mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-20 21:03:42 +00:00
further adds to library
This commit is contained in:
@ -19,7 +19,7 @@ ms.author: iawilt
|
|||||||
|
|
||||||
**Applies to:**
|
**Applies to:**
|
||||||
|
|
||||||
- Windows 10 Insider Preview, build 16232 and later
|
- Windows 10 Insider Preview
|
||||||
|
|
||||||
**Audience**
|
**Audience**
|
||||||
|
|
||||||
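Review bot: the "Applies to" bullet in this hunk drops the build number (`- Windows 10 Insider Preview, build 16232 and later` becomes `- Windows 10 Insider Preview`), but the Requirements table later in this same file still says `Insider Preview build 16232 or later (dated July 1, 2017 or later)`, and the new customize-attack-surface-reduction.md added in this commit keeps `build 16232 and later`. Either keep the build number here or drop it in all three places so the pages agree on the minimum build.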
@ -35,70 +35,32 @@ ms.author: iawilt
|
|||||||
- Windows Defender Security Center app
|
- Windows Defender Security Center app
|
||||||
<into>
|
Attack Surface Reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
|
||||||
|
|
||||||
|
The feature is comprised of a number of rules, each of which target specific behaviors that are typically used by malware and malicious apps to infect machines, such as:
|
||||||
|
|
||||||
|
- Executable files and scripts used in Office apps or web mail that attempt to download or run files
|
||||||
|
- Scripts that are obfuscated or otherwise suspicious
|
||||||
|
- Behaviors that apps undertake that are not usually inititated during normal day-to-day work
|
||||||
|
|
||||||
|
When a rule is triggered, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.
|
||||||
|
|
||||||
|
You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Attack Surface Reduction would impact your organization if it were enabled.
|
||||||
|
|
||||||
## Requirements
|
## Requirements
|
||||||
|
|
||||||
The following requirements must be met before Attack Surface Reduction will work:
|
The following requirements must be met before Attack Surface Reduction will work:
|
||||||
|
|
||||||
Windows 10 version | Windows Defender Antivirus
|
Windows 10 version | Windows Defender Antivirus
|
||||||
|
- | -
|
||||||
Insider Preview build 16232 or later (dated July 1, 2017 or later) | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) must be enabled
|
Insider Preview build 16232 or later (dated July 1, 2017 or later) | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) must be enabled
|
||||||
## Enable Attack Surface Reduction rules
|
|
||||||
|
|
||||||
You can use Group Policy to configure the state or mode for each rule. This can be useful if you only want to enable some rules, or you want to enable rules individually in audit mode.
|
|
||||||
|
|
||||||
For further details on how audit mode works, and when you might want to use it, see the [auditing Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md).
|
|
||||||
|
|
||||||
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
|
|
||||||
|
|
||||||
3. In the **Group Policy Management Editor** go to **Computer configuration**.
|
|
||||||
|
|
||||||
4. Click **Policies** then **Administrative templates**.
|
|
||||||
|
|
||||||
5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack Surface Reduction**.
|
|
||||||
|
|
||||||
6. Double-click the **Configure Attack Surface Reduction rules** setting and set the option to **Enabled**. You can then set the individual state for each rule in the options section:
|
|
||||||
- Click **Show...** and enter the Rule ID in the **Value name** column and your desired state in the **Value** column as follows:
|
|
||||||
- Block mode = 1
|
|
||||||
- Disabled = 0
|
|
||||||
- Audit mode = 2
|
|
||||||

|
|
||||||
|
|
||||||
>[!NOTE]
|
|
||||||
>Rule IDs willl be populated on machines that are enrolled in an E5 license. These machines will also properly report their Attack Surface Reduction rule history in the Windows Defender Security Center web console.
|
|
||||||
>[!NOTE]
|
|
||||||
>The tool reveals the RuleIDs. How will the IDs be hidden/how will the experience differ without an E5?
|
|
||||||
## Exclude files and folders
|
|
||||||
|
|
||||||
You can exclude files and folders from being evaluated by Attack Surface Reduction rules. You can specify individual files or folders (using folder paths or fully qualified resource names) but you cannot specify if the files should be excluded from individual rules: the exclusions will apply to all rules that are enabled (or placed in audit mode).
|
|
||||||
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
|
|
||||||
|
|
||||||
3. In the **Group Policy Management Editor** go to **Computer configuration**.
|
|
||||||
|
|
||||||
4. Click **Policies** then **Administrative templates**.
|
|
||||||
|
|
||||||
5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack Surface Reduction**.
|
|
||||||
|
|
||||||
6. Double-click the **Exclude files and paths from Attack Surface Reduction Rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item.
|
|
||||||
## Review Attack Surface Reduction events in Windows Event Viewer
|
## Review Attack Surface Reduction events in Windows Event Viewer
|
||||||
|
|
||||||
You can also review the Windows event log to see the events there were created when using the tool:
|
You can review the Windows event log to see events there are created when an Attack Surface Reduction rule is triggered:
|
||||||
|
|
||||||
|
1. Download the [Exploit Guard Evaluation Package](#) and extract the file *asr-events.xml* to an easily accessible location on the machine.
|
||||||
|
|
||||||
1. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
|
1. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
|
||||||
|
|
||||||
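Review bot: the new first step of the event viewer procedure links to a placeholder, `1. Download the [Exploit Guard Evaluation Package](#) and extract the file *asr-events.xml*`, which will publish as a dead anchor; put the real download URL in or, since the old step 3 already offered `[download the XML directly](scripts/cfa-events.xml)` in the sibling topic, link the XML under `scripts/` and drop the package step until the package is published. Two wording fixes in the added intro lines while you are here: `inititated` in `- Behaviors that apps undertake that are not usually inititated during normal day-to-day work`, and `The feature is comprised of a number of rules` should be `The feature comprises a number of rules` (or `is composed of`).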
@ -118,162 +80,19 @@ You can also review the Windows event log to see the events there were created w
|
|||||||
|
### Event fields
|
||||||
|
|
||||||
## MDM policy settings for Controlled Folder Access
|
|
||||||
|
|
||||||
./Vendor/MSFT/Policy/Config/Defender/EnableGuardMyFolders
|
|
||||||
|
|
||||||
## Audit/block modes
|
|
||||||
|
|
||||||
Controlled Folder Access has mitigations that can be individually enabled in audit or blocking mode.
|
|
||||||
|
|
||||||
Component |Description |Rule/mitigation description |
|
|
||||||
-|-|-|-
|
|
||||||
Controlled Folder Access |Automatically blocks access to content to protected folders. - This can be enabled in audit/block mode |Protected folders |Folders that are shielded by this component.
|
|
||||||
| | | Allowed apps |Apps that are allowed to write into protected folders
|
|
||||||
### Audit/block modes
|
|
||||||
|
|
||||||
Each of these components can individually be enabled in audit or blocking mode.
|
|
||||||
|
|
||||||
Attack Surface Reduction and Controlled Folder Access also have mitigations that can be individually enabled in audit or blocking mode.
|
|
||||||
|
|
||||||
Component |Description |Rule/mitigation description |
|
|
||||||
-|-|-|-
|
|
||||||
Attack Surface Reduction (ASR) | Provides rules that allow you to prevent macro, script and email threats. - Each rule can be enabled in audit/block mode - Supports file/folder exclusions applied to all rules |Rules to prevent macro threats |Block office application from creating executable content
|
|
||||||
| | | | Block obfuscated js/vbs/ps/macro code
|
|
||||||
| | | | Block office application from launching child processes
|
|
||||||
| | | | Block office application from injecting into other processes
|
|
||||||
| | | | Block Win32 imports from macro code in Office
|
|
||||||
| | | Rules to prevent script threats |Block js/vbs from executing payload downloaded from Internet
|
|
||||||
| | | | Block obfuscated js/vbs/ps/macro code
|
|
||||||
| | | Rules to prevent email threats |Block execution of executable content (exe, dll, ps, js, vbs, etc) dropped from email (webmail/mail-client).
|
|
||||||
## Policy settings for Windows Defender EG
|
|
||||||
|
|
||||||
The MDM policy settings for Windows Defender EG are listed in this section, along with example settings.
|
|
||||||
### Attack Surface Reduction
|
|
||||||
|
|
||||||
- ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions
|
|
||||||
- ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules
|
|
||||||
-- Value as String Data Type : {75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}:1
|
|
||||||
#### Rule-GUIDs for ASR
|
|
||||||
|
|
||||||
Rule description | GUIDs
|
|
||||||
-|-
|
|
||||||
Office rules |
|
|
||||||
Block office application from injecting into other processes | {75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84}
|
|
||||||
| OMA URI : <20>./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules<65>
|
|
||||||
| Value as String Data Type : {75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}:1
|
|
||||||
| 1 = Block, 2 = Audit, 0 = Disabled.
|
|
||||||
Block office application/macros from creating executable content | {3b576869-a4ec-4529-8536-b80a7769e899}
|
|
||||||
| Replace the above GUID with the corresponding Rule GUID
|
|
||||||
Block office application from launching child processes | {d4f940ab-401b-4efc-aadc-ad5f3c50688a}
|
|
||||||
| Replace the above GUID with the corresponding Rule GUID
|
|
||||||
Block Win32 imports from Macro code in Office | {92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B}
|
|
||||||
| Replace the above GUID with the corresponding Rule GUID
|
|
||||||
Block obfuscated js/vbs/ps/macro code | {5beb7efe-fd9a-4556-801d-275e5ffc04cc}
|
|
||||||
| Replace the above GUID with the corresponding Rule GUID
|
|
||||||
Script rules |
|
|
||||||
Block obfuscated js/vbs/ps/macro code | {5beb7efe-fd9a-4556-801d-275e5ffc04cc}
|
|
||||||
| Replace the above GUID with the corresponding Rule GUID [Note: same rule as above, but also covers scripts hence written here]
|
|
||||||
Block js/vbs from executing payload downloaded from Internet. | {d3e037e1-3eb8-44c8-a917-57927947596d}
|
|
||||||
| Replace the above GUID with the corresponding Rule GUID
|
|
||||||
Email rule |
|
|
||||||
Block execution of executable content (exe, dll, ps, js, vbs, etc) dropped from email (webmail/mail-client). | be9ba2d9-53ea-4cdc-84e5-9b1eeee46550
|
|
||||||
| Replace the above GUID with the corresponding Rule GUID [Currently working for Mail-client (Outlook). Personal Webmail (Outlook.com, Gmail, Yahoo) work in progress]
|
|
||||||
### Manually enabling the Attack Surface Reduction rules
|
|
||||||
|
|
||||||
You can also manually use GP or MDM-URIs to enable the ASR rules:
|
|
||||||
|
|
||||||
From the rules tables above, choose the ASR rules that you want to enable and set the following policy. For each rule select the right GUID.
|
|
||||||
|
|
||||||
After you<6F>ve chosen your rules, use one of the tools above to simulate a rule to fire.
|
|
||||||
- <20>./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules<65>
|
|
||||||
- Value as String Data Type: {75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}:2
|
|
||||||
### View event logs
|
|
||||||
|
|
||||||
Note: event logs are not the primary mechanism for investigation. The Windows Defender ATP portal receives much richer information that allows for investigation. Information is also presented in an interactive machine-timeline view.
|
|
||||||
#### Event fields
|
|
||||||
- **ID**: matches with the Rule-ID that triggered the block/audit.
|
- **ID**: matches with the Rule-ID that triggered the block/audit.
|
||||||
- **Detection time**: Time of detection
|
- **Detection time**: Time of detection
|
||||||
- **Process Name**: The process that performed the <20>operation<6F> that was blocked/audited
|
- **Process Name**: The process that performed the <20>operation<6F> that was blocked/audited
|
||||||
- **Description**:
|
- **Description**: Additional details about the event or audit, including the signature, engine, and product version of Windows Defender Antivirus
|
||||||
|
|
||||||
Windows Defender Antivirus has audited an operation that is not allowed by your IT administrator.
|
|
||||||
|
|
||||||
For more information please contact your IT administrator.
|
|
||||||
-- ID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
|
|
||||||
-- Detection time: 2017-06-21T11:52:29.062Z
|
|
||||||
-- User: SYSTEM
|
|
||||||
-- Path: C:\Windows\System32\notepad.exe
|
|
||||||
-- Process Name: C:\Program Files\Microsoft Office\Office16\winword.exe
|
|
||||||
-- Signature Version: 1.245.730.0
|
|
||||||
-- Engine Version: 1.1.13902.0
|
|
||||||
-- Product Version: 4.12.16228.1000
|
|
||||||
### View the alert notification
|
## In this section
|
||||||
|
|
||||||
If you configure the test to block, a notification will be displayed from the Action Center. This notification is customizable with your organization and contact information.
|
|
||||||
## Customize the notification
|
|
||||||
|
|
||||||
Customizing the Windows Defender Security Center is a simple task that provides users with a clear way to contact support.
|
|
||||||
Simply navigate in Group Policy to **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Security Center\Enterprise Customization**. From there, you will be able to enable your custom notification, set your organization name and contact information.
|
|
||||||
|
|
||||||
|
Topic | Description
|
||||||
|
---|---
|
||||||
|
[Evaluate Attack Surface Reduction](evaluate-attack-surface-reduction.md) | Use a tool to see a number of scenarios that demonstrate how the feature works, and what events would typically be created.
|
||||||
|
[Enable Attack Surface Reduction](enable-attack-surface-reduction.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage Attack Surface Reduction in your network.
|
||||||
|
[Customize Attack Surface Reduction](customize-attack-surface-reduction.md) | Exclude specified files and folders from being evaluated by Attack Surface Reduction and customize the notification that appears on a user's machine when a rule blocks an app or file.
|
||||||
|
|
||||||
|
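Review bot: removing the rule GUID table and the sample event from this topic leaves the retained `### Event fields` list dangling: `- **ID**: matches with the Rule-ID that triggered the block/audit.` now points at a Rule-ID that is defined nowhere on this page, and the new `- **Description**: Additional details about the event or audit, including the signature, engine, and product version` lost the example event (`-- Signature Version: 1.245.730.0` etc.) that showed what those fields look like. Make sure the `#### Rule-GUIDs for ASR` table and the example event land in enable-attack-surface-reduction.md, and link to it from the ID bullet. The new `## In this section` table also links to evaluate-attack-surface-reduction.md and enable-attack-surface-reduction.md, neither of which appears in this diff; only customize-attack-surface-reduction.md is added here, so confirm the other two exist before this merges. The removed draft notes (`>The tool reveals the RuleIDs. How will the IDs be hidden/how will the experience differ without an E5?`) should not be carried over to the new topics as-is.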
@ -26,3 +26,32 @@ This topic lists the auditing functionality available for each feature, the mana
|
|||||||
|
## Audit/block modes
|
||||||
|
|
||||||
|
Controlled Folder Access has mitigations that can be individually enabled in audit or blocking mode.
|
||||||
|
|
||||||
|
Component |Description |Rule/mitigation description |
|
||||||
|
-|-|-|-
|
||||||
|
Controlled Folder Access |Automatically blocks access to content to protected folders. - This can be enabled in audit/block mode |Protected folders |Folders that are shielded by this component.
|
||||||
|
| | | Allowed apps |Apps that are allowed to write into protected folders
|
||||||
|
### Audit/block modes
|
||||||
|
|
||||||
|
Each of these components can individually be enabled in audit or blocking mode.
|
||||||
|
|
||||||
|
Attack Surface Reduction and Controlled Folder Access also have mitigations that can be individually enabled in audit or blocking mode.
|
||||||
|
|
||||||
|
Component |Description |Rule/mitigation description |
|
||||||
|
-|-|-|-
|
||||||
|
Attack Surface Reduction (ASR) | Provides rules that allow you to prevent macro, script and email threats. - Each rule can be enabled in audit/block mode - Supports file/folder exclusions applied to all rules |Rules to prevent macro threats |Block office application from creating executable content
|
||||||
|
| | | | Block obfuscated js/vbs/ps/macro code
|
||||||
|
| | | | Block office application from launching child processes
|
||||||
|
| | | | Block office application from injecting into other processes
|
||||||
|
| | | | Block Win32 imports from macro code in Office
|
||||||
|
| | | Rules to prevent script threats |Block js/vbs from executing payload downloaded from Internet
|
||||||
|
| | | | Block obfuscated js/vbs/ps/macro code
|
||||||
|
| | | Rules to prevent email threats |Block execution of executable content (exe, dll, ps, js, vbs, etc) dropped from email (webmail/mail-client).
|
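Review bot: both added tables have a header/separator mismatch: `Component |Description |Rule/mitigation description |` names three columns, while the separator `-|-|-|-` and every row carry four cells, so the fourth column (the individual rule, e.g. `Block office application from creating executable content`) renders with an empty header. Add a fourth header cell such as `Rule/mitigation`, and keep the cell count consistent in rows like `| | | | Block obfuscated js/vbs/ps/macro code`. The section structure also looks pasted twice: `## Audit/block modes` introduces the Controlled Folder Access table, then `### Audit/block modes` repeats the heading with `Each of these components can individually be enabled in audit or blocking mode.` followed by a second lead sentence (`Attack Surface Reduction and Controlled Folder Access also have mitigations...`) before the ASR table. One heading, one lead sentence and one table with both components would read cleanly. Minor: `Block obfuscated js/vbs/ps/macro code` is listed under both the macro and the script rule groups; if that is intentional, say so in the row as the removed GUID table did.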
@ -19,7 +19,7 @@ ms.author: iawilt
|
|||||||
|
|
||||||
**Applies to:**
|
**Applies to:**
|
||||||
|
|
||||||
- Windows 10 Insider Preview, build 16232 and later
|
- Windows 10 Insider Preview
|
||||||
|
|
||||||
**Audience**
|
**Audience**
|
||||||
|
|
||||||
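Review bot: same "Applies to" change as in the Attack Surface Reduction topic (`- Windows 10 Insider Preview, build 16232 and later` becomes `- Windows 10 Insider Preview`), while the Requirements table that remains in this file still states `Insider Preview build 16232 or later (dated July 1, 2017 or later)`. Keep the two in step, whichever way you decide.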
@ -45,7 +45,9 @@ A notification will appear on the machine where the app attempted to make change
|
|||||||
Controlled Folder Access monitors the changes that apps make to files in certain protected folders.
|
Controlled Folder Access monitors the changes that apps make to files in certain protected folders.
|
||||||
If an app attempts to make a change to these files, and the app is blacklisted by the feature, you<6F>ll get a notification about the attempt.
|
If an app attempts to make a change to these files, and the app is blacklisted by the feature, you<6F>ll get a notification about the attempt.
|
||||||
|
|
||||||
The protected folders include common system folders, and you can additional folders. You can also allow or whitelist apps to give them access to the protected folders.
|
The protected folders include common system folders, and you can [add additional folders](customize-controlled-folders-exploit-guard.md#protect-additional-folders). You can also [allow or whitelist apps](customize-controlled-folders-exploit-guard.md#allow-specifc-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders.
|
||||||
|
|
||||||
|
As with other features of Windows Defender Exploit Guard, you can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Controlled Folder Access would impact your organization if it were enabled.
|
||||||
|
|
||||||
## Requirements
|
## Requirements
|
||||||
|
|
||||||
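Review bot: the new cross-reference `[allow or whitelist apps](customize-controlled-folders-exploit-guard.md#allow-specifc-apps-to-make-changes-to-controlled-folders)` encodes the typo `specifc`; the heading it targets (`## Allow specifc apps to make changes to controlled folders`, which this commit removes from this file) has the same typo, so the link will only work while the typo survives in the customize topic. Fix the heading and the anchor together (`allow-specific-apps-...`). customize-controlled-folders-exploit-guard.md is not part of this diff, so confirm it exists and carries both target headings before this merges.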
@ -54,165 +56,18 @@ The following requirements must be met before Controlled Folder Access will work
|
|||||||
Windows 10 version | Windows Defender Antivirus
|
Windows 10 version | Windows Defender Antivirus
|
||||||
Insider Preview build 16232 or later (dated July 1, 2017 or later) | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) must be enabled
|
Insider Preview build 16232 or later (dated July 1, 2017 or later) | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) must be enabled
|
||||||
|
|
||||||
## Enable Controlled Folder Access
|
|
||||||
|
|
||||||
You can enable Controlled Folder Access with either the Windows Defender Security Center app or Group Policy. You can also set the feature to audit mode. Audit mode allows you to test how the feature would work (and review events) without impacting the normal use of the machine.
|
|
||||||
|
|
||||||
For further details on how audit mode works, and when you might want to use it, see the [auditing Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md).
|
|
||||||
For further details on how audit mode works, and when you might want to use it, see the section [Use auditing mode to measure impact](#use-auditing-mode-to-measure-impact).
|
|
||||||
|
|
||||||
### Use the Windows Defender Security app to enable Controlled Folder Access
|
|
||||||
|
|
||||||
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
|
|
||||||
|
|
||||||
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:
|
|
||||||
|
|
||||||

|
|
||||||
|
|
||||||
3. Set the switch for the feature to **On**
|
|
||||||
|
|
||||||

|
|
||||||
|
|
||||||
### Use Group Policy to enable Controlled Folder Access
|
|
||||||
|
|
||||||
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
|
|
||||||
|
|
||||||
3. In the **Group Policy Management Editor** go to **Computer configuration**.
|
|
||||||
|
|
||||||
4. Click **Policies** then **Administrative templates**.
|
|
||||||
|
|
||||||
5. Expand the tree to **Windows components > Windows Defender Antivirus > Exploit Guard**.
|
|
||||||
|
|
||||||
6. Double-click the **Configure controlled folder access** setting and set the option to **Enabled**. In the options section you must specify one of the following:
|
|
||||||
- **Enable** - Malicious and suspicious apps will not be allowed to make changes to files in protected folders. A notification will be provided in the Windows event log
|
|
||||||
- **Disable (Default)** - The Controlled Folder Access feature will not work. All apps can make changes to files in protected folders.
|
|
||||||
- **Audit Mode** - If a malicious or suspicious app attempts to make a change to a file in a protected folder, the change will be allowed but will be recorded in the Windows event log. This allows you to assess the impact of this feature on your organization.
|
|
||||||

|
|
||||||
|
|
||||||
>[!IMPORTANT]
|
|
||||||
>To fully enable the Controlled Folder Access feature, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu.
|
|
||||||
|
|
||||||
### Use PowerShell to enable Controlled Folder Access
|
|
||||||
### Use MDM CSPs or Intune to enable Controlled Folder Access
|
|
||||||
### Use System Center Configuration Manager to enable Controlled Folder Access
|
|
||||||
## Protect additional folders
|
|
||||||
|
|
||||||
Controlled Folder Access applies to a number of system folders and default locations, including folders such as Documents, Pictures, Movies, and Desktop.
|
|
||||||
|
|
||||||
You can add additional folders to be protected, but you cannot remove the default folders in the default list.
|
|
||||||
|
|
||||||
Adding other folders to Controlled Folder Access can be useful, for example, if you don<6F>t store files in the default Windows libraries or you<6F>ve changed the location of the libraries away from the defaults.
|
|
||||||
|
|
||||||
You can also enter network shares and mapped drives, but environment variables and wildcards are not supported.
|
|
||||||
|
|
||||||
You can use the Windows Defender Security Center app or Group Policy to add and remove additional protected folders.
|
|
||||||
|
|
||||||
### Use the Windows Defender Security app to protect additional folders
|
|
||||||
|
|
||||||
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
|
|
||||||
|
|
||||||
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:
|
|
||||||
|
|
||||||

|
|
||||||
|
|
||||||
3. Under the **Controlled folder access** section, click **Protected folders**
|
|
||||||
|
|
||||||
4. Click **Add a protected folder** and follow the prompts to add apps.
|
|
||||||
|
|
||||||

|
|
||||||
### Use Group Policy to protect additional folders
|
|
||||||
|
|
||||||
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
|
|
||||||
|
|
||||||
3. In the **Group Policy Management Editor** go to **Computer configuration**.
|
|
||||||
|
|
||||||
4. Click **Policies** then **Administrative templates**.
|
|
||||||
|
|
||||||
5. Expand the tree to **Windows components > Windows Defender Antivirus > Exploit Guard**.
|
|
||||||
|
|
||||||
6. Double-click the **Configured protected folders** setting and set the option to **Enabled**. Click **Show** and enter each folder as Value? Or Value Name?
|
|
||||||
|
|
||||||
> [!IMPORTANT]
|
|
||||||
> Environment variables and wildcards are not supported.
|
|
||||||
### Use PowerShell to protect additional folders
|
|
||||||
### Use MDM CSPs or Intune to protect additional folders
|
|
||||||
### Use System Center Configuration Manager to protect additional folders
|
|
||||||
## Allow specifc apps to make changes to controlled folders
|
|
||||||
|
|
||||||
You can specify if certain apps should always be considered safe and given write access to files in protected folders. Allowing apps can be useful if you<6F>re finding a particular app that you know and trust is being blocked by the Controlled Folder Access feature.
|
|
||||||
|
|
||||||
You can use the Windows Defender Security Center app or Group Policy to add and remove apps that should be allowed to access protected folders.
|
|
||||||
|
|
||||||
### Use the Windows Defender Security app to whitelist specific apps
|
|
||||||
|
|
||||||
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
|
|
||||||
|
|
||||||
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:
|
|
||||||
|
|
||||||

|
|
||||||
|
|
||||||
3. Under the **Controlled folder access** section, click **Allow an app through Controlled folder access**
|
|
||||||
|
|
||||||
4. Click **Add an allowed app** and follow the prompts to add apps.
|
|
||||||
|
|
||||||

|
|
||||||
|
|
||||||
### Use Group Policy to whitelist specific apps
|
|
||||||
|
|
||||||
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
|
|
||||||
|
|
||||||
3. In the **Group Policy Management Editor** go to **Computer configuration**.
|
|
||||||
|
|
||||||
4. Click **Policies** then **Administrative templates**.
|
|
||||||
|
|
||||||
5. Expand the tree to **Windows components > Windows Defender Antivirus > Exploit Guard**.
|
|
||||||
|
|
||||||
6. Double-click the **Configure allowed applications** setting and set the option to **Enabled**. Click **Show** and enter each app as Value? Or Value Name? what are the requirements? Have to be exe? Do you have to enter fully qualified path, or will it apply to any .exe with that name?
|
|
||||||
### Use PowerShell to whitelist specific apps
|
|
||||||
### Use MDM CSPs or Intune to whitelist specific apps
|
|
||||||
./Vendor/MSFT/Policy/Config/Defender/EnableGuardMyFolders
|
|
||||||
|
|
||||||
### Use System Center Configuration Manager to whitelist specific apps
|
|
||||||
## Review Controlled Folder Access events in Windows Event Viewer
|
## Review Controlled Folder Access events in Windows Event Viewer
|
||||||
|
|
||||||
You can also review the Windows event log to see the events there were created when using the tool:
|
You can review the Windows event log to see events there are created when Controlled Folder Access blocks (or audits) an app:
|
||||||
|
|
||||||
1. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
|
1. Download the [Exploit Guard Evaluation Package](#) and extract the file *cfa-events.xml* to an easily accessible location on the machine.
|
||||||
|
|
||||||
2. On the left panel, under **Actions**, click **Import custom view...**
|
2. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
|
||||||
|
|
||||||
3. Navigate to the Exploit Guard Evaluation Package, and select the file *cfa-events.xml*. Alternatively, [download the XML directly](scripts/cfa-events.xml).
|
3. On the left panel, under **Actions**, click **Import custom view...**
|
||||||
|
|
||||||
|
4. Navigate to where you extracted *cfa-events.xml* and select it. Alternatively, [download the XML directly](scripts/cfa-events.xml).
|
||||||
|
|
||||||
4. Click **OK**.
|
4. Click **OK**.
|
||||||
|
|
||||||
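Review bot: the rewritten event viewer steps end with two items numbered 4 (`4. Navigate to where you extracted *cfa-events.xml* and select it.` followed by the unchanged `4. Click **OK**.`); markdown will still render 1 to 5, but renumber the last step to 5 so the source matches. The new step 1 links to a placeholder, `[Exploit Guard Evaluation Package](#)`, the same dead anchor as in the ASR topic, and should get the real URL. On the removed block: it still contains unresolved authoring questions (`enter each folder as Value? Or Value Name?` and `Have to be exe? Do you have to enter fully qualified path...`) and a misplaced CSP line (`./Vendor/MSFT/Policy/Config/Defender/EnableGuardMyFolders` under "Use MDM CSPs or Intune to whitelist specific apps", where it enables the feature rather than allowing an app). If this text is being moved into enable-/customize-controlled-folders-exploit-guard.md rather than dropped, those need to be answered and corrected before they land there.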
@ -225,16 +80,10 @@ Event ID | Description
|
|||||||
1123 | Blocked Controlled Folder Access event
|
1123 | Blocked Controlled Folder Access event
|
||||||
|
## In this section
|
||||||
|
|
||||||
|
Topic | Description
|
||||||
|
---|---
|
||||||
|
[Evaluate Controlled Folder Access](evaluate-controlled-folder-access.md) | Use a dedicated demo tool to see how Controlled Folder Access works, and what events would typically be created.
|
||||||
|
[Enable Controlled Folder Access](enable-controlled-folders-exploit-guard.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage Controlled Folder Access in your network
|
||||||
## Audit/block modes
|
[Customize Controlled Folder Access](customize-controlled-folders-exploit-guard.md) | Add additional protected folders, and allow specified apps to access protected folders.
|
||||||
|
|
||||||
Controlled Folder Access has mitigations that can be individually enabled in audit or blocking mode.
|
|
||||||
|
|
||||||
Component |Description |Rule/mitigation description |
|
|
||||||
-|-|-|-
|
|
||||||
Controlled Folder Access |Automatically blocks access to content to protected folders. - This can be enabled in audit/block mode |Protected folders |Folders that are shielded by this component.
|
|
||||||
| | | Allowed apps |Apps that are allowed to write into protected folders
|
|
||||||
|
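Review bot: the `## In this section` table is appended after the `Event ID | Description` table, so the list of child topics sits at the very bottom of the page; that matches where the ASR topic puts it in this commit, but it is the opposite of where a reader looks for navigation, so consider placing both under the intro. The table links to enable-controlled-folders-exploit-guard.md and customize-controlled-folders-exploit-guard.md, neither of which is in this diff. If the removed `## Audit/block modes` table is being moved to the audit topic (it reappears there in this commit), fix `Automatically blocks access to content to protected folders` to `...access to content in protected folders` on the way.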
@ -0,0 +1,68 @@
|
|||||||
|
---
|
||||||
|
title: Use Windows Defender Exploit Guard to protect your corporate network
|
||||||
|
description: Windows Defender Exploit Guard consists of features that can protect your network from malware and threat infection. It replaces EMET.
|
||||||
|
keywords: emet, exploit guard, Controlled Folder Access, Network Protection, Exploit Protection, Attack Surface Reduction, hips, host intrusion prevention system
|
||||||
|
search.product: eADQiWindows 10XVcnh
|
||||||
|
ms.pagetype: security
|
||||||
|
ms.prod: w10
|
||||||
|
ms.mktglfcycl: manage
|
||||||
|
ms.sitesec: library
|
||||||
|
ms.pagetype: security
|
||||||
|
localizationpriority: medium
|
||||||
|
author: iaanw
|
||||||
|
ms.author: iawilt
|
||||||
|
---
|
||||||
|
|
||||||
|
|
||||||
|
# Customize Attack Surface Reduction
|
||||||
|
|
||||||
|
|
||||||
|
**Applies to:**
|
||||||
|
|
||||||
|
- Windows 10 Insider Preview, build 16232 and later
|
||||||
|
|
||||||
|
**Audience**
|
||||||
|
|
||||||
|
- Enterprise security administrators
|
||||||
|
|
||||||
|
|
||||||
|
**Manageability available with**
|
||||||
|
|
||||||
|
- Group Policy
|
||||||
|
- PowerShell
|
||||||
|
- Windows Management Instrumentation (WMI)
|
||||||
|
- Microsoft Intune
|
||||||
|
- Windows Defender Security Center app
|
||||||
|
|
||||||
|
|
||||||
|
Attack Surface Reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
|
||||||
|
|
||||||
|
This topic describes how to customize Attack Surface Reduction by [excluding files and folders](#exclude-files-and-folders) or [adding custom text to the notification](#customize-the-notification) alert that appears on a user's computer.
|
||||||
|
|
||||||
|
## Exclude files and folders
|
||||||
|
|
||||||
|
You can exclude files and folders from being evaluated by Attack Surface Reduction rules. You can specify individual files or folders (using folder paths or fully qualified resource names) but you cannot specify if the files should be excluded from individual rules: the exclusions will apply to all rules that are enabled (or placed in audit mode).
|
||||||
|
|
||||||
|
|
||||||
|
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
|
||||||
|
|
||||||
|
3. In the **Group Policy Management Editor** go to **Computer configuration**.
|
||||||
|
|
||||||
|
4. Click **Policies** then **Administrative templates**.
|
||||||
|
|
||||||
|
5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack Surface Reduction**.
|
||||||
|
|
||||||
|
6. Double-click the **Exclude files and paths from Attack Surface Reduction Rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item.
|
||||||
|
|
||||||
|
|
||||||
|
## Customize the notification
|
||||||
|
|
||||||
|
Customizing the Windows Defender Security Center is a simple task that provides users with a clear way to contact support.
|
||||||
|
Simply navigate in Group Policy to **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Security Center\Enterprise Customization**. From there, you will be able to enable your custom notification, set your organization name and contact information.
|
||||||
|
|
||||||
|
|
||||||
|
## Related topics
|
||||||
|
|
||||||
|
- [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md)
|
||||||
|
- [Enable Attack Surface Reduction](enable-attack-surface-reduction.md)
|
||||||
|
- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)
|
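Review bot: the Group Policy procedure under **Exclude files and folders** is numbered 1, 3, 4, 5, 6; restore the missing step 2 (opening the editor) or renumber. The front matter does not describe this page: `title: Use Windows Defender Exploit Guard to protect your corporate network` and the description ending `It replaces EMET.` belong to the overview topic, and `ms.pagetype: security` appears twice. On substance, step 6 tells the reader to enter each path with value `0`, and the paragraph above already states that exclusions apply to every enabled or audited rule; add one sentence making the consequence explicit: an exclusion removes all ASR coverage for that file or folder, so entries should be fully qualified and as narrow as possible, never a writable directory tree, because a user-writable excluded folder is exactly where a dropped payload would be staged.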
@ -0,0 +1,146 @@
|
|||||||
|
---
|
||||||
|
title:
|
||||||
|
keywords:
|
||||||
|
search.product: eADQiWindows 10XVcnh
|
||||||
|
ms.pagetype: security
|
||||||
|
ms.prod: w10
|
||||||
|
ms.mktglfcycl: manage
|
||||||
|
ms.sitesec: library
|
||||||
|
ms.pagetype: security
|
||||||
|
localizationpriority: medium
|
||||||
|
author: iaanw
|
||||||
|
ms.author: iawilt
|
||||||
|
---
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
# Protect important folders with Controlled Folder Access
|
||||||
|
|
||||||
|
|
||||||
|
**Applies to:**
|
||||||
|
|
||||||
|
- Windows 10 Insider Preview, build 16232 and later
|
||||||
|
|
||||||
|
**Audience**
|
||||||
|
|
||||||
|
- Enterprise security administrators
|
||||||
|
|
||||||
|
|
||||||
|
**Manageability available with**
|
||||||
|
|
||||||
|
- Group Policy
|
||||||
|
- PowerShell
|
||||||
|
- Windows Management Instrumentation (WMI)
|
||||||
|
- Microsoft Intune
|
||||||
|
- Windows Defender Security Center app
|
||||||
|
|
||||||
|
|
||||||
|
Controlled Folder Access helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
|
||||||
|
|
||||||
|
This topic describes how to customize the following settings of the Controlled Folder Access feature with the Windows Defender Security Center app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs):
|
||||||
|
|
||||||
|
- [Add additional folders to be protected](#protect-additional-folders)
|
||||||
|
- [Add apps that should be allowed to access protected folders](#allow-specifc-apps-to-make-changes-to-controlled-folders)
|
||||||
|
|
||||||
|
## Protect additional folders
|
||||||
|
|
||||||
|
Controlled Folder Access applies to a number of system folders and default locations, including folders such as Documents, Pictures, Movies, and Desktop.
|
||||||
|
|
||||||
|
You can add additional folders to be protected, but you cannot remove the default folders in the default list.
|
||||||
|
|
||||||
|
Adding other folders to Controlled Folder Access can be useful, for example, if you don<6F>t store files in the default Windows libraries or you<6F>ve changed the location of the libraries away from the defaults.
|
||||||
|
|
||||||
|
You can also enter network shares and mapped drives, but environment variables and wildcards are not supported.
|
||||||
|
|
||||||
|
You can use the Windows Defender Security Center app or Group Policy to add and remove additional protected folders.
|
||||||
|
|
||||||
|
### Use the Windows Defender Security app to protect additional folders
|
||||||
|
|
||||||
|
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
|
||||||
|
|
||||||
|
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:
|
||||||
|
|
||||||
|

|
||||||
|
|
||||||
|
3. Under the **Controlled folder access** section, click **Protected folders**
|
||||||
|
|
||||||
|
4. Click **Add a protected folder** and follow the prompts to add apps.
|
||||||
|
|
||||||
|

|
||||||
|
|
||||||
|
|
||||||
|
### Use Group Policy to protect additional folders
|
||||||
|
|
||||||
|
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
|
||||||
|
|
||||||
|
3. In the **Group Policy Management Editor** go to **Computer configuration**.
|
||||||
|
|
||||||
|
4. Click **Policies** then **Administrative templates**.
|
||||||
|
|
||||||
|
5. Expand the tree to **Windows components > Windows Defender Antivirus > Exploit Guard**.
|
||||||
|
|
||||||
|
6. Double-click the **Configured protected folders** setting and set the option to **Enabled**. Click **Show** and enter each folder as Value? Or Value Name?
|
||||||
|
|
||||||
|
> [!IMPORTANT]
|
||||||
|
> Environment variables and wildcards are not supported.
|
||||||
|
|
||||||
|
|
||||||
|
### Use PowerShell to protect additional folders
|
||||||
|
|
||||||
|
|
||||||
|
### Use MDM CSPs or Intune to protect additional folders
|
||||||
|
|
||||||
|
|
||||||
|
### Use System Center Configuration Manager to protect additional folders
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
## Allow specifc apps to make changes to controlled folders
|
||||||
|
|
||||||
|
You can specify if certain apps should always be considered safe and given write access to files in protected folders. Allowing apps can be useful if you<6F>re finding a particular app that you know and trust is being blocked by the Controlled Folder Access feature.
|
||||||
|
|
||||||
|
You can use the Windows Defender Security Center app or Group Policy to add and remove apps that should be allowed to access protected folders.
|
||||||
|
|
||||||
|
### Use the Windows Defender Security app to whitelist specific apps
|
||||||
|
|
||||||
|
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
|
||||||
|
|
||||||
|
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:
|
||||||
|
|
||||||
|

|
||||||
|
|
||||||
|
3. Under the **Controlled folder access** section, click **Allow an app through Controlled folder access**
|
||||||
|
|
||||||
|
4. Click **Add an allowed app** and follow the prompts to add apps.
|
||||||
|
|
||||||
|

|
||||||
|
|
||||||
|
### Use Group Policy to whitelist specific apps
|
||||||
|
|
||||||
|
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
|
||||||
|
|
||||||
|
3. In the **Group Policy Management Editor** go to **Computer configuration**.
|
||||||
|
|
||||||
|
4. Click **Policies** then **Administrative templates**.
|
||||||
|
|
||||||
|
5. Expand the tree to **Windows components > Windows Defender Antivirus > Exploit Guard**.
|
||||||
|
|
||||||
|
6. Double-click the **Configure allowed applications** setting and set the option to **Enabled**. Click **Show** and enter each app as Value? Or Value Name? what are the requirements? Have to be exe? Do you have to enter fully qualified path, or will it apply to any .exe with that name?
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
### Use PowerShell to whitelist specific apps
|
||||||
|
|
||||||
|
|
||||||
|
### Use MDM CSPs or Intune to whitelist specific apps
|
||||||
|
./Vendor/MSFT/Policy/Config/Defender/EnableGuardMyFolders
|
||||||
|
|
||||||
|
### Use System Center Configuration Manager to whitelist specific apps
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
## Related topics
|
||||||
|
- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md)
|
||||||
|
- [Enable Controlled Folder Access](enable-controlled-folders-exploit-guard.md)
|
||||||
|
- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)
|
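Review bot: the H1 `# Protect important folders with Controlled Folder Access` does not match the body, which opens with `This topic describes how to customize the following settings` and lists `[Protect important folders with controlled folder access](controlled-folders-exploit-guard.md)` under Related topics; this is the customize topic and should be titled as such, and its `title:` and `keywords:` front-matter fields are empty with `ms.pagetype: security` duplicated. Several author questions were left in the text and must be resolved before merge: step 6 of **Use Group Policy to protect additional folders** ends `enter each folder as Value? Or Value Name?`, and step 6 of **Use Group Policy to whitelist specific apps** asks `Do you have to enter fully qualified path, or will it apply to any .exe with that name?`. That last question is a security question, not a wording one: if the allow list matched on bare file name, any binary named after a trusted app could write to protected folders, so the matching rule (full path versus name) needs to be stated explicitly. Smaller points: step 4 of **Use the Windows Defender Security app to protect additional folders** says `follow the prompts to add apps` where it means folders; the Group Policy path `Windows components > Windows Defender Antivirus > Exploit Guard` differs from the `Windows Defender Exploit Guard > Attack Surface Reduction` path used in the ASR topics of this same commit; `./Vendor/MSFT/Policy/Config/Defender/EnableGuardMyFolders` is placed under the allow-apps section but by its name is the on/off toggle, not an allowed-application list; the PowerShell, MDM and System Center Configuration Manager subsections are empty headings; and the apostrophes in `don<6F>t`, `you<6F>ve` and `you<6F>re` are mis-encoded.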
@ -0,0 +1,133 @@
|
|||||||
|
---
|
||||||
|
title: Use Windows Defender Exploit Guard to protect your corporate network
|
||||||
|
description: Windows Defender Exploit Guard consists of features that can protect your network from malware and threat infection. It replaces EMET.
|
||||||
|
keywords: emet, exploit guard, Controlled Folder Access, Network Protection, Exploit Protection, Attack Surface Reduction, hips, host intrusion prevention system
|
||||||
|
search.product: eADQiWindows 10XVcnh
|
||||||
|
ms.pagetype: security
|
||||||
|
ms.prod: w10
|
||||||
|
ms.mktglfcycl: manage
|
||||||
|
ms.sitesec: library
|
||||||
|
ms.pagetype: security
|
||||||
|
localizationpriority: medium
|
||||||
|
author: iaanw
|
||||||
|
ms.author: iawilt
|
||||||
|
---
|
||||||
|
|
||||||
|
|
||||||
|
# Enable Attack Surface Reduction
|
||||||
|
|
||||||
|
|
||||||
|
**Applies to:**
|
||||||
|
|
||||||
|
- Windows 10 Insider Preview, build 16232 and later
|
||||||
|
|
||||||
|
**Audience**
|
||||||
|
|
||||||
|
- Enterprise security administrators
|
||||||
|
|
||||||
|
|
||||||
|
**Manageability available with**
|
||||||
|
|
||||||
|
- Group Policy
|
||||||
|
- PowerShell
|
||||||
|
- Windows Management Instrumentation (WMI)
|
||||||
|
- Microsoft Intune
|
||||||
|
- Windows Defender Security Center app
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
Attack Surface Reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
|
||||||
|
|
||||||
|
## Individually enable Attack Surface Reduction rules
|
||||||
|
|
||||||
|
You can use Group Policy to configure the state or mode for each rule. This can be useful if you only want to enable some rules, or you want to enable rules individually in audit mode.
|
||||||
|
|
||||||
|
For further details on how audit mode works, and when you might want to use it, see the [auditing Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md).
|
||||||
|
|
||||||
|
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
|
||||||
|
|
||||||
|
3. In the **Group Policy Management Editor** go to **Computer configuration**.
|
||||||
|
|
||||||
|
4. Click **Policies** then **Administrative templates**.
|
||||||
|
|
||||||
|
5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack Surface Reduction**.
|
||||||
|
|
||||||
|
6. Double-click the **Configure Attack Surface Reduction rules** setting and set the option to **Enabled**. You can then set the individual state for each rule in the options section:
|
||||||
|
- Click **Show...** and enter the Rule ID in the **Value name** column and your desired state in the **Value** column as follows:
|
||||||
|
- Block mode = 1
|
||||||
|
- Disabled = 0
|
||||||
|
- Audit mode = 2
|
||||||
|
|
||||||
|
|
||||||
|

|
||||||
|
|
||||||
|
>[!NOTE]
|
||||||
|
>Rule IDs willl be populated on machines that are enrolled in an E5 license. These machines will also properly report their Attack Surface Reduction rule history in the Windows Defender Security Center web console.
|
||||||
|
|
||||||
|
|
||||||
|
>[!NOTE]
|
||||||
|
>The tool reveals the RuleIDs. How will the IDs be hidden/how will the experience differ without an E5?
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
## Policy settings for Windows Defender EG
|
||||||
|
|
||||||
|
The MDM policy settings for Windows Defender EG are listed in this section, along with example settings.
|
||||||
|
|
||||||
|
|
||||||
|
### Attack Surface Reduction
|
||||||
|
|
||||||
|
- ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions
|
||||||
|
- ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules
|
||||||
|
-- Value as String Data Type : {75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}:1
|
||||||
|
|
||||||
|
|
||||||
|
#### Rule-GUIDs for ASR
|
||||||
|
|
||||||
|
Rule description | GUIDs
|
||||||
|
-|-
|
||||||
|
Office rules |
|
||||||
|
Block office application from injecting into other processes | {75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84}
|
||||||
|
| OMA URI : <20>./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules<65>
|
||||||
|
| Value as String Data Type : {75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}:1
|
||||||
|
| 1 = Block, 2 = Audit, 0 = Disabled.
|
||||||
|
Block office application/macros from creating executable content | {3b576869-a4ec-4529-8536-b80a7769e899}
|
||||||
|
| Replace the above GUID with the corresponding Rule GUID
|
||||||
|
Block office application from launching child processes | {d4f940ab-401b-4efc-aadc-ad5f3c50688a}
|
||||||
|
| Replace the above GUID with the corresponding Rule GUID
|
||||||
|
Block Win32 imports from Macro code in Office | {92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B}
|
||||||
|
| Replace the above GUID with the corresponding Rule GUID
|
||||||
|
Block obfuscated js/vbs/ps/macro code | {5beb7efe-fd9a-4556-801d-275e5ffc04cc}
|
||||||
|
| Replace the above GUID with the corresponding Rule GUID
|
||||||
|
Script rules |
|
||||||
|
Block obfuscated js/vbs/ps/macro code | {5beb7efe-fd9a-4556-801d-275e5ffc04cc}
|
||||||
|
| Replace the above GUID with the corresponding Rule GUID [Note: same rule as above, but also covers scripts hence written here]
|
||||||
|
Block js/vbs from executing payload downloaded from Internet. | {d3e037e1-3eb8-44c8-a917-57927947596d}
|
||||||
|
| Replace the above GUID with the corresponding Rule GUID
|
||||||
|
Email rule |
|
||||||
|
Block execution of executable content (exe, dll, ps, js, vbs, etc) dropped from email (webmail/mail-client). | be9ba2d9-53ea-4cdc-84e5-9b1eeee46550
|
||||||
|
| Replace the above GUID with the corresponding Rule GUID [Currently working for Mail-client (Outlook). Personal Webmail (Outlook.com, Gmail, Yahoo) work in progress]
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
### Manually enabling the Attack Surface Reduction rules
|
||||||
|
|
||||||
|
You can also manually use GP or MDM-URIs to enable the ASR rules:
|
||||||
|
|
||||||
|
From the rules tables above, choose the ASR rules that you want to enable and set the following policy. For each rule select the right GUID.
|
||||||
|
|
||||||
|
After you<6F>ve chosen your rules, use one of the tools above to simulate a rule to fire.
|
||||||
|
- <20>./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules<65>
|
||||||
|
- Value as String Data Type: {75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}:2
|
||||||
|
|
||||||
|
|
||||||
|
## Related topics
|
||||||
|
|
||||||
|
- [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md)
|
||||||
|
- [Customize Attack Surface Reduction](customize-attack-surface-reduction.md)
|
||||||
|
- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)
|
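Review bot: the **Rule-GUIDs for ASR** table is malformed. The header declares two columns (`Rule description | GUIDs`), but lines such as `| OMA URI : <20>./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules<65>` and `| Replace the above GUID with the corresponding Rule GUID` are notes with a leading pipe and mis-encoded quotes rather than rows, and the email rule GUID `be9ba2d9-53ea-4cdc-84e5-9b1eeee46550` lacks the braces every other GUID has, so a reader copying values into the CSP gets inconsistent strings. Move the OMA-URI, value-format and `1 = Block, 2 = Audit, 0 = Disabled` lines into one sentence above the table, list each rule once (`Block obfuscated js/vbs/ps/macro code` appears under both Office rules and Script rules), and remove the engineering status note `Currently working for Mail-client (Outlook). Personal Webmail (Outlook.com, Gmail, Yahoo) work in progress`. Also: the Group Policy steps skip number 2; `Rule IDs willl be populated` has a typo and the `>[!NOTE]` after it is an unanswered author question (`How will the IDs be hidden/how will the experience differ without an E5?`); `use one of the tools above to simulate a rule to fire` refers to tools this page never lists; and the front matter again carries the overview title and description with a duplicated `ms.pagetype`. The closing example `{75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}:2` puts the rule in audit mode, which is the right first step; say so, and tell readers to review the audit events before changing the value to `:1`.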
@ -0,0 +1,96 @@
|
|||||||
|
---
|
||||||
|
title:
|
||||||
|
keywords:
|
||||||
|
search.product: eADQiWindows 10XVcnh
|
||||||
|
ms.pagetype: security
|
||||||
|
ms.prod: w10
|
||||||
|
ms.mktglfcycl: manage
|
||||||
|
ms.sitesec: library
|
||||||
|
ms.pagetype: security
|
||||||
|
localizationpriority: medium
|
||||||
|
author: iaanw
|
||||||
|
ms.author: iawilt
|
||||||
|
---
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
# Enable Controlled Folder Access
|
||||||
|
|
||||||
|
|
||||||
|
**Applies to:**
|
||||||
|
|
||||||
|
- Windows 10 Insider Preview, build 16232 and later
|
||||||
|
|
||||||
|
**Audience**
|
||||||
|
|
||||||
|
- Enterprise security administrators
|
||||||
|
|
||||||
|
|
||||||
|
**Manageability available with**
|
||||||
|
|
||||||
|
- Group Policy
|
||||||
|
- PowerShell
|
||||||
|
- Windows Management Instrumentation (WMI)
|
||||||
|
- Microsoft Intune
|
||||||
|
- Windows Defender Security Center app
|
||||||
|
|
||||||
|
|
||||||
|
Controlled Folder Access helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
|
||||||
|
|
||||||
|
This topic describes how to enable Controlled Folder Access with the Windows Defender Security Center app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs).
|
||||||
|
|
||||||
|
## Enable Controlled Folder Access
|
||||||
|
|
||||||
|
You can enable Controlled Folder Access with either the Windows Defender Security Center app or Group Policy. You can also set the feature to audit mode. Audit mode allows you to test how the feature would work (and review events) without impacting the normal use of the machine.
|
||||||
|
|
||||||
|
For further details on how audit mode works, and when you might want to use it, see the [auditing Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md).
|
||||||
|
|
||||||
|
|
||||||
|
For further details on how audit mode works, and when you might want to use it, see the section [Use auditing mode to measure impact](#use-auditing-mode-to-measure-impact).
|
||||||
|
|
||||||
|
### Use the Windows Defender Security app to enable Controlled Folder Access
|
||||||
|
|
||||||
|
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
|
||||||
|
|
||||||
|
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:
|
||||||
|
|
||||||
|

|
||||||
|
|
||||||
|
3. Set the switch for the feature to **On**
|
||||||
|
|
||||||
|

|
||||||
|
|
||||||
|
### Use Group Policy to enable Controlled Folder Access
|
||||||
|
|
||||||
|
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
|
||||||
|
|
||||||
|
3. In the **Group Policy Management Editor** go to **Computer configuration**.
|
||||||
|
|
||||||
|
4. Click **Policies** then **Administrative templates**.
|
||||||
|
|
||||||
|
5. Expand the tree to **Windows components > Windows Defender Antivirus > Exploit Guard**.
|
||||||
|
|
||||||
|
6. Double-click the **Configure controlled folder access** setting and set the option to **Enabled**. In the options section you must specify one of the following:
|
||||||
|
- **Enable** - Malicious and suspicious apps will not be allowed to make changes to files in protected folders. A notification will be provided in the Windows event log
|
||||||
|
- **Disable (Default)** - The Controlled Folder Access feature will not work. All apps can make changes to files in protected folders.
|
||||||
|
- **Audit Mode** - If a malicious or suspicious app attempts to make a change to a file in a protected folder, the change will be allowed but will be recorded in the Windows event log. This allows you to assess the impact of this feature on your organization.
|
||||||
|
|
||||||
|
|
||||||
|

|
||||||
|
|
||||||
|
>[!IMPORTANT]
|
||||||
|
>To fully enable the Controlled Folder Access feature, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu.
|
||||||
|
|
||||||
|
### Use PowerShell to enable Controlled Folder Access
|
||||||
|
|
||||||
|
|
||||||
|
### Use MDM CSPs or Intune to enable Controlled Folder Access
|
||||||
|
|
||||||
|
|
||||||
|
### Use System Center Configuration Manager to enable Controlled Folder Access
|
||||||
|
|
||||||
|
## Related topics
|
||||||
|
|
||||||
|
- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md)
|
||||||
|
- [Customize Controlled Folder Access](customize-controlled-folders-exploit-guard.md)
|
||||||
|
- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)
|
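Review bot: the **Enable Controlled Folder Access** section has two consecutive sentences beginning `For further details on how audit mode works, and when you might want to use it`; the second points at `#use-auditing-mode-to-measure-impact`, a heading this page does not contain, so drop it and keep the link to `audit-windows-defender-exploit-guard.md`. The intro says the feature can be enabled `with either the Windows Defender Security Center app or Group Policy`, yet the page adds PowerShell, MDM CSP and System Center Configuration Manager subsections with no content; fill them or remove the headings. The Group Policy steps skip number 2, `title:` and `keywords:` are empty, and `ms.pagetype: security` is duplicated. The `[!IMPORTANT]` note that both the policy state **Enabled** and the option **Enable** are required is the one non-obvious point on the page and is worth keeping prominent, since leaving the drop-down at `Disable (Default)` silently leaves the feature off.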
@ -231,14 +231,19 @@ You can also use Group Policy, Intune, MDM, or System Center Configuration Manag
|
|||||||
|
|
||||||
During your evaluation, you may wish to configure each rule individualy or exclude certain files and processes from being evaluated by the feature.
|
During your evaluation, you may wish to configure each rule individualy or exclude certain files and processes from being evaluated by the feature.
|
||||||
|
|
||||||
See the following sections in the main [Use Attack Surface Reduction rules](controlled-folders-exploit-guard.md) topic for configuring the feature with MDM policies, PowerShell, the Windows Defender Security Center, Group Policy, Intune, or System Center Configuration Manager:
|
See the following topics for configuring the feature with management tools, including Group Policy and MDM CSP policies:
|
||||||
|
|
||||||
- [Exclude files and folders](attack-surface-reduction-exploit-guard.md#exclude-files-and-folders)
|
- [Exclude files and folders](customize-attack-surface-reduction.md#exclude-files-and-folders)
|
||||||
- [Configure rules individually](attack-surface-reduction-exploit-guard.md#configure-rules-individually)
|
- [Configure rules individually](enable-attack-surface-reduction.md#individually-enable-attack-surface-reduction-rules)
|
||||||
|
|
||||||
|
|
||||||
## Related topics
|
## Related topics
|
||||||
- [Attack Surface ]
|
- [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md)
|
||||||
|
- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)
|
||||||
|
- [Use audit mode to evaluate Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
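Review bot: the link repointing is correct: the old text sent `Use Attack Surface Reduction rules` to `controlled-folders-exploit-guard.md`, and the new targets `customize-attack-surface-reduction.md#exclude-files-and-folders` and `enable-attack-surface-reduction.md#individually-enable-attack-surface-reduction-rules` match headings added in this commit; replacing the dangling `- [Attack Surface ]` entry is also right. One remaining issue in the unchanged context on both sides: `configure each rule individualy` is misspelled.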
@ -108,7 +108,12 @@ For further details on how audit mode works, and when you might want to use it,
|
|||||||
|
|
||||||
During your evaluation, you may wish to add to the list of protected folders, or allow certain apps to modify files.
|
During your evaluation, you may wish to add to the list of protected folders, or allow certain apps to modify files.
|
||||||
|
|
||||||
See the following sections in the main [Protect important folders with Controlled Folder Access](controlled-folders-exploit-guard.md) topic for configuring the feature with MDM policies, PowerShell, the Windows Defender Security Center, Group Policy, Intune, or System Center Configuration Manager:
|
See the following sections in the main [Protect important folders with Controlled Folder Access](controlled-folders-exploit-guard.md) topic for configuring the feature with management tools, including Group Policy and MDM CSPs:
|
||||||
|
|
||||||
- [Protect additional folders](controlled-folders-exploit-guard.md#protect-additional-folders)
|
- [Protect additional folders](controlled-folders-exploit-guard.md#protect-additional-folders)
|
||||||
- [Allow specifc apps to make changes to controlled folders](controlled-folders-exploit-guard.md#allow-specifc-apps-to-make-changes-to-controlled-folders)
|
- [Allow specifc apps to make changes to controlled folders](controlled-folders-exploit-guard.md#allow-specifc-apps-to-make-changes-to-controlled-folders)
|
||||||
|
|
||||||
|
## Related topics
|
||||||
|
- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md)
|
||||||
|
- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)
|
||||||
|
- [Use audit mode to evaluate Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md)
|
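Review bot: both links in this hunk use the anchor `#allow-specifc-apps-to-make-changes-to-controlled-folders`, which matches the misspelled heading `## Allow specifc apps to make changes to controlled folders` in the new file; fixing the heading later will break these anchors, so correct the spelling in both places in the same change. Also verify the target file: the links point at `controlled-folders-exploit-guard.md`, but the new page in this commit that carries the **Protect additional folders** and **Allow specifc apps** headings lists `controlled-folders-exploit-guard.md` as one of its related topics rather than being it, so these sections most likely live in `customize-controlled-folders-exploit-guard.md`, and the lead-in `See the following sections in the main [Protect important folders with Controlled Folder Access](controlled-folders-exploit-guard.md) topic` would need to change with them.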