Merge pull request #4228 from MicrosoftDocs/repo_sync_working_branch

Confirm merge from repo_sync_working_branch to master to sync with https://github.com/MicrosoftDocs/windows-itpro-docs (branch public)
This commit is contained in:
Tina Burden 2020-11-13 09:42:43 -08:00 committed by GitHub
commit 0db4068715
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 45 additions and 39 deletions

View File

@ -160,7 +160,7 @@ You can view System Information to check that Windows Defender Credential Guard
2. Click **System Summary**. 2. Click **System Summary**.
3. Confirm that **Credential Guard** is shown next to **Virtualization-based security Services Configured**. 3. Confirm that **Credential Guard** is shown next to **Virtualization-based security Services Running**.
Here's an example: Here's an example:
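Review bot: switching the field to check from **Virtualization-based security Services Configured** to **Virtualization-based security Services Running** is the right call for a step that is meant to confirm Credential Guard is actually active, but the two fields answer different questions and the text should say so: "Configured" shows the policy was applied, "Running" shows the service actually started. A reader who only looks at "Running" and finds it empty gets no hint whether Credential Guard was never configured or was configured and failed to start, so suggest keeping a sentence that tells them to compare both lines, with "Running" as the one that counts.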

View File

@ -140,7 +140,8 @@ The information below list the proxy and firewall configuration information requ
|------|---------|--------|--------| |------|---------|--------|--------|
|*.ods.opinsights.azure.com |Port 443 |Outbound|Yes | |*.ods.opinsights.azure.com |Port 443 |Outbound|Yes |
|*.oms.opinsights.azure.com |Port 443 |Outbound|Yes | |*.oms.opinsights.azure.com |Port 443 |Outbound|Yes |
|*.blob.core.windows.net |Port 443 |Outbound|Yes | |*.blob.core.windows.net |Port 443 |Outbound|Yes |
|*.azure-automation.net |Port 443 |Outbound|Yes |
> [!NOTE] > [!NOTE]
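Review bot: the added `*.azure-automation.net` row is a wildcard outbound allow with no indication of which agent component needs it, whereas the `*.opinsights.azure.com` entries are at least recognisable as the workspace ingestion endpoints. Add a short note under the table (or a word in the row) naming the traffic that uses this domain, so that firewall owners can justify the rule and scope it to the hosts they actually need instead of allowing the whole wildcard on port 443.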

View File

@ -249,12 +249,14 @@ To offboard the Windows server, you can use either of the following methods:
2. Open an elevated PowerShell and run the following command. Use the Workspace ID you obtained and replacing `WorkspaceID`: 2. Open an elevated PowerShell and run the following command. Use the Workspace ID you obtained and replacing `WorkspaceID`:
```powershell ```powershell
$ErrorActionPreference = "SilentlyContinue"
# Load agent scripting object # Load agent scripting object
$AgentCfg = New-Object -ComObject AgentConfigManager.MgmtSvcCfg $AgentCfg = New-Object -ComObject AgentConfigManager.MgmtSvcCfg
# Remove OMS Workspace # Remove OMS Workspace
$AgentCfg.RemoveCloudWorkspace($WorkspaceID) $AgentCfg.RemoveCloudWorkspace("WorkspaceID")
# Reload the configuration and apply changes # Reload the configuration and apply changes
$AgentCfg.ReloadConfiguration() $AgentCfg.ReloadConfiguration()
``` ```
## Related topics ## Related topics
- [Onboard Windows 10 devices](configure-endpoints.md) - [Onboard Windows 10 devices](configure-endpoints.md)
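Review bot: `$ErrorActionPreference = "SilentlyContinue"` at the top of the offboarding script suppresses every failure that follows it. If `New-Object -ComObject AgentConfigManager.MgmtSvcCfg` fails because the agent is not installed, or `RemoveCloudWorkspace` throws because the ID is wrong or the server was never joined to that workspace, the script ends with no output and the server stays onboarded while the operator believes it has been removed. Drop the line, or set `$ErrorActionPreference = "Stop"` and wrap the two calls in `try/catch` so a failure is surfaced. On the second change, replacing `$WorkspaceID` with the literal `"WorkspaceID"` does match the instruction to replace the placeholder, but an assignment on its own line (for example `$WorkspaceID = "<paste ID here>"`) is harder to overlook; either way the sentence above the block should be tidied ("Replace `WorkspaceID` with the Workspace ID you obtained") so it reads as an instruction rather than a fragment.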

View File

@ -10,7 +10,7 @@ ms.localizationpriority: medium
audience: ITPro audience: ITPro
author: denisebmsft author: denisebmsft
ms.author: deniseb ms.author: deniseb
ms.reviewer: ms.reviewer: ksarens
manager: dansimp manager: dansimp
--- ---
@ -54,8 +54,8 @@ You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Au
3. Go to **Program settings** and choose the app you want to apply mitigations to. <br/> 3. Go to **Program settings** and choose the app you want to apply mitigations to. <br/>
- If the app you want to configure is already listed, click it and then click **Edit**. - If the app you want to configure is already listed, click it and then click **Edit**.
- If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app. <br/> - If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app. <br/>
- Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
- Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You are notified if you need to restart the process or app, or if you need to restart Windows. 4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You are notified if you need to restart the process or app, or if you need to restart Windows.
@ -70,12 +70,12 @@ You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Au
If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work: If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work:
Enabled in **Program settings** | Enabled in **System settings** | Behavior |Enabled in **Program settings** | Enabled in **System settings** | Behavior |
-|-|- |:---|:---|:---|
[!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] | As defined in **Program settings** |[!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] | As defined in **Program settings** |
[!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **Program settings** |[!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **Program settings** |
[!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **System settings** |[!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **System settings** |
[!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | Default as defined in **Use default** option |[!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | Default as defined in **Use default** option |
### Example 1: Mikael configures Data Execution Prevention in system settings section to be off by default ### Example 1: Mikael configures Data Execution Prevention in system settings section to be off by default
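Review bot: the fourth row of the matrix still shows the check-yes icon in the "Enabled in **System settings**" column, which makes it identical to the third row apart from the Behavior text. The row whose behaviour is "Default as defined in **Use default** option" is the case where the mitigation is enabled in neither place, so that cell should be check-no; without it the matrix has no row for the "not configured anywhere" case and two contradictory rows for "system only". Since this hunk already rewrites the whole table for alignment, it is the right place to fix the cell.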
@ -98,8 +98,8 @@ The result will be that DEP will be enabled for *test.exe*. DEP will not be enab
3. Go to **Program settings** and choose the app you want to apply mitigations to.<br/> 3. Go to **Program settings** and choose the app you want to apply mitigations to.<br/>
- If the app you want to configure is already listed, click it and then click **Edit**. - If the app you want to configure is already listed, click it and then click **Edit**.
- If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app.<br/> - If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app.<br/>
- Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
- Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows. 4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.
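Review bot: step 4 here says "You will be notified" while the same step in the first procedure above says "You are notified"; the two procedures are otherwise word for word the same, so pick one wording and use it in both.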
@ -209,41 +209,41 @@ Set-Processmitigation -Name test.exe -Remove -Disable DEP
This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that can be used to configure each mitigation. This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that can be used to configure each mitigation.
Mitigation | Applies to | PowerShell cmdlets | Audit mode cmdlet |Mitigation | Applies to | PowerShell cmdlets | Audit mode cmdlet |
- | - | - | - |:---|:---|:---|:---|
Control flow guard (CFG) | System and app-level | CFG, StrictCFG, SuppressExports | Audit not available |Control flow guard (CFG) | System and app-level | CFG, StrictCFG, SuppressExports | Audit not available |
Data Execution Prevention (DEP) | System and app-level | DEP, EmulateAtlThunks | Audit not available |Data Execution Prevention (DEP) | System and app-level | DEP, EmulateAtlThunks | Audit not available |
Force randomization for images (Mandatory ASLR) | System and app-level | ForceRelocateImages | Audit not available |Force randomization for images (Mandatory ASLR) | System and app-level | ForceRelocateImages | Audit not available |
Randomize memory allocations (Bottom-Up ASLR) | System and app-level | BottomUp, HighEntropy | Audit not available |Randomize memory allocations (Bottom-Up ASLR) | System and app-level | BottomUp, HighEntropy | Audit not available
Validate exception chains (SEHOP) | System and app-level | SEHOP, SEHOPTelemetry | Audit not available |Validate exception chains (SEHOP) | System and app-level | SEHOP, SEHOPTelemetry | Audit not available
Validate heap integrity | System and app-level | TerminateOnHeapError | Audit not available |Validate heap integrity | System and app-level | TerminateOnHeapError | Audit not available
Arbitrary code guard (ACG) | App-level only | DynamicCode | AuditDynamicCode |Arbitrary code guard (ACG) | App-level only | DynamicCode | AuditDynamicCode
Block low integrity images | App-level only | BlockLowLabel | AuditImageLoad |Block low integrity images | App-level only | BlockLowLabel | AuditImageLoad
Block remote images | App-level only | BlockRemoteImages | Audit not available |Block remote images | App-level only | BlockRemoteImages | Audit not available
Block untrusted fonts | App-level only | DisableNonSystemFonts | AuditFont, FontAuditOnly |Block untrusted fonts | App-level only | DisableNonSystemFonts | AuditFont, FontAuditOnly
Code integrity guard | App-level only | BlockNonMicrosoftSigned, AllowStoreSigned | AuditMicrosoftSigned, AuditStoreSigned |Code integrity guard | App-level only | BlockNonMicrosoftSigned, AllowStoreSigned | AuditMicrosoftSigned, AuditStoreSigned
Disable extension points | App-level only | ExtensionPoint | Audit not available |Disable extension points | App-level only | ExtensionPoint | Audit not available
Disable Win32k system calls | App-level only | DisableWin32kSystemCalls | AuditSystemCall |Disable Win32k system calls | App-level only | DisableWin32kSystemCalls | AuditSystemCall
Do not allow child processes | App-level only | DisallowChildProcessCreation | AuditChildProcess |Do not allow child processes | App-level only | DisallowChildProcessCreation | AuditChildProcess
Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter <a href="#r1" id="t1">\[1\]</a> | Audit not available |Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter <a href="#r1" id="t1">\[1\]</a> | Audit not available<a href="#r2" id="t2">\[2\]</a> |
Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available ||Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available<a href="#r2" id="t2">\[2\]</a> |
Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available |Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available<a href="#r2" id="t2">\[2\]</a> |
Validate API invocation (CallerCheck) | App-level only | EnableRopCallerCheck | Audit not available |Validate API invocation (CallerCheck) | App-level only | EnableRopCallerCheck | Audit not available<a href="#r2" id="t2">\[2\]</a> |
Validate handle usage | App-level only | StrictHandle | Audit not available |Validate handle usage | App-level only | StrictHandle | Audit not available |
Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available |Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available |
Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available |Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available<a href="#r2" id="t2">\[2\]</a> |
<a href="#t1" id="r1">\[1\]</a>: Use the following format to enable EAF modules for DLLs for a process: <a href="#t1" id="r1">\[1\]</a>: Use the following format to enable EAF modules for DLLs for a process:
```PowerShell ```PowerShell
Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll
``` ```
<a href="#t2" id="r2">\[2\]</a>: Audit for this mitigation is not available via Powershell cmdlets.
## Customize the notification ## Customize the notification
See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file. See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file.
## Related topics ## See also
* [Evaluate exploit protection](evaluate-exploit-protection.md) * [Evaluate exploit protection](evaluate-exploit-protection.md)
* [Configure and audit exploit protection mitigations](customize-exploit-protection.md) * [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
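Review bot: the new footnote anchor `<a href="#r2" id="t2">\[2\]</a>` is pasted into five rows (EAF, IAF, SimExec, CallerCheck, StackPivot) with the same `id="t2"`. Duplicate ids are invalid HTML, and the back-link in the footnote (`<a href="#t2" id="r2">`) can only ever return to the first occurrence. Either drop the `id` attribute from the in-table anchors and make the footnote a plain `[2]` with no back-link, or give each occurrence its own id. Three smaller things in the same table: the rows from Bottom-Up ASLR through Do not allow child processes lost their trailing `|` while the rows around them kept it (harmless to the renderer, but inconsistent with the rest of the page); `EnforceModuleDepencySigning` reads like a typo for `EnforceModuleDependencySigning` and should be checked against `Get-Help Set-ProcessMitigation -Parameter Enable` before merge, since readers will paste it into the cmdlet; and the footnote text should spell it "PowerShell" as the rest of the page does.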

View File

@ -88,6 +88,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
|Lasse Trolle Borup | Langkjaer Cyber Defence | |Lasse Trolle Borup | Langkjaer Cyber Defence |
|Jimmy Bayne | @bohops | |Jimmy Bayne | @bohops |
|Philip Tsukerman | @PhilipTsukerman | |Philip Tsukerman | @PhilipTsukerman |
|Brock Mammen| |
<br /> <br />
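Review bot: the new contributor row `|Brock Mammen| |` leaves the second column empty where every other row carries an organisation or handle; if that is intentional it is fine, otherwise fill it in before merge so the table does not render with a dangling blank cell.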
@ -158,6 +159,7 @@ Pick the correct version of each .dll for the Windows release you plan to suppor
<Deny ID="ID_DENY_KILL" FriendlyName="kill.exe" FileName="kill.exe" MinimumFileVersion="65535.65535.65535.65535" /> <Deny ID="ID_DENY_KILL" FriendlyName="kill.exe" FileName="kill.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_LXRUN" FriendlyName="lxrun.exe" FileName="lxrun.exe" MinimumFileVersion="65535.65535.65535.65535"/> <Deny ID="ID_DENY_LXRUN" FriendlyName="lxrun.exe" FileName="lxrun.exe" MinimumFileVersion="65535.65535.65535.65535"/>
<Deny ID="ID_DENY_LXSS" FriendlyName="LxssManager.dll" FileName="LxssManager.dll" MinimumFileVersion="65535.65535.65535.65535"/> <Deny ID="ID_DENY_LXSS" FriendlyName="LxssManager.dll" FileName="LxssManager.dll" MinimumFileVersion="65535.65535.65535.65535"/>
<Deny ID="ID_DENY_MFC40" FriendlyName="mfc40.dll" FileName="mfc40.dll" MinimumFileVersion="65535.65535.65535.65535"/>
<Deny ID="ID_DENY_MS_BUILD" FriendlyName="Microsoft.Build.dll" FileName="Microsoft.Build.dll" MinimumFileVersion="65535.65535.65535.65535" /> <Deny ID="ID_DENY_MS_BUILD" FriendlyName="Microsoft.Build.dll" FileName="Microsoft.Build.dll" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_MS_BUILD_FMWK" FriendlyName="Microsoft.Build.Framework.dll" FileName="Microsoft.Build.Framework.dll" MinimumFileVersion="65535.65535.65535.65535" /> <Deny ID="ID_DENY_MS_BUILD_FMWK" FriendlyName="Microsoft.Build.Framework.dll" FileName="Microsoft.Build.Framework.dll" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_MWFC" FriendlyName="Microsoft.Workflow.Compiler.exe" FileName="Microsoft.Workflow.Compiler.exe" MinimumFileVersion="65535.65535.65535.65535" /> <Deny ID="ID_DENY_MWFC" FriendlyName="Microsoft.Workflow.Compiler.exe" FileName="Microsoft.Workflow.Compiler.exe" MinimumFileVersion="65535.65535.65535.65535" />
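Review bot: the new `ID_DENY_MFC40` rule is consistent with its neighbours (deny by `FileName`, `MinimumFileVersion="65535.65535.65535.65535"` so every version is caught), but the hunk shows no accompanying change to the prose that explains why each binary on this page is blocked. If the page lists the blocked files and the reason for each above the policy XML, `mfc40.dll` needs an entry there too; a deny rule with no stated rationale is exactly the kind of line an admin removes when a legacy MFC application stops launching.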
@ -896,6 +898,7 @@ Pick the correct version of each .dll for the Windows release you plan to suppor
<FileRuleRef RuleID="ID_DENY_KILL"/> <FileRuleRef RuleID="ID_DENY_KILL"/>
<FileRuleRef RuleID="ID_DENY_LXSS"/> <FileRuleRef RuleID="ID_DENY_LXSS"/>
<FileRuleRef RuleID="ID_DENY_LXRUN"/> <FileRuleRef RuleID="ID_DENY_LXRUN"/>
<FileRuleRef RuleID="ID_DENY_MFC40"/>
<FileRuleRef RuleID="ID_DENY_MS_BUILD" /> <FileRuleRef RuleID="ID_DENY_MS_BUILD" />
<FileRuleRef RuleID="ID_DENY_MS_BUILD_FMWK" /> <FileRuleRef RuleID="ID_DENY_MS_BUILD_FMWK" />
<FileRuleRef RuleID="ID_DENY_MWFC" /> <FileRuleRef RuleID="ID_DENY_MWFC" />
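Review bot: this is the reference that makes the new rule take effect (a `<Deny>` defined under `FileRules` but never listed in a `<FileRulesRef>` is inert), so it belongs with the previous hunk, but check that it was added to every `<FileRulesRef>` block in the sample policy that lists `ID_DENY_LXSS` and `ID_DENY_LXRUN`; if the policy carries these references in more than one signing scenario and only this block was updated, `mfc40.dll` will be denied in one scenario and silently allowed in the other. Minor: the ordering here (LXSS, LXRUN, MFC40) differs from the rule definitions above (LXRUN, LXSS, MFC40); not a bug, but worth aligning while the lists are being touched.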