update capitalization

Iaan D'Souza-Wiltshire 2017-09-28 17:09:01 -07:00
parent dd48997d65
commit 33839645fd
23 changed files with 323 additions and 323 deletions

View File

@ -150,23 +150,23 @@
#### [Use auditing mode to evaluate Windows Defender Exploit Guard](windows-defender-exploit-guard\audit-windows-defender-exploit-guard.md)
#### [View Exploit Guard events](windows-defender-exploit-guard\event-views-exploit-guard.md)
### [Exploit Protection](windows-defender-exploit-guard\exploit-protection-exploit-guard.md)
### [Exploit protection](windows-defender-exploit-guard\exploit-protection-exploit-guard.md)
#### [Comparison with Enhanced Mitigation Experience Toolkit](windows-defender-exploit-guard\emet-exploit-protection-exploit-guard.md)
#### [Evaluate Exploit Protection](windows-defender-exploit-guard\evaluate-exploit-protection.md)
#### [Enable Exploit Protection](windows-defender-exploit-guard\enable-exploit-protection.md)
#### [Customize Exploit Protection](windows-defender-exploit-guard\customize-exploit-protection.md)
##### [Import, export, and deploy Exploit Protection configurations](windows-defender-exploit-guard\import-export-exploit-protection-emet-xml.md)
### [Attack Surface Reduction](windows-defender-exploit-guard\attack-surface-reduction-exploit-guard.md)
#### [Evaluate Attack Surface Reduction](windows-defender-exploit-guard\evaluate-attack-surface-reduction.md)
#### [Enable Attack Surface Reduction](windows-defender-exploit-guard\enable-attack-surface-reduction.md)
#### [Customize Attack Surface Reduction](windows-defender-exploit-guard\customize-attack-surface-reduction.md)
#### [Evaluate Exploit protection](windows-defender-exploit-guard\evaluate-exploit-protection.md)
#### [Enable Exploit protection](windows-defender-exploit-guard\enable-exploit-protection.md)
#### [Customize Exploit protection](windows-defender-exploit-guard\customize-exploit-protection.md)
##### [Import, export, and deploy Exploit protection configurations](windows-defender-exploit-guard\import-export-exploit-protection-emet-xml.md)
### [Attack surface reduction](windows-defender-exploit-guard\attack-surface-reduction-exploit-guard.md)
#### [Evaluate Attack surface reduction](windows-defender-exploit-guard\evaluate-attack-surface-reduction.md)
#### [Enable Attack surface reduction](windows-defender-exploit-guard\enable-attack-surface-reduction.md)
#### [Customize Attack surface reduction](windows-defender-exploit-guard\customize-attack-surface-reduction.md)
### [Network Protection](windows-defender-exploit-guard\network-protection-exploit-guard.md)
#### [Evaluate Network Protection](windows-defender-exploit-guard\evaluate-network-protection.md)
#### [Enable Network Protection](windows-defender-exploit-guard\enable-network-protection.md)
### [Controlled Folder Access](windows-defender-exploit-guard\controlled-folders-exploit-guard.md)
#### [Evaluate Controlled Folder Access](windows-defender-exploit-guard\evaluate-controlled-folder-access.md)
#### [Enable Controlled Folder Access](windows-defender-exploit-guard\enable-controlled-folders-exploit-guard.md)
#### [Customize Controlled Folder Access](windows-defender-exploit-guard\customize-controlled-folders-exploit-guard.md)
### [Controlled folder access](windows-defender-exploit-guard\controlled-folders-exploit-guard.md)
#### [Evaluate Controlled folder access](windows-defender-exploit-guard\evaluate-controlled-folder-access.md)
#### [Enable Controlled folder access](windows-defender-exploit-guard\enable-controlled-folders-exploit-guard.md)
#### [Customize Controlled folder access](windows-defender-exploit-guard\customize-controlled-folders-exploit-guard.md)
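Review bot: The three `Network Protection` entries in this TOC hunk (`### [Network Protection]`, `#### [Evaluate Network Protection]`, `#### [Enable Network Protection]`) keep the old title case while every other feature name around them is lowered, so the TOC ends up with mixed casing. The audit-mode table later in this commit already uses `Network protection`; apply the same casing here, or say in the commit message why this feature is exempt.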

View File

@ -431,7 +431,7 @@ Examples:
Set-ProcessMitigation -Name notepad.exe -Enable SEHOP -Disable MandatoryASLR,DEPATL
```
- **Convert Attack Surface Reduction (ASR) settings to a Code Integrity policy file**: If the input file contains any settings for EMETs Attack Surface Reduction (ASR) mitigation, the converter will also create a Code Integrity policy file. In this case, you can complete the merging, auditing, and deployment process for the Code Integrity policy, as described in [Deploy Device Guard: deploy code integrity policies](/windows/device-security/device-guard/deploy-device-guard-deploy-code-integrity-policies). This will enable protections on Windows 10 equivalent to EMETs ASR protections.
- **Convert Attack surface reduction (ASR) settings to a Code Integrity policy file**: If the input file contains any settings for EMETs Attack surface reduction (ASR) mitigation, the converter will also create a Code Integrity policy file. In this case, you can complete the merging, auditing, and deployment process for the Code Integrity policy, as described in [Deploy Device Guard: deploy code integrity policies](/windows/device-security/device-guard/deploy-device-guard-deploy-code-integrity-policies). This will enable protections on Windows 10 equivalent to EMETs ASR protections.
- **Convert Certificate Trust settings to enterprise certificate pinning rules**: If you have an EMET “Certificate Trust” XML file (pinning rules file), you can also use ConvertTo-ProcessMitigationPolicy to convert the pinning rules file into an enterprise certificate pinning rules file. Then you can finish enabling that file as described in [Enterprise Certificate Pinning](/windows/access-protection/enterprise-certificate-pinning). For example:
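Review bot: On the changed bullet, `EMETs Attack surface reduction (ASR) mitigation` applies the new Exploit Guard casing to a mitigation the line itself attributes to EMET, not to the Windows Defender Exploit Guard feature this commit is restyling. Confirm that the EMET term should follow the same convention; if not, leave it in EMET's own casing. The same line also reads `EMETs` twice where the possessive `EMET's` is meant.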

View File

@ -1,7 +1,7 @@
---
title: Use Attack Surface Reduction rules to prevent malware infection
title: Use Attack surface reduction rules to prevent malware infection
description: ASR rules can help prevent exploits from using apps and scripts to infect machines with malware
keywords: Attack Surface Reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention
keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@ -37,11 +37,11 @@ ms.date: 08/25/2017
- Configuration service providers for mobile device management
Attack Surface Reduction helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
Attack surface reduction helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
Attack Surface Reduction works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).
Attack surface reduction works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).
The feature is comprised of a number of rules, each of which target specific behaviors that are typically used by malware and malicious apps to infect machines, such as:
@ -49,13 +49,13 @@ The feature is comprised of a number of rules, each of which target specific beh
- Scripts that are obfuscated or otherwise suspicious
- Behaviors that apps undertake that are not usually inititated during normal day-to-day work
See the [Attack Surface Reduction rules](#attack-surface-reduction-rules) section in this topic for more information on each rule.
See the [Attack surface reduction rules](#attack-surface-reduction-rules) section in this topic for more information on each rule.
When a rule is triggered, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.
You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Attack Surface Reduction would impact your organization if it were enabled.
You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Attack surface reduction would impact your organization if it were enabled.
## Attack Surface Reduction rules
## Attack surface reduction rules
The following sections describe what each rule does. Each rule is identified by a rule GUID, as in the following table:
@ -125,7 +125,7 @@ It uses the [AntiMalwareScanInterface (AMSI)](https://msdn.microsoft.com/en-us/l
## Requirements
The following requirements must be met before Attack Surface Reduction will work:
The following requirements must be met before Attack surface reduction will work:
Windows 10 version | Windows Defender Antivirus
- | -
@ -134,9 +134,9 @@ Insider Preview build 16232 or later (dated July 1, 2017 or later) | [Windows De
## Review Attack Surface Reduction events in Windows Event Viewer
## Review Attack surface reduction events in Windows Event Viewer
You can review the Windows event log to see events that are created when an Attack Surface Reduction rule is triggered (or audited):
You can review the Windows event log to see events that are created when an Attack surface reduction rule is triggered (or audited):
1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *asr-events.xml* to an easily accessible location on the machine.
@ -150,7 +150,7 @@ You can review the Windows event log to see events that are created when an Atta
4. Click **OK**.
5. This will create a custom view that filters to only show the following events related to Attack Surface Reduction:
5. This will create a custom view that filters to only show the following events related to Attack surface reduction:
Event ID | Description
-|-
@ -172,7 +172,7 @@ You can review the Windows event log to see events that are created when an Atta
Topic | Description
---|---
[Evaluate Attack Surface Reduction](evaluate-attack-surface-reduction.md) | Use a tool to see a number of scenarios that demonstrate how the feature works, and what events would typically be created.
[Enable Attack Surface Reduction](enable-attack-surface-reduction.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage Attack Surface Reduction in your network.
[Customize Attack Surface Reduction](customize-attack-surface-reduction.md) | Exclude specified files and folders from being evaluated by Attack Surface Reduction and customize the notification that appears on a user's machine when a rule blocks an app or file.
[Evaluate Attack surface reduction](evaluate-attack-surface-reduction.md) | Use a tool to see a number of scenarios that demonstrate how the feature works, and what events would typically be created.
[Enable Attack surface reduction](enable-attack-surface-reduction.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage Attack surface reduction in your network.
[Customize Attack surface reduction](customize-attack-surface-reduction.md) | Exclude specified files and folders from being evaluated by Attack surface reduction and customize the notification that appears on a user's machine when a rule blocks an app or file.

View File

@ -34,7 +34,7 @@ You might want to do this when testing how the feature will work in your organiz
While the features will not block or prevent apps, scripts, or files from being modified, the Windows Event Log will record events as if the features were fully enabled. This means you can enable audit mode and then review the event log to see what impact the feature would have had were it enabled.
You can use Windows Defender Advanced Threat Protection to get greater granularity into each event, especially for investigating Attack Surface Reduction rules. Using the Windows Defender ATP console lets you [investigate issues as part of the alert timeline and investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).
You can use Windows Defender Advanced Threat Protection to get greater granularity into each event, especially for investigating Attack surface reduction rules. Using the Windows Defender ATP console lets you [investigate issues as part of the alert timeline and investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).
This topic provides links that describe how to enable the audit functionality for each feature and how to view events in the Windows Event Viewer.
@ -44,10 +44,10 @@ You can use Group Policy, PowerShell, and configuration servicer providers (CSPs
Audit options | How to enable audit mode | How to view events
- | - | -
Audit applies to all events | [Enable Controlled Folder Access](enable-controlled-folders-exploit-guard.md#enable-and-audit-controlled-folder-access) | [Controlled Folder Access events](controlled-folders-exploit-guard.md#review-controlled-folder-access-events-in-windows-event-viewer)
Audit applies to individual rules | [Enable Attack Surface Reduction rules](enable-attack-surface-reduction.md#enable-and-audit-attack-surface-reduction-rules) | [Attack Surface Reduction events](attack-surface-reduction-exploit-guard.md#review-attack-surface-reduction-events-in-windows-event-viewer)
Audit applies to all events | [Enable Network Protection](enable-network-protection.md#enable-and-audit-network-protection) | [Network Protection events](network-protection-exploit-guard.md#review-network-protection-events-in-windows-event-viewer)
Audit applies to individual mitigations | [Enable Exploit Protection](enable-exploit-protection.md#enable-and-audit-exploit-protection) | [Exploit Protection events](exploit-protection-exploit-guard.md#review-exploit-protection-events-in-windows-event-viewer)
Audit applies to all events | [Enable Controlled folder access](enable-controlled-folders-exploit-guard.md#enable-and-audit-controlled-folder-access) | [Controlled folder access events](controlled-folders-exploit-guard.md#review-controlled-folder-access-events-in-windows-event-viewer)
Audit applies to individual rules | [Enable Attack surface reduction rules](enable-attack-surface-reduction.md#enable-and-audit-attack-surface-reduction-rules) | [Attack surface reduction events](attack-surface-reduction-exploit-guard.md#review-attack-surface-reduction-events-in-windows-event-viewer)
Audit applies to all events | [Enable Network protection](enable-network-protection.md#enable-and-audit-network-protection) | [Network protection events](network-protection-exploit-guard.md#review-network-protection-events-in-windows-event-viewer)
Audit applies to individual mitigations | [Enable Exploit protection](enable-exploit-protection.md#enable-and-audit-exploit-protection) | [Exploit protection events](exploit-protection-exploit-guard.md#review-exploit-protection-events-in-windows-event-viewer)
You can also use the a custom PowerShell script that enables the features in audit mode automatically:
@ -58,7 +58,7 @@ You can also use the a custom PowerShell script that enables the features in aud
2. Right-click **Windows PowerShell**, click **Run as administrator** and click **Yes** or enter admin credentials at the prompt.
3. Enter the following in the PowerShell window to enable Controlled Folder Access and Attack Surface Reduction in audie mode:
3. Enter the following in the PowerShell window to enable Controlled folder access and Attack surface reduction in audie mode:
```PowerShell
Set-ExecutionPolicy Bypass -Force
<location>\Enable-ExploitGuardAuditMode.ps1
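Review bot: The rewritten step 3 line still says `audie mode`; since the line is being changed anyway, correct it to `audit mode`. Separately, the context line `Set-ExecutionPolicy Bypass -Force` carries no `-Scope`, so following the step changes the execution policy beyond the current session. Consider `Set-ExecutionPolicy Bypass -Scope Process -Force`, plus a sentence telling the reader what policy is in effect afterwards.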
@ -76,7 +76,7 @@ Topic | Description
- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md)
- [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md)
- [Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md)
- [Protect important folders with Controlled Folder Access](controlled-folders-exploit-guard.md)
- [Protect important folders with Controlled folder access](controlled-folders-exploit-guard.md)

View File

@ -16,7 +16,7 @@ ms.date: 08/25/2017
# Protect important folders with Controlled Folder Access
# Protect important folders with Controlled folder access
**Applies to:**
@ -38,11 +38,11 @@ ms.date: 08/25/2017
- Configuration service providers for mobile device management
Controlled Folder Access helps you protect valuable data from malicious apps and threats, such as ransomware.
Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware.
It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
Controlled Folder Access works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).
Controlled folder access works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).
All apps (any executable file, including .exe, .scr, .dll files and others) are assessed by Windows Defender Antivirus, which then determines if the app is malicious or safe. If the app is determined to be malicious or suspicious, then it will not be allowed to make changes to any files in any protected folder.
@ -52,22 +52,22 @@ A notification will appear on the machine where the app attempted to make change
The protected folders include common system folders, and you can [add additional folders](customize-controlled-folders-exploit-guard.md#protect-additional-folders). You can also [allow or whitelist apps](customize-controlled-folders-exploit-guard.md#allow-specifc-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders.
As with other features of Windows Defender Exploit Guard, you can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Controlled Folder Access would impact your organization if it were enabled.
As with other features of Windows Defender Exploit Guard, you can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Controlled folder access would impact your organization if it were enabled.
## Requirements
The following requirements must be met before Controlled Folder Access will work:
The following requirements must be met before Controlled folder access will work:
Windows 10 version | Windows Defender Antivirus
-|-
Insider Preview build 16232 or later (dated July 1, 2017 or later) | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) must be enabled
## Review Controlled Folder Access events in Windows Event Viewer
## Review Controlled folder access events in Windows Event Viewer
You can review the Windows event log to see events that are created when Controlled Folder Access blocks (or audits) an app:
You can review the Windows event log to see events that are created when Controlled folder access blocks (or audits) an app:
1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the machine.
@ -81,19 +81,19 @@ You can review the Windows event log to see events that are created when Control
4. Click **OK**.
5. This will create a custom view that filters to only show the following events related to Controlled Folder Access:
5. This will create a custom view that filters to only show the following events related to Controlled folder access:
Event ID | Description
-|-
5007 | Event when settings are changed
1124 | Audited Controlled Folder Access event
1123 | Blocked Controlled Folder Access event
1124 | Audited Controlled folder access event
1123 | Blocked Controlled folder access event
## In this section
Topic | Description
---|---
[Evaluate Controlled Folder Access](evaluate-controlled-folder-access.md) | Use a dedicated demo tool to see how Controlled Folder Access works, and what events would typically be created.
[Enable Controlled Folder Access](enable-controlled-folders-exploit-guard.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage Controlled Folder Access in your network
[Customize Controlled Folder Access](customize-controlled-folders-exploit-guard.md) | Add additional protected folders, and allow specified apps to access protected folders.
[Evaluate Controlled folder access](evaluate-controlled-folder-access.md) | Use a dedicated demo tool to see how Controlled folder access works, and what events would typically be created.
[Enable Controlled folder access](enable-controlled-folders-exploit-guard.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage Controlled folder access in your network
[Customize Controlled folder access](customize-controlled-folders-exploit-guard.md) | Add additional protected folders, and allow specified apps to access protected folders.

View File

@ -1,7 +1,7 @@
---
title: Configure how ASR works to finetune protection in your network
description: You can individually set rules in audit, block, or disabled modes, and add files and folders that should be excluded from ASR
keywords: Attack Surface Reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, customize, configure, exclude
keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, customize, configure, exclude
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@ -14,7 +14,7 @@ ms.author: iawilt
ms.date: 08/25/2017
---
# Customize Attack Surface Reduction
# Customize Attack surface reduction
**Applies to:**
@ -35,15 +35,15 @@ ms.date: 08/25/2017
- Configuration service providers for mobile device management
Attack Surface Reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
Attack surface reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
This topic describes how to customize Attack Surface Reduction by [excluding files and folders](#exclude-files-and-folders) or [adding custom text to the notification](#customize-the-notification) alert that appears on a user's computer.
This topic describes how to customize Attack surface reduction by [excluding files and folders](#exclude-files-and-folders) or [adding custom text to the notification](#customize-the-notification) alert that appears on a user's computer.
You can use Group Policy, PowerShell, and MDM CSPs to configure these settings.
## Exclude files and folders
You can exclude files and folders from being evaluated by Attack Surface Reduction rules.
You can exclude files and folders from being evaluated by Attack surface reduction rules.
You can specify individual files or folders (using folder paths or fully qualified resource names) but you cannot specify if the exclusions should only be applied to individual rules: the exclusions will apply to all rules that are enabled (or placed in audit mode).
@ -55,9 +55,9 @@ You can specify individual files or folders (using folder paths or fully qualifi
4. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack Surface Reduction**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack surface reduction**.
6. Double-click the **Exclude files and paths from Attack Surface Reduction Rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item.
6. Double-click the **Exclude files and paths from Attack surface reduction Rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item.
### Use PowerShell to exclude files and folderss
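Review bot: In step 6 the bolded setting name becomes `Exclude files and paths from Attack surface reduction Rules`, which mixes the new casing with a still-capitalized `Rules`, and both it and the step 5 tree node are quoted UI labels. Check them against the strings the Group Policy editor actually shows and keep the docs identical to those, since readers find the setting by matching the text. The trailing context heading `### Use PowerShell to exclude files and folderss` also has a doubled `s`.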
@ -89,6 +89,6 @@ See the [Windows Defender Security Center](../windows-defender-security-center/w
## Related topics
- [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md)
- [Enable Attack Surface Reduction](enable-attack-surface-reduction.md)
- [Evaluate Attack Surface Reduction](evaluate-attack-surface-reduction.md)
- [Enable Attack surface reduction](enable-attack-surface-reduction.md)
- [Evaluate Attack surface reduction](evaluate-attack-surface-reduction.md)

View File

@ -1,7 +1,7 @@
---
title: Add additional folders and apps to be protected by Windows 10
description: Add additional folders that should be protected by Controlled Folder Access, or whitelist apps that are incorrectly blocking changes to important files.
keywords: controlled folder access, windows 10, windows defender, ransomware, protect, files, folders, customize, add folder, add app, whitelist, add executable
description: Add additional folders that should be protected by Controlled folder access, or whitelist apps that are incorrectly blocking changes to important files.
keywords: Controlled folder access, windows 10, windows defender, ransomware, protect, files, folders, customize, add folder, add app, whitelist, add executable
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
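Review bot: The rewritten `description:` line says to whitelist `apps that are incorrectly blocking changes to important files`, but the apps are the ones being blocked, as the body of this topic puts it (`a particular app that you know and trust is being blocked`). Since the line is being touched, reword it to something like `apps that are incorrectly blocked from changing important files`.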
@ -16,7 +16,7 @@ ms.date: 08/25/2017
# Customize Controlled Folder Access
# Customize Controlled folder access
**Applies to:**
@ -38,20 +38,20 @@ ms.date: 08/25/2017
- Configuration service providers for mobile device management
Controlled Folder Access helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
This topic describes how to customize the following settings of the Controlled Folder Access feature with the Windows Defender Security Center app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs):
This topic describes how to customize the following settings of the Controlled folder access feature with the Windows Defender Security Center app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs):
- [Add additional folders to be protected](#protect-additional-folders)
- [Add apps that should be allowed to access protected folders](#allow-specifc-apps-to-make-changes-to-controlled-folders)
## Protect additional folders
Controlled Folder Access applies to a number of system folders and default locations, including folders such as Documents, Pictures, Movies, and Desktop.
Controlled folder access applies to a number of system folders and default locations, including folders such as Documents, Pictures, Movies, and Desktop.
You can add additional folders to be protected, but you cannot remove the default folders in the default list.
Adding other folders to Controlled Folder Access can be useful, for example, if you dont store files in the default Windows libraries or youve changed the location of the libraries away from the defaults.
Adding other folders to Controlled folder access can be useful, for example, if you dont store files in the default Windows libraries or youve changed the location of the libraries away from the defaults.
You can also enter network shares and mapped drives, but environment variables and wildcards are not supported.
@ -80,7 +80,7 @@ You can use the Windows Defender Security Center app or Group Policy to add and
4. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled Folder Access**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access**.
6. Double-click the **Configured protected folders** setting and set the option to **Enabled**. Click **Show** and enter each folder.
@ -115,7 +115,7 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersList](https://docs.m
## Allow specifc apps to make changes to controlled folders
You can specify if certain apps should always be considered safe and given write access to files in protected folders. Allowing apps can be useful if youre finding a particular app that you know and trust is being blocked by the Controlled Folder Access feature.
You can specify if certain apps should always be considered safe and given write access to files in protected folders. Allowing apps can be useful if youre finding a particular app that you know and trust is being blocked by the Controlled folder access feature.
>[!IMPORTANT]
>By default, Windows adds apps that it considers friendly to the allowed list - apps added automatically by Windows are not recorded in the list shown in the Windows Defender Security Center app or by using the associated PowerShell cmdlets.
@ -124,7 +124,7 @@ You can specify if certain apps should always be considered safe and given write
You can use the Windows Defender Security Center app or Group Policy to add and remove apps that should be allowed to access protected folders.
When you add an app, you have to specify the app's location. Only the app in that location will be permitted access to the protected folders - if the app (with the same name) is located in a different location, then it will not be added to the whitelist and may be blocked by Controlled Folder Access.
When you add an app, you have to specify the app's location. Only the app in that location will be permitted access to the protected folders - if the app (with the same name) is located in a different location, then it will not be added to the whitelist and may be blocked by Controlled folder access.
### Use the Windows Defender Security app to whitelist specific apps
@ -148,7 +148,7 @@ When you add an app, you have to specify the app's location. Only the app in tha
4. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled Folder Access**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access**.
6. Double-click the **Configure allowed applications** setting and set the option to **Enabled**. Click **Show** and enter each app as Value? Or Value Name? what are the requirements? Have to be exe? Do you have to enter fully qualified path, or will it apply to any .exe with that name?
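Review bot: Step 6 in the trailing context still contains unresolved author questions (`enter each app as Value? Or Value Name? what are the requirements? Have to be exe?`) in published text. This is the step where an admin grants an app write access to protected folders, so the expected entry format (full path or file name) needs to be stated before this ships; the prose earlier in the topic already says only the app at the specified location is allowed.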
@ -189,6 +189,6 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersAllowedApplications]
See the [Windows Defender Security Center](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file.
## Related topics
- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md)
- [Enable Controlled Folder Access](enable-controlled-folders-exploit-guard.md)
- [Protect important folders with Controlled folder access](controlled-folders-exploit-guard.md)
- [Enable Controlled folder access](enable-controlled-folders-exploit-guard.md)
- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)

View File

@ -1,6 +1,6 @@
---
title: Enable or disable specific mitigations used by Exploit Protection
keywords: exploit protection, mitigations, enable, powershell, dep, cfg, emet, aslr
title: Enable or disable specific mitigations used by Exploit protection
keywords: Exploit protection, mitigations, enable, powershell, dep, cfg, emet, aslr
description: You can enable individual mitigations using the Windows Defender Security Center app or PowerShell. You can also audit mitigations and export configurations.
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
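Review bot: The `keywords:` line picks up the same replacement as the title, turning `exploit protection` into `Exploit protection` while every other keyword on that line stays lowercase. This looks like a side effect of a global find-and-replace rather than an intended change. Consider reverting the keywords line and limiting the rename to the title and body text.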
@ -14,7 +14,7 @@ ms.author: iawilt
ms.date: 08/25/2017
---
# Customize Exploit Protection
# Customize Exploit protection
**Applies to:**
@ -35,18 +35,18 @@ ms.date: 08/25/2017
Exploit Protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps.
Exploit protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps.
It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
You configure these settings using the Windows Defender Security Center on an individual machine, and then export the configuration as an XML file that you can deploy to other machines. You can use Group Policy to distribute the XML file to multiple devices at once. You can also configure the mitigations with PowerShell.
This topic lists each of the mitigations available in Exploit Protection, indicates whether the mitigation can be applied system-wide or to individual apps, and provides a brief description of how the mitigation works.
This topic lists each of the mitigations available in Exploit protection, indicates whether the mitigation can be applied system-wide or to individual apps, and provides a brief description of how the mitigation works.
It also describes how to enable or configure the mitigations using Windows Defender Security Center, PowerShell, and MDM CSPs. This is the first step in creating a configuration that you can deploy across your network. The next step involves [generating or exporting, importing, and deploying the configuration to multiple devices](import-export-exploit-protection-emet-xml.md).
## Exploit Protection mitigations
## Exploit protection mitigations
All mitigations can be configured for individual apps. Some mitigations can also be applied at the operating system level.
@ -180,7 +180,7 @@ Exporting the configuration as an XML file allows you to copy the configuration
## PowerShell reference
You can use the Windows Defender Security Center app to configure exploit protection, or you can use PowerShell cmdlets.
You can use the Windows Defender Security Center app to configure Exploit protection, or you can use PowerShell cmdlets.
The configuration settings that were most recently modified will always be applied - regardless of whether you use PowerShell or Windows Defender Security Center. This means that if you use the app to configure a mitigation, then use PowerShell to configure the same mitigation, the app will update to show the changes you made with PowerShell. If you were to then use the app to change the mitigation again, that change would apply.
@ -295,6 +295,6 @@ See the [Windows Defender Security Center](../windows-defender-security-center/w
- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md)
- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md)
- [Evaluate Exploit Protection](evaluate-exploit-protection.md)
- [Enable Exploit Protection](enable-exploit-protection.md)
- [Import, export, and deploy Exploit Protection configurations](import-export-exploit-protection-emet-xml.md)
- [Evaluate Exploit protection](evaluate-exploit-protection.md)
- [Enable Exploit protection](enable-exploit-protection.md)
- [Import, export, and deploy Exploit protection configurations](import-export-exploit-protection-emet-xml.md)

View File

@ -1,7 +1,7 @@
---
title: Compare the features in Exploit Protection with EMET
title: Compare the features in Exploit protection with EMET
keywords: emet, enhanced mitigation experience toolkit, configuration, exploit
description: Exploit Protection in Windows 10 provides advanced configuration over the settings offered in EMET.
description: Exploit protection in Windows 10 provides advanced configuration over the settings offered in EMET.
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@ -37,10 +37,10 @@ We're still working on this content and will have it published soon!
Check out the following topics for more information about Exploit Protection:
Check out the following topics for more information about Exploit protection:
- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md)
- [Evaluate Exploit Protection](evaluate-exploit-protection.md)
- [Enable Exploit Protection](enable-exploit-protection.md)
- [Configure and audit Exploit Protection mitigations](customize-exploit-protection.md)
- [Import, export, and deploy Exploit Protection configurations](import-export-exploit-protection-emet-xml.md)
- [Evaluate Exploit protection](evaluate-exploit-protection.md)
- [Enable Exploit protection](enable-exploit-protection.md)
- [Configure and audit Exploit protection mitigations](customize-exploit-protection.md)
- [Import, export, and deploy Exploit protection configurations](import-export-exploit-protection-emet-xml.md)

View File

@ -1,7 +1,7 @@
---
title: Enable ASR rules individually to protect your organization
description: Enable ASR rules to protect your devices from attacks the use macros, scripts, and common injection techniques
keywords: Attack Surface Reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, enable, turn on
keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, enable, turn on
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
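Review bot: The unchanged `description:` line in this front matter reads "attacks the use macros", which should be "attacks that use macros". The commit already edits the adjacent keywords line, so the typo can be fixed in the same pass.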
@ -15,7 +15,7 @@ ms.date: 08/25/2017
---
# Enable Attack Surface Reduction
# Enable Attack surface reduction
**Applies to:**
@ -36,17 +36,17 @@ ms.date: 08/25/2017
- Configuration service providers for mobile device management
Attack Surface Reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
Attack surface reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
## Enable and audit Attack Surface Reduction rules
## Enable and audit Attack surface reduction rules
You can use Group Policy, PowerShell, or MDM CSPs to configure the state or mode for each rule. This can be useful if you only want to enable some rules, or you want to enable rules individually in audit mode.
For further details on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md).
Attack Surface Reduction rules are identified by their unique rule ID.
Attack surface reduction rules are identified by their unique rule ID.
You can manually add the rules by using the GUIDs in the following table:
@ -60,9 +60,9 @@ Impede JavaScript and VBScript to launch executables | D3E037E1-3EB8-44C8-A917-5
Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
Block Win32 imports from Macro code in Office | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
See the [Attack Surface Reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule.
See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule.
### Use Group Policy to enable Attack Surface Reduction rules
### Use Group Policy to enable Attack surface reduction rules
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
@ -71,9 +71,9 @@ See the [Attack Surface Reduction](attack-surface-reduction-exploit-guard.md) to
4. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack Surface Reduction**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack surface reduction**.
6. Double-click the **Configure Attack Surface Reduction rules** setting and set the option to **Enabled**. You can then set the individual state for each rule in the options section:
6. Double-click the **Configure Attack surface reduction rules** setting and set the option to **Enabled**. You can then set the individual state for each rule in the options section:
- Click **Show...** and enter the rule ID in the **Value name** column and your desired state in the **Value** column as follows:
- Block mode = 1
- Disabled = 0
@ -84,7 +84,7 @@ See the [Attack Surface Reduction](attack-surface-reduction-exploit-guard.md) to
### Use PowerShell to enable Attack Surface Reduction rules
### Use PowerShell to enable Attack surface reduction rules
1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
2. Enter the following cmdlet:
@ -120,7 +120,7 @@ You can also the `Add-MpPreference` PowerShell verb to add new rules to the exis
>You can obtain a list of rules and their current state by using `Get-MpPreference`
### Use MDM CSPs to enable Attack Surface Reduction rules
### Use MDM CSPs to enable Attack surface reduction rules
Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductionrules) configuration service provider (CSP) to individually enable and set the mode for each rule.
@ -130,5 +130,5 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https
## Related topics
- [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md)
- [Customize Attack Surface Reduction](customize-attack-surface-reduction.md)
- [Evaluate Attack Surface Reduction](evaluate-attack-surface-reduction.md)
- [Customize Attack surface reduction](customize-attack-surface-reduction.md)
- [Evaluate Attack surface reduction](evaluate-attack-surface-reduction.md)

View File

@ -1,7 +1,7 @@
---
title: Turn on the protected folders feature in Windows 10
keywords: controlled folder access, windows 10, windows defender, ransomware, protect, files, folders, enable, turn on, use
description: Learn how to protect your important files by enabling Controlled Folder Access
keywords: Controlled folder access, windows 10, windows defender, ransomware, protect, files, folders, enable, turn on, use
description: Learn how to protect your important files by enabling Controlled folder access
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@ -16,7 +16,7 @@ ms.date: 08/25/2017
# Enable Controlled Folder Access
# Enable Controlled folder access
**Applies to:**
@ -38,19 +38,19 @@ ms.date: 08/25/2017
- Configuration service providers for mobile device management
Controlled Folder Access helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
This topic describes how to enable Controlled Folder Access with the Windows Defender Security Center app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs).
This topic describes how to enable Controlled folder access with the Windows Defender Security Center app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs).
## Enable and audit Controlled Folder Access
## Enable and audit Controlled folder access
You can enable Controlled Folder Access with the Windows Defender Security Center app, Group Policy, PowerShell, or MDM CSPs. You can also set the feature to audit mode. Audit mode allows you to test how the feature would work (and review events) without impacting the normal use of the machine.
You can enable Controlled folder access with the Windows Defender Security Center app, Group Policy, PowerShell, or MDM CSPs. You can also set the feature to audit mode. Audit mode allows you to test how the feature would work (and review events) without impacting the normal use of the machine.
For further details on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md).
### Use the Windows Defender Security app to enable Controlled Folder Access
### Use the Windows Defender Security app to enable Controlled folder access
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
@ -62,7 +62,7 @@ For further details on how audit mode works, and when you might want to use it,
![](images/cfa-on.png)
### Use Group Policy to enable Controlled Folder Access
### Use Group Policy to enable Controlled folder access
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
@ -70,19 +70,19 @@ For further details on how audit mode works, and when you might want to use it,
4. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled Folder Access**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access**.
6. Double-click the **Configure controlled folder access** setting and set the option to **Enabled**. In the options section you must specify one of the following:
6. Double-click the **Configure Controlled folder access** setting and set the option to **Enabled**. In the options section you must specify one of the following:
- **Enable** - Malicious and suspicious apps will not be allowed to make changes to files in protected folders. A notification will be provided in the Windows event log
- **Disable (Default)** - The Controlled Folder Access feature will not work. All apps can make changes to files in protected folders.
- **Disable (Default)** - The Controlled folder access feature will not work. All apps can make changes to files in protected folders.
- **Audit Mode** - If a malicious or suspicious app attempts to make a change to a file in a protected folder, the change will be allowed but will be recorded in the Windows event log. This allows you to assess the impact of this feature on your organization.
![](images/cfa-gp-enable.png)
>[!IMPORTANT]
>To fully enable the Controlled Folder Access feature, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu.
>To fully enable the Controlled folder access feature, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu.
### Use PowerShell to enable Controlled Folder Access
### Use PowerShell to enable Controlled folder access
1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
2. Enter the following cmdlet:
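Review bot: Steps 5 and 6 rewrite bolded UI strings, the Group Policy tree node **Controlled Folder Access** and the setting name **Configure controlled folder access**, and they change in opposite directions (one loses capitals, the other gains one). Bold labels should match what the Group Policy editor displays, because administrators locate the setting by that name. Check both strings against the administrative template and exclude UI labels from the style rename if they differ.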
@ -95,13 +95,13 @@ You can enable the feauting in audit mode by specifying `AuditMode` instead of `
Use `Disabled` to turn the feature off.
### Use MDM CSPs to enable Controlled Folder Access
### Use MDM CSPs to enable Controlled folder access
Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersList](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-guardedfolderslist) configuration service provider (CSP) to allow apps to make changes to protected folders.
## Related topics
- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md)
- [Customize Controlled Folder Access](customize-controlled-folders-exploit-guard.md)
- [Protect important folders with Controlled folder access](controlled-folders-exploit-guard.md)
- [Customize Controlled folder access](customize-controlled-folders-exploit-guard.md)
- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)
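Review bot: Under the heading "Use MDM CSPs to enable Controlled folder access", the unchanged sentence links the `GuardedFoldersList` CSP and describes it as a way "to allow apps to make changes to protected folders", which neither matches the CSP name nor explains how to turn the feature on. It reads like text copied from the customize topic, where `GuardedFoldersAllowedApplications` serves that purpose. Confirm which CSP node sets the enabled, audit or disabled state and correct the link and description. The section context shown in the hunk header also contains the typo "feauting".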

View File

@ -1,7 +1,7 @@
---
title: Turn on Exploit Protection to help mitigate against attacks
title: Turn on Exploit protection to help mitigate against attacks
keywords: exploit, mitigation, attacks, vulnerability
description: Exploit Protection in Windows 10 provides advanced configuration over the settings offered in EMET.
description: Exploit protection in Windows 10 provides advanced configuration over the settings offered in EMET.
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@ -16,7 +16,7 @@ ms.date: 08/25/2017
# Enable Exploit Protection
# Enable Exploit protection
**Applies to:**
@ -38,27 +38,27 @@ ms.date: 08/25/2017
Exploit Protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level.
Exploit protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level.
Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) are included in Exploit Protection.
Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) are included in Exploit protection.
It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
## Enable and audit Exploit Protection
## Enable and audit Exploit protection
You enable and configure each Exploit Protection mitigation separately. Some mitigations apply to the entire operating system, while others can be targeted towards specific apps.
You enable and configure each Exploit protection mitigation separately. Some mitigations apply to the entire operating system, while others can be targeted towards specific apps.
The mitigations available in Exploit Protection are enabled or configured to their default values automatically in Windows 10. However, you can customize the configuration to suit your organization and then deploy that configuration across your network.
The mitigations available in Exploit protection are enabled or configured to their default values automatically in Windows 10. However, you can customize the configuration to suit your organization and then deploy that configuration across your network.
You can also set mitigations to audit mode. Audit mode allows you to test how the mitigations would work (and review events) without impacting the normal use of the machine.
For background information on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md).
You can also convert an existing EMET configuration file (in XML format) and import it into Exploit Protection. This is useful if you have been using EMET and have a customized series of policies and mitigations that you want to keep using.
You can also convert an existing EMET configuration file (in XML format) and import it into Exploit protection. This is useful if you have been using EMET and have a customized series of policies and mitigations that you want to keep using.
See the following topics for instructions on configuring Exploit Protection mitigations and importing, exporting, and converting configurations:
See the following topics for instructions on configuring Exploit protection mitigations and importing, exporting, and converting configurations:
1. [Configure the mitigations you want to enable or audit](customize-exploit-protection.md)
2. [Export the configuration to an XML file that you can use to deploy the configuration to multiple machines](import-export-exploit-protection-emet-xml.md).
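Review bot: The first changed line keeps the broken phrase "Exploit protection applies helps protect devices"; one of the two verbs should go ("Exploit protection helps protect devices ..."). The same sentence has "malware that use exploits", which needs subject-verb agreement ("malware that uses exploits").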
@ -68,9 +68,9 @@ See the following topics for instructions on configuring Exploit Protection miti
- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md)
- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md)
- [Evaluate Exploit Protection](evaluate-exploit-protection.md)
- [Configure and audit Exploit Protection mitigations](customize-exploit-protection.md)
- [Import, export, and deploy Exploit Protection configurations](import-export-exploit-protection-emet-xml.md)
- [Evaluate Exploit protection](evaluate-exploit-protection.md)
- [Configure and audit Exploit protection mitigations](customize-exploit-protection.md)
- [Import, export, and deploy Exploit protection configurations](import-export-exploit-protection-emet-xml.md)

View File

@ -1,7 +1,7 @@
---
title: Turn Network Protection on
description: Enable Network Protection with Group Policy, PowerShell, or MDM CSPs
keywords: ANetwork Protection, exploits, malicious website, ip, domain, domains, enable, turn on
title: Turn Network protection on
description: Enable Network protection with Group Policy, PowerShell, or MDM CSPs
keywords: ANetwork protection, exploits, malicious website, ip, domain, domains, enable, turn on
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
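Review bot: The `keywords:` line carries the typo `ANetwork` through the rename (`ANetwork Protection` becomes `ANetwork protection`). Drop the stray leading "A" so the keyword matches the feature name used in the title and description.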
@ -15,7 +15,7 @@ ms.date: 08/25/2017
---
# Enable Network Protection
# Enable Network protection
**Applies to:**
@ -36,19 +36,19 @@ ms.date: 08/25/2017
- Configuration service providers for mobile device management
Network Protection is a feature that is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). It helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
Network protection is a feature that is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). It helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
This topic describes how to enable Network Protection with Group Policy, PowerShell cmdlets, and configuration service providers (CSPs) for mobile device management (MDM).
This topic describes how to enable Network protection with Group Policy, PowerShell cmdlets, and configuration service providers (CSPs) for mobile device management (MDM).
## Enable and audit Network Protection
## Enable and audit Network protection
You can enable Network Protection in either audit or block mode with Group Policy, PowerShell, or MDM settings with CSP.
You can enable Network protection in either audit or block mode with Group Policy, PowerShell, or MDM settings with CSP.
For background information on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md).
### Use Group Policy to enable or audit Network Protection
### Use Group Policy to enable or audit Network protection
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
@ -57,19 +57,19 @@ For background information on how audit mode works, and when you might want to u
4. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Network Protection**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Network protection**.
6. Double-click the **Prevent users and apps from accessing dangerous websites** setting and set the option to **Enabled**. In the options section you must specify one of the following:
- **Block** - Users will not be able to access malicious IP addresses and domains
- **Disable (Default)** - The Network Protection feature will not work. Users will not be blocked from accessing malicious domains
- **Disable (Default)** - The Network protection feature will not work. Users will not be blocked from accessing malicious domains
- **Audit Mode** - If a user visits a malicious IP address or domain, an event will be recorded in the Windows event log but the user will not be blocked from visiting the address.
>[!IMPORTANT]
>To fully enable the Network Protection feature, you must set the Group Policy option to **Enabled** and also select **Block** in the options drop-down menu.
>To fully enable the Network protection feature, you must set the Group Policy option to **Enabled** and also select **Block** in the options drop-down menu.
### Use PowerShell to enable or audit Network Protection
### Use PowerShell to enable or audit Network protection
1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
2. Enter the following cmdlet:
@ -88,13 +88,13 @@ Use `Disabled` insead of `AuditMode` or `Enabled` to turn the feature off.
### Use MDM CSPs to enable or audit Network Protection
### Use MDM CSPs to enable or audit Network protection
Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection) configuration service provider (CSP) to enable and configure Network Protection.
Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection) configuration service provider (CSP) to enable and configure Network protection.
## Related topics
- [Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md)
- [Evaluate Network Protection](evaluate-network-protection.md)
- [Evaluate Network protection](evaluate-network-protection.md)

View File

@ -1,7 +1,7 @@
---
title: Use a demo to see how ASR can help protect your devices
description: The custom demo tool lets you create sample malware infection scenarios so you can see how ASR would block and prevent attacks
keywords: Attack Surface Reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, evaluate, test, demo
keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, evaluate, test, demo
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@ -15,7 +15,7 @@ ms.date: 08/25/2017
---
# Evaluate Attack Surface Reduction rules
# Evaluate Attack surface reduction rules
**Applies to:**
@ -37,18 +37,18 @@ ms.date: 08/25/2017
Attack Surface Reduction is a feature that is part of Windows Defender Exploit Guard [that helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines](attack-surface-reduction-exploit-guard.md).
Attack surface reduction is a feature that is part of Windows Defender Exploit Guard [that helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines](attack-surface-reduction-exploit-guard.md).
This topic helps you evaluate Attack Surface Reduction. It explains how to demo the feature using a specialized tool, and how to enable audit mode so you can test the feature directly in your organisation.
This topic helps you evaluate Attack surface reduction. It explains how to demo the feature using a specialized tool, and how to enable audit mode so you can test the feature directly in your organisation.
>[!NOTE]
>This topic uses a customized testing tool and PowerShell cmdlets to make it easy to enable the feature and test it.
>For instructions on how to use Group Policy, Mobile Device Management (MDM), and System Center Configuration Manager to deploy these settings across your network, see the main [Attack Surface Reduction topic](attack-surface-reduction-exploit-guard.md).
>For instructions on how to use Group Policy, Mobile Device Management (MDM), and System Center Configuration Manager to deploy these settings across your network, see the main [Attack surface reduction topic](attack-surface-reduction-exploit-guard.md).
## Use the demo tool to see how Attack Surface Reduction works
## Use the demo tool to see how Attack surface reduction works
Use the **ExploitGuard ASR test tool** app to see how Attack Surface Reduction rules are applied in certain key protection and high-risk scenarios. These scenarios are typical infection vectors for malware that use exploits to spread and infect machines.
Use the **ExploitGuard ASR test tool** app to see how Attack surface reduction rules are applied in certain key protection and high-risk scenarios. These scenarios are typical infection vectors for malware that use exploits to spread and infect machines.
The tool is part of the Windows Defender Exploit Guard evaluation package:
- [Download the Exploit Guard Evaluation Package](https://aka.ms/mp7z2w)
@ -62,7 +62,7 @@ When you run a scenario, you will see what the scenario entails, what the rule i
Each scenario creates a fake or sample file or behavior that the rule would target and, if the rule was enabled, block from running.
>[!IMPORTANT]
>The settings you change while using this tool will be cleared when you close the tool. If you want to test the feature in a production environment, you should consider using [audit mode to measure impact](#use-audit-mode-to-measure-impact), or see the main [Attack Surface Reduction topic](attack-surface-reduction-exploit-guard.md).
>The settings you change while using this tool will be cleared when you close the tool. If you want to test the feature in a production environment, you should consider using [audit mode to measure impact](#use-audit-mode-to-measure-impact), or see the main [Attack surface reduction topic](attack-surface-reduction-exploit-guard.md).
**Run a rule using the demo tool:**
@ -93,9 +93,9 @@ Choosing the **Mode** will change how the rule functions:
Mode option | Description
-|-
Disabled | The rule will not fire and no event will be recorded. This is the same as if you had not enabled Attack Surface Reduction at all.
Block | The rule will fire and the suspicious behavior will be blocked from running. An event will be recorded in the event log. This is the same as if you had enabled Attack Surface Reduction.
Audit | The rule wil fire, but the suspicious behavior will **not** be blocked from running. An event will be recorded in the event log as if the rule did block the behavior. This allows you to see how Attack Surface Reduction will work but without impacting how you use the machine.
Disabled | The rule will not fire and no event will be recorded. This is the same as if you had not enabled Attack surface reduction at all.
Block | The rule will fire and the suspicious behavior will be blocked from running. An event will be recorded in the event log. This is the same as if you had enabled Attack surface reduction.
Audit | The rule wil fire, but the suspicious behavior will **not** be blocked from running. An event will be recorded in the event log as if the rule did block the behavior. This allows you to see how Attack surface reduction will work but without impacting how you use the machine.
Block mode will cause a notification to appear on the user's desktop:
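Review bot: the Audit row still reads "The rule wil fire" on both the removed and the added line. This row is being rewritten for capitalization anyway, so correct it to "The rule will fire" in the same change rather than carrying the typo forward.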
@ -181,7 +181,7 @@ Malware and other threats can attempt to obfuscate or hide their malicious code
- Potentially obfuscated scripts will be blocked when an attempt is made to access them
## Review Attack Surface Reduction events in Windows Event Viewer
## Review Attack surface reduction events in Windows Event Viewer
You can also review the Windows event log to see the events there were created when using the tool. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-all-windows-defender-exploit-guard-events).
@ -193,7 +193,7 @@ You can also review the Windows event log to see the events there were created w
4. Click **OK**.
5. This will create a custom view that filters to only show the following events related to Attack Surface Reduction:
5. This will create a custom view that filters to only show the following events related to Attack surface reduction:
Event ID | Description
-|-
@ -204,7 +204,7 @@ Event ID | Description
## Use audit mode to measure impact
You can also enable the Attack Surface Reduction feature in audit mode. This lets you see a record of what apps would have been blocked if you had enabled the feature.
You can also enable the Attack surface reduction feature in audit mode. This lets you see a record of what apps would have been blocked if you had enabled the feature.
You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how often the rules will fire during normal use.
@ -214,19 +214,19 @@ To enable audit mode, use the following PowerShell cmdlet:
Set-MpPreference -AttackSurfaceReductionRules_Actions AuditMode
```
This enables all Attack Surface Reduction rules in audit mode.
This enables all Attack surface reduction rules in audit mode.
>[!TIP]
>If you want to fully audit how Attack Surface Reduction will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s).
You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Attack Surface Reduction topic](attack-surface-reduction-exploit-guard.md).
>If you want to fully audit how Attack surface reduction will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s).
You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Attack surface reduction topic](attack-surface-reduction-exploit-guard.md).
## Customize Attack Surface Reduction
## Customize Attack surface reduction
During your evaluation, you may wish to configure each rule individualy or exclude certain files and processes from being evaluated by the feature.
See the [Customize Exploit Protection](customize-exploit-protection.md) topic for information on configuring the feature with management tools, including Group Policy and MDM CSP policies.
See the [Customize Exploit protection](customize-exploit-protection.md) topic for information on configuring the feature with management tools, including Group Policy and MDM CSP policies.
## Related topics
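Review bot: in the "Customize Attack surface reduction" section the cross-reference is "See the [Customize Exploit protection](customize-exploit-protection.md) topic", which sends readers to a different feature's page. The table of contents touched by this same commit lists customize-attack-surface-reduction.md, so the link text and target should most likely point there; please confirm and fix while the line is being edited. The context line above it also has "individualy", which should be "individually".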

View File

@ -1,7 +1,7 @@
---
title: See how CFA can help protect files from being changed by malicious apps
description: Use a custom tool to see how Controlled Folder Access works in Windows 10.
keywords: controlled folder access, windows 10, windows defender, ransomware, protect, evaluate, test, demo, try
description: Use a custom tool to see how Controlled folder access works in Windows 10.
keywords: Exploit protection, windows 10, windows defender, ransomware, protect, evaluate, test, demo, try
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
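Review bot: the keywords line in this front matter goes from "controlled folder access, windows 10, ..." to "Exploit protection, windows 10, ...", which changes the keyword to a different feature instead of only changing its case. On the Controlled folder access evaluation page this looks like a find-and-replace slip; it should read "Controlled folder access" (or stay lowercase, since the other keywords on the line are lowercase).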
@ -15,7 +15,7 @@ ms.date: 08/25/2017
---
# Evaluate Controlled Folder Access
# Evaluate Controlled folder access
**Applies to:**
@ -34,27 +34,27 @@ ms.date: 08/25/2017
- Group Policy
- PowerShell
Controlled Folder Access is a feature that is part of Windows Defender Exploit Guard [that helps protect your documents and files from modification by suspicious or malicious apps](controlled-folders-exploit-guard.md).
Controlled folder access is a feature that is part of Windows Defender Exploit Guard [that helps protect your documents and files from modification by suspicious or malicious apps](controlled-folders-exploit-guard.md).
It is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/en-us/wdsi/threats/ransomware) that can attempt to encrypt your files and hold them hostage.
This topic helps you evaluate Controlled Folder Access. It explains how to demo the feature using a specialized tool, and how to enable audit mode so you can test the feature directly in your organisation.
This topic helps you evaluate Controlled folder access. It explains how to demo the feature using a specialized tool, and how to enable audit mode so you can test the feature directly in your organisation.
>[!NOTE]
>This topic uses PowerShell cmdlets to make it easy to enable the feature and test it.
>For instructions on how to use Group Policy, Mobile Device Management (MDM), and System Center Configuration Manager to deploy these settings across your network, see the main [Controlled Folder Access topic](controlled-folders-exploit-guard.md).
>For instructions on how to use Group Policy, Mobile Device Management (MDM), and System Center Configuration Manager to deploy these settings across your network, see the main [Controlled folder access topic](controlled-folders-exploit-guard.md).
## Use the demo tool to see how Controlled Folder Access works
## Use the demo tool to see how Controlled folder access works
Use the **ExploitGuard CFA File Creator** tool to see how Controlled Folder Access can prevent a suspicious app from creating files in protected folders.
Use the **ExploitGuard CFA File Creator** tool to see how Controlled folder access can prevent a suspicious app from creating files in protected folders.
The tool is part of the Windows Defender Exploit Guard evaluation package:
- [Download the Exploit Guard Evaluation Package](https://aka.ms/mp7z2w)
This tool can be run locally on an individual machine to see the typical behavior of Controlled Folder Access. The tool is considered by Windows Defender Exploit Guard to be suspicious and will be blocked from creating new files or making changes to existing files in any of your protected folders.
This tool can be run locally on an individual machine to see the typical behavior of Controlled folder access. The tool is considered by Windows Defender Exploit Guard to be suspicious and will be blocked from creating new files or making changes to existing files in any of your protected folders.
You can enable Controlled Folder Access, run the tool, and see what the experience is like when a suspicious app is prevented from accessing or modifying files in protected folders.
You can enable Controlled folder access, run the tool, and see what the experience is like when a suspicious app is prevented from accessing or modifying files in protected folders.
@ -62,7 +62,7 @@ You can enable Controlled Folder Access, run the tool, and see what the experien
2. Right-click **Windows PowerShell**, click **Run as administrator** and click **Yes** or enter admin credentials at the prompt.
3. Enter the following in the PowerShell window to enable Controlled Folder Access:
3. Enter the following in the PowerShell window to enable Controlled folder access:
```PowerShell
Set-MpPreference -EnableControlledFolderAccess Enabled
```
@ -79,7 +79,7 @@ You can enable Controlled Folder Access, run the tool, and see what the experien
![](images/cfa-notif.png)
## Review Controlled Folder Access events in Windows Event Viewer
## Review Controlled folder access events in Windows Event Viewer
You can also review the Windows event log to see the events there were created when using the tool. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-all-windows-defender-exploit-guard-events).
@ -91,18 +91,18 @@ You can also review the Windows event log to see the events there were created w
4. Click **OK**.
5. This will create a custom view that filters to only show the following events related to Controlled Folder Access:
5. This will create a custom view that filters to only show the following events related to Controlled folder access:
Event ID | Description
-|-
5007 | Event when settings are changed
1124 | Audited Controlled Folder Access event
1123 | Blocked Controlled Folder Access event
1124 | Audited Controlled folder access event
1123 | Blocked Controlled folder access event
## Use audit mode to measure impact
As with other Windows Defender EG features, you can enable the Controlled Folder Access feature in audit mode. This lets you see a record of what *would* have happened if you had enabled the setting.
As with other Windows Defender EG features, you can enable the Controlled folder access feature in audit mode. This lets you see a record of what *would* have happened if you had enabled the setting.
You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious file modification attempts generally occur over a certain period.
@ -113,8 +113,8 @@ Set-MpPreference -EnableControlledFolderAccess AuditMode
```
>[!TIP]
>If you want to fully audit how Controlled Folder Access will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s).
You can also use Group Policy, Intune, MDM, or System Center Configuration Manager to configure and deploy the setting, as described in the main [Controlled Folder Access topic](controlled-folders-exploit-guard.md).
>If you want to fully audit how Controlled folder access will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s).
You can also use Group Policy, Intune, MDM, or System Center Configuration Manager to configure and deploy the setting, as described in the main [Controlled folder access topic](controlled-folders-exploit-guard.md).
For further details on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md).
@ -125,9 +125,9 @@ For further details on how audit mode works, and when you might want to use it,
During your evaluation, you may wish to add to the list of protected folders, or allow certain apps to modify files.
See the main [Protect important folders with Controlled Folder Access](controlled-folders-exploit-guard.md) topic for configuring the feature with management tools, including Group Policy, PowerShell, and MDM CSP.
See the main [Protect important folders with Controlled folder access](controlled-folders-exploit-guard.md) topic for configuring the feature with management tools, including Group Policy, PowerShell, and MDM CSP.
## Related topics
- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md)
- [Protect important folders with Controlled folder access](controlled-folders-exploit-guard.md)
- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)
- [Use audit mode to evaluate Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md)

View File

@ -1,7 +1,7 @@
---
title: See how Exploit Protection works in a demo
description: See how Exploit Protection can prevent suspicious behaviors from occurring on specific apps.
keywords: exploit protection, exploits, kernel, events, evaluate, demo, try, mitigiation
title: See how Exploit protection works in a demo
description: See how Exploit protection can prevent suspicious behaviors from occurring on specific apps.
keywords: Exploit protection, exploits, kernel, events, evaluate, demo, try, mitigiation
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
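Review bot: the keywords line keeps the misspelling "mitigiation" on both the old and the new side. A misspelled search keyword will not match what people type, so change it to "mitigation" while this line is open. The first keyword is also now capitalized ("Exploit protection") while the rest of the list is lowercase; pick one convention for the keywords field.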
@ -16,7 +16,7 @@ ms.date: 08/25/2017
# Evaluate Exploit Protection
# Evaluate Exploit protection
**Applies to:**
@ -36,18 +36,18 @@ ms.date: 08/25/2017
- PowerShell
Exploit Protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level.
Exploit protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level.
Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) are included in Exploit Protection.
Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) are included in Exploit protection.
This topcs helps you evaluate Exploit Protection. See the [Exploit Protection topic](exploit-protection-exploit-guard.md) for more information on what Exploit Protection does and how to configure it for real-world deployment.
This topcs helps you evaluate Exploit protection. See the [Exploit protection topic](exploit-protection-exploit-guard.md) for more information on what Exploit protection does and how to configure it for real-world deployment.
>[!NOTE]
>This topic uses PowerShell cmdlets to make it easy to enable the feature and test it.
>For instructions on how to use Group Policy and Mobile Device Management (MDM to deploy these settings across your network, see the main [Exploit Protection topic](exploit-protection-exploit-guard.md) .
>For instructions on how to use Group Policy and Mobile Device Management (MDM to deploy these settings across your network, see the main [Exploit protection topic](exploit-protection-exploit-guard.md) .
## Enable and validate an Exploit Protection mitigation
## Enable and validate an Exploit protection mitigation
For this demo you will enable the mitigation that prevents child processes from being created. You'll use Internet Explorer as the parent app.
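Review bot: several wording errors survive on the lines this hunk rewrites. "Exploit protection applies helps protect devices" has a stray verb (drop "applies"), "This topcs helps you evaluate" should be "This topic helps you evaluate", and the NOTE line has an unclosed parenthesis in "Mobile Device Management (MDM to deploy" plus a space before the final period. Since each of these lines is already being replaced, fix them here rather than in a follow-up.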
@ -90,9 +90,9 @@ Lastly, we can disable the mitigation so that Internet Explorer works properly a
5. Validate that Internet Explorer runs by running it from the run dialog box again. It should open as expected.
## Review Exploit Protection events in Windows Event Viewer
## Review Exploit protection events in Windows Event Viewer
You can now review the events that Exploit Protection sent to the Windows Event log to confirm what happened. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-all-windows-defender-exploit-guard-events).
You can now review the events that Exploit protection sent to the Windows Event log to confirm what happened. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-all-windows-defender-exploit-guard-events).
1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *ep-events.xml* to an easily accessible location on the machine.
@ -104,7 +104,7 @@ You can now review the events that Exploit Protection sent to the Windows Event
4. Click **OK**.
5. This will create a custom view that filters to only show the following events related to Exploit Protection, which are all listed in the [Exploit Protection](exploit-protection-exploit-guard.md) topic.
5. This will create a custom view that filters to only show the following events related to Exploit protection, which are all listed in the [Exploit protection](exploit-protection-exploit-guard.md) topic.
6. The specific event to look for in this demo is event ID 4, which should have the following or similar information:
@ -113,13 +113,13 @@ You can now review the events that Exploit Protection sent to the Windows Event
## Use audit mode to measure impact
As with other Windows Defender EG features, you can enable Exploit Protection in audit mode. You can enable audit mode for individual mitigations.
As with other Windows Defender EG features, you can enable Exploit protection in audit mode. You can enable audit mode for individual mitigations.
This lets you see a record of what *would* have happened if you had enabled the mitigation.
You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious or malicious events generally occur over a certain period.
See the [**PowerShell reference** section in the Customize Exploit Protection topic](customize-exploit-protection.md#powershell-reference) for a list of which mitigations can be audited and instructions on enabling the mode.
See the [**PowerShell reference** section in the Customize Exploit protection topic](customize-exploit-protection.md#powershell-reference) for a list of which mitigations can be audited and instructions on enabling the mode.
For further details on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md).
@ -128,6 +128,6 @@ For further details on how audit mode works, and when you might want to use it,
## Related topics
- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md)
- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md)
- [Enable Exploit Protection](enable-exploit-protection.md)
- [Configure and audit Exploit Protection mitigations](customize-exploit-protection.md)
- [Import, export, and deploy Exploit Protection configurations](import-export-exploit-protection-emet-xml.md)
- [Enable Exploit protection](enable-exploit-protection.md)
- [Configure and audit Exploit protection mitigations](customize-exploit-protection.md)
- [Import, export, and deploy Exploit protection configurations](import-export-exploit-protection-emet-xml.md)

View File

@ -1,7 +1,7 @@
---
title: Conduct a demo to see how Network Protection works
description: Quickly see how Network Protection works by performing common scenarios that it protects against
keywords: Network Protection, exploits, malicious website, ip, domain, domains, evaluate, test, demo
title: Conduct a demo to see how Network protection works
description: Quickly see how Network protection works by performing common scenarios that it protects against
keywords: Network protection, exploits, malicious website, ip, domain, domains, evaluate, test, demo
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@ -14,7 +14,7 @@ ms.author: iawilt
ms.date: 08/25/2017
---
# Evaluate Network Protection
# Evaluate Network protection
@ -36,16 +36,16 @@ ms.date: 08/25/2017
Network Protection is a feature that is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
Network protection is a feature that is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
It helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
This topic helps you evaluate Network Protection by enabling the feature and guiding you to a testing site.
This topic helps you evaluate Network protection by enabling the feature and guiding you to a testing site.
>[!NOTE]
>The site will replicate the behavior that would happen if a user visted a malicious site or domain. The sites in this evaluation topic are not malicious, they are specially created websites that pretend to be malicious.
## Enable Network Protection
## Enable Network protection
1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
2. Enter the following cmdlet:
@ -67,7 +67,7 @@ You will get a 403 Forbidden response in the browser, and you will see a notific
![](images/np-notif.png)
## Review Network Protection events in Windows Event Viewer
## Review Network protection events in Windows Event Viewer
You can also review the Windows event log to see the events there were created when performing the demo. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-all-windows-defender-exploit-guard-events).
@ -79,7 +79,7 @@ You can also review the Windows event log to see the events there were created w
4. Click **OK**.
5. This will create a custom view that filters to only show the following events related to Network Protection:
5. This will create a custom view that filters to only show the following events related to Network protection:
Event ID | Description
-|-
@ -90,7 +90,7 @@ Event ID | Description
## Use audit mode to measure impact
You can also enable the Network Protection feature in audit mode. This lets you see a record of what IPs and domains would have been blocked if the feature were enabled.
You can also enable the Network protection feature in audit mode. This lets you see a record of what IPs and domains would have been blocked if the feature were enabled.
You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how often the feature will block connections during normal use.
@ -102,8 +102,8 @@ Set-MpPreference -EnableNetworkProtection AuditMode
>[!TIP]
>If you want to fully audit how Network Protection will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s).
You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Network Protection topic](network-protection-exploit-guard.md).
>If you want to fully audit how Network protection will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s).
You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Network protection topic](network-protection-exploit-guard.md).

View File

@ -36,10 +36,10 @@ Windows Defender Exploit Guard is comprised of four features. We've developed ev
Before you begin, you should read the main [Windows Defender Exploit Guard](windows-defender-exploit-guard.md) topic to get an understanding of each of the features and what their prerequisutes are.
- [Evaluate Attack Surface Reduction](evaluate-attack-surface-reduction.md)
- [Evaluate Controlled Folder Access](evaluate-controlled-folder-access.md)
- [Evaluate Exploit Protection](evaluate-exploit-protection.md)
- [Evaluate Network Protection](evaluate-network-protection.md)
- [Evaluate Attack surface reduction](evaluate-attack-surface-reduction.md)
- [Evaluate Controlled folder access](evaluate-controlled-folder-access.md)
- [Evaluate Exploit protection](evaluate-exploit-protection.md)
- [Evaluate Network protection](evaluate-network-protection.md)
You might also be interested in enabling the features in audit mode - which allows you to see how the features work in the real world without impacting your organization or employee's work habits:
@ -52,4 +52,4 @@ Topic | Description
- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md)
- [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md)
- [Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md)
- [Protect important folders with Controlled Folder Access](controlled-folders-exploit-guard.md)
- [Protect important folders with Controlled folder access](controlled-folders-exploit-guard.md)

View File

@ -48,10 +48,10 @@ You can also manually navigate to the event area that corresponds to the Windows
### Import an existing XML custom view
1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the appropraite file to an easily accessible location. The following filenames are each of the custom views:
- Controlled Folder Access events custom view: *cfa-events.xml*
- Exploit Protection events custom view: *ep-events.xml*
- Attack Surface Reduction events custom view: *asr-events.xml*
- Network Protection events custom view: *np-events.xml*
- Controlled folder access events custom view: *cfa-events.xml*
- Exploit protection events custom view: *ep-events.xml*
- Attack surface reduction events custom view: *asr-events.xml*
- Network protection events custom view: *np-events.xml*
1. Type **event viewer** in the Start menu and open the Windows **Event Viewer**.
@ -87,7 +87,7 @@ You can also manually navigate to the event area that corresponds to the Windows
### XML for Attack Surface Reduction events
### XML for Attack surface reduction events
```xml
<QueryList>
@ -98,7 +98,7 @@ You can also manually navigate to the event area that corresponds to the Windows
</QueryList>
```
### XML for Controlled Folder Access events
### XML for Controlled folder access events
```xml
<QueryList>
@ -109,7 +109,7 @@ You can also manually navigate to the event area that corresponds to the Windows
</QueryList>
```
### XML for Exploit Protection events
### XML for Exploit protection events
```xml
<QueryList>
@ -129,7 +129,7 @@ You can also manually navigate to the event area that corresponds to the Windows
</QueryList>
```
### XML for Network Protection events
### XML for Network protection events
```xml
<QueryList>
@ -158,38 +158,38 @@ You can access these events in Windows Event viewer:
Feature | Provider/source | Event ID | Description
:-|:-|:-:|:-
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 1 | ACG audit
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 2 | ACG enforce
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 3 | Do not allow child processes audit
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 4 | Do not allow child processes block
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 5 | Block low integrity images audit
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 6 | Block low integrity images block
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 7 | Block remote images audit
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 8 | Block remote images block
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 9 | Disable win32k system calls audit
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 10 | Disable win32k system calls block
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 11 | Code integrity guard audit
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 12 | Code integrity guard block
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 13 | EAF audit
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 14 | EAF enforce
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 15 | EAF+ audit
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 16 | EAF+ enforce
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 17 | IAF audit
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 18 | IAF enforce
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 19 | ROP StackPivot audit
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 20 | ROP StackPivot enforce
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 21 | ROP CallerCheck audit
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 22 | ROP CallerCheck enforce
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 23 | ROP SimExec audit
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 24 | ROP SimExec enforce
Exploit Protection | WER-Diagnostics | 5 | CFG Block
Exploit Protection | Win32K (Operational) | 260 | Untrusted Font
Network Protection | Windows Defender (Operational) | 5007 | Event when settings are changed
Network Protection | Windows Defender (Operational) | 1125 | Event when Network Protection fires in Audit-mode
Network Protection | Windows Defender (Operational) | 1126 | Event when Network Protection fires in Block-mode
Controlled Folder Access | Windows Defender (Operational) | 5007 | Event when settings are changed
Controlled Folder Access | Windows Defender (Operational) | 1124 | Audited Controlled Folder Access event
Controlled Folder Access | Windows Defender (Operational) | 1123 | Blocked Controlled Folder Access event
Attack Surface Reduction | Windows Defender (Operational) | 5007 | Event when settings are changed
Attack Surface Reduction | Windows Defender (Operational) | 1122 | Event when rule fires in Audit-mode
Attack Surface Reduction | Windows Defender (Operational) | 1121 | Event when rule fires in Block-mode
Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 1 | ACG audit
Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 2 | ACG enforce
Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 3 | Do not allow child processes audit
Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 4 | Do not allow child processes block
Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 5 | Block low integrity images audit
Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 6 | Block low integrity images block
Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 7 | Block remote images audit
Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 8 | Block remote images block
Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 9 | Disable win32k system calls audit
Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 10 | Disable win32k system calls block
Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 11 | Code integrity guard audit
Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 12 | Code integrity guard block
Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 13 | EAF audit
Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 14 | EAF enforce
Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 15 | EAF+ audit
Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 16 | EAF+ enforce
Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 17 | IAF audit
Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 18 | IAF enforce
Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 19 | ROP StackPivot audit
Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 20 | ROP StackPivot enforce
Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 21 | ROP CallerCheck audit
Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 22 | ROP CallerCheck enforce
Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 23 | ROP SimExec audit
Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 24 | ROP SimExec enforce
Exploit protection | WER-Diagnostics | 5 | CFG Block
Exploit protection | Win32K (Operational) | 260 | Untrusted Font
Network protection | Windows Defender (Operational) | 5007 | Event when settings are changed
Network protection | Windows Defender (Operational) | 1125 | Event when Network protection fires in Audit-mode
Network protection | Windows Defender (Operational) | 1126 | Event when Network protection fires in Block-mode
Controlled folder access | Windows Defender (Operational) | 5007 | Event when settings are changed
Controlled folder access | Windows Defender (Operational) | 1124 | Audited Controlled folder access event
Controlled folder access | Windows Defender (Operational) | 1123 | Blocked Controlled folder access event
Attack surface reduction | Windows Defender (Operational) | 5007 | Event when settings are changed
Attack surface reduction | Windows Defender (Operational) | 1122 | Event when rule fires in Audit-mode
Attack surface reduction | Windows Defender (Operational) | 1121 | Event when rule fires in Block-mode
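Review bot: "Kernal Mode" in the Security-Mitigations source name (rows 3 through 24) is a misspelling of "Kernel Mode" and should be corrected while this table is being touched, since readers match this column against the log name in Event Viewer. The action wording in the same table is also inconsistent: rows 3 to 12 end in "audit"/"block", rows 13 to 24 in "audit"/"enforce", and the Windows Defender rows use "Audit-mode"/"Block-mode". Pick one form for the whole table.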

View File

@ -1,7 +1,7 @@
---
title: Apply mitigations to help prevent attacks through vulnerabilities
keywords: mitigations, vulnerabilities, vulnerability, mitigation, exploit, exploits, emet
description: Exploit Protection in Windows 10 provides advanced configuration over the settings offered in EMET.
description: Exploit protection in Windows 10 provides advanced configuration over the settings offered in EMET.
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@ -38,37 +38,37 @@ ms.date: 08/25/2017
Exploit Protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps.
Exploit protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps.
It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
Exploit Protection works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).
Exploit protection works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).
You [configure these settings using the Windows Defender Security Center app or PowerShell](customize-exploit-protection.md) on an individual machine, and then [export the configuration as an XML file that you can deploy to other machines](import-export-exploit-protection-emet-xml.md). You can use Group Policy to distribute the XML file to multiple devices at once.
When a mitigation is encountered on the machine, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.
You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Exploit Protection would impact your organization if it were enabled.
You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Exploit protection would impact your organization if it were enabled.
Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) have been included in Exploit Protection, and you can convert and import existing EMET configuration profiles into Exploit Protection.
Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) have been included in Exploit protection, and you can convert and import existing EMET configuration profiles into Exploit protection.
>[!IMPORTANT]
>If you are currently using EMET you should be aware that [EMET will reach end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with Exploit Protection in Windows 10. You can [convert an existing EMET configuration file into Exploit Protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings.
>If you are currently using EMET you should be aware that [EMET will reach end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with Exploit protection in Windows 10. You can [convert an existing EMET configuration file into Exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings.
## Requirements
The following requirements must be met before Exploit Protection will work:
The following requirements must be met before Exploit protection will work:
Windows 10 version | Windows Defender Advanced Threat Protection
-|-
Insider Preview build 16232 or later (dated July 1, 2017 or later) | For full reporting you need a license for [Windows Defender ATP](../windows-defender-atp/windows-defender-advanced-threat-protection.md)
## Review Exploit Protection events in Windows Event Viewer
## Review Exploit protection events in Windows Event Viewer
You can review the Windows event log to see events that are created when Exploit Protection blocks (or audits) an app:
You can review the Windows event log to see events that are created when Exploit protection blocks (or audits) an app:
1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *ep-events.xml* to an easily accessible location on the machine.
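Review bot: The notification paragraph left unchanged in this hunk ("When a mitigation is encountered on the machine...") links to customize-attack-surface-reduction.md#customize-the-notification and ends with "You can also enable the rules individually to customize what techniques the feature monitors", which talks about rules rather than mitigations. Since every sentence around it is being edited for consistency, confirm that this sentence and link are intended for the Exploit protection topic, or reword it in terms of mitigations.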
@ -82,7 +82,7 @@ You can review the Windows event log to see events that are created when Exploit
5. Click **OK**.
6. This will create a custom view that filters to only show the following events related to Exploit Protection:
6. This will create a custom view that filters to only show the following events related to Exploit protection:
Provider/source | Event ID | Description
-|:-:|-
@ -118,8 +118,8 @@ Win32K | 260 | Untrusted Font
Topic | Description
---|---
[Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) | Many of the features in the EMET are now included in Exploit Protection. This topic identifies those features and explains how the features have changed or evolved.
[Evaluate Exploit Protection](evaluate-exploit-protection.md) | Undertake a demo scenario to see how Exploit Protection mitigations can protect your network from malicious and suspicious behavior.
[Enable Exploit Protection](enable-exploit-protection.md) | Use Group Policy or PowerShell to enable and manage Exploit Protection in your network.
[Customize and configure Exploit Protection](customize-exploit-protection.md) | Configure mitigations for the operating system and for individual apps.
[Import, export, and deploy Exploit Protection configurations](import-export-exploit-protection-emet-xml.md) | Export, import, and deploy the settings across your organization. You can also convert an existing EMET configuration profile and import it into Exploit Protection.
[Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) | Many of the features in the EMET are now included in Exploit protection. This topic identifies those features and explains how the features have changed or evolved.
[Evaluate Exploit protection](evaluate-exploit-protection.md) | Undertake a demo scenario to see how Exploit protection mitigations can protect your network from malicious and suspicious behavior.
[Enable Exploit protection](enable-exploit-protection.md) | Use Group Policy or PowerShell to enable and manage Exploit protection in your network.
[Customize and configure Exploit protection](customize-exploit-protection.md) | Configure mitigations for the operating system and for individual apps.
[Import, export, and deploy Exploit protection configurations](import-export-exploit-protection-emet-xml.md) | Export, import, and deploy the settings across your organization. You can also convert an existing EMET configuration profile and import it into Exploit protection.

View File

@ -1,7 +1,7 @@
---
title: Deploy Exploit Protection mitigations across your organization
keywords: exploit protection, mitigations, import, export, configure, emet, convert, conversion, deploy, install
description: Use Group Policy to deploy mitigations configuration. You can also convert an existing EMET configuration and import it as an Exploit Protection configuration.
title: Deploy Exploit protection mitigations across your organization
keywords: Exploit protection, mitigations, import, export, configure, emet, convert, conversion, deploy, install
description: Use Group Policy to deploy mitigations configuration. You can also convert an existing EMET configuration and import it as an Exploit protection configuration.
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@ -16,7 +16,7 @@ ms.date: 08/25/2017
# Import, export, and deploy Exploit Protection configurations
# Import, export, and deploy Exploit protection configurations
**Applies to:**
@ -39,19 +39,19 @@ ms.date: 08/25/2017
Exploit Protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level.
Exploit protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level.
It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) are now included in Exploit Protection.
Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) are now included in Exploit protection.
You use the Windows Defender Security Center or PowerShell to create a set of mitigations (known as a configuration). You can then export this configuration as an XML file and share it with multiple machines on your network so they all have the same set of mitigation settings.
You can also convert and import an existing EMET configuration XML file into an Exploit Protection configuration XML.
You can also convert and import an existing EMET configuration XML file into an Exploit protection configuration XML.
This topic describes how to create a configuration file and deploy it across your network, and how to convert an EMET configuration.
The [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) contains a sample configuration file (name *ProcessMitigation-Selfhost-v4.xml* that you can use to see how the XML structure looks. The sample file also contains settings that have been converted from an EMET configuration. You can open the file in a text editor (such as Notepad) or import it directly into Exploit Protection and then review the settings in the Windows Defender Security Center app, as described further in this topic.
The [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) contains a sample configuration file (name *ProcessMitigation-Selfhost-v4.xml* that you can use to see how the XML structure looks. The sample file also contains settings that have been converted from an EMET configuration. You can open the file in a text editor (such as Notepad) or import it directly into Exploit protection and then review the settings in the Windows Defender Security Center app, as described further in this topic.
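Review bot: Two existing errors are carried into the rewritten lines of this hunk and should be fixed in the same pass. The opening sentence reads "Exploit protection applies helps protect devices from malware that use exploits" (drop "applies", and "malware that uses"), and the last paragraph has an unclosed parenthesis and a wrong word in "(name *ProcessMitigation-Selfhost-v4.xml* that you can use", which should read "(named *ProcessMitigation-Selfhost-v4.xml*) that you can use".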
@ -59,9 +59,9 @@ The [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) contains a sample
Before you export a configuration file, you need to ensure you have the correct settings.
You should first configure Exploit Protection on a single, dedicated machine. See the [Customize Exploit Protection](customize-exploit-protection.md) topic for descriptions about and instrucitons for configuring mitigations.
You should first configure Exploit protection on a single, dedicated machine. See the [Customize Exploit protection](customize-exploit-protection.md) topic for descriptions about and instrucitons for configuring mitigations.
When you have configured Exploit Protection to your desired state (including both system-level and app-level mitigations), you can export the file using either the Windows Defender Security Center app or PowerShell.
When you have configured Exploit protection to your desired state (including both system-level and app-level mitigations), you can export the file using either the Windows Defender Security Center app or PowerShell.
### Use the Windows Defender Security Center app to export a configuration file
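Review bot: "instrucitons" in the rewritten sentence "See the [Customize Exploit protection](customize-exploit-protection.md) topic for descriptions about and instrucitons for configuring mitigations" is a typo carried over from the old line. Correct it to "instructions" here, and consider "descriptions of and instructions for" while the line is open.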
@ -98,7 +98,7 @@ Change `filename` to any name or location of your choosing.
## Import a configuration file
You can import an Exploit Protection configuration file that you've previously created. You can only use PowerShell to import the configuration file.
You can import an Exploit protection configuration file that you've previously created. You can only use PowerShell to import the configuration file.
After importing, the settings will be instantly applied and can be reviewed in the Windows Defender Security Center app.
@ -112,15 +112,15 @@ After importing, the settings will be instantly applied and can be reviewed in t
Set-ProcessMitigation -RegistryConfigFilePath filename.xml
```
Change `filename` to the location and name of the Exploit Protection XML file.
Change `filename` to the location and name of the Exploit protection XML file.
>[!IMPORTANT]
>Ensure you import a configuration file that is created specifically for Exploit Protection. You cannot directly import an EMET configuration file, you must convert it first.
>Ensure you import a configuration file that is created specifically for Exploit protection. You cannot directly import an EMET configuration file, you must convert it first.
## Convert an EMET configuration file to an Exploit Protection configuration file
## Convert an EMET configuration file to an Exploit protection configuration file
You can convert an existing EMET configuration file to the new format used by Exploit Protection. You must do this if you want to import an EMET configuration into Exploit Protection in Windows 10.
You can convert an existing EMET configuration file to the new format used by Exploit protection. You must do this if you want to import an EMET configuration into Exploit protection in Windows 10.
You can only do this conversion in PowerShell.
@ -149,13 +149,13 @@ You can use Group Policy to deploy the configuration you've created to multiple
4. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Exploit Guard > Exploit Protection**.
5. Expand the tree to **Windows components > Windows Defender Exploit Guard > Exploit protection**.
![](images/exp-prot-gp.png)
6. Double-click the **Use a common set of exploit protection settings** setting and set the option to **Enabled**.
6. Double-click the **Use a common set of Exploit protection settings** setting and set the option to **Enabled**.
7. In the **Options::** section, enter the location and filename of the Exploit Protection configuration file that you want to use, such as in the following examples:
7. In the **Options::** section, enter the location and filename of the Exploit protection configuration file that you want to use, such as in the following examples:
- C:\MitigationSettings\Config.XML
- \\Server\Share\Config.xml
- https://localhost:8080/Config.xml
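Review bot: Steps 5 and 6 change bolded UI strings, not prose: the Group Policy path now ends in "Exploit protection" and the setting name becomes "Use a common set of Exploit protection settings", where the old line had lowercase "exploit protection". Text in bold that the reader has to find in the Group Policy editor should match the product verbatim, so check both strings against the actual console before applying a capitalization rule to them. Step 7 also keeps the doubled colon in "**Options::**", which should be verified or corrected in the same edit.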
@ -167,6 +167,6 @@ You can use Group Policy to deploy the configuration you've created to multiple
- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md)
- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md)
- [Evaluate Exploit Protection](evaluate-exploit-protection.md)
- [Enable Exploit Protection](enable-exploit-protection.md)
- [Configure and audit Exploit Protection mitigations](customize-exploit-protection.md)
- [Evaluate Exploit protection](evaluate-exploit-protection.md)
- [Enable Exploit protection](enable-exploit-protection.md)
- [Configure and audit Exploit protection mitigations](customize-exploit-protection.md)

View File

@ -1,7 +1,7 @@
---
title: Use Network Protection to help prevent connections to bad sites
title: Use Network protection to help prevent connections to bad sites
description: Protect your network by preventing users from accessing known malicious and suspicious network addresses
keywords: Network Protection, exploits, malicious website, ip, domain, domains
keywords: Network protection, exploits, malicious website, ip, domain, domains
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@ -36,33 +36,33 @@ ms.date: 08/25/2017
- Configuration service providers for mobile device management
Network Protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
Network protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
It expands the scope of [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md) to block all outboud HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname).
It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
Network Protection works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).
Network protection works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).
When Network Protection blocks a connection, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.
When Network protection blocks a connection, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.
You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Network Protection would impact your organization if it were enabled.
You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Network protection would impact your organization if it were enabled.
## Requirements
The following requirements must be met before Network Protection will work:
The following requirements must be met before Network protection will work:
Windows 10 version | Windows Defender Antivirus
- | -
Insider Preview build 16232 or later (dated July 1, 2017 or later) | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) must be enabled
## Review Network Protection events in Windows Event Viewer
## Review Network protection events in Windows Event Viewer
You can review the Windows event log to see events that are created when Network Protection blocks (or audits) access to a malicious IP or domain:
You can review the Windows event log to see events that are created when Network protection blocks (or audits) access to a malicious IP or domain:
1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *np-events.xml* to an easily accessible location on the machine.
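Review bot: The unchanged sentence "block all outboud HTTP(s) traffic" in this hunk has a typo ("outbound") and inconsistent casing ("HTTP(S)"), and it sits between lines that are being edited, so fix it here. The rewritten notification line also keeps "You can also enable the rules individually to customize what techniques the feature monitors" with a link to customize-attack-surface-reduction.md; confirm that sentence applies to Network protection, because nothing else in this topic mentions rules. The requirements table separator "- | -" also differs from the "-|-" form used in the other tables in this commit.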
@ -76,13 +76,13 @@ You can review the Windows event log to see events that are created when Network
4. Click **OK**.
5. This will create a custom view that filters to only show the following events related to Network Protection:
5. This will create a custom view that filters to only show the following events related to Network protection:
Event ID | Description
-|-
5007 | Event when settings are changed
1125 | Event when Network Protection fires in Audit-mode
1126 | Event when Network Protection fires in Block-mode
1125 | Event when Network protection fires in Audit-mode
1126 | Event when Network protection fires in Block-mode
@ -91,5 +91,5 @@ You can review the Windows event log to see events that are created when Network
Topic | Description
---|---
[Evaluate Network Protection](evaluate-network-protection.md) | Undertake aa quick scenario that demonstrate how the feature works, and what events would typically be created.
[Enable Network Protection](enable-network-protection.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage the Network Protection feature in your network.
[Evaluate Network protection](evaluate-network-protection.md) | Undertake aa quick scenario that demonstrate how the feature works, and what events would typically be created.
[Enable Network protection](enable-network-protection.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage the Network protection feature in your network.
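Review bot: The rewritten row for evaluate-network-protection.md still reads "Undertake aa quick scenario that demonstrate how the feature works". Fix the doubled letter and the verb agreement ("Undertake a quick scenario that demonstrates how the feature works") in the same line the commit already changes.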

View File

@ -1,7 +1,7 @@
---
title: Use Windows Defender Exploit Guard to protect your network
description: Windows Defender EG employs features that help protect your network from threats, including helping prevent ransomware encryption and exploit attacks
keywords: emet, exploit guard, Controlled Folder Access, Network Protection, Exploit Protection, Attack Surface Reduction, hips, host intrusion prevention system
keywords: emet, exploit guard, Controlled folder access, Network protection, Exploit protection, Attack surface reduction, hips, host intrusion prevention system
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@ -33,10 +33,10 @@ Windows Defender Exploit Guard (Windows Defender EG) is a new set of host intrus
There are four features in Windows Defender EG:
- [Exploit Protection](exploit-protection-exploit-guard.md) can apply exploit mitigation techniques to apps your organization uses, both individually and to all apps
- [Attack Surface Reduction rules](attack-surface-reduction-exploit-guard.md) can reduce the attack surface of your applications with intelligent rules that stop the vectors used by Office-, script- and mail-based malware
- [Network Protection](network-protection-exploit-guard.md) extends the malware and social engineering protection offered by Windows Defender SmartScreen in Edge to cover network traffic and connectivity on your organization's devices
- [Controlled Folder Access](controlled-folders-exploit-guard.md) helps protect files in key system folders from changes made by malicious and suspicious apps, including file-encrypting ransomware malware
- [Exploit protection](exploit-protection-exploit-guard.md) can apply exploit mitigation techniques to apps your organization uses, both individually and to all apps
- [Attack surface reduction rules](attack-surface-reduction-exploit-guard.md) can reduce the attack surface of your applications with intelligent rules that stop the vectors used by Office-, script- and mail-based malware
- [Network protection](network-protection-exploit-guard.md) extends the malware and social engineering protection offered by Windows Defender SmartScreen in Edge to cover network traffic and connectivity on your organization's devices
- [Controlled folder access](controlled-folders-exploit-guard.md) helps protect files in key system folders from changes made by malicious and suspicious apps, including file-encrypting ransomware malware
You can evaluate each feature of Windows Defender EG with the guides at the following link, which provide pre-built PowerShell scripts and testing tools so you can see the features in action:
@ -58,10 +58,10 @@ Each of the features in Windows Defender EG have slightly different requirements
Feature | [Windows Defender Antivirus](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) | [Windows Defender Advanced Threat Protection license](../windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md)
-|-|-|-
Exploit Protection | No requirement | Required for reporting in the Windows Defender ATP console
Attack Surface Reduction | [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) must be enabled | Required for reporting in the Windows Defender ATP console
Network Protection | [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) must be enabled | Required for reporting in the Windows Defender ATP console
Controlled Folder Access | [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) must be enabled | Required for reporting in the Windows Defender ATP console
Exploit protection | No requirement | Required for reporting in the Windows Defender ATP console
Attack surface reduction | [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) must be enabled | Required for reporting in the Windows Defender ATP console
Network protection | [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) must be enabled | Required for reporting in the Windows Defender ATP console
Controlled folder access | [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) must be enabled | Required for reporting in the Windows Defender ATP console
> [!NOTE]
> Each feature's requirements are further described in the individual topics in this library.
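Review bot: The requirements table in this hunk has three header cells (Feature, Windows Defender Antivirus, Windows Defender Advanced Threat Protection license) but its separator row is "-|-|-|-", which declares four columns. Every data row being rewritten here has three cells, so change the separator to "-|-|-" to keep the table rendering reliably.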
@ -71,9 +71,9 @@ Controlled Folder Access | [Real-time protection](../windows-defender-antivirus/
Topic | Description
---|---
[Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) | Exploit Protection provides you with many of the features in now-retired Enhanced Mitigations Experience Toolkit - and adds additional configuration and technologies. These features can help prevent threats from using vulnerabilities to gain access to your network and devices. You can create a template of settings that can be exported and copied to multiple machines in your network at once.
[Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) | Exploit protection provides you with many of the features in now-retired Enhanced Mitigations Experience Toolkit - and adds additional configuration and technologies. These features can help prevent threats from using vulnerabilities to gain access to your network and devices. You can create a template of settings that can be exported and copied to multiple machines in your network at once.
[Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md) | Use pre-built rules to manage mitigations for key attack and infection vectors, such as Office-based malicious macro code and PowerShell, VBScript, and JavaScript scripts.
[Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md) | Minimize the exposure of your devices from network and web-based infection vectors.
[Protect important folders with Controlled Folder Access](controlled-folders-exploit-guard.md) | Prevent unknown or unauthorized apps (including ransomware encryption malware) from writing to sensitive folders, such as folders containing sensitive or business-critical data.
[Protect important folders with Controlled folder access](controlled-folders-exploit-guard.md) | Prevent unknown or unauthorized apps (including ransomware encryption malware) from writing to sensitive folders, such as folders containing sensitive or business-critical data.
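Review bot: The rewritten first row calls the product "now-retired Enhanced Mitigations Experience Toolkit", which conflicts with the other topics in this commit on two points: they name it "Enhanced Mitigation Experience Toolkit" (singular), and the Exploit protection topic states that EMET "will reach end of life on July 31, 2018", so "now-retired" is not yet accurate for pages dated 08/25/2017. Align the name and replace "now-retired" with wording that matches the end-of-life statement. The "ransomware encryption malware" phrasing in the last row could also be shortened to "ransomware".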