjb z&hU93-3cl6&g81{i5049Ds@EK^2JpDzni5j|81a5A4D}SHJG{*1w!QN23>dtmP zt!$N$Ah|^Y04RmTsuM}2$gGM;Y(Hn}uS3B7guQ&EzPhC=(*==S>!gvm??LDLEMIdho?vNFwvz1UFE>}8IT zHRy&nl#lASQHGW2VxI&>uyV|z6+MH*lrNV6m;L(+$MYeg*=1VWB;vBBA}=S!UCC7k zPe%57jxxcmoS%kTRSfRvPppU#z_6^OOll?5>}*udkbbdRemh+yLjQ+z@I(5Ed9LrU z5e9XsJ_u5VY{vU+V(2ONSf$BTb|AfD=X^!Je?o(ey2Hki9{qqwAWx`c-254xb`)He z@Yy7en#N{N@rF4yu*&ZgZ32Q8;EGvroN)!kO$j8MhCcAd8cxcT-nm~)lXm|^Fq;$i z{&p&3^>tVfFMVy%yR=^!JM_OxKMI&~$ue0UC zJ_+c@XT``t1)dYa51AyI)$;Y_16iY&IoCKv>l;py9VI@dLY6*m&2PmfAr!>zsAbVC zJ7%{8Vj!j?e0Dwk(k>`rkwYvcXHL7jRv0m!2WkHLOrs<(S**#)Rl;dy_`=zz1EV!Z zmWJA7mZ*!&3%knE+Qlyr!VA29chY&%O^*IMzUwHLn-e^5{ZZLB;B5lKUnz%{i`f;g zZjKOF?I<2nuMpU?+b{4SD0;GxY1}XUK`<6(k#WE)t_5P$hAtX8|1d_Tn0|=MM}&N$ zB@lOE&6hLuhS}%6X1J%7+PsbE<;vO_)^{&-xkJxJn+whlX}Z!asq}_8?8n?yhVFXG z#`zvr%U9OCN=~VUR zQdtrd=P`LqVD>!)Sxu0ryIUHI)3JU^(oSWlOev%m{~6(~O`Oi|N1j#+q7JmmR;yd+ z`mK98?ivB->%-knN4J*l#0_4ibk;G|;U4JnZiB^Ua>Z=jQ^oJF%gxa#{$dc=y0=Gj zW#~Vu6{@B*x*fWXu9DvB7Od+@)I6Qs9?MrFi2uI71Pxznx~~m~Kw2GAF7A@Xb_Mni zQ}ypMw)U)Bmv62yT35Y}hJ5$DF4v-*4zJSrE_^G%0+-t|gB|DTyp4xG9oELGO!+C% z5MBEn(@#Q;jJ)-ZeX^B%O(|pi#Rv981(S5+x0A=SLPHEkRd;G$7i+!RnS<#b)jKAY zOs!{3(Mvk+2802DHdYB46_EnC<4tW9+hyEehSXI{QZ$54?gODo zM1Vgss9Q3_E_jpE*we&71>!uQ}Z){C4Uv5B-^OQ3RGan_A2Bj{E$!H zrMl=wa|ds#HK(og4X;*|jO6Sxfy5j(OZleBWla}b^oRM=;|A<(-5m@F@8m~9j!@hl z#D}fdOB206dK1R{ZZdGAplNZcP0loSd?iFDaq@al#neGF-fh3g^6hr6;sveS;z2{N zObmn&jQ4H=qKzo$$Wgp0MJ%o|b?Mq!hqUlw-zs?0rRP!ltzUHd$_XJO;7{;ZaTC?j)8d*vW~{O#j9e0}N%?#iYN?W~lqvm9@`slmXv{Pn(J6Gi zX$BL!61)ZTAhF~Vn}j{8=W zprdZ&qrF!d^qy^m*l-E@*fcoE1;XmDsdhm9wPj$S3_IUc&h0cZ%B%rLTD53`=Ydha z&XAwW^z9|`%Vuj<#q8pPt*^~ed@prYsoJ}TL#7XzP&Hq^YSTHOG#M~|r^(J1R-0ji zzE0(56ihkD#Uq$F;Zjs=Mr>6@2F0JX02rWf->qNS^GMNmM;jx)?rCh=R8&wCIt!LL zeDD~PX2A7yHMs%g+BsQPQV=efV`1E!YxQ9QWdlHqC}ozYKU`&1oWz2{LaEUC{jJ)r zwr8`cZA2|19#JHBa`ET{f{V4+t9DYu&2vPEwr`)Yy#S6!^Z-aA_CEMXzs#|g;`{tA z5l<20GXHY{oU$D2xG0FvwI+^HqR&dL$ngs}8A%U;bbPNu3_QXVZwnc`it|?g+9$Zn 
zMf(~eKbKNHR#o+?;m0aFlX$_#9%mw>?x}Ym%k&q4TDt^-G3)?2QJMj6mT0~}rLs1* z-hLIA&;Zf=iBc(@k@5$y@Fl@Sg_NiTnp$4G&NY-bL++RQ_=(yVTKA=iu?e#g;#oEm zGDV`+t!m?QQ$Yjb>$LAAdhppM$v6!z{DsH6!Nyw9i-kvD&EKRlbv8JLM@Q|?{ zK0>9@Nt;V1YlxGuXEtVc1}0nM>`E>f8#Ng3`l^z6mxeQ{;00 zr?u}4YpPqf#e!HtMFpj*^hi;9M-UKDLPuIq>AjbPY6B6aLm>1TdXy@VP^8xY0YXP= z=#efE;4JXl`<{Ehv(J6@bI$sghyLKDZyT)#XL50(wUrh@>gu^_0A8o*ca7#inNGC%>aJgv3po z+SP4HdaO@vylKq>Dm!sxIzRppa5q_RS2@;-0bM0CZ?C2ZTyU*q?+%VM zr7M1XPn?dqO)=1YmGmT(U-Xt_8pSlLpm8rVDo^S837z12 z?jG-1V%~sD&FMP#;Zzvo?Ar2aBM{#0Wq4Byeqv0F34YoIO;BgJk zHXhsgMp$f!l}I*jO=U2|a?i}tE%?k6T!tDXnZaV>*N)E#`QU z#v1K2YBNatCKMW0$U30c6!KY?q;_W_&22PQ-%3Ykh~_Yk*X+DWYSu6p=}=_y>AS+B z*kikX#Ms)QBQiK*?IhFuMlFOOU?Z68WG!@z)rPLYLPu`_W?-zH!vP$FS{wcV3og^a z#NSzTySUhdZaoFhmqQ=KXlBY|T9~7S4@Pyt|}4yUwhOF9#GV65%_KoRh@O z?(deFwHUx99GORl?|Ad3IwYAvExt-L+kI=><#g$@Z8PesnW)fa^SS)6ux`-QSQ391 z9OQVtlUdTYQ3w(lrP7 z5%DTGLj*N|?7Bp$swis?e@2=bUU3`VozYzYj%jxVPMM6jlRMO#l9p>X8E;KVV)F%$ z6{<-YOvwbC!5-GGs68Z1cEgX|VHp8{XC-K|-`r%VqM~9g^2ww*B<`CWJ$*>Lh2!sb z;UHhPM8#+R95>5rj5LZVzxYsg-D!-1#T2S}P(tmfPLNiA5lUxA5fIf9!{uaHfXY#D z_LaGSGRkNG8J{_mE%`{`9bP!OpxM@Brmfv!XxZ|+=b@z9e# zm3Lf?bgr-Me))XJWp7svWR3JID>Q1&OA>G~gKn>V#YZ1kFafF*Q})rz7D;X2PMdge z-G`)9>339(aOFEKw*o83fYmH-YUy|EY?|t2gZcPo{Iy{4s3h)w&@B;Ked*0VAy+N) z-y$x?vl}H@Fs@GZu5B%S8;!_!vLnSa8Od9bwUv?3!N@tojk%A0j(cY_{g%KTF(>W3lx7zB{8Hy_y;J`(x&4vxL<(jsbiUqi z_u7gi$-nnH*|7gt_NM}Msa_I|^?(|h?sz4U`5*Y}>dDB`D>Ff(LVUM(=3CNh>XJA8 zW}bR?nYcgovd)f(%c4GMpw{ywv9`Uc$u-+;lH88FAL;`k_v7LaXdU90+tNef;*RYU zfKIdRkLSC(xJ25Iqm{h8Gz@Mf3N%Xil0>+9co3X*O+ERW;~1|^o0@GKYl-iA3jr6_ zf4{(mUh8DYq+mj;P#vx`=U%V^^W!!X?9CCqSo*9?y@hGQmOJGaA?^)t&l8(!PpFy+N`edYfK zuI(>N-@EWVgP&drnp@I2qjpD2YsraAsH5bdc2}+Ws^C$Nz^AeVl18}8NmGt|%U+Hg zf&tghemM@&LfXy+OdK8VbVl8UO^F|V-SMZWN}LX}0F~*GJc?4Fd2l8%KuGq3JtALGwA6 zDXT|W((K%dAKq&D^v}!2>Ss5}b2&YW0NwC>e%wnk5zDOVx$bp@1&*bW>N59*J(d(f zx#&Mg?hU~bCGPP2NR@W3ZX0`B4M)$xtTu8hHT{$g751%@_?ApW?H~7Zunb1tXqtbM z%J(Me;#F3@J}mtrnc6w`Y~S2#lDSBBt}121B?;S@`PXVA8k#mwKd>T@OE*Tdzdiq= 
z9KOC9VgOJGgiikeZ_p=J6~n#1UAy{qIK&Ap_Wt2M(Y5k^(2ntiVMs(8qu+N@8K}~` zXz@u4XS;h0QNnMqaQ?;T!QIj|9O@w$3Q>)65RWh z>|tDOn49$_x1a0)#QdIX=%w0o4~loIYo?v3Xzi6(E3%pFv`#jL(falD(f9z#SL~RN z=2od%(_|Wmf?KY*e)CA{OL|0AEf&63o_WH&^Ozf=l)P<@*O}wa2j4CEqeG~T7HDm| zX}sRLZ#pz=g1Q}6ZHJ4GG;`CJdX>eRqCP|Nl)}+&4YFMAAF&=rD^p3KNljO3K*yCi z$+mHQXa6wgA zIs&ejVRk_TK{qqx#7W^$DZj9LH?ihvO0f)A6R2Ed#6YV+N7Qc3Gq~+KO_a_aM6&MG zld^`oa}L#AOSW4Da)PCpr>Zxz$EV0fN(;D){X+bke=i1$G-GAwg!yZ7=TJG3jr%Vk z{O!6{Zc?cbXra+hm&Ej<8O4L}AMW3&4+d?qW!AggiC8YC^ap-YqadZ@E%W7%EFO`| zpf0h4nZ_-@UAUi8&3;wQ5*;%e4eg_w^GY(7Z>v>{H5jvp)^R_b4%E#NYhKfy$tD3h zZX+68&=PJtLxH-H-Z1@oRUA&t?#h$!@%?%9op<;g%CjQquFAsx%c1y5W>Y?$w(hhL z{{@%|_(JGLf}3ElYi81L5pA<{5-B8QC_~dNl<}nry}?pte(g76P~9wn{|p5n(gfHN zFBio!cDEaOw=z5&4rMYA7gpUAuH9f}yF<$rp{rClEPIoAc)=V&Pvh5%dl2YO^oGwL zdd<1Kox`JT25bvn6+W}6e_j9TIhX){Dto@t{oOK;E7`TLAqD-P^PhiF_`ub8@8$+{ zOCs4vhc_l+e=K0kwXNfpQ%DVHlGHTok~B?ku$>|0RC-DNB5d@;sAM>lZc$v@Wo zZsfgAc{y$$D(6wGL3g!H=77C@u~yA@m`r4L6p0a^(3x&s9MGyT{xmT@`jhj?hmAb+ zlQ5yN?`(2M`ej&(LA3%hj+UDgAC32V;SpCZf4I2LGUTte&O;RK)9eRJ zPW6gEKHcEdlAokoDm@0D5}r@9S9w~mA5}T~jGeQZvvpi^uLK0DCSM)k>Q^ArG^Do65G>)6j`S*c;?RK25BsnRdD=UuThH*P?3&psTnpMN;pg zw=tRX7m_&2HXQ28{a(nOvn&;qRT# z$8j#%zQuncf=02>F(2+GA3=Y-Ne!#*0s^O}QE1|S!k^f9i!F^m`GxZ!YG+9@6fEPL z{N|WWjdw#S_g^M9X@_RT`o2A_G$P>aoyK%TyJ1jeZSA-JgbQ0Z-#jO8eI375T+q4X zy?NX)pIug=972TC>N>M>ac@IKvT)Q|AH8T5RX@v)dW$Dfy#hdzp6WDJ-)uA+ko9!?A@W#Vi4r<3!;jb7OqF)tXr$*!hKDbE$nTViD)fZn79@4QC6`xA;cC{pQ zfj31WO?vLbzB1X?vUQ#htl1m~EEV^LtPd18Ng0XWtZr3;O=u++_U+}?i_jY3wUsK1 zsTWF~41~`XUve!l#0x%89aMEQJ>nck4wVlRIk^HS)Sjt_N<)0@R(MdR1Cx)Io|tWy zUKa~nim@1vvd|-k_Q*?@3-dfs6Y7`bX+^Gl&r(AL9HyTbz-L|6irUSgOh}M!VK35LkkYOT2qwVZB|$QEA36uXd@a>ls&qpP$4OtjU4hn<(? 
zpnfy_?(qa`MR;aVn=LOd$A0@=2*KnAfIuK?5xcGg(e!|kkrC_IlG>G{WkCj7u_{R>v_m zP1~VgDq><{`W$aGhcNJ)1d52z3uAx&f;(J4SQHD5B~$0J_p8bux2fOOA3WOO=&|U^eR=?tf_zAQ(jM71#ovgU|9~_6@BY8+PRH{TE}nB8xA}!2 z!0ecxY~5s(pWcy@hkJ+w`f@;plBm|fQ3N=(z@D$o$?tWOdkAcPf3?{MrK z2L^tx%l^#H{;9fGXN#}Xhvb>_I_@9som*M)eZq9u9%@OPq=pu5h@^RV)%CTuq zM&HAPlcT!H$d&^Ej_XuheULMU&y2d*-q1w){m{d6e!WNG_t!*2hwiTAq$-;uR8MA% z52TzKar@FO_X;O~%BFsOc?_x5mf9=@M=CPzqc0w6saZx8TLdf?Ly-JTCwG{)eXVuS zKP~r-2tXRb!V7bq@g?Q#rDi=!njO>4p}483w7BcGe(}-vvCN^Nf(Nucqw26US)2zQuk;boQoaxeiY%Qf^^E9Cg4RN_nkP6#|FLG7Oyqo;0LYEP zch-66v)h$;BB53Y6kYr40}UjF#@PEIK#w*9vI?i=sDp_Qw6fK2d1@bW36ssHAlWwcAj~ErhfVD*#H0mxv13=w{ZV9 ze)nwyuorOxMQ=pGVzV3axdN0+@VjRZtFxUK4g0362S)m`Z%}k;awQ|DYP;ArF~Ke? zvCecWAcjl;dSm815PXl*GO+}9r2pfcs~Up6o0+y5f4wYsp?~!J5LdjV2G%t(kIi7S zvkj=ZW~s}g*7;dZx;hTcoEe$!Y!h6TtDS3KVSQ!g`Ol}q5D{bC2Zyh_30Xw|X;Vp5m*IOJ^grX--)cWR@Va1y5!yF@8q7e!5F1_bE#ZnHOeDOfgb^!(iYKm z{t)8Wd3=|5^dfoM@M$c6K{9G0QGx=j(FZhfWMiYrO9q)vTQK->_jy*rmO z5Z*Ao{le7Q!qBH%=?gpR_MSq@^LV=4f{aioWdO^B!3-4T(OoL6bQ5eJcS|y)1_OOO zb~c2oVuL(A9Kl*$r$Z1>oQ0|QSd^EQxkeBj^Hj~;kjCjBY&+<7&nQ!<8QL%9&Fn1Q ztFTEt(_e8Id&>Ju)nyBhQB?8z1s&(U@E>j2u;BQ||H1@ZAuJV#2>z+sy zLb_&C-0xR}GGxOR!5~x{nR?-(63(xzUPHV%A z>l5uyU6i(H%wzcyP*%M_l5)Kt8*SgSh*ta<8HeoWR_tGIff}^viaa2@pvI#-d9w@H zSvY|yb&4);*l1tU+7bu%YbRU0i#!@8GRg>amxVC$?{kKP417oLHp^S zI1$Tyr2oKWZH=RyZLK!VzHYYCCq=3}+MKT2VFWuRLw;O`2!#DNS zJ$8EEe;3grmrs! zJB_n+^Z|8AeoT+BqlT(`;w&|3t)b{}G_HW)Hm4Z1yxU8VXRu+Ps5AtE zv(WhRud}r7q8H}Q?eLlzfwWgZ?Kka4;Be6!qO;L$ZeT~OU zZan>Aui^3}o0KDu-3ZS16f$kNnV%>toC3(c2o=0ZHM@V!0=Q;e7kXKvf8=U$b&XYd zh+D0N9`a~8qwbHKU;1BVo&wrM3h!zc)r#4z3h*(tw1)EL;+_j81x2%8k-qxN=OTcP z#m0|GiHbsyel!KJp`4K*cjF3rD$Kgc&STZoVh!E)xdL9Q0%ujC-^+L0Y!D5-n#<#+!UxQ zymcd?+f_HsAda8I-#VY92fetJZg?iCroC#y0p(_k8yQ`{ z$7{us1Qc5N_3z_t)TZ%wwsySng<-yK#&J_+99#B`0`IYhuHDy0ZQF(FoQ3t;lA<`B zJsWGywVcYOoh~GxQlI~vgS#ry7G~K3Tg$Suk)5>wmlo%(oLFogfog>xVK0XTn}_#F zS|p1!Bff86QO*U0DKUb3_dku^RsK;EKSL#9pxSy(x$R7CbfP0&% zO(XUJLqG96PW5F*p{ASnD>2U7g1jc*-HU)yF*Flji)itJFO%Rif?j(=3w>8Bla&$! 
zmadZh{3Y|R5WVKQL)P;BB8v^4q9>=TKB^|tI!E5rKE~-5$+2Z7Hx_D{qp1vv1$`pK zjLTe@fy3Z!R0o|emnWc!&)u$vgETRj2B)&&PP%y|bK2x0X_n24C{6z12`^JJIvEzI z9lM*vt7p!}2TeOwO2)`-qqnaRpF$Dv1{4GCnTKnA`@I3dtBx2Cv0bO=#;J=vVgzVDMUQ z&6u>5*-}41(Y^gFVN?G&_yAPVXIrqjBPH@A z4PO#s%5%6P@&G_hob(7^iESsa=$UKCO5f*rQH~e)$($~AA5J1>J$_Y#yFbf1X=7o?Tj~Lq zpTf&1I`A9OS$YX#8H@qpUCKnC+f!=x&dUH1`cV?%zQs-|Vn*uXZK5O>9yxxywMdw! z^G=Sg><3SpA-=H?idzyBa{VzOPh}6iq`eK~ap6Jx=Fi2%*A_oG@QDPKA6WkASA8$= zV|P&~wEdg})eG0e_+xum@gQekvYKJp?iKsKQ4f}3>sx0xA~U+qCTk2Rt)S~kO?VL) zk1Bii6+{f4cEgl`pl!&f7I`vT))PYut|`+!pLrKfHuFK6a>WD2&yEG;v}@ zNyT#kCtkTan=U8r;hWYRM<2}C^X}lKL+$LjSDS2(uYufxmu7ON78e+LsEBUiOjcHR ze}Z0$sdw-mputJD~df0Z)^d_}E$`-+$rLVX$}VDnw{}yMA7XeY#e2_CC1r z?5gQhGHUf(F5%QzbDMBxZe*;!L&1}iMO7decHjZ;%sWU*E2{KbtrwnM+AGxecy^az ztYw?EW{A8}r*J8L^;A!&+xN=__CxVN*@Hg!SrN~X2v5WHjJJXG6Qf=b{<2HHE*Q6v zz;+b|u-@2Js!uKwk)yg-Hxy6R-02`&Lv7h`5uKmslG=B}O|jQ_!$BxTSbv>m4SVEw z_xCxkm@ETsv;3K@A)4JKnUNaks>t!eJYcz@-nx|eQC+hS{?m`>HQ`dd+v$)?Gt{h9 zv^qDJH8kwFzjvKj0CZQaha~=0$HpY)U$166ZkJ2}Si8Kj`D@QY<2a~}* z0Lv8H^^T5LlqrX1@`%QQH~{LZ52Q-OU?husvIEfmvHh1MCWr-X)x3ypub{FX>$TkV zN3VSfa-!OE;Bg*BJxBMfq#VPt=XM2&?eOgRDY>$}u6HA)KHZ8$QxE zg`V{h9zx!R9z%^@YUt70<$YCo=_IAq_RymW23)EA#;O!k#P4Fi!)6kOU!l^ygP2eU z|3UFl`<6nK4f8V5`BghtO1^kgG~j-HJf`I!oiJym%@l4VSv5^n!M1Ym6z1n=PnL+f z%zeIN@8FR4suz%P7URE{WX?JMJ8Ie8V1BZX=Wc3WF?+KZVrZ7l zS?GnXJqr6~rjZ>vjWfJH7-oZ1k1|L0Mx5gHq#%ne0Vq<4ZwDqOg_)VGg7l5wOqx4r z1KAUruK&gGto_ZxaH6L@j@N-WL?P&}67T>|LjMU8Wkg3Qi_5NlCF!E%PH8Ou+B3mFZvj8p`XEW; z@!dq<7)bS|&{(xkJix3-i}*a@yMJ9WZ>m9eJ}3KFX$i*scvWWw+wQ#yV|+9D#%*b< znEnQ2fUq~KvRP&*UcTk#I{WGKL{|B%{@z=?Q6%eX-1JVxz zOFTzGpz%DC?bGzkzMbVOmNn(`2^TLbkq4lp3XnfeZ4QXSl#QNZdo#;-4W*9+pa%>; zFI2=pe8ycEJB0rHZ}IZL(&j`)DRQ*i__llf;aSOpMOKK$R6S}}+FukXWz&T@j8UYX8;3l0YZflt>Pkw-pYcM6cR8Qi zVP%-TTxho5uNQ*T>!N}6t-U{anO_Es+2(YIRg)Tjd2E80=EKIV#I%_&dUC~iJNdCY#wuU}}hgBcXC4 zBFwwEIQkN24b}Hy(L0SxMthIkii!H$W(z4f@u(3t<4J@L6VIQ=Q9H{}`M{%ZSwQh( zHowHPdxznv(-&Y#XHa#78_6lWzIvxI9xbSdy&)9kw(ow!hOsubu~*zj@Qs7ETeFHr 
z{K4W&3sJBHP+F2|)r`WrTC~Pk8$8|%>aX9c^m6#q24xOvd5$T)6O4P~Ut{8-kaR$Gn!fX%7RU_Zk2Z(V7PjL5I__#sK)fb07=h46iRBV6! z&vFp2?~uT$f?WLR%R9Fg1|2=GbWmfBoyb4#m7a0rldlQMH`olF(4^YQ*|FW0_Q>|a zJ=ciUcQ&AgA*u}p7{-3HCes`+>72iP3M5QMb|zNo$z!b(If3~QH8yh5;2jUng@7LC zB+U8d_-B^&AU^)7Y6(T;9Esv3S#{MY1?>(dWUrTTl zhl2EC-Hm)hlEl110DrG7=eW`pfI{SLZ#bZE>pevA24jYJk! zHf369l}fkbcK~^jhaPm&2V1l#!r~XCZNo_W*Nb?z;v1aiP0cfGl2oT~Be7eYIM0HG zB>L)j+?v|*{q9&PJmM=T?0B_B{1U2r#KBnOaoWX(4mTEfuT^zfl264B)#b&ZJ{2s& zj2AcC4iBP9D|e_-Htq{%Ap{W?+D063tkJ?<)I^o-osgNOUcXGoClQru{c)ew>oSO0^l>*h|x>S-i>(w#4bMdYKsweF=ZNacS7H7xaYDrLS4#4#PYPvU GzWony-!3u$ From 6d3d52491e711d0632c2dc78924667c720a3c482 Mon Sep 17 00:00:00 2001 From: martyav Date: Mon, 19 Aug 2019 12:22:34 -0400 Subject: [PATCH 35/49] fixing image links --- .../customize-controlled-folders.md | 6 +- .../customize-exploit-protection.md | 88 +++++++-------- .../emet-exploit-protection.md | 46 ++++---- .../enable-attack-surface-reduction.md | 2 +- .../enable-controlled-folders.md | 6 +- .../enable-exploit-protection.md | 12 +- ...tion-based-protection-of-code-integrity.md | 106 +++++++++--------- .../evaluate-network-protection.md | 2 +- .../event-views.md | 47 ++++---- .../exploit-protection.md | 46 ++++---- ...port-export-exploit-protection-emet-xml.md | 6 +- 11 files changed, 181 insertions(+), 186 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders.md index 792faa49e8..3216d16b87 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders.md 
@@ -78,7 +78,7 @@ You can use the Windows Security app or Group Policy to add and remove additiona
 Continue to use `Add-MpPreference -ControlledFolderAccessProtectedFolders` to add more folders to the list. Folders added using this cmdlet will appear in the Windows Security app.
-![Screenshot of a PowerShell window with the cmdlet above entered](images/cfa-allow-folder-ps.png)
+![Screenshot of a PowerShell window with the cmdlet above entered](../images/cfa-allow-folder-ps.png)
 > [!IMPORTANT]
 > Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list.
@@ -109,7 +109,7 @@ An allowed application or service only has write access to a controlled folder a
 4. Click **Add an allowed app** and follow the prompts to add apps.
- ![Screenshot of how to add an allowed app button](images/cfa-allow-app.png)
+ ![Screenshot of how to add an allowed app button](../images/cfa-allow-app.png)
 ### Use Group Policy to allow specific apps
@@ -138,7 +138,7 @@ An allowed application or service only has write access to a controlled folder a
 Continue to use `Add-MpPreference -ControlledFolderAccessAllowedApplications` to add more apps to the list. Apps added using this cmdlet will appear in the Windows Security app.
-![Screenshot of a PowerShell window with the above cmdlet entered](images/cfa-allow-app-ps.png)
+![Screenshot of a PowerShell window with the above cmdlet entered](../images/cfa-allow-app-ps.png)
 > [!IMPORTANT]
 > Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list.
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
index b8afb82a4f..64a77031bf 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md 
@@ -48,27 +48,27 @@ For the associated PowerShell cmdlets for each mitigation, see the [PowerShell r
 Mitigation | Description | Can be applied to | Audit mode available
 -|-|-|-
-Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)]
-Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)]
-Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)]
-Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations including those for system structures heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)]
-Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)]
-Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)]
-Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). 
| App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
-Block low integrity images | Prevents the loading of images marked with Low Integrity. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
-Block remote images | Prevents loading of images from remote devices. | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
-Block untrusted fonts | Prevents loading any GDI-based fonts not installed in the system fonts directory, notably fonts from the web. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
-Code integrity guard | Restricts loading of images signed by Microsoft, WHQL, or higher. Can optionally allow Microsoft Store signed images. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
-Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
-Disable Win32k system calls | Prevents an app from using the Win32k system call table. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
-Do not allow child processes | Prevents an app from creating child processes. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
-Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
-Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
-Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. 
Not compatible with ACG | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
-Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
-Validate handle usage | Causes an exception to be raised on any invalid handle references. | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
-Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
-Validate stack integrity (StackPivot) | Ensures that the stack has not been redirected for sensitive APIs. Not compatible with ACG | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
+Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)]
+Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)]
+Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)]
+Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations including those for system structures heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. 
| System and app-level | [!include[Check mark no](../images/svg/check-no.svg)]
+Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)]
+Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)]
+Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Block low integrity images | Prevents the loading of images marked with Low Integrity. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Block remote images | Prevents loading of images from remote devices. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
+Block untrusted fonts | Prevents loading any GDI-based fonts not installed in the system fonts directory, notably fonts from the web. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Code integrity guard | Restricts loading of images signed by Microsoft, WHQL, or higher. Can optionally allow Microsoft Store signed images. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
+Disable Win32k system calls | Prevents an app from using the Win32k system call table. 
| App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Do not allow child processes | Prevents an app from creating child processes. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
+Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
+Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
+Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
+Validate handle usage | Causes an exception to be raised on any invalid handle references. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
+Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
+Validate stack integrity (StackPivot) | Ensures that the stack has not been redirected for sensitive APIs. Not compatible with ACG | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
 > [!IMPORTANT]
 > If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work:
@@ -76,10 +76,10 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi
 >
 > Enabled in **Program settings** | Enabled in **System settings** | Behavior
 > -|-|-
-> [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | As defined in **Program settings**
-> [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | As defined in **Program settings**
-> [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | As defined in **System settings**
-> [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | Default as defined in **Use default** option
+> [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] | As defined in **Program settings**
+> [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **Program settings**
+> [!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **System settings**
+> [!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | Default as defined in **Use default** option
 >
 >
 >
@@ -100,7 +100,7 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi
 >
 > Josie also adds the app *miles.exe* to the **Program settings** section and configures **Control flow guard (CFG)** to **On**. She doesn't enable the **Override system settings** option for DEP or any other mitigations for that app.
 >
->The result will be that DEP will be enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*.
+>The result will be that DEP will be enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*.
 >CFG will be enabled for *miles.exe*.
 > [!NOTE]
@@ -130,7 +130,7 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi
 2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app:
 * Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
 * Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
-
+
 6. After selecting the app, you'll see a list of all the mitigations that can be applied. To enable the mitigation, click the check box and then change the slider to **On**. Select any additional options. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.
 7. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration.
@@ -155,11 +155,11 @@ Get-ProcessMitigation -Name processName.exe
 ```
 > [!IMPORTANT]
-> System-level mitigations that have not been configured will show a status of `NOTSET`.
+> System-level mitigations that have not been configured will show a status of `NOTSET`.
 >
-> For system-level settings, `NOTSET` indicates the default setting for that mitigation has been applied.
+> For system-level settings, `NOTSET` indicates the default setting for that mitigation has been applied.
 >
-> For app-level settings, `NOTSET` indicates the system-level setting for the mitigation will be applied.
+> For app-level settings, `NOTSET` indicates the system-level setting for the mitigation will be applied.
 >
 > The default setting for each system-level mitigation can be seen in the Windows Security.
@@ -203,7 +203,7 @@ Where:
 Set-Processmitigation -Name test.exe -Remove -Disable DEP
 ```
- You can also set some mitigations to audit mode. Instead of using the PowerShell cmdlet for the mitigation, use the **Audit mode** cmdlet as specified in the [mitigation cmdlets table](#cmdlets-table) below.
+ You can also set some mitigations to audit mode. Instead of using the PowerShell cmdlet for the mitigation, use the **Audit mode** cmdlet as specified in the [mitigation cmdlets table](#cmdlets-table) below.
 For example, to enable Arbitrary Code Guard (ACG) in audit mode for the *testing.exe* used in the example above, you'd use the following command:
@@ -215,7 +215,7 @@ You can disable audit mode by using the same command but replacing `-Enable` wit
 ### PowerShell reference table
-This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that can be used to configure each mitigation.
+This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that can be used to configure each mitigation.
@@ -227,26 +227,26 @@ Force randomization for images (Mandatory ASLR) | System and app-level | Force
 Randomize memory allocations (Bottom-Up ASLR) | System and app-level | BottomUp, HighEntropy | Audit not available
 Validate exception chains (SEHOP) | System and app-level | SEHOP, SEHOPTelemetry | Audit not available
 Validate heap integrity | System and app-level | TerminateOnError | Audit not available
-Arbitrary code guard (ACG) | App-level only | DynamicCode | AuditDynamicCode
-Block low integrity images | App-level only | BlockLowLabel | AuditImageLoad
-Block remote images | App-level only | BlockRemoteImages | Audit not available
-Block untrusted fonts | App-level only | DisableNonSystemFonts | AuditFont, FontAuditOnly
-Code integrity guard | App-level only | BlockNonMicrosoftSigned, AllowStoreSigned | AuditMicrosoftSigned, AuditStoreSigned
+Arbitrary code guard (ACG) | App-level only | DynamicCode | AuditDynamicCode
+Block low integrity images | App-level only | BlockLowLabel | AuditImageLoad
+Block remote images | App-level only | BlockRemoteImages | Audit not available
+Block untrusted fonts | App-level only | DisableNonSystemFonts | AuditFont, FontAuditOnly
+Code integrity guard | App-level only | BlockNonMicrosoftSigned, AllowStoreSigned | AuditMicrosoftSigned, AuditStoreSigned
 Disable extension points | App-level only | ExtensionPoint | Audit not available
 Disable Win32k system calls | App-level only | DisableWin32kSystemCalls | AuditSystemCall
 Do not allow child processes | App-level only | DisallowChildProcessCreation | AuditChildProcess
-Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter \[1\] | Audit not available
-Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available
-Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available
-Validate API invocation (CallerCheck) | App-level only | EnableRopCallerCheck | Audit not 
available
+Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter \[1\] | Audit not available
+Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available
+Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available
+Validate API invocation (CallerCheck) | App-level only | EnableRopCallerCheck | Audit not available
 Validate handle usage | App-level only | StrictHandle | Audit not available
-Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available
-Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available
+Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available
+Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available
 \[1\]: Use the following format to enable EAF modules for dlls for a process:
 ```PowerShell
-Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll
+Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll
 ```
 ## Customize the notification
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection.md
index 59435df273..73df2fb5a4 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection.md
@@ -49,29 +49,29 @@ The table in this section indicates the availability and support of native mitig
 Mitigation | Available in Windows Defender | Available in EMET
 -|-|-
-Arbitrary code guard (ACG) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
As "Memory Protection Check"
-Block remote images | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
As "Load Library Check"
-Block untrusted fonts | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
-Data Execution Prevention (DEP) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
-Export address filtering (EAF) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
-Force randomization for images (Mandatory ASLR) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
-NullPage Security Mitigation | [!include[Check mark yes](images/svg/check-yes.svg)]
Included natively in Windows 10
See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](images/svg/check-yes.svg)]
-Randomize memory allocations (Bottom-Up ASLR) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
-Simulate execution (SimExec) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
-Validate API invocation (CallerCheck) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
-Validate exception chains (SEHOP) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
-Validate stack integrity (StackPivot) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
-Certificate trust (configurable certificate pinning) | Windows 10 provides enterprise certificate pinning | [!include[Check mark yes](images/svg/check-yes.svg)]
-Heap spray allocation | Ineffective against newer browser-based exploits; newer mitigations provide better protection
See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](images/svg/check-yes.svg)]
-Block low integrity images | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
-Code integrity guard | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
-Disable extension points | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
-Disable Win32k system calls | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
-Do not allow child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
-Import address filtering (IAF) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
-Validate handle usage | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
-Validate heap integrity | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
-Validate image dependency integrity | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
+Arbitrary code guard (ACG) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
As "Memory Protection Check"
+Block remote images | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
As "Load Library Check"
+Block untrusted fonts | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Data Execution Prevention (DEP) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Export address filtering (EAF) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Force randomization for images (Mandatory ASLR) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+NullPage Security Mitigation | [!include[Check mark yes](../images/svg/check-yes.svg)]
Included natively in Windows 10
See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Randomize memory allocations (Bottom-Up ASLR) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Simulate execution (SimExec) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Validate API invocation (CallerCheck) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Validate exception chains (SEHOP) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Validate stack integrity (StackPivot) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Certificate trust (configurable certificate pinning) | Windows 10 provides enterprise certificate pinning | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Heap spray allocation | Ineffective against newer browser-based exploits; newer mitigations provide better protection
See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Block low integrity images | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+Code integrity guard | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+Disable extension points | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+Disable Win32k system calls | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+Do not allow child processes | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+Import address filtering (IAF) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+Validate handle usage | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+Validate heap integrity | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+Validate image dependency integrity | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
 > [!NOTE]
 > The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default in Windows Defender as part of enabling the anti-ROP mitigations for a process.
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
index bd67eebf80..80c8e25156 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
@@ -127,7 +127,7 @@ Value: c:\path|e:\path|c:\Whitelisted.exe
 * Block (enable ASR rule) = 1
 * Audit = 2
- ![Group policy setting showing a blank attack surface reduction rule ID and value of 1](images/asr-rules-gp.png)
+ ![Group policy setting showing a blank attack surface reduction rule ID and value of 1](../images/asr-rules-gp.png)
 5. To exclude files and folders from ASR rules, select the **Exclude files and paths from Attack surface reduction rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item.
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders.md
index ea03b88559..9659522e3f 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders.md
@@ -60,11 +60,11 @@ For more information about disabling local list merging, see [Prevent or allow u 1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune. 1. Click **Device configuration** > **Profiles** > **Create profile**. 1. Name the profile, choose **Windows 10 and later** and **Endpoint protection**. - ![Create endpoint protection profile](images/create-endpoint-protection-profile.png) + ![Create endpoint protection profile](../images/create-endpoint-protection-profile.png) 1. Click **Configure** > **Windows Defender Exploit Guard** > **Network filtering** > **Enable**. 1. Type the path to each application that has access to protected folders and the path to any additional folder that needs protection and click **Add**. - ![Enable controlled folder access in Intune](images/enable-cfa-intune.png) + ![Enable controlled folder access in Intune](../images/enable-cfa-intune.png) > [!NOTE] > Wilcard is supported for applications, but not for folders. Subfolders are not protected. Allowed apps will continue to trigger events until they are restarted. @@ -100,7 +100,7 @@ Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](htt * **Disable (Default)** - The Controlled folder access feature will not work. All apps can make changes to files in protected folders. * **Audit Mode** - If a malicious or suspicious app attempts to make a change to a file in a protected folder, the change will be allowed but will be recorded in the Windows event log. This allows you to assess the impact of this feature on your organization. - ![Screenshot of group policy option with Enabled and then Enable selected in the drop-down](images/cfa-gp-enable.png) + ![Screenshot of group policy option with Enabled and then Enable selected in the drop-down](../images/cfa-gp-enable.png) > [!IMPORTANT] > To fully enable controlled folder access, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu. 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md index 138efd6a68..76bada624f 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md @@ -73,10 +73,10 @@ If you add an app to the **Program settings** section and configure individual m Enabled in **Program settings** | Enabled in **System settings** | Behavior -|-|- -[!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | As defined in **Program settings** -[!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | As defined in **Program settings** -[!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | As defined in **System settings** -[!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | Default as defined in **Use default** option +[!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] | As defined in **Program settings** +[!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **Program settings** +[!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **System settings** +[!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | Default as defined in **Use default** option **Example 1** 
@@ -117,10 +117,10 @@ CFG will be enabled for *miles.exe*. 1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune. 1. Click **Device configuration** > **Profiles** > **Create profile**. 1. Name the profile, choose **Windows 10 and later** and **Endpoint protection**. - ![Create endpoint protection profile](images/create-endpoint-protection-profile.png) + ![Create endpoint protection profile](../images/create-endpoint-protection-profile.png) 1. Click **Configure** > **Windows Defender Exploit Guard** > **Exploit protection**. 1. Upload an [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) with the exploit protection settings: - ![Enable network protection in Intune](images/enable-ep-intune.png) + ![Enable network protection in Intune](../images/enable-ep-intune.png) 1. Click **OK** to save each open blade and click **Create**. 1. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md index 0f4d7ee1dc..48b2116666 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md 
@@ -14,16 +14,16 @@ ms.date: 04/01/2019 ms.reviewer: --- -# Enable virtualization-based protection of code integrity +# Enable virtualization-based protection of code integrity **Applies to** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -This topic covers different ways to enable Hypervisor-protected code integrity (HVCI) on Windows 10. -Some applications, including device drivers, may be incompatible with HVCI. -This can cause devices or software to malfunction and in rare cases may result in a blue screen. Such issues may occur after HVCI has been turned on or during the enablement process itself. -If this happens, see [Troubleshooting](#troubleshooting) for remediation steps. +This topic covers different ways to enable Hypervisor-protected code integrity (HVCI) on Windows 10. +Some applications, including device drivers, may be incompatible with HVCI. +This can cause devices or software to malfunction and in rare cases may result in a blue screen. Such issues may occur after HVCI has been turned on or during the enablement process itself. +If this happens, see [Troubleshooting](#troubleshooting) for remediation steps. >[!NOTE] >HVCI works with modern 7th gen CPUs or higher and its equivalent on AMD. CPU new feature is required *Mode based execution control (MBE) Virtualization*. AMD CPUs do not have MBE. 
@@ -37,13 +37,13 @@ If this happens, see [Troubleshooting](#troubleshooting) for remediation steps. * HVCI also ensure your other Truslets, like Credential Guard have a valid certificate. * Modern device drivers must also have an EV (Extended Validation) certificate and should support HVCI. -## How to turn on HVCI in Windows 10 +## How to turn on HVCI in Windows 10 To enable HVCI on Windows 10 devices with supporting hardware throughout an enterprise, use any of these options: - [Windows Security app](#windows-security-app) - [Microsoft Intune (or another MDM provider)](#enable-hvci-using-intune) - [Group Policy](#enable-hvci-using-group-policy) -- [System Center Configuration Manager](https://cloudblogs.microsoft.com/enterprisemobility/2015/10/30/managing-windows-10-device-guard-with-configuration-manager/) +- [System Center Configuration Manager](https://cloudblogs.microsoft.com/enterprisemobility/2015/10/30/managing-windows-10-device-guard-with-configuration-manager/) - [Registry](#use-registry-keys-to-enable-virtualization-based-protection-of-code-integrity) ### Windows Security app @@ -52,7 +52,7 @@ HVCI is labeled **Memory integrity** in the Windows Security app and it can be a ### Enable HVCI using Intune -Enabling in Intune requires using the Code Integrity node in the [AppLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp). +Enabling in Intune requires using the Code Integrity node in the [AppLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp). ### Enable HVCI using Group Policy 
@@ -61,11 +61,11 @@ Enabling in Intune requires using the Code Integrity node in the [AppLocker CSP] 3. Double-click **Turn on Virtualization Based Security**. 4. Click **Enabled** and under **Virtualization Based Protection of Code Integrity**, select **Enabled with UEFI lock** to ensure HVCI cannot be disabled remotely or select **Enabled without UEFI lock**. - ![Enable HVCI using Group Policy](images/enable-hvci-gp.png) + ![Enable HVCI using Group Policy](../images/enable-hvci-gp.png) 5. Click **Ok** to close the editor. -To apply the new policy on a domain-joined computer, either restart or run `gpupdate /force` in an elevated command prompt. +To apply the new policy on a domain-joined computer, either restart or run `gpupdate /force` in an elevated command prompt. ### Use registry keys to enable virtualization-based protection of code integrity 
@@ -185,64 +185,64 @@ Windows 10 and Windows Server 2016 have a WMI class for related properties and f > [!NOTE] > Mode Based Execution Control property will only be listed as available starting with Windows 10 version 1709. -The output of this command provides details of the available hardware-based security features as well as those features that are currently enabled. +The output of this command provides details of the available hardware-based security features as well as those features that are currently enabled. #### AvailableSecurityProperties This field helps to enumerate and report state on the relevant security properties for Windows Defender Device Guard. -| Value | Description | -|--------|-------------| -| **0.** | If present, no relevant properties exist on the device. | -| **1.** | If present, hypervisor support is available. | -| **2.** | If present, Secure Boot is available. | -| **3.** | If present, DMA protection is available. | -| **4.** | If present, Secure Memory Overwrite is available. | -| **5.** | If present, NX protections are available. | -| **6.** | If present, SMM mitigations are available. | -| **7.** | If present, Mode Based Execution Control is available. | +Value | Description +-|- +**0.** | If present, no relevant properties exist on the device. +**1.** | If present, hypervisor support is available. +**2.** | If present, Secure Boot is available. +**3.** | If present, DMA protection is available. +**4.** | If present, Secure Memory Overwrite is available. +**5.** | If present, NX protections are available. +**6.** | If present, SMM mitigations are available. +**7.** | If present, Mode Based Execution Control is available. #### InstanceIdentifier -A string that is unique to a particular device. Valid values are determined by WMI. +A string that is unique to a particular device. Valid values are determined by WMI. 
#### RequiredSecurityProperties This field describes the required security properties to enable virtualization-based security. -| Value | Description | -|--------|-------------| -| **0.** | Nothing is required. | -| **1.** | If present, hypervisor support is needed. | -| **2.** | If present, Secure Boot is needed. | -| **3.** | If present, DMA protection is needed. | -| **4.** | If present, Secure Memory Overwrite is needed. | -| **5.** | If present, NX protections are needed. | -| **6.** | If present, SMM mitigations are needed. | -| **7.** | If present, Mode Based Execution Control is needed. | +Value | Description +-|- +**0.** | Nothing is required. +**1.** | If present, hypervisor support is needed. +**2.** | If present, Secure Boot is needed. +**3.** | If present, DMA protection is needed. +**4.** | If present, Secure Memory Overwrite is needed. +**5.** | If present, NX protections are needed. +**6.** | If present, SMM mitigations are needed. +**7.** | If present, Mode Based Execution Control is needed. -#### SecurityServicesConfigured +#### SecurityServicesConfigured This field indicates whether the Windows Defender Credential Guard or HVCI service has been configured. -| Value | Description | -|--------|-------------| -| **0.** | No services configured. | -| **1.** | If present, Windows Defender Credential Guard is configured. | -| **2.** | If present, HVCI is configured. | -| **3.** | If present, System Guard Secure Launch is configured. | +Value | Description +-|- +**0.** | No services configured. +**1.** | If present, Windows Defender Credential Guard is configured. +**2.** | If present, HVCI is configured. +**3.** | If present, System Guard Secure Launch is configured. #### SecurityServicesRunning This field indicates whether the Windows Defender Credential Guard or HVCI service is running. -| Value | Description | -|--------|-------------| -| **0.** | No services running. | -| **1.** | If present, Windows Defender Credential Guard is running. 
| -| **2.** | If present, HVCI is running. | -| **3.** | If present, System Guard Secure Launch is running. | +Value | Description +-|- +**0.** | No services running. +**1.** | If present, Windows Defender Credential Guard is running. +**2.** | If present, HVCI is running. +**3.** | If present, System Guard Secure Launch is running. #### Version @@ -252,12 +252,11 @@ This field lists the version of this WMI class. The only valid value now is **1. This field indicates whether VBS is enabled and running. -| Value | Description | -|--------|-------------| -| **0.** | VBS is not enabled. | -| **1.** | VBS is enabled but not running. | -| **2.** | VBS is enabled and running. | - +Value | Description +-|- +**0.** | VBS is not enabled. +**1.** | VBS is enabled but not running. +**2.** | VBS is enabled and running. #### PSComputerName @@ -265,8 +264,7 @@ This field lists the computer name. All valid values for computer name. Another method to determine the available and enabled Windows Defender Device Guard features is to run msinfo32.exe from an elevated PowerShell session. When you run this program, the Windows Defender Device Guard properties are displayed at the bottom of the **System Summary** section. -![Windows Defender Device Guard properties in the System Summary](images/dg-fig11-dgproperties.png) - +![Windows Defender Device Guard properties in the System Summary](../images/dg-fig11-dgproperties.png) ## Troubleshooting 
@@ -294,7 +292,7 @@ Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true ### Requirements for running HVCI in Hyper-V virtual machines - The Hyper-V host must run at least Windows Server 2016 or Windows 10 version 1607. - - The Hyper-V virtual machine must be Generation 2, and running at least Windows Server 2016 or Windows 10. + - The Hyper-V virtual machine must be Generation 2, and running at least Windows Server 2016 or Windows 10. - HVCI and [nested virtualization](https://docs.microsoft.com/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) can be enabled at the same time - Virtual Fibre Channel adapters are not compatible with HVCI. Before attaching a virtual Fibre Channel Adapter to a virtual machine, you must first opt out of virtualization-based security using `Set-VMSecurity`. - The AllowFullSCSICommandSet option for pass-through disks is not compatible with HVCI. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using `Set-VMSecurity`. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md index cc1e37b1af..6e3840831e 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md 
@@ -51,7 +51,7 @@ You might want to do this to make sure it doesn't affect line-of-business apps o The network connection will be allowed and a test message will be displayed. -![Example notification that says Connection blocked: Your IT administrator caused Windows Security to block this network connection. Contact your IT help desk.](images/np-notif.png) +![Example notification that says Connection blocked: Your IT administrator caused Windows Security to block this network connection. Contact your IT help desk.](../images/np-notif.png) ## Review network protection events in Windows Event Viewer diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/event-views.md b/windows/security/threat-protection/windows-defender-exploit-guard/event-views.md index 8d4d80534d..2fe08915a1 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/event-views.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/event-views.md @@ -30,7 +30,7 @@ Reviewing the events is also handy when you are evaluating the features, as you This topic lists all the events, their associated feature or setting, and describes how to create custom views to filter to specific events. -You can also get detailed reporting into events and blocks as part of Windows Security, which you access if you have an E5 subscription and use [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md). +You can also get detailed reporting into events and blocks as part of Windows Security, which you access if you have an E5 subscription and use [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md). ## Use custom views to review attack surface reduction capabilities 
@@ -38,45 +38,43 @@ You can create custom views in the Windows Event Viewer to only see events for s The easiest way to do this is to import a custom view as an XML file. You can copy the XML directly from this page. -You can also manually navigate to the event area that corresponds to the feature. +You can also manually navigate to the event area that corresponds to the feature. ### Import an existing XML custom view 1. Create an empty .txt file and copy the XML for the custom view you want to use into the .txt file. Do this for each of the custom views you want to use. Rename the files as follows (ensure you change the type from .txt to .xml): - - Controlled folder access events custom view: *cfa-events.xml* - - Exploit protection events custom view: *ep-events.xml* - - Attack surface reduction events custom view: *asr-events.xml* - - Network/ protection events custom view: *np-events.xml* + - Controlled folder access events custom view: *cfa-events.xml* + - Exploit protection events custom view: *ep-events.xml* + - Attack surface reduction events custom view: *asr-events.xml* + - Network/ protection events custom view: *np-events.xml* 1. Type **event viewer** in the Start menu and open **Event Viewer**. -3. Click **Action** > **Import Custom View...** +1. Click **Action** > **Import Custom View...** - ![Animation highlighting Import custom view on the left of the Even viewer window](images/events-import.gif) + ![Animation highlighting Import custom view on the left of the Even viewer window](../images/events-import.gif) -4. Navigate to where you extracted XML file for the custom view you want and select it. +1. Navigate to where you extracted XML file for the custom view you want and select it. -4. Click **Open**. - -5. This will create a custom view that filters to only show the events related to that feature. +1. Click **Open**. +1. This will create a custom view that filters to only show the events related to that feature. ### Copy the XML directly - 1. 
Type **event viewer** in the Start menu and open the Windows **Event Viewer**. -3. On the left panel, under **Actions**, click **Create Custom View...** +1. On the left panel, under **Actions**, click **Create Custom View...** - ![Animation highlighting the create custom view option on the Event viewer window](images/events-create.gif) + ![Animation highlighting the create custom view option on the Event viewer window](../images/events-create.gif) -4. Go to the XML tab and click **Edit query manually**. You'll see a warning that you won't be able to edit the query using the **Filter** tab if you use the XML option. Click **Yes**. +1. Go to the XML tab and click **Edit query manually**. You'll see a warning that you won't be able to edit the query using the **Filter** tab if you use the XML option. Click **Yes**. -5. Paste the XML code for the feature you want to filter events from into the XML section. +1. Paste the XML code for the feature you want to filter events from into the XML section. -4. Click **OK**. Specify a name for your filter. +1. Click **OK**. Specify a name for your filter. -5. This will create a custom view that filters to only show the events related to that feature. +1. This will create a custom view that filters to only show the events related to that feature. ### XML for attack surface reduction rule events @@ -133,7 +131,6 @@ You can also manually navigate to the event area that corresponds to the feature ## List of attack surface reduction events - All attack surface reductiond events are located under **Applications and Services Logs > Microsoft > Windows** and then the folder or provider as listed in the following table. You can access these events in Windows Event viewer: 
@@ -142,7 +139,7 @@ You can access these events in Windows Event viewer: 2. Expand **Applications and Services Logs > Microsoft > Windows** and then go to the folder listed under **Provider/source** in the table below. 3. Double-click on the sub item to see events. Scroll through the events to find the one you are looking. - ![Animation showing using Event Viewer](images/event-viewer.gif) + ![Animation showing using Event Viewer](../images/event-viewer.gif) Feature | Provider/source | Event ID | Description :-|:-|:-:|:- 
@@ -173,13 +170,13 @@ Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 24 | ROP Sim Exploit protection | WER-Diagnostics | 5 | CFG Block Exploit protection | Win32K (Operational) | 260 | Untrusted Font Network protection | Windows Defender (Operational) | 5007 | Event when settings are changed -Network protection | Windows Defender (Operational) | 1125 | Event when Network protection fires in Audit-mode -Network protection | Windows Defender (Operational) | 1126 | Event when Network protection fires in Block-mode +Network protection | Windows Defender (Operational) | 1125 | Event when Network protection fires in Audit-mode +Network protection | Windows Defender (Operational) | 1126 | Event when Network protection fires in Block-mode Controlled folder access | Windows Defender (Operational) | 5007 | Event when settings are changed Controlled folder access | Windows Defender (Operational) | 1124 | Audited Controlled folder access event Controlled folder access | Windows Defender (Operational) | 1123 | Blocked Controlled folder access event Controlled folder access | Windows Defender (Operational) | 1127 | Blocked Controlled folder access sector write block event Controlled folder access | Windows Defender (Operational) | 1128 | Audited Controlled folder access sector write block event Attack surface reduction | Windows Defender (Operational) | 5007 | Event when settings are changed -Attack surface reduction | Windows Defender (Operational) | 1122 | Event when rule fires in Audit-mode -Attack surface reduction | Windows Defender (Operational) | 1121 | Event when rule fires in Block-mode +Attack surface reduction | Windows Defender (Operational) | 1122 | Event when rule fires in Audit-mode +Attack surface reduction | Windows Defender (Operational) | 1121 | Event when rule fires in Block-mode 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection.md index 1e317f2160..568f45096f 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection.md @@ -98,29 +98,29 @@ The table in this section indicates the availability and support of native mitig Mitigation | Available under Exploit protection | Available in EMET -|-|- -Arbitrary code guard (ACG) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
As "Memory Protection Check" -Block remote images | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
As "Load Library Check" -Block untrusted fonts | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] -Data Execution Prevention (DEP) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] -Export address filtering (EAF) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] -Force randomization for images (Mandatory ASLR) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] -NullPage Security Mitigation | [!include[Check mark yes](images/svg/check-yes.svg)]
Included natively in Windows 10
See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](images/svg/check-yes.svg)] -Randomize memory allocations (Bottom-Up ASLR) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] -Simulate execution (SimExec) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] -Validate API invocation (CallerCheck) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] -Validate exception chains (SEHOP) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] -Validate stack integrity (StackPivot) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] -Certificate trust (configurable certificate pinning) | Windows 10 provides enterprise certificate pinning | [!include[Check mark yes](images/svg/check-yes.svg)] -Heap spray allocation | Ineffective against newer browser-based exploits; newer mitigations provide better protection
See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](images/svg/check-yes.svg)] -Block low integrity images | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] -Code integrity guard | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] -Disable extension points | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] -Disable Win32k system calls | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] -Do not allow child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] -Import address filtering (IAF) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] -Validate handle usage | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] -Validate heap integrity | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] -Validate image dependency integrity | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] +Arbitrary code guard (ACG) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
As "Memory Protection Check" +Block remote images | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
As "Load Library Check" +Block untrusted fonts | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] +Data Execution Prevention (DEP) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] +Export address filtering (EAF) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] +Force randomization for images (Mandatory ASLR) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] +NullPage Security Mitigation | [!include[Check mark yes](../images/svg/check-yes.svg)]
Included natively in Windows 10
See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](../images/svg/check-yes.svg)] +Randomize memory allocations (Bottom-Up ASLR) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] +Simulate execution (SimExec) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] +Validate API invocation (CallerCheck) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] +Validate exception chains (SEHOP) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] +Validate stack integrity (StackPivot) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] +Certificate trust (configurable certificate pinning) | Windows 10 provides enterprise certificate pinning | [!include[Check mark yes](../images/svg/check-yes.svg)] +Heap spray allocation | Ineffective against newer browser-based exploits; newer mitigations provide better protection
See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](../images/svg/check-yes.svg)] +Block low integrity images | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] +Code integrity guard | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] +Disable extension points | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] +Disable Win32k system calls | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] +Do not allow child processes | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] +Import address filtering (IAF) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] +Validate handle usage | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] +Validate heap integrity | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] +Validate image dependency integrity | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] > [!NOTE] > The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default, as part of enabling the anti-ROP mitigations for a process. 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md b/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md index 87f3077150..c46302a04f 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md @@ -49,11 +49,11 @@ When you have configured exploit protection to your desired state (including bot 2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection settings**: - ![Highlight of the Exploit protection settings option in the Windows Security app](images/wdsc-exp-prot.png) + ![Highlight of the Exploit protection settings option in the Windows Security app](../images/wdsc-exp-prot.png) 3. At the bottom of the **Exploit protection** section, click **Export settings** and then choose the location and name of the XML file where you want the configuration to be saved. -![Highlight of the Export Settings option](images/wdsc-exp-prot-export.png) +![Highlight of the Export Settings option](../images/wdsc-exp-prot-export.png) > [!NOTE] > When you export the settings, all settings for both app-level and system-level mitigations are saved. This means you don't need to export a file from both the **System settings** and **Program settings** sections - either section will export all settings. 
@@ -144,7 +144,7 @@ You can use Group Policy to deploy the configuration you've created to multiple
 3. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit protection**.
- ![Screenshot of the group policy setting for exploit protection](images/exp-prot-gp.png)
+ ![Screenshot of the group policy setting for exploit protection](../images/exp-prot-gp.png)
 4. Double-click the **Use a common set of Exploit protection settings** setting and set the option to **Enabled**.
From 1771ec8d5cdca9b9e0c11d245221e3e209c08378 Mon Sep 17 00:00:00 2001 From: martyav Date: Mon, 19 Aug 2019 14:51:16 -0400 Subject: [PATCH 36/49] fixing some links --- .../overview-attack-surface-reduction.md | 6 +++--- .../microsoft-defender-atp/secure-score-dashboard.md | 2 +- .../enable-network-protection.md | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md
index 594a869390..ce4b832cde 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md
@@ -30,7 +30,7 @@ Article | Description
 [Hardware-based isolation](../windows-defender-application-guard/wd-app-guard-overview.md) | Protect and maintain the integrity of a system as it starts and while it's running. Validate system integrity through local and remote attestation. And, use container isolation for Microsoft Edge to help guard against malicious websites.
 [Application control](../windows-defender-application-control/windows-defender-application-control.md) | Use application control so that your applications must earn trust in order to run.
 [Exploit protection](../windows-defender-exploit-guard/exploit-protection.md) |Help protect operating systems and apps your organization uses from being exploited. Exploit protection also works with third-party antivirus solutions.
-[Network protection](../windows-defender-exploit-guard/network-protection-exploit-guard.md) |Extend protection to your network traffic and connectivity on your organization's devices. (Requires Windows Defender Antivirus) |
-[Controlled folder access](../windows-defender-exploit-guard/controlled-folders-exploit-guard.md) | Help prevent malicious or suspicious apps (including file-encrypting ransomware malware) from making changes to files in your key system folders (Requires Windows Defender Antivirus)
-[Attack surface reduction](../windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md) |Reduce vulnerabilities (attack surfaces) in your applications with intelligent rules that help stop malware. (Requires Windows Defender Antivirus)
+[Network protection](../windows-defender-exploit-guard/network-protection.md) |Extend protection to your network traffic and connectivity on your organization's devices. 
(Requires Windows Defender Antivirus) |
+[Controlled folder access](../windows-defender-exploit-guard/controlled-folders.md) | Help prevent malicious or suspicious apps (including file-encrypting ransomware malware) from making changes to files in your key system folders (Requires Windows Defender Antivirus)
+[Attack surface reduction](../windows-defender-exploit-guard/attack-surface-reduction.md) |Reduce vulnerabilities (attack surfaces) in your applications with intelligent rules that help stop malware. (Requires Windows Defender Antivirus)
 [Network firewall](../windows-firewall/windows-firewall-with-advanced-security.md) |Prevent unauthorized traffic from flowing to or from your organization's devices with two-way network traffic filtering.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md b/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md
index 58133ccf02..b90cb5e54a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md
@@ -159,7 +159,7 @@ You can take the following actions to increase the overall security score of you
 - Turn on Controlled Folder Access
 - Turn on Windows Defender Antivirus on compatible machines
-For more information, see [Windows Defender Exploit Guard](../windows-defender-exploit-guard/windows-defender-exploit-guard.md).
+For more information, see [Windows Defender Exploit Guard](../windows-defender-exploit-guard/windows-defender.md).
 ### Windows Defender Application Guard (Windows Defender AG) optimization
 A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Windows Defender AG. When endpoints are configured according to the baseline, Windows Defender AG events shows on the Microsoft Defender ATP Machine timeline.
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md
index 29ba7eda9d..97a6409ed0 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md
@@ -39,9 +39,9 @@ You can enable network protection by using any of these methods:
 1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune.
 1. Click **Device configuration** > **Profiles** > **Create profile**.
 1. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
- ![Create endpoint protection profile](images/create-endpoint-protection-profile.png)
+ ![Create endpoint protection profile](../images/create-endpoint-protection-profile.png)
 1. Click **Configure** > **Windows Defender Exploit Guard** > **Network filtering** > **Enable**.
- ![Enable network protection in Intune](images/enable-np-intune.png)
+ ![Enable network protection in Intune](../images/enable-np-intune.png)
 1. Click **OK** to save each open blade and click **Create**.
 1. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**.
From 1869b2de46d39f4da647f5dec40a9dbd4859abc8 Mon Sep 17 00:00:00 2001 From: martyav Date: Mon, 19 Aug 2019 17:28:58 -0400 Subject: [PATCH 37/49] removed link to rm'd page --- .../microsoft-defender-atp/secure-score-dashboard.md | 2 -- 1 file changed, 2 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md b/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md
index b90cb5e54a..75423bc86d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md
@@ -159,8 +159,6 @@ You can take the following actions to increase the overall security score of you
 - Turn on Controlled Folder Access
 - Turn on Windows Defender Antivirus on compatible machines
-For more information, see [Windows Defender Exploit Guard](../windows-defender-exploit-guard/windows-defender.md).
-
 ### Windows Defender Application Guard (Windows Defender AG) optimization
 A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Windows Defender AG. When endpoints are configured according to the baseline, Windows Defender AG events shows on the Microsoft Defender ATP Machine timeline.
From ae43d721933fdb2a82c2fd8a7e8e4890abe24319 Mon Sep 17 00:00:00 2001 From: martyav Date: Wed, 21 Aug 2019 14:28:15 -0400 Subject: [PATCH 38/49] moved attack surface topics to mdatp dir --- .../attack-surface-reduction-rules-in-windows-10-enterprise-e3.md | 0 .../attack-surface-reduction.md | 0 .../enable-attack-surface-reduction.md | 0 .../evaluate-attack-surface-reduction.md | 0 .../troubleshoot-asr.md | 0 5 files changed, 0 insertions(+), 0 deletions(-) rename windows/security/threat-protection/{windows-defender-exploit-guard => microsoft-defender-atp}/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md (100%) rename windows/security/threat-protection/{windows-defender-exploit-guard => microsoft-defender-atp}/attack-surface-reduction.md (100%) rename windows/security/threat-protection/{windows-defender-exploit-guard => microsoft-defender-atp}/enable-attack-surface-reduction.md (100%) rename windows/security/threat-protection/{windows-defender-exploit-guard => microsoft-defender-atp}/evaluate-attack-surface-reduction.md (100%) rename windows/security/threat-protection/{windows-defender-exploit-guard => microsoft-defender-atp}/troubleshoot-asr.md (100%)
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md similarity index 100% rename from windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md rename to windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md similarity index 100% rename from windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction.md rename to windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md similarity index 100% rename from windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md rename to windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md similarity index 100% rename from windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md rename to windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md similarity index 100% rename from windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md rename to windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md From b47e96c95c28362d84e5e5de506c246a4d3275bb Mon Sep 17 00:00:00 2001 
From: martyav Date: Wed, 21 Aug 2019 14:42:25 -0400 Subject: [PATCH 39/49] moved exploit protection topics to mdatp dir --- .../customize-attack-surface-reduction.md | 0 .../customize-exploit-protection.md | 0 .../emet-exploit-protection.md | 0 .../enable-exploit-protection.md | 0 .../evaluate-exploit-protection.md | 0 .../exploit-protection.md | 0 .../import-export-exploit-protection-emet-xml.md | 0 .../troubleshoot-exploit-protection-mitigations.md | 0 8 files changed, 0 insertions(+), 0 deletions(-) rename windows/security/threat-protection/{windows-defender-exploit-guard => microsoft-defender-atp}/customize-attack-surface-reduction.md (100%) rename windows/security/threat-protection/{windows-defender-exploit-guard => microsoft-defender-atp}/customize-exploit-protection.md (100%) rename windows/security/threat-protection/{windows-defender-exploit-guard => microsoft-defender-atp}/emet-exploit-protection.md (100%) rename windows/security/threat-protection/{windows-defender-exploit-guard => microsoft-defender-atp}/enable-exploit-protection.md (100%) rename windows/security/threat-protection/{windows-defender-exploit-guard => microsoft-defender-atp}/evaluate-exploit-protection.md (100%) rename windows/security/threat-protection/{windows-defender-exploit-guard => microsoft-defender-atp}/exploit-protection.md (100%) rename windows/security/threat-protection/{windows-defender-exploit-guard => microsoft-defender-atp}/import-export-exploit-protection-emet-xml.md (100%) rename windows/security/threat-protection/{windows-defender-exploit-guard => microsoft-defender-atp}/troubleshoot-exploit-protection-mitigations.md (100%) 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md similarity index 100% rename from windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md rename to windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/emet-exploit-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/emet-exploit-protection.md diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md b/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md similarity index 100% rename from windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md rename to windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md similarity index 100% rename from windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md rename to windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md From 3a57871553f58c1a3bd0cf29bb662ae1fbe177db Mon Sep 17 00:00:00 2001 
From: martyav Date: Wed, 21 Aug 2019 14:45:21 -0400 Subject: [PATCH 40/49] moved controlled folders topics to mdatp dir --- .../controlled-folders.md | 0 .../customize-controlled-folders.md | 0 .../enable-controlled-folders.md | 0 .../evaluate-controlled-folder-access.md | 0 4 files changed, 0 insertions(+), 0 deletions(-) rename windows/security/threat-protection/{windows-defender-exploit-guard => microsoft-defender-atp}/controlled-folders.md (100%) rename windows/security/threat-protection/{windows-defender-exploit-guard => microsoft-defender-atp}/customize-controlled-folders.md (100%) rename windows/security/threat-protection/{windows-defender-exploit-guard => microsoft-defender-atp}/enable-controlled-folders.md (100%) rename windows/security/threat-protection/{windows-defender-exploit-guard => microsoft-defender-atp}/evaluate-controlled-folder-access.md (100%) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md similarity index 100% rename from windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders.md rename to windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md similarity index 100% rename from windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders.md rename to windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md similarity index 100% rename from windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders.md rename to windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md similarity index 100% rename from windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md rename to windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md From 177e739728e2c77e61caeb1ea63d58e9b3ec0db3 Mon Sep 17 00:00:00 2001 From: martyav Date: Wed, 21 Aug 2019 14:55:14 -0400 Subject: [PATCH 41/49] moved network protection topics into mdatp --- .../enable-network-protection.md | 0 .../evaluate-network-protection.md | 0 .../event-views.md | 0 .../network-protection.md | 0 .../troubleshoot-np.md | 0 5 files changed, 0 insertions(+), 0 deletions(-) rename windows/security/threat-protection/{windows-defender-exploit-guard => microsoft-defender-atp}/enable-network-protection.md (100%) rename windows/security/threat-protection/{windows-defender-exploit-guard => microsoft-defender-atp}/evaluate-network-protection.md (100%) rename windows/security/threat-protection/{windows-defender-exploit-guard => microsoft-defender-atp}/event-views.md (100%) rename windows/security/threat-protection/{windows-defender-exploit-guard => microsoft-defender-atp}/network-protection.md (100%) rename windows/security/threat-protection/{windows-defender-exploit-guard => microsoft-defender-atp}/troubleshoot-np.md (100%) 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection.md diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/event-views.md b/windows/security/threat-protection/microsoft-defender-atp/event-views.md similarity index 100% rename from windows/security/threat-protection/windows-defender-exploit-guard/event-views.md rename to windows/security/threat-protection/microsoft-defender-atp/event-views.md diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-exploit-guard/network-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/network-protection.md diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md similarity index 100% rename from windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md rename to windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md 
From 9f615a25abc52d8842bde95d4acbe1fedda89347 Mon Sep 17 00:00:00 2001 From: martyav Date: Wed, 21 Aug 2019 15:22:14 -0400 Subject: [PATCH 42/49] rm'd unused files & mv'd remaining to device-guard dir --- ...tion-based-protection-of-code-integrity.md | 0 .../memory-integrity.md | 0 ...tion-based-protection-of-code-integrity.md | 0 .../audit-windows-defender.md | 0 .../graphics.md | 11 -------- .../windows-defender-exploit-guard/oldTOC.md | 25 ------------------- .../prerelease.md | 9 ------- 7 files changed, 45 deletions(-) rename windows/security/threat-protection/{windows-defender-exploit-guard => device-guard}/enable-virtualization-based-protection-of-code-integrity.md (100%) rename windows/security/threat-protection/{windows-defender-exploit-guard => device-guard}/memory-integrity.md (100%) rename windows/security/threat-protection/{windows-defender-exploit-guard => device-guard}/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md (100%) rename windows/security/threat-protection/{windows-defender-exploit-guard => microsoft-defender-atp}/audit-windows-defender.md (100%) delete mode 100644 windows/security/threat-protection/windows-defender-exploit-guard/graphics.md delete mode 100644 windows/security/threat-protection/windows-defender-exploit-guard/oldTOC.md delete mode 100644 windows/security/threat-protection/windows-defender-exploit-guard/prerelease.md diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md similarity index 100% rename from windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md rename to windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md b/windows/security/threat-protection/device-guard/memory-integrity.md similarity index 100% rename from windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md rename to windows/security/threat-protection/device-guard/memory-integrity.md diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md similarity index 100% rename from windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md rename to windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender.md b/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md similarity index 100% rename from windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender.md rename to windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/graphics.md b/windows/security/threat-protection/windows-defender-exploit-guard/graphics.md deleted file mode 100644 index 111bb99fc5..0000000000 --- a/windows/security/threat-protection/windows-defender-exploit-guard/graphics.md +++ /dev/null @@ -1,11 +0,0 @@ ---- -ms.date: 09/18/2017 -ms.reviewer: -manager: dansimp -ms.author: ellevin -author: levinec ---- -Check mark no - - -Check mark yes 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/oldTOC.md b/windows/security/threat-protection/windows-defender-exploit-guard/oldTOC.md deleted file mode 100644
index 759d9db64f..0000000000
--- a/windows/security/threat-protection/windows-defender-exploit-guard/oldTOC.md
+++ /dev/null
@@ -1,25 +0,0 @@
-## [Use auditing mode to evaluate Windows Defender](audit-windows-defender.md)
-## [View events](event-views.md)
-
-## [Exploit protection](exploit-protection.md)
-### [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection.md)
-### [Evaluate Exploit protection](evaluate-exploit-protection.md)
-### [Enable Exploit protection](enable-exploit-protection.md)
-### [Customize Exploit protection](customize-exploit-protection.md)
-#### [Import, export, and deploy Exploit protection configurations](import-export-exploit-protection-emet-xml.md)
-### [Memory integrity](memory-integrity.md)
-#### [Requirements for virtualization-based protection of code integrity](requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
-#### [Enable virtualization-based protection of code integrity](enable-virtualization-based-protection-of-code-integrity.md)
-## [Attack surface reduction](attack-surface-reduction.md)
-### [Evaluate Attack surface reduction](evaluate-attack-surface-reduction.md)
-### [Enable Attack surface reduction](enable-attack-surface-reduction.md)
-### [Customize Attack surface reduction](customize-attack-surface-reduction.md)
-### [Troubleshoot Attack surface reduction rules](troubleshoot-asr.md)
-## [Network Protection](network-protection.md)
-### [Evaluate Network Protection](evaluate-network-protection.md)
-### [Enable Network Protection](enable-network-protection.md)
-### [Troubleshoot Network protection](troubleshoot-np.md)
-## [Controlled folder access](controlled-folders.md)
-### [Evaluate Controlled folder access](evaluate-controlled-folder-access.md)
-### [Enable Controlled folder access](enable-controlled-folders.md)
-### [Customize Controlled folder access](customize-controlled-folders.md)
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/prerelease.md b/windows/security/threat-protection/windows-defender-exploit-guard/prerelease.md deleted file mode 100644
index 6e993c8c0a..0000000000
--- a/windows/security/threat-protection/windows-defender-exploit-guard/prerelease.md
+++ /dev/null
@@ -1,9 +0,0 @@
----
-ms.date: 08/25/2017
-ms.reviewer:
-manager: dansimp
-ms.author: ellevin
-author: levinec
----
-> [!IMPORTANT]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
From 2993285bc1fb63bcf0763ea3686d42d57cfc073f Mon Sep 17 00:00:00 2001 From: martyav Date: Wed, 21 Aug 2019 16:02:08 -0400 Subject: [PATCH 43/49] updated links in non-TOC pages --- .../configure-attack-surface-reduction.md | 8 ++++---- .../configure-machines-asr.md | 2 +- .../microsoft-defender-atp/evaluate-atp.md | 17 +++++++++++------ .../overview-attack-surface-reduction.md | 8 ++++---- .../wdsc-app-browser-control.md | 2 +- 5 files changed, 21 insertions(+), 16 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md
index a9e67f227a..d0dfe6add3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md
@@ -35,8 +35,8 @@ Topic | Description
 -|-
 [Enable hardware-based isolation for Microsoft Edge](../windows-defender-application-guard/install-wd-app-guard.md) | How to preprare for and install Application Guard, including hardware and softeware requirements
 [Enable application control](../windows-defender-application-control/windows-defender-application-control.md)|How to control applications run by users and potect kernel mode processes
-[Exploit protection](../windows-defender-exploit-guard/enable-exploit-protection.md)|How to automatically apply exploit mitigation techniques on both operating system processes and on individual apps
-[Network protection](../windows-defender-exploit-guard/enable-network-protection.md)|How to prevent users from using any apps to acces dangerous domains
-[Controlled folder access](../windows-defender-exploit-guard/enable-controlled-folders.md)|How to protect valuable data from malicious apps
-[Attack surface reduction](../windows-defender-exploit-guard/enable-attack-surface-reduction.md)|How to prevent actions and apps that are typically used for by exploit-seeking malware
+[Exploit protection](./enable-exploit-protection.md)|How to automatically apply exploit mitigation techniques on both operating system processes and on individual apps
+[Network protection](./enable-network-protection.md)|How to prevent users from using any apps to acces dangerous domains
+[Controlled folder access](./enable-controlled-folders.md)|How to protect valuable data from malicious apps
+[Attack surface reduction](./enable-attack-surface-reduction.md)|How to prevent actions and apps that are typically used for by exploit-seeking malware
 [Network firewall](../windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md)|How to protect devices and data across a network
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md
index d6dd489b05..69c4df40de 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md
@@ -25,7 +25,7 @@ ms.topic: article
 > Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
-[Attack surface reduction (ASR) rules](../windows-defender-exploit-guard/attack-surface-reduction.md) identify and prevent actions that are typically taken by malware during exploitation. These rules control when and how potentially malicious code can run. For example, you can prevent JavaScript or VBScript from launching a downloaded executable, block Win32 API calls from Office macros, or block processes that run from USB drives.
+[Attack surface reduction (ASR) rules](./attack-surface-reduction.md) identify and prevent actions that are typically taken by malware during exploitation. These rules control when and how potentially malicious code can run. For example, you can prevent JavaScript or VBScript from launching a downloaded executable, block Win32 API calls from Office macros, or block processes that run from USB drives.
 ![Attack surface management card](images/secconmgmt_asr_card.png)
*Attack surface management card*
diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md
index c589b30285..9ccbcfb220 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md
@@ -19,25 +19,30 @@ ms.topic: conceptual --- # Evaluate Microsoft Defender ATP + [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. You can evaluate Microsoft Defender Advanced Threat Protection in your organization by [starting your free trial](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp). -You can also evaluate the different security capabilities in Microsoft Defender ATP by using the following instructions. +You can also evaluate the different security capabilities in Microsoft Defender ATP by using the following instructions. ## Evaluate attack surface reduction + These capabilities help prevent attacks and exploitations from infecting your organization. -- [Evaluate attack surface reduction](../windows-defender-exploit-guard/evaluate-attack-surface-reduction.md) -- [Evaluate exploit protection](../windows-defender-exploit-guard/evaluate-exploit-protection.md) -- [Evaluate network protection](../windows-defender-exploit-guard/evaluate-exploit-protection.md) -- [Evaluate controlled folder access](../windows-defender-exploit-guard/evaluate-controlled-folder-access.md) + +- [Evaluate attack surface reduction](./evaluate-attack-surface-reduction.md) +- [Evaluate exploit protection](./evaluate-exploit-protection.md) +- [Evaluate network protection](./evaluate-exploit-protection.md) +- [Evaluate controlled folder access](./evaluate-controlled-folder-access.md) - [Evaluate application guard](../windows-defender-application-guard/test-scenarios-wd-app-guard.md) - [Evaluate network firewall](../windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md) ## Evaluate next generation protection + Next gen protections help detect and block the latest threats. 
+ - [Evaluate antivirus](../windows-defender-antivirus/evaluate-windows-defender-antivirus.md) - ## See Also + [Get started with Microsoft Defender Advanced Threat Protection](get-started.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md index ce4b832cde..eeaaedc402 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md 
@@ -29,8 +29,8 @@ Article | Description -|- [Hardware-based isolation](../windows-defender-application-guard/wd-app-guard-overview.md) | Protect and maintain the integrity of a system as it starts and while it's running. Validate system integrity through local and remote attestation. And, use container isolation for Microsoft Edge to help guard against malicious websites. [Application control](../windows-defender-application-control/windows-defender-application-control.md) | Use application control so that your applications must earn trust in order to run. -[Exploit protection](../windows-defender-exploit-guard/exploit-protection.md) |Help protect operating systems and apps your organization uses from being exploited. Exploit protection also works with third-party antivirus solutions. -[Network protection](../windows-defender-exploit-guard/network-protection.md) |Extend protection to your network traffic and connectivity on your organization's devices. (Requires Windows Defender Antivirus) | -[Controlled folder access](../windows-defender-exploit-guard/controlled-folders.md) | Help prevent malicious or suspicious apps (including file-encrypting ransomware malware) from making changes to files in your key system folders (Requires Windows Defender Antivirus) -[Attack surface reduction](../windows-defender-exploit-guard/attack-surface-reduction.md) |Reduce vulnerabilities (attack surfaces) in your applications with intelligent rules that help stop malware. (Requires Windows Defender Antivirus) +[Exploit protection](./exploit-protection.md) |Help protect operating systems and apps your organization uses from being exploited. Exploit protection also works with third-party antivirus solutions. +[Network protection](./network-protection.md) |Extend protection to your network traffic and connectivity on your organization's devices. 
(Requires Windows Defender Antivirus) | +[Controlled folder access](./controlled-folders.md) | Help prevent malicious or suspicious apps (including file-encrypting ransomware malware) from making changes to files in your key system folders (Requires Windows Defender Antivirus) +[Attack surface reduction](./attack-surface-reduction.md) |Reduce vulnerabilities (attack surfaces) in your applications with intelligent rules that help stop malware. (Requires Windows Defender Antivirus) [Network firewall](../windows-firewall/windows-firewall-with-advanced-security.md) |Prevent unauthorized traffic from flowing to or from your organization's devices with two-way network traffic filtering. diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md index 33fff60684..001c490193 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md 
@@ -25,7 +25,7 @@ manager: dansimp The **App and browser control** section contains information and settings for Windows Defender SmartScreen. IT administrators and IT pros can get configuration guidance from the [Windows Defender SmartScreen documentation library](https://docs.microsoft.com/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview). -In Windows 10, version 1709 and later, the section also provides configuration options for Exploit protection. You can prevent users from modifying these specific options with Group Policy. IT administrators can get more information at [Exploit protection](../windows-defender-exploit-guard/exploit-protection.md). +In Windows 10, version 1709 and later, the section also provides configuration options for Exploit protection. You can prevent users from modifying these specific options with Group Policy. IT administrators can get more information at [Exploit protection](../microsoft-defender-atp/exploit-protection.md). You can also choose to hide the section from users of the machine. This can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section. From cc19d20713c2e85fc796cddd095edf76ce546b74 Mon Sep 17 00:00:00 2001 From: martyav Date: Thu, 22 Aug 2019 09:15:16 -0400 Subject: [PATCH 44/49] tackling TOC & index pages --- windows/security/threat-protection/TOC.md | 38 ++++++++++----------- windows/security/threat-protection/index.md | 8 ++--- 2 files changed, 23 insertions(+), 23 deletions(-) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 044df42819..2a9fcb3ede 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md 
@@ -28,10 +28,10 @@ ##### [System integrity](windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md) #### [Application control](windows-defender-application-control/windows-defender-application-control.md) -#### [Exploit protection](windows-defender-exploit-guard/exploit-protection.md) -#### [Network protection](windows-defender-exploit-guard/network-protection.md) -#### [Controlled folder access](windows-defender-exploit-guard/controlled-folders.md) -#### [Attack surface reduction](windows-defender-exploit-guard/attack-surface-reduction.md) +#### [Exploit protection](microsoft-defender-atp/exploit-protection.md) +#### [Network protection](microsoft-defender-atp/network-protection.md) +#### [Controlled folder access](microsoft-defender-atp/controlled-folders.md) +#### [Attack surface reduction](microsoft-defender-atp/attack-surface-reduction.md) #### [Network firewall](windows-firewall/windows-firewall-with-advanced-security.md) ### [Next generation protection](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) 
@@ -155,10 +155,10 @@ ##### [Attack surface reduction and nex-generation evaluation overview](microsoft-defender-atp/evaluate-atp.md) ##### [Hardware-based isolation](windows-defender-application-guard/test-scenarios-wd-app-guard.md) ##### [Application control](windows-defender-application-control/audit-windows-defender-application-control-policies.md) -##### [Exploit protection](windows-defender-exploit-guard/evaluate-exploit-protection.md) -##### [Network Protection](windows-defender-exploit-guard/evaluate-network-protection.md) -##### [Controlled folder access](windows-defender-exploit-guard/evaluate-controlled-folder-access.md) -##### [Attack surface reduction](windows-defender-exploit-guard/evaluate-attack-surface-reduction.md) +##### [Exploit protection](microsoft-defender-atp/evaluate-exploit-protection.md) +##### [Network Protection](microsoft-defender-atp/evaluate-network-protection.md) +##### [Controlled folder access](microsoft-defender-atp/evaluate-controlled-folder-access.md) +##### [Attack surface reduction](microsoft-defender-atp/evaluate-attack-surface-reduction.md) ##### [Network firewall](windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md) ##### [Evaluate next generation protection](windows-defender-antivirus/evaluate-windows-defender-antivirus.md) 
@@ -184,20 +184,20 @@ ###### [Code integrity](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md) ###### [Memory integrity]() -####### [Understand memory integrity](windows-defender-exploit-guard/memory-integrity.md) -####### [Hardware qualifications](windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md) -####### [Enable HVCI](windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md) +####### [Understand memory integrity](device-guard/memory-integrity.md) +####### [Hardware qualifications](device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md) +####### [Enable HVCI](device-guard/enable-virtualization-based-protection-of-code-integrity.md) #### [Exploit protection]() -##### [Enable exploit protection](windows-defender-exploit-guard/enable-exploit-protection.md) -##### [Import/export configurations](windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md) +##### [Enable exploit protection](microsoft-defender-atp/enable-exploit-protection.md) +##### [Import/export configurations](microsoft-defender-atp/import-export-exploit-protection-emet-xml.md) -#### [Network protection](windows-defender-exploit-guard/enable-network-protection.md) -#### [Controlled folder access](windows-defender-exploit-guard/enable-controlled-folders.md) +#### [Network protection](microsoft-defender-atp/enable-network-protection.md) +#### [Controlled folder access](microsoft-defender-atp/enable-controlled-folders.md) #### [Attack surface reduction controls]() -##### [Enable attack surface reduction rules](windows-defender-exploit-guard/enable-attack-surface-reduction.md) -##### [Customize attack surface reduction](windows-defender-exploit-guard/customize-attack-surface-reduction.md) +##### [Enable attack surface reduction 
rules](microsoft-defender-atp/enable-attack-surface-reduction.md) +##### [Customize attack surface reduction](microsoft-defender-atp/customize-attack-surface-reduction.md) #### [Network firewall](windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md) @@ -533,8 +533,8 @@ #### [Troubleshoot issues related to live response](microsoft-defender-atp/troubleshoot-live-response.md) ### [Troubleshoot attack surface reduction]() -#### [Network protection](windows-defender-exploit-guard/troubleshoot-np.md) -#### [Attack surface reduction rules](windows-defender-exploit-guard/troubleshoot-asr.md) +#### [Network protection](microsoft-defender-atp/troubleshoot-np.md) +#### [Attack surface reduction rules](microsoft-defender-atp/troubleshoot-asr.md) ### [Troubleshoot next generation protection](windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md) diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md index 96e2406a26..ed4ed90c14 100644 --- a/windows/security/threat-protection/index.md +++ b/windows/security/threat-protection/index.md 
@@ -63,11 +63,11 @@ The attack surface reduction set of capabilities provide the first line of defen - [Hardware based isolation](microsoft-defender-atp/overview-hardware-based-isolation.md) - [Application control](windows-defender-application-control/windows-defender-application-control.md) - [Device control](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md) -- [Exploit protection](windows-defender-exploit-guard/exploit-protection.md) -- [Network protection](windows-defender-exploit-guard/network-protection.md) -- [Controlled folder access](windows-defender-exploit-guard/controlled-folders.md) +- [Exploit protection](microsoft-defender-atp/exploit-protection.md) +- [Network protection](microsoft-defender-atp/network-protection.md) +- [Controlled folder access](microsoft-defender-atp/controlled-folders.md) - [Network firewall](windows-firewall/windows-firewall-with-advanced-security.md) -- [Attack surface reduction rules](windows-defender-exploit-guard/attack-surface-reduction.md) +- [Attack surface reduction rules](microsoft-defender-atp/attack-surface-reduction.md) From adb31d47afa94965ca836fd34fad5424eb3cf237 Mon Sep 17 00:00:00 2001 From: martyav Date: Mon, 26 Aug 2019 18:19:31 -0400 Subject: [PATCH 45/49] round one on redirects --- .openpublishing.redirection.json | 162 +++++++++++++++++++++++++++++-- 1 file changed, 153 insertions(+), 9 deletions(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index d3069c4d21..b3e3ba1e5e 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json 
@@ -6,11 +6,6 @@ "redirect_document_id": true }, { -"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md", -"redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np", -"redirect_document_id": true -}, -{ "source_path": "windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md", "redirect_url": "/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure", "redirect_document_id": true @@ -636,6 +631,11 @@ "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md", +"redirect_url": "/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity", +"redirect_document_id": true +}, +{ "source_path": "windows/security/threat-protection/device-guard/optional-create-a-code-signing-certificate-for-windows-defender-application-control.md", "redirect_url": "/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control", "redirect_document_id": true 
@@ -726,135 +726,269 @@ "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md", "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard", "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md", "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission", "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md", +"redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np", +"redirect_document_id": true +} +{ "source_path": "windows/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md", "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard", "redirect_document_id": true }, { +"source_path": 
"windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/controlled-folders", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md", "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction", "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md", "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard", "redirect_document_id": true }, +{ + "source_path": "windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md", + "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders", + "redirect_document_id": true + }, { "source_path": "windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection", "redirect_document_id": true }, +{ + "source_path": "windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md", + "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection", + "redirect_document_id": true + }, { "source_path": "windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md", "redirect_url": 
"/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard", "redirect_document_id": true }, +{ + "source_path": "windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md", + "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/emet-exploit-protection", + "redirect_document_id": true + }, { "source_path": "windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md", "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction", "redirect_document_id": true }, +{ + "source_path": "windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md", + "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction", + "redirect_document_id": true + }, { "source_path": "windows/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md", "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard", "redirect_document_id": true }, +{ + "source_path": "windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md", + "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders-exploit-guard", + "redirect_document_id": true + }, { "source_path": "windows/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection", "redirect_document_id": true }, +{ + "source_path": "windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md", + "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection", + 
"redirect_document_id": true + }, { "source_path": "windows/threat-protection/windows-defender-exploit-guard/enable-network-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection", "redirect_document_id": true }, +{ + "source_path": "windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md", + "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection", + "redirect_document_id": true + }, { "source_path": "windows/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md", "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction", "redirect_document_id": true }, +{ + "source_path": "windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md", + "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction", + "redirect_document_id": true + }, { "source_path": "windows/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md", "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access", "redirect_document_id": true }, +{ + "source_path": "windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md", + "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access", + "redirect_document_id": true + }, { "source_path": "windows/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection", "redirect_document_id": true }, +{ + "source_path": 
"windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md", + "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection", + "redirect_document_id": true + }, { "source_path": "windows/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection", "redirect_document_id": true }, +{ + "source_path": "windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md", + "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection", + "redirect_document_id": true + }, { "source_path": "windows/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md", "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard", "redirect_document_id": true }, +{ + /* Where did we put this one? 
*/ + "source_path": "windows/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md", + "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard", + "redirect_document_id": true + }, { "source_path": "windows/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md", "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard", "redirect_document_id": true }, +{ + "source_path": "windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md", + "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/event-views", + "redirect_document_id": true + }, { "source_path": "windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md", "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard", "redirect_document_id": true }, +{ + "source_path": "windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md", + "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-exploit-guard", + "redirect_document_id": true + }, { "source_path": "windows/threat-protection/windows-defender-exploit-guard/graphics.md", "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/graphics", "redirect_document_id": true }, +{ + /* Deleted */ + "source_path": "windows/threat-protection/windows-defender-exploit-guard/graphics.md", + "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/graphics", + "redirect_document_id": true + }, { "source_path": "windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md", "redirect_url": 
"/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml", "redirect_document_id": true }, +{ + "source_path": "windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md", + "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml", + "redirect_document_id": true + }, { "source_path": "windows/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md", "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard", "redirect_document_id": true }, +{ + "source_path": "windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md", + "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/network-protection", + "redirect_document_id": true + }, { "source_path": "windows/threat-protection/windows-defender-exploit-guard/prerelease.md", "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/prerelease", "redirect_document_id": true }, +{ + /* Deleted */ + "source_path": "windows/threat-protection/windows-defender-exploit-guard/prerelease.md", + "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/prerelease", + "redirect_document_id": true + }, { "source_path": "windows/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md", "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr", "redirect_document_id": true }, +{ + "source_path": "windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md", + "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr", + "redirect_document_id": true + }, { "source_path": 
"windows/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md", "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations", "redirect_document_id": true }, { -"source_path": "windows/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md", -"redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np", -"redirect_document_id": true -}, + "source_path": "windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md", + "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations", + "redirect_document_id": true + }, { "source_path": "windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md", "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard", "redirect_document_id": true }, +{ + /* Deleted */ + "source_path": "windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md", + "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard", + "redirect_document_id": true + }, { "source_path": "windows/keep-secure/advanced-features-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection", 
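Review bot: The new entry for `windows-defender-exploit-guard/troubleshoot-np.md` (target `/microsoft-defender-atp/troubleshoot-np`) closes with a bare `}` that is immediately followed by the next `{`, so the whole redirection file becomes invalid JSON and every redirect in it, not just the new ones, would stop resolving until the brace is changed to `},`. The `/* Where did we put this one? */` and `/* Deleted */` annotations are likewise not legal in strict JSON, and each of the entries they decorate repeats the `source_path` and target of the entry directly above it, so those duplicates should simply be removed. Two targets also disagree with the TOC rewritten earlier in this series: `enable-controlled-folders-exploit-guard.md` is sent to `/microsoft-defender-atp/enable-controlled-folders-exploit-guard` while the TOC links `microsoft-defender-atp/enable-controlled-folders.md`, and `exploit-protection-exploit-guard.md` is sent to `/microsoft-defender-atp/exploit-protection-exploit-guard` while the TOC links `microsoft-defender-atp/exploit-protection.md`. Finally, `collect-cab-files-exploit-guard-submission.md` still points at `/windows-defender-exploit-guard/troubleshoot-np`, which this same hunk redirects onward to `/microsoft-defender-atp/troubleshoot-np`; pointing it at the final location avoids a redirect chain.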
@@ -3092,6 +3226,11 @@ "redirect_document_id": true }, { +"source_path": "windows/device-security/device-guard/deploy-device-guard-enable-virtualization-based-security.md", +"redirect_url": "/windows/security/threat-protection/device-guard/deploy-device-guard-enable-virtualization-based-security", +"redirect_document_id": true +}, +{ "source_path": "windows/device-security/device-guard/deploy-managed-installer-for-device-guard.md", "redirect_url": "/windows/security/threat-protection/device-guard/deploy-managed-installer-for-device-guard", "redirect_document_id": true @@ -3131,6 +3270,11 @@ "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity", "redirect_document_id": true }, +{ + "source_path": "windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md", + "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity", + "redirect_document_id": true + }, { "source_path": "windows/device-security/device-guard/steps-to-deploy-windows-defender-application-control.md", "redirect_url": "/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy", From 4d3dfa2b92c010c92a7ef825f3337b29e2dacc35 Mon Sep 17 00:00:00 2001 From: martyav Date: Tue, 27 Aug 2019 11:09:24 -0400 Subject: [PATCH 46/49] round 2 --- .openpublishing.redirection.json | 200 +++++++++++++++++-------------- 1 file changed, 107 insertions(+), 93 deletions(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index b3e3ba1e5e..2bc60e63dc 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json 
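Review bot: The entry added in the second hunk maps `windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md` to `/microsoft-defender-atp/...`, but the same `source_path` is already mapped to `/device-guard/...` by the `@@ -636` hunk of this patch, so the file now carries two conflicting redirects for one source. The TOC in this series links the hardware-qualifications page under `device-guard/`, which suggests the `device-guard` target is the intended one and this newer entry should be dropped. Which of two duplicate `source_path` entries wins depends on the build tooling, so the losing URL may end up as a 404 for anyone following an old link to the HVCI hardware guidance.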
@@ -626,6 +626,11 @@
 "redirect_document_id": true
 },
 {
+"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md",
+"redirect_url": "windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3",
+"redirect_document_id": true
+},
+{
 "source_path": "windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md",
 "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity",
 "redirect_document_id": true
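Review bot: The added `redirect_url` is the only one in this hunk without a leading slash: `"redirect_url": "windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3",`. Every neighbouring entry uses a root-relative path, so this value would presumably be resolved relative to the source page's folder or rejected by the publisher's validation, leaving the old ASR-rules page unreachable after the move. Change it to `"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3",` to match the rest of the file.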
@@ -781,214 +786,214 @@
 "redirect_document_id": true
 },
 {
- "source_path": "windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md",
- "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders",
- "redirect_document_id": true
- },
+"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders",
+"redirect_document_id": true
+},
 {
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md",
 "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection",
 "redirect_document_id": true
 },
 {
- "source_path": "windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md",
- "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection",
- "redirect_document_id": true
- },
+"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection",
+"redirect_document_id": true
+},
 {
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md",
 "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard",
 "redirect_document_id": true
 },
 {
- "source_path": "windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md",
- "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/emet-exploit-protection",
- "redirect_document_id": true
- },
+"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/emet-exploit-protection",
+"redirect_document_id": true
+},
 {
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md",
 "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction",
 "redirect_document_id": true
 },
 {
- "source_path": "windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md",
- "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction",
- "redirect_document_id": true
- },
+"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction",
+"redirect_document_id": true
+},
 {
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md",
 "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard",
 "redirect_document_id": true
 },
 {
- "source_path": "windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md",
- "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders-exploit-guard",
- "redirect_document_id": true
- },
+"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders-exploit-guard",
+"redirect_document_id": true
+},
 {
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md",
 "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection",
 "redirect_document_id": true
 },
 {
- "source_path": "windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md",
- "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection",
- "redirect_document_id": true
- },
+"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection",
+"redirect_document_id": true
+},
 {
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/enable-network-protection.md",
 "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection",
 "redirect_document_id": true
 },
 {
- "source_path": "windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md",
- "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection",
- "redirect_document_id": true
- },
+"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection",
+"redirect_document_id": true
+},
 {
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md",
 "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction",
 "redirect_document_id": true
 },
 {
- "source_path": "windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md",
- "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction",
- "redirect_document_id": true
- },
+"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction",
+"redirect_document_id": true
+},
 {
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md",
 "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access",
 "redirect_document_id": true
 },
 {
- "source_path": "windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md",
- "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access",
- "redirect_document_id": true
- },
+"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access",
+"redirect_document_id": true
+},
 {
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md",
 "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection",
 "redirect_document_id": true
 },
 {
- "source_path": "windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md",
- "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection",
- "redirect_document_id": true
- },
+"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection",
+"redirect_document_id": true
+},
 {
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md",
 "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection",
 "redirect_document_id": true
 },
 {
- "source_path": "windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md",
- "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection",
- "redirect_document_id": true
- },
+"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection",
+"redirect_document_id": true
+},
 {
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md",
 "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard",
 "redirect_document_id": true
 },
 {
- /* Where did we put this one? */
- "source_path": "windows/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md",
- "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard",
- "redirect_document_id": true
- },
+"q": "Where did we put this one?",
+"source_path": "windows/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard",
+"redirect_document_id": true
+},
 {
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md",
 "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard",
 "redirect_document_id": true
 },
 {
- "source_path": "windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md",
- "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/event-views",
- "redirect_document_id": true
- },
+"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/event-views",
+"redirect_document_id": true
+},
 {
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md",
 "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard",
 "redirect_document_id": true
 },
 {
- "source_path": "windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md",
- "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-exploit-guard",
- "redirect_document_id": true
- },
+"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-exploit-guard",
+"redirect_document_id": true
+},
 {
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/graphics.md",
 "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/graphics",
 "redirect_document_id": true
 },
 {
- /* Deleted */
- "source_path": "windows/threat-protection/windows-defender-exploit-guard/graphics.md",
- "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/graphics",
- "redirect_document_id": true
- },
+"q": "Deleted",
+"source_path": "windows/threat-protection/windows-defender-exploit-guard/graphics.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/graphics",
+"redirect_document_id": true
+},
 {
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md",
 "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml",
 "redirect_document_id": true
 },
 {
- "source_path": "windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md",
- "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml",
- "redirect_document_id": true
- },
+"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml",
+"redirect_document_id": true
+},
 {
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md",
 "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard",
 "redirect_document_id": true
 },
 {
- "source_path": "windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md",
- "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/network-protection",
- "redirect_document_id": true
- },
+"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/network-protection",
+"redirect_document_id": true
+},
 {
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/prerelease.md",
 "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/prerelease",
 "redirect_document_id": true
 },
 {
- /* Deleted */
- "source_path": "windows/threat-protection/windows-defender-exploit-guard/prerelease.md",
- "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/prerelease",
- "redirect_document_id": true
- },
+"q": "Deleted",
+"source_path": "windows/threat-protection/windows-defender-exploit-guard/prerelease.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/prerelease",
+"redirect_document_id": true
+},
 {
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md",
 "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr",
 "redirect_document_id": true
 },
 {
- "source_path": "windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md",
- "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr",
- "redirect_document_id": true
- },
+"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr",
+"redirect_document_id": true
+},
 {
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md",
 "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations",
 "redirect_document_id": true
 },
 {
- "source_path": "windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md",
- "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations",
- "redirect_document_id": true
- },
+"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations",
+"redirect_document_id": true
+},
 {
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md",
 "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard",
 "redirect_document_id": true
 },
 {
- /* Deleted */
- "source_path": "windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md",
- "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard",
- "redirect_document_id": true
- },
+"q": "Deleted",
+"source_path": "windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard",
+"redirect_document_id": true
+},
 {
 "source_path": "windows/keep-secure/advanced-features-windows-defender-advanced-threat-protection.md",
 "redirect_url": "/windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection",
@@ -1139,7 +1144,6 @@
 "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction",
 "redirect_document_id": true
 },
-
 {
 "source_path": "windows/security/threat-protection/windows-defender-atp/configuration-score.md",
 "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/configuration-score",
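Review bot: The four `/* ... */` placeholders are turned into a `"q"` key (`+"q": "Where did we put this one?",` and three `+"q": "Deleted",`), which makes the file parse again but writes a reviewer's open question into production data; `"q"` is not one of the three fields every other entry uses, so the publisher presumably either rejects it or ignores it silently, and each of those four entries also repeats the `source_path` and `redirect_url` of the entry directly above it, so two entries claim the same source. Dropping the four placeholder entries, or resolving them into real targets, is the safer fix than encoding the note as a key. Separately, the hunk re-indents the remaining 17 unchanged entries in the same change, which is why 214 lines move for a handful of real edits; a whitespace-only pass in its own commit would leave the content change reviewable.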
@@ -3271,10 +3275,15 @@
 "redirect_document_id": true
 },
 {
- "source_path": "windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md",
- "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity",
- "redirect_document_id": true
- },
+"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md",
+"redirect_url": "/windows/security/threat-protection/device-guard/memory-integrity",
+"redirect_document_id": true
+},
 {
 "source_path": "windows/device-security/device-guard/steps-to-deploy-windows-defender-application-control.md",
 "redirect_url": "/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy",
@@ -4566,6 +4575,11 @@
 "redirect_document_id": true
 },
 {
+"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md",
+"redirect_url": "/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity",
+"redirect_document_id": true
+},
+{
 "source_path": "windows/device-security/get-support-for-security-baselines.md",
 "redirect_url": "/windows/security/threat-protection/get-support-for-security-baselines",
 "redirect_document_id": true
From 9ae8bfd70b3d2116d37ab7618804cd85f5b3d272 Mon Sep 17 00:00:00 2001
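Review bot: The destination hub for the VBS/HVCI pages is inconsistent within this change: the memory-integrity entry added here and the enable-virtualization-based-protection-of-code-integrity entry in the `@@ -4566,6 +4575,11 @@` hunk are sent to `/windows/security/threat-protection/device-guard/`, while the requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity entry directly above, re-indented but otherwise kept, still targets `/windows/security/threat-protection/microsoft-defender-atp/`. If those three pages belong to the same HVCI topic, one set of targets is presumably wrong and the requirements page would land in a different section from its how-to pages. Confirm which hub owns these pages and align the three `redirect_url` values before merging.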
From: martyav
Date: Tue, 27 Aug 2019 11:19:22 -0400
Subject: [PATCH 47/49] typo fix
---
 .openpublishing.redirection.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 2bc60e63dc..a0b083af90 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -759,7 +759,7 @@
 "source_path": "windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md",
 "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np",
 "redirect_document_id": true
-}
+},
 {
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md",
 "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard",
From ec6b83efb341bd29fc7df6acde31987643fb9b17 Mon Sep 17 00:00:00 2001
From: martyav
Date: Tue, 27 Aug 2019 12:26:13 -0400
Subject: [PATCH 48/49] round 3
---
 .openpublishing.redirection.json | 52 ++++++-------------------------
 1 file changed, 9 insertions(+), 43 deletions(-)
diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index a0b083af90..6c00205974 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
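Review bot: The comma restored by `+},` means the previous patch in this series left `.openpublishing.redirection.json` unparseable, which takes down every redirect in the file rather than just this entry. A strict JSON parse of this file as a pre-commit or CI step would catch this class of error before it reaches the publishing pipeline.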
@@ -631,16 +631,6 @@
 "redirect_document_id": true
 },
 {
-"source_path": "windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md",
-"redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity",
-"redirect_document_id": true
-},
-{
-"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md",
-"redirect_url": "/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity",
-"redirect_document_id": true
-},
-{
 "source_path": "windows/security/threat-protection/device-guard/optional-create-a-code-signing-certificate-for-windows-defender-application-control.md",
 "redirect_url": "/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control",
 "redirect_document_id": true
@@ -896,9 +886,8 @@
 "redirect_document_id": true
 },
 {
-"q": "Where did we put this one?",
-"source_path": "windows/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md",
-"redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard",
+"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/evaluate-windows-defender",
 "redirect_document_id": true
 },
 {
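Review bot: After the `@@ -896,9 +886,8 @@` repoint, the pre-existing entry for `windows/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md` (visible as context in the round-2 hunk above) still sends readers to `/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard`, which this hunk turns into a redirect source itself, so the oldest inbound links only resolve if the publishing pipeline follows chained redirects. If it does not, those links fail silently; pointing the old-path entry directly at `"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/evaluate-windows-defender",` removes the dependency on chaining. Both entries also keep `"redirect_document_id": true`, so two sources claim the same document id unless the pipeline reconciles that. The destination `evaluate-windows-defender` does not appear anywhere else in the visible diff, so confirm that page exists. The same two-hop pattern arises for windows-defender-exploit-guard.md in the `@@ -989,10 +966,9 @@` hunk of this patch and the `@@ -966,7 +966,7 @@` hunk of PATCH 49.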
@@ -927,12 +916,6 @@
 "redirect_document_id": true
 },
 {
-"q": "Deleted",
-"source_path": "windows/threat-protection/windows-defender-exploit-guard/graphics.md",
-"redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/graphics",
-"redirect_document_id": true
-},
-{
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md",
 "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml",
 "redirect_document_id": true
@@ -958,12 +941,6 @@
 "redirect_document_id": true
 },
 {
-"q": "Deleted",
-"source_path": "windows/threat-protection/windows-defender-exploit-guard/prerelease.md",
-"redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/prerelease",
-"redirect_document_id": true
-},
-{
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md",
 "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr",
 "redirect_document_id": true
@@ -989,10 +966,9 @@
 "redirect_document_id": true
 },
 {
-"q": "Deleted",
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md",
-"redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard",
-"redirect_document_id": true
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection",
+"redirect_document_id": false
 },
 {
 "source_path": "windows/keep-secure/advanced-features-windows-defender-advanced-threat-protection.md",
@@ -3225,16 +3201,6 @@
 "redirect_document_id": true
 },
 {
-"source_path": "windows/device-security/device-guard/deploy-device-guard-enable-virtualization-based-security.md",
-"redirect_url": "/windows/security/threat-protection/device-guard/deploy-device-guard-enable-virtualization-based-security",
-"redirect_document_id": true
-},
-{
-"source_path": "windows/device-security/device-guard/deploy-device-guard-enable-virtualization-based-security.md",
-"redirect_url": "/windows/security/threat-protection/device-guard/deploy-device-guard-enable-virtualization-based-security",
-"redirect_document_id": true
-},
-{
 "source_path": "windows/device-security/device-guard/deploy-managed-installer-for-device-guard.md",
 "redirect_url": "/windows/security/threat-protection/device-guard/deploy-managed-installer-for-device-guard",
 "redirect_document_id": true
@@ -9800,6 +9766,11 @@
 "redirect_document_id": true
 },
 {
+"source_path": "windows/device-security/device-guard/deploy-device-guard-enable-virtualization-based-security.md",
+"redirect_url": "/windows/security/threat-protection/device-guard/deploy-device-guard-enable-virtualization-based-security",
+"redirect_document_id": true
+},
+{
 "source_path": "windows/keep-secure/deploy-manage-report-windows-defender-antivirus.md",
 "redirect_url": "/windows/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus",
 "redirect_document_id": true
@@ -12325,11 +12296,6 @@
 "redirect_document_id": true
 },
 {
-"source_path": "windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md",
-"redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity",
-"redirect_document_id": true
-},
-{
 "source_path": "windows/keep-secure/requirements-for-deploying-applocker-policies.md",
 "redirect_url": "/windows/device-security/applocker/requirements-for-deploying-applocker-policies",
 "redirect_document_id": true
From 607ec3c43e2a005c1dce8eb27963b2219b153acf Mon Sep 17 00:00:00 2001
From: martyav
Date: Tue, 27 Aug 2019 12:33:05 -0400
Subject: [PATCH 49/49] correcting path
---
 .openpublishing.redirection.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 6c00205974..d27244616a 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -966,7 +966,7 @@
 "redirect_document_id": true
 },
 {
-"source_path": "windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md",
+"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md",
 "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection",
 "redirect_document_id": false
 },