copyedits

This commit is contained in:
Justin Hall 2018-08-16 15:08:00 -07:00
parent b5a7c2a613
commit 26e4f78dbd
2 changed files with 36 additions and 66 deletions

View File

@ -16,51 +16,31 @@ ms.date: 08/08/2018
# Enable Exploit protection
# Enable exploit protection
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Exploit protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level.
Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) are included in Exploit protection.
Many of the features that were part of the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection.
It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
## Enable and audit exploit protection
You enable and configure each exploit protection mitigation separately. Some mitigations apply to the entire operating system, while others can be targeted towards specific apps.
The mitigations available in exploit protection are enabled or configured to their default values automatically in Windows 10. However, you can customize the configuration to suit your organization and then deploy that configuration across your network.
## Enable and audit Exploit protection
You enable and configure each Exploit protection mitigation separately. Some mitigations apply to the entire operating system, while others can be targeted towards specific apps.
The mitigations available in Exploit protection are enabled or configured to their default values automatically in Windows 10. However, you can customize the configuration to suit your organization and then deploy that configuration across your network.
You can also set mitigations to audit mode. Audit mode allows you to test how the mitigations would work (and review events) without impacting the normal use of the machine.
For background information on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md).
You can also set mitigations to [audit mode](audit-windows-defender-exploit-guard.md). Audit mode allows you to test how the mitigations would work (and review events) without impacting the normal use of the machine.
>[!WARNING]
>Some security mitigation technologies may have compatibility issues with some applications. You should test Exploit protection in all target use scenarios by using [audit mode](audit-windows-defender-exploit-guard.md) before deploying the configuration across a production environment or the rest of your network.
>Some security mitigation technologies may have compatibility issues with some applications. You should test exploit protection in all target use scenarios by using audit mode before deploying in production.
You can also convert an existing EMET configuration file (in XML format) and import it into Exploit protection. This is useful if you have been using EMET and have a customized series of policies and mitigations that you want to keep using.
You can also convert an existing EMET configuration file (in XML format) and import it into exploit protection. This is useful if you have been using EMET and have a customized series of policies and mitigations that you want to keep using.
See the following topics for instructions on configuring Exploit protection mitigations and importing, exporting, and converting configurations:
See the following topics for instructions on configuring exploit protection mitigations and importing, exporting, and converting configurations:
1. [Configure the mitigations you want to enable or audit](customize-exploit-protection.md)
2. [Export the configuration to an XML file that you can use to deploy the configuration to multiple machines](import-export-exploit-protection-emet-xml.md).
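Review bot: the unchanged context line "Exploit protection applies helps protect devices from malware that use exploits to spread and infect." still carries the stray "applies" and the agreement error ("malware that use"); since this is a copyedit pass, the sentence should read "Exploit protection helps protect devices from malware that uses exploits to spread and infect." In the same hunk the rewritten EMET sentence drops the link that the old line had ("[Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751)"), while the second file in this commit keeps its EMET link; either keep the link here too or drop it in both files so the two topics stay consistent.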
@ -68,11 +48,10 @@ See the following topics for instructions on configuring Exploit protection miti
## Related topics
- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md)
- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md)
- [Evaluate Exploit protection](evaluate-exploit-protection.md)
- [Configure and audit Exploit protection mitigations](customize-exploit-protection.md)
- [Import, export, and deploy Exploit protection configurations](import-export-exploit-protection-emet-xml.md)
- [Evaluate exploit protection](evaluate-exploit-protection.md)
- [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md)

View File

@ -1,6 +1,6 @@
---
title: See how Exploit protection works in a demo
description: See how Exploit protection can prevent suspicious behaviors from occurring on specific apps.
title: See how exploit protection works in a demo
description: See how exploit protection can prevent suspicious behaviors from occurring on specific apps.
keywords: Exploit protection, exploits, kernel, events, evaluate, demo, try, mitigiation
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
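Review bot: the keywords line in this hunk's context still spells "mitigiation" and still capitalizes "Exploit protection" even though the title and description directly above were just lowercased; change it to "keywords: exploit protection, exploits, kernel, events, evaluate, demo, try, mitigation" in the same commit.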
@ -16,39 +16,27 @@ ms.date: 05/30/2018
# Evaluate Exploit protection
# Evaluate exploit protection
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Exploit protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level.
Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) are included in Exploit protection.
Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) are included in exploit protection.
This topcs helps you evaluate Exploit protection. See the [Exploit protection topic](exploit-protection-exploit-guard.md) for more information on what Exploit protection does and how to configure it for real-world deployment.
This topic helps you evaluate exploit protection. For more information about what exploit protection does and how to configure it for real-world deployment, see [Exploit protection](exploit-protection-exploit-guard.md) .
>[!NOTE]
>This topic uses PowerShell cmdlets to make it easy to enable the feature and test it.
>For instructions on how to use Group Policy and Mobile Device Management (MDM to deploy these settings across your network, see the main [Exploit protection topic](exploit-protection-exploit-guard.md) .
>For instructions about how to use Group Policy and Mobile Device Management (MDM to deploy these settings across your network, see [Exploit protection](exploit-protection-exploit-guard.md).
>[!TIP]
>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
## Enable and validate an Exploit protection mitigation
## Enable and validate an exploit protection mitigation
For this demo you will enable the mitigation that prevents child processes from being created. You'll use Internet Explorer as the parent app.
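Review bot: the rewritten NOTE line still has the unclosed parenthesis in "Mobile Device Management (MDM to deploy", which the old line also had; it should read "Mobile Device Management (MDM) to deploy". The new sentence "see [Exploit protection](exploit-protection-exploit-guard.md) ." also has a space before the period. The same "applies helps protect ... malware that use exploits" context sentence flagged in the first file appears here unchanged as well.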
@ -62,11 +50,11 @@ First, enable the mitigation using PowerShell, and then confirm that it has been
Set-ProcessMitigation -Name iexplore.exe -Enable DisallowChildProcessCreation
```
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
1. Open Windows Security by clicking the shield icon in the task bar or searching the Start menu for **Defender**.
2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then **Exploit protection settings** at the bottom of the screen.
3. Go to the **Program settings** section, scroll down, click **iexplore.exe**, and then **Edit**.
3. Go to the **Program settings** section, scroll down, click **iexplore.exe**, and then **Edit**.
4. Find the **Do not allow child processes** setting and make sure that **Override System settings** is enabled and the switch is set to **On**.
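Review bot: step 1 is renamed from "Windows Defender Security Center" to "Windows Security" but still tells the reader to search the Start menu for **Defender**; if the app is now called Windows Security, say what the reader should expect to find (or search for) so the step does not look self-contradictory. Step 3 appears twice in the hunk with identical visible text, so that is a whitespace-only change; harmless, but worth confirming it was intended.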
@ -80,20 +68,20 @@ Now that you know the mitigation has been enabled, you can test to see if it wor
Lastly, we can disable the mitigation so that Internet Explorer works properly again:
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
1. Open Windows Security by clicking the shield icon in the task bar or searching the Start menu for **Defender**.
2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then **Exploit protection settings** at the bottom of the screen.
3. Go to the **Program settings** section, scroll down, click **iexplore.exe**, and then **Edit**.
3. Go to the **Program settings** section, scroll down, click **iexplore.exe**, and then **Edit**.
4. Find the **Do not allow child processes** setting and set the switch to **Off**. Click **Apply**
5. Validate that Internet Explorer runs by running it from the run dialog box again. It should open as expected.
## Review Exploit protection events in Windows Event Viewer
## Review exploit protection events in Windows Event Viewer
You can now review the events that Exploit protection sent to the Windows Event log to confirm what happened. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-attack-surface-reduction-events).
You can now review the events that exploit protection sent to the Windows Event Viewer to confirm what happened. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-attack-surface-reduction-events).
1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *ep-events.xml* to an easily accessible location on the machine.
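Review bot: the rewrite changes "the events that Exploit protection sent to the Windows Event log" to "sent to the Windows Event Viewer", which is less accurate: events are written to the event log, and Event Viewer is the tool used to read them. Suggest "the events that exploit protection wrote to the Windows event log" and keep "Event Viewer" for the heading. Both old and new versions also link to the anchor "#list-of-attack-surface-reduction-events" for exploit protection events; check that the anchor points at the exploit protection event list rather than the attack surface reduction one. Unchanged step 4 ("Click **Apply**") is missing its period, and the duplicated step 3 here is again a whitespace-only change.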
@ -105,7 +93,7 @@ You can now review the events that Exploit protection sent to the Windows Event
4. Click **OK**.
5. This will create a custom view that filters to only show the following events related to Exploit protection, which are all listed in the [Exploit protection](exploit-protection-exploit-guard.md) topic.
5. This will create a custom view that filters to only show the events related to exploit protection.
6. The specific event to look for in this demo is event ID 4, which should have the following or similar information:
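Review bot: the rewritten step 5 drops the pointer to where the filtered events are documented ("which are all listed in the [Exploit protection](exploit-protection-exploit-guard.md) topic"); the reader now has no link from this procedure to the list of event IDs that the custom view filters on, which step 6's "event ID 4" depends on. Keep a shortened reference, for example "filters to only show events related to exploit protection (see [Exploit protection](exploit-protection-exploit-guard.md) for the full list)."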
@ -114,21 +102,24 @@ You can now review the events that Exploit protection sent to the Windows Event
## Use audit mode to measure impact
As with other Windows Defender EG features, you can enable Exploit protection in audit mode. You can enable audit mode for individual mitigations.
You can enable exploit protection in audit mode. You can enable audit mode for individual mitigations.
This lets you see a record of what *would* have happened if you had enabled the mitigation.
You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious or malicious events generally occur over a certain period.
See the [**PowerShell reference** section in the Customize Exploit protection topic](customize-exploit-protection.md#powershell-reference) for a list of which mitigations can be audited and instructions on enabling the mode.
See the [**PowerShell reference** section in customize exploit protection](customize-exploit-protection.md#powershell-reference) for a list of which mitigations can be audited and instructions on enabling the mode.
For further details on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md).
For further details on how audit mode works, and when you might want to use it, see [audit Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md).
## Related topics
- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md)
- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md)
- [Enable Exploit protection](enable-exploit-protection.md)
- [Configure and audit Exploit protection mitigations](customize-exploit-protection.md)
- [Import, export, and deploy Exploit protection configurations](import-export-exploit-protection-emet-xml.md)
- [Enable exploit protection](enable-exploit-protection.md)
- [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md)
- [Enable network protection](enable-network-protection.md)
- [Enable controlled folder access](enable-controlled-folder-access.md)
- [Enable attack surface reduction](enable-attack-surface-reduction.md)
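Review bot: the rewritten cross-references read as fragments because the topic titles were lowercased inside running text: "in customize exploit protection" and "see [audit Windows Defender Exploit Guard]". Either keep the linked topic titles as titles ("in the Customize exploit protection topic", "see the audit mode topic") or reword the sentence around them so the lowercase link text reads naturally, matching the style used in the first file's "[audit mode](audit-windows-defender-exploit-guard.md)".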