From bdce156a229f89854ec66ed766bcda89d05904e3 Mon Sep 17 00:00:00 2001 From: Jordan Geurten Date: Mon, 19 Oct 2020 15:27:54 -0700 Subject: [PATCH 1/8] Added mfc40.dll to recommended block list --- .../microsoft-recommended-block-rules.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md index 06d6ee7d8f..4561b40720 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md @@ -158,6 +158,7 @@ Pick the correct version of each .dll for the Windows release you plan to suppor + @@ -896,6 +897,7 @@ Pick the correct version of each .dll for the Windows release you plan to suppor + From 0b0786fd866118df010ca7b23b25b1ab7de04736 Mon Sep 17 00:00:00 2001 From: Jordan Geurten Date: Tue, 20 Oct 2020 14:32:35 -0700 Subject: [PATCH 2/8] Added contributor to the acknowledgements section --- .../microsoft-recommended-block-rules.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md index 4561b40720..620cfbcd0b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md @@ -88,6 +88,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you |Lasse Trolle Borup | Langkjaer Cyber Defence | |Jimmy Bayne | @bohops | |Philip Tsukerman | @PhilipTsukerman | +|Brock Mammen| |
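Review bot: In hunk @@ -158 of PATCH 1/8, the single added line arrives blank in this copy of the patch, so the mfc40.dll entry promised by the subject line cannot be verified from the diff as shown. A blocked DLL in this policy needs a Deny rule with a unique ID, and the surrounding context ("Pick the correct version of each .dll for the Windows release you plan to support") indicates a versioned rule, so please confirm the added line is a Deny rule naming mfc40.dll whose ID is not already used elsewhere in the file.

Review bot: Hunk @@ -896 of PATCH 1/8 likewise adds one blank-looking line. A Deny rule only takes effect once it is referenced from the signing scenario's FileRulesRef list, so this should be the reference whose RuleID matches the ID introduced at @@ -158; please confirm the pair agrees and that the policy XML still validates after the edit.

Review bot: Hunk @@ -88 of PATCH 2/8 adds `|Brock Mammen| |` with no space before the closing pipe and an empty second column, while the neighbouring rows read `|Jimmy Bayne | @bohops |`. Match the existing spacing (`|Brock Mammen | |`) and fill in the affiliation or handle if the contributor wants one credited; otherwise the empty cell looks like an omission.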
From 0e4ce05d012416e2daf174d4cb461397a1f956b8 Mon Sep 17 00:00:00 2001 From: Kurt Sarens <56369685+kurtsarens@users.noreply.github.com> Date: Fri, 6 Nov 2020 15:18:45 +0100 Subject: [PATCH 3/8] Update enable-exploit-protection.md Audit of mitigations is not always available via PS but is with other management options --- .../enable-exploit-protection.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md index 2d44c8da7d..373ad6ff74 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md @@ -210,7 +210,7 @@ Set-Processmitigation -Name test.exe -Remove -Disable DEP This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that can be used to configure each mitigation. Mitigation | Applies to | PowerShell cmdlets | Audit mode cmdlet -- | - | - | - +-|-|-|- Control flow guard (CFG) | System and app-level | CFG, StrictCFG, SuppressExports | Audit not available Data Execution Prevention (DEP) | System and app-level | DEP, EmulateAtlThunks | Audit not available Force randomization for images (Mandatory ASLR) | System and app-level | ForceRelocateImages | Audit not available 
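Review bot: Hunk @@ -210 of PATCH 3/8 changes only the table separator row, from `-- | - | - | -` to `-|-|-|-`, which renders identically. It is harmless, but it is unrelated to the audit-availability change described in the commit message and would be clearer as part of a formatting pass (PATCH 8/8 in this series rewrites the same row again with alignment markers).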
@@ -225,20 +225,20 @@ Code integrity guard | App-level only | BlockNonMicrosoftSigned, AllowStoreS Disable extension points | App-level only | ExtensionPoint | Audit not available Disable Win32k system calls | App-level only | DisableWin32kSystemCalls | AuditSystemCall Do not allow child processes | App-level only | DisallowChildProcessCreation | AuditChildProcess -Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter \[1\] | Audit not available -Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available -Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available -Validate API invocation (CallerCheck) | App-level only | EnableRopCallerCheck | Audit not available +Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter \[1\] | Audit not available\[2\] +Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available\[2\] +Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available\[2\] +Validate API invocation (CallerCheck) | App-level only | EnableRopCallerCheck | Audit not available\[2\] Validate handle usage | App-level only | StrictHandle | Audit not available Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available -Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available +Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available\[2\] \[1\]: Use the following format to enable EAF modules for DLLs for a process: ```PowerShell Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll ``` - +\[2\]: Audit for this mitigation is not available via Powershell CmdLet. 
## Customize the notification See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file. From c1e3ce52385ea06f99f49dd03cd7817c3d7a4422 Mon Sep 17 00:00:00 2001 From: JesseEsquivel <33558203+JesseEsquivel@users.noreply.github.com> Date: Tue, 10 Nov 2020 15:24:20 -0500 Subject: [PATCH 4/8] Item is missing from proxy/firewall requirements Should be the same as this link (missing *.azure-automation.net). The *.azure-automation.net url is also called out and checked in the defender for endpoint connectivity analyzer. https://docs.microsoft.com/en-us/azure/azure-monitor/platform/log-analytics-agent#firewall-requirements --- .../microsoft-defender-atp/configure-proxy-internet.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md index 6abe8ff951..48fd0bee7d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md @@ -140,7 +140,8 @@ The information below list the proxy and firewall configuration information requ |------|---------|--------|--------| |*.ods.opinsights.azure.com |Port 443 |Outbound|Yes | |*.oms.opinsights.azure.com |Port 443 |Outbound|Yes | -|*.blob.core.windows.net |Port 443 |Outbound|Yes | +|*.blob.core.windows.net |Port 443 |Outbound|Yes | +|*.azure-automation.net |Port 443 |Outbound|Yes | > [!NOTE] From d291e049b1454d0121e74058450a1f368638b1fd Mon Sep 17 00:00:00 2001 
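Review bot: In hunk @@ -225 of PATCH 3/8, the new footnote `\[2\]: Audit for this mitigation is not available via Powershell CmdLet.` should read `PowerShell cmdlet` (product capitalization), and the marker should be separated from the cell text as `Audit not available \[2\]` rather than `Audit not available\[2\]`. The more important point is what the footnote now implies: rows marked \[2\] (EAF, IAF, SimExec, CallerCheck, StackPivot) are distinguished from rows left as plain `Audit not available` (StrictHandle, EnforceModuleDepencySigning, and the system-level rows in the previous hunk). If the plain rows mean audit is unavailable through any management channel, say so explicitly; and since the commit message says audit for the \[2\] rows is available through other management options, the footnote should name them or link to the audit-mode topic, otherwise readers are told only where audit is not.

Review bot: In hunk @@ -140 of PATCH 4/8, the `*.blob.core.windows.net` row is removed and re-added with no visible difference (trailing whitespace only), which adds noise to the diff; please drop that churn. The new `|*.azure-automation.net |Port 443 |Outbound|Yes |` row matches the format of the existing rows. The commit message cites the Log Analytics agent firewall requirements as the source of the missing endpoint; a reference to that page next to the table would let readers see why the endpoint is needed and spot future drift between the two lists.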
From: Kurt Sarens <56369685+kurtsarens@users.noreply.github.com> Date: Wed, 11 Nov 2020 19:13:24 +0100 Subject: [PATCH 5/8] Update windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../microsoft-defender-atp/enable-exploit-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md index 373ad6ff74..d32e84b405 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md @@ -238,7 +238,7 @@ Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot ```PowerShell Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll ``` -\[2\]: Audit for this mitigation is not available via Powershell CmdLet. +\[2\]: Audit for this mitigation is not available via Powershell cmdlets. ## Customize the notification See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file. From 78eaf0bfa833e9f160ebc18a366886df93882aac Mon Sep 17 00:00:00 2001 From: Anna-Li <70676128+xl989@users.noreply.github.com> Date: Fri, 13 Nov 2020 14:27:49 +0800 Subject: [PATCH 6/8] CI_125045_Update_credential-guard-manage.md --- .../credential-guard/credential-guard-manage.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
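Review bot: Hunk @@ -238 of PATCH 5/8 corrects `CmdLet` to `cmdlets` but leaves `Powershell`; the product name is `PowerShell`, as the fenced block's own `Set-ProcessMitigation` line and its `PowerShell` fence label show, so the footnote should read `Audit for this mitigation is not available via PowerShell cmdlets.`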
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index 742dd80951..1d0b90717a 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md @@ -160,7 +160,7 @@ You can view System Information to check that Windows Defender Credential Guard 2. Click **System Summary**. -3. Confirm that **Credential Guard** is shown next to **Virtualization-based security Services Configured**. +3. Confirm that **Credential Guard** is shown next to **Virtualization-based security Services Running**. Here's an example: From 57d4a81f864e20be0868457bc01c3c9220fed7e3 Mon Sep 17 00:00:00 2001 From: Kurt Sarens <56369685+kurtsarens@users.noreply.github.com> Date: Fri, 13 Nov 2020 17:28:00 +0100 Subject: [PATCH 7/8] Update configure-server-endpoints.md Use the Workspace ID you obtained and replacing `WorkspaceID` updated script as it did not work :) --- .../microsoft-defender-atp/configure-server-endpoints.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md index ad4b3d8853..0af0c2d391 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md 
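Review bot: Hunk @@ -160 of PATCH 6/8 is a substantive correction rather than a wording change: in System Information, **Virtualization-based security Services Configured** lists what policy has requested, whereas **Virtualization-based security Services Running** lists what is actually active, so a reader verifying that Credential Guard is in effect must check the Running entry as the new step 3 says. The screenshot introduced by the unchanged "Here's an example:" line should be checked to make sure it also shows Credential Guard under the Running entry; otherwise the text and the image will disagree.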
@@ -249,12 +249,14 @@ To offboard the Windows server, you can use either of the following methods: 2. Open an elevated PowerShell and run the following command. Use the Workspace ID you obtained and replacing `WorkspaceID`: ```powershell + $ErrorActionPreference = "SilentlyContinue" # Load agent scripting object $AgentCfg = New-Object -ComObject AgentConfigManager.MgmtSvcCfg # Remove OMS Workspace - $AgentCfg.RemoveCloudWorkspace($WorkspaceID) + $AgentCfg.RemoveCloudWorkspace("WorkspaceID") # Reload the configuration and apply changes $AgentCfg.ReloadConfiguration() + ``` ## Related topics - [Onboard Windows 10 devices](configure-endpoints.md) From a8bfdbb3d3ad86781d5ed8b0c041c354b0bd8652 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 13 Nov 2020 09:29:31 -0800 Subject: [PATCH 8/8] Update enable-exploit-protection.md --- .../enable-exploit-protection.md | 70 +++++++++---------- 1 file changed, 35 insertions(+), 35 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md index d32e84b405..60e02d7bb1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md @@ -10,7 +10,7 @@ ms.localizationpriority: medium audience: ITPro author: denisebmsft ms.author: deniseb -ms.reviewer: +ms.reviewer: ksarens manager: dansimp --- @@ -54,8 +54,8 @@ You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Au 3. Go to **Program settings** and choose the app you want to apply mitigations to.
- If the app you want to configure is already listed, click it and then click **Edit**. - If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app.
- - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. - - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. + - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. + - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. 4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You are notified if you need to restart the process or app, or if you need to restart Windows. 
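Review bot: In hunk @@ -249 of PATCH 7/8 (configure-server-endpoints.md), the added `$ErrorActionPreference = "SilentlyContinue"` suppresses any failure from `RemoveCloudWorkspace`, including the case where the placeholder was never replaced or the ID is wrong, so the script goes on to `ReloadConfiguration()` and finishes as if offboarding succeeded while the server stays attached to the workspace. Drop that line, or wrap the call in try/catch and report the error. The replacement of `$WorkspaceID` (an undefined variable, which is why the commit message says the script did not work) with the literal `"WorkspaceID"` fixes the immediate failure, but the unchanged instruction still says "Use the Workspace ID you obtained and replacing `WorkspaceID`"; a placeholder that cannot be mistaken for a real value, such as `"<your workspace ID>"`, or an explicit `$WorkspaceID = "<your workspace ID>"` assignment at the top of the block, would make it obvious what to edit. The blank line added before the closing fence is stray whitespace.

Review bot: Hunk @@ -54 of PATCH 8/8 shows no textual change in the two `Use **Add by program name**` / `Use **Choose exact file path**` sub-bullets, so this is an indentation or trailing-whitespace change only. That is fine if it fixes list nesting, but in a 35-insertion/35-deletion patch titled just "Update enable-exploit-protection.md" the commit message should say that most of the diff is formatting, so reviewers know which hunks carry content.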
@@ -70,12 +70,12 @@ You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Au If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work: -Enabled in **Program settings** | Enabled in **System settings** | Behavior --|-|- -[!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] | As defined in **Program settings** -[!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **Program settings** -[!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **System settings** -[!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | Default as defined in **Use default** option +|Enabled in **Program settings** | Enabled in **System settings** | Behavior | +|:---|:---|:---| +|[!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] | As defined in **Program settings** | +|[!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **Program settings** | +|[!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **System settings** | +|[!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | Default as defined in **Use default** option | ### Example 1: Mikael configures Data Execution Prevention in system settings section to be off by default 
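Review bot: Hunk @@ -70 of PATCH 8/8 converts the defaults matrix into a piped table with a `|:---|:---|:---|` alignment row, but it carries over a pre-existing error that the clean layout now makes obvious: the third and fourth rows have identical inputs (Program settings `check-no`, System settings `check-yes`) yet different outcomes ("As defined in **System settings**" versus "Default as defined in **Use default** option"). The fourth row is evidently the case where neither setting enables the mitigation, so its System settings cell should be the `check-no.svg` include. Since this is the table an admin reads to learn which setting wins, it is worth fixing in the same change.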
@@ -98,8 +98,8 @@ The result will be that DEP will be enabled for *test.exe*. DEP will not be enab 3. Go to **Program settings** and choose the app you want to apply mitigations to.
- If the app you want to configure is already listed, click it and then click **Edit**. - If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app.
- - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. - - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. + - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. + - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. 4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows. 
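Review bot: Hunk @@ -98 of PATCH 8/8 is the same whitespace-only change to the same two sub-bullets as hunk @@ -54; the page carries this add-an-app procedure twice, and the copies have already drifted ("You are notified if you need to restart" at @@ -54 versus "You will be notified" here). Either align the wording in both places or have the second occurrence point back to the first, so future edits only have to be made once.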
@@ -209,29 +209,29 @@ Set-Processmitigation -Name test.exe -Remove -Disable DEP This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that can be used to configure each mitigation. -Mitigation | Applies to | PowerShell cmdlets | Audit mode cmdlet --|-|-|- -Control flow guard (CFG) | System and app-level | CFG, StrictCFG, SuppressExports | Audit not available -Data Execution Prevention (DEP) | System and app-level | DEP, EmulateAtlThunks | Audit not available -Force randomization for images (Mandatory ASLR) | System and app-level | ForceRelocateImages | Audit not available -Randomize memory allocations (Bottom-Up ASLR) | System and app-level | BottomUp, HighEntropy | Audit not available -Validate exception chains (SEHOP) | System and app-level | SEHOP, SEHOPTelemetry | Audit not available -Validate heap integrity | System and app-level | TerminateOnHeapError | Audit not available -Arbitrary code guard (ACG) | App-level only | DynamicCode | AuditDynamicCode -Block low integrity images | App-level only | BlockLowLabel | AuditImageLoad -Block remote images | App-level only | BlockRemoteImages | Audit not available -Block untrusted fonts | App-level only | DisableNonSystemFonts | AuditFont, FontAuditOnly -Code integrity guard | App-level only | BlockNonMicrosoftSigned, AllowStoreSigned | AuditMicrosoftSigned, AuditStoreSigned -Disable extension points | App-level only | ExtensionPoint | Audit not available -Disable Win32k system calls | App-level only | DisableWin32kSystemCalls | AuditSystemCall -Do not allow child processes | App-level only | DisallowChildProcessCreation | AuditChildProcess -Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter \[1\] | Audit not available\[2\] -Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available\[2\] -Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available\[2\] -Validate API invocation 
(CallerCheck) | App-level only | EnableRopCallerCheck | Audit not available\[2\] -Validate handle usage | App-level only | StrictHandle | Audit not available -Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available -Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available\[2\] +|Mitigation | Applies to | PowerShell cmdlets | Audit mode cmdlet | +|:---|:---|:---|:---| +|Control flow guard (CFG) | System and app-level | CFG, StrictCFG, SuppressExports | Audit not available | +|Data Execution Prevention (DEP) | System and app-level | DEP, EmulateAtlThunks | Audit not available | +|Force randomization for images (Mandatory ASLR) | System and app-level | ForceRelocateImages | Audit not available | +|Randomize memory allocations (Bottom-Up ASLR) | System and app-level | BottomUp, HighEntropy | Audit not available +|Validate exception chains (SEHOP) | System and app-level | SEHOP, SEHOPTelemetry | Audit not available +|Validate heap integrity | System and app-level | TerminateOnHeapError | Audit not available +|Arbitrary code guard (ACG) | App-level only | DynamicCode | AuditDynamicCode +|Block low integrity images | App-level only | BlockLowLabel | AuditImageLoad +|Block remote images | App-level only | BlockRemoteImages | Audit not available +|Block untrusted fonts | App-level only | DisableNonSystemFonts | AuditFont, FontAuditOnly +|Code integrity guard | App-level only | BlockNonMicrosoftSigned, AllowStoreSigned | AuditMicrosoftSigned, AuditStoreSigned +|Disable extension points | App-level only | ExtensionPoint | Audit not available +|Disable Win32k system calls | App-level only | DisableWin32kSystemCalls | AuditSystemCall +|Do not allow child processes | App-level only | DisallowChildProcessCreation | AuditChildProcess +|Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter \[1\] | Audit not available\[2\] | +||Import 
address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available\[2\] | +|Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available\[2\] | +|Validate API invocation (CallerCheck) | App-level only | EnableRopCallerCheck | Audit not available\[2\] | +|Validate handle usage | App-level only | StrictHandle | Audit not available | +|Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available | +|Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available\[2\] | \[1\]: Use the following format to enable EAF modules for DLLs for a process: @@ -243,7 +243,7 @@ Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlu See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file. -## Related topics +## See also * [Evaluate exploit protection](evaluate-exploit-protection.md) * [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
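Review bot: In hunk @@ -209 of PATCH 8/8 the table conversion is incomplete in two ways that will show when rendered. The IAF row begins `||Import address filtering (IAF)`, a doubled leading pipe that inserts an empty first cell and shifts every column of that row one to the right; it should start `|Import address filtering (IAF) |`. The rows from "Randomize memory allocations (Bottom-Up ASLR)" through "Do not allow child processes" have no closing `|`, unlike the rows before and after them; renderers tolerate this, but the inconsistency suggests a partial find-and-replace, so make every row end with `|`. While here: `EnforceModuleDepencySigning` is the only cmdlet value in the table whose spelling does not match its mitigation name ("Validate image dependency integrity"); please confirm it against the value `Set-ProcessMitigation` actually accepts before leaving it, since a misspelled value in this table sends readers to a parameter that does not exist.

Review bot: Hunk @@ -243 of PATCH 8/8 renames the closing heading from `## Related topics` to `## See also`, but PATCH 7/8 in this same series leaves `## Related topics` in configure-server-endpoints.md. If `See also` is the target convention, apply it across the files the series touches; otherwise readers get two headings for the same section.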