deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-16 15:27:22 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

ep changes

Browse Source
This commit is contained in:
Iaan D'Souza-Wiltshire 2017-08-16 11:26:51 -07:00
parent 6c02a0f46a
commit 48ff508ae9
14 changed files with 783 additions and 224 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
windows/threat-protection/TOC.md
View File

@ -152,7 +152,7 @@
#### [Comparison with Enhanced Mitigation Experience Toolkit](windows-defender-exploit-guard\emet-exploit-protection-exploit-guard.md)
#### [Evaluate Exploit Protection](windows-defender-exploit-guard\evaluate-exploit-protection.md)
#### [Enable Exploit Protection](windows-defender-exploit-guard\enable-exploit-protection.md)
#### [Configure Exploit Protection](windows-defender-exploit-guard\configure-exploit-protection.md)
#### [Customize Exploit Protection](windows-defender-exploit-guard\customize-exploit-protection.md)
##### [Configure system-wide settings for Exploit Protection](windows-defender-exploit-guard\configure-system-exploit-protection.md)
##### [Individually configure apps for Exploit Protection](windows-defender-exploit-guard\configure-app-exploit-protection.md)
### [Reduce attack surfaces with Windows Defender Exploit Guard](windows-defender-exploit-guard\attack-surface-reduction-exploit-guard.md)

8
windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
View File

@ -33,7 +33,11 @@ ms.author: iawilt
- Configuration service providers for mobile device management
Attack Surface Reduction is a feature that is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
Attack Surface Reduction helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
Attack Surface Reduction works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection) - which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection).
The feature is comprised of a number of rules, each of which target specific behaviors that are typically used by malware and malicious apps to infect machines, such as:
@ -45,6 +49,8 @@ When a rule is triggered, a notification will be displayed from the Action Cente
You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Attack Surface Reduction would impact your organization if it were enabled.
## Requirements
The following requirements must be met before Attack Surface Reduction will work:

8
windows/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md
View File

@ -23,7 +23,13 @@ You might want to do this when testing how the feature will work in your organiz
While the features will not block or prevent apps, scripts, or files from being modified, the Windows Event Log will record events as if the features were fully enabled. This means you can enable auditing mode and then review the event log to see what impact the feature would have had were it enabled.
This topic links to enabling the auditing functionality for each feature. It also You can use Group Policy, PowerShell, and configuration servicer providers (CSPs) to enable auditing mode.
You can use Windows Defender Advanced Threat Protection to get greater granularity into each event, especially for investigating Attack Surface Reduction rules. Using the Windows Defender ATP console lets you [investigate issues as part of the alert timeline and investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection).
This topic links to topics that describe how to enable the auditing functionality for each feature and how to view events in the Windows Event Viewer.
You can use Group Policy, PowerShell, and configuration servicer providers (CSPs) to enable auditing mode.
Auditing options | How to enable auditing mode | How to view events

53
windows/threat-protection/windows-defender-exploit-guard/configure-app-exploit-protection.md Normal file
View File

@ -0,0 +1,53 @@
---
title: Configure how ASR works so you can finetune the protection in your network
description: You can individually set rules in audit, block, or disabled modes, and add files and folders that should be excluded from ASR
keywords: Attack Surface Reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, customize, configure, exclude
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
---
# Customize Attack Surface Reduction
**Applies to:**
- Windows 10 Insider Preview
**Audience**
- Enterprise security administrators
**Manageability available with**
- Windows Defender Security Center app
- Group Policy
- PowerShell
- Configuration service providers for mobile device management
## App-specific mitigations
What is the scope for these? Any app? Only Windows/system services? Signed apps? Known bad apps?
1. Configure
2. Export
3. Import
## Related topics
- [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md)
- [Enable Attack Surface Reduction](enable-attack-surface-reduction.md)
- [Evaluate Attack Surface Reduction](evaluate-attack-surface-reduction.md)

100
windows/threat-protection/windows-defender-exploit-guard/configure-system-exploit-protection.md Normal file
View File

@ -0,0 +1,100 @@
---
title: Configure how ASR works so you can finetune the protection in your network
description: You can individually set rules in audit, block, or disabled modes, and add files and folders that should be excluded from ASR
keywords: Attack Surface Reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, customize, configure, exclude
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
---
# Customize Attack Surface Reduction
**Applies to:**
- Windows 10 Insider Preview
**Audience**
- Enterprise security administrators
**Manageability available with**
- Windows Defender Security Center app
- Group Policy
- PowerShell
- Configuration service providers for mobile device management
## System-level mitigations
What is the scope for these? Any app? Only Windows/system services? Signed apps? Known bad apps?
System-level mitigations are applied to...
You can set each of the following system-level mitigations to on, off, or the default value:
Mitigation | Default value
Control flow guard | On
Data execution prevention | On
Force randomization for images (Mandatory ASLR) | Off
Randomize memory allocations (Bottom-up ASLR) | On
Validate exception chains (SEHOP) | On
Validate heap integrity | Off
Generally, the default values should be used to...
### Control flow guard
### Data execution prevention
### Force randomization for images (Mandatory ASLR)
### Randomize memory allocations (Bottom-up ASLR)
### Validate exception chains (SEHOP)
### Validate heap integrity
### Configure system-level mitigations
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:
![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center](../windows-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png)
3. Under the **Controlled folder access** section, click **Protected folders**
4. Click **Add a protected folder** and follow the prompts to add apps.
![](images/cfa-prot-folders.png)
You can now export these settings as an XML file. This allows you to copy the configuration from one machine onto other machines.
## Related topics
- [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md)
- [Enable Attack Surface Reduction](enable-attack-surface-reduction.md)
- [Evaluate Attack Surface Reduction](evaluate-attack-surface-reduction.md)

9
windows/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md
View File

@ -35,7 +35,11 @@ ms.author: iawilt
- Configuration service providers for mobile device management
Controlled Folder Access helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
Controlled Folder Access helps you protect valuable data from malicious apps and threats, such as ransomware.
It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
Controlled Folder Access works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection) - which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection).
All apps (any executable file, including .exe, .scr, .dll files and others) are assessed by Windows Defender Antivirus, which then determines if the app is malicious or safe. If the app is determined to be malicious or suspicious, then it will not be allowed to make changes to any files in any protected folder.
@ -47,11 +51,14 @@ The protected folders include common system folders, and you can [add additional
As with other features of Windows Defender Exploit Guard, you can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Controlled Folder Access would impact your organization if it were enabled.
## Requirements
The following requirements must be met before Controlled Folder Access will work:
Windows 10 version | Windows Defender Antivirus
-|-
Insider Preview build 16232 or later (dated July 1, 2017 or later) | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) must be enabled

91
windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md Normal file
View File

@ -0,0 +1,91 @@
---
title: Configure how ASR works so you can finetune the protection in your network
description: You can individually set rules in audit, block, or disabled modes, and add files and folders that should be excluded from ASR
keywords: Attack Surface Reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, customize, configure, exclude
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
---
# Customize Attack Surface Reduction
**Applies to:**
- Windows 10 Insider Preview
**Audience**
- Enterprise security administrators
**Manageability available with**
- Windows Defender Security Center app
- Group Policy
- PowerShell
- Configuration service providers for mobile device management
Attack Surface Reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
This topic describes how to customize Attack Surface Reduction by [excluding files and folders](#exclude-files-and-folders) or [adding custom text to the notification](#customize-the-notification) alert that appears on a user's computer.
You can use Group Policy, PowerShell, and MDM CSPs to configure these settings.
## Exclude files and folders
You can exclude files and folders from being evaluated by Attack Surface Reduction rules.
You can specify individual files or folders (using folder paths or fully qualified resource names) but you cannot specify if the exclusions should only be applied to individual rules: the exclusions will apply to all rules that are enabled (or placed in audit mode).
### Use Group Policy to exclude files and folders
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack Surface Reduction**.
6. Double-click the **Exclude files and paths from Attack Surface Reduction Rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item.
### Use PowerShell to exclude files and folderss
1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
2. Enter the following cmdlet:
```PowerShell
Add-MpPreference -AttackSurfaceReductionOnlyExclusions "<fully qualified path or resource>"
```
Continue to use `Add-MpPreference -AttackSurfaceReductionOnlyExclusions` to add more folders to the list.
>[!IMPORTANT]
>Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list.
### Use MDM CSPs to exclude files and folders
Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductiononlyexclusions) configuration service provider (CSP) to add exclusions.
## Customize the notification
See the [Windows Defender Security Center](../windows-defender-security-center/windows-defender-security-center#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file.
## Related topics
- [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md)
- [Enable Attack Surface Reduction](enable-attack-surface-reduction.md)
- [Evaluate Attack Surface Reduction](evaluate-attack-surface-reduction.md)

256
windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md Normal file
View File

@ -0,0 +1,256 @@
---
title:
keywords:
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
---
# Protect devices from exploits with Windows Defender Exploit Guard
**Applies to:**
- Windows 10 Insider Preview, build 16232 and later
**Audience**
- Enterprise security administrators
**Manageability available with**
- Group Policy
- PowerShell
- Windows Management Instrumentation (WMI)
- System Center Configuration Manager
- Microsoft Intune
- Windows Defender Security Center app
Exploit Protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps.
It is part of Windows Defender Exploit Guard, which is itself a component in the new Windows Defender Advanced Threat Protection offering of security and threat prevention products.
You configure these settings using the Windows Defender Security Center on an individual machine, and then export the configuration as an XML file that you can deploy to other machines. You can use Group Policy to distribute the XML file to multiple devices at once.
## Requirements
The following requirements must be met before Exploit Protection will work:
Windows 10 version | Windows Defender Advanced Threat Protection
Insider Preview build 16232 or later (dated July 1, 2017 or later) | For full reporting you need a license for [Windows Defender ATP](../windows-defender-atp/windows-defender-advanced-threat-protection.md)
## System-level mitigations
What is the scope for these? Any app? Only Windows/system services? Signed apps? Known bad apps?
System-level mitigations are applied to...
You can set each of the following system-level mitigations to on, off, or the default value:
Mitigation | Default value
Control flow guard | On
Data execution prevention | On
Force randomization for images (Mandatory ASLR) | Off
Randomize memory allocations (Bottom-up ASLR) | On
Validate exception chains (SEHOP) | On
Validate heap integrity | Off
Generally, the default values should be used to...
### Control flow guard
### Data execution prevention
### Force randomization for images (Mandatory ASLR)
### Randomize memory allocations (Bottom-up ASLR)
### Validate exception chains (SEHOP)
### Validate heap integrity
1. Configure
2. Export
3. Import
### Configure system-level mitigations
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:
![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center](../windows-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png)
3. Under the **Controlled folder access** section, click **Protected folders**
4. Click **Add a protected folder** and follow the prompts to add apps.
![](images/cfa-prot-folders.png)
You can now export these settings as an XML file. This allows you to copy the configuration from one machine onto other machines.
### Export system-level mitigations
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:
![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center](../windows-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png)
3. Under the **Controlled folder access** section, click **Protected folders**
4. Click **Add a protected folder** and follow the prompts to add apps.
![](images/cfa-prot-folders.png)
You can import the XML file to other machines in your organization. You can do this individually for each machine by using the Windows Defender Security Center, or you can deploy a Group Policy setting for multiple devices.
### Import system-level mitigations
**Use the Windows Defender Security app to import system-level mitigations:**
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:
![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center](../windows-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png)
3. Under the **Controlled folder access** section, click **Protected folders**
4. Click **Add a protected folder** and follow the prompts to add apps.
![](images/cfa-prot-folders.png)
**Use Group Policy to import and deploy system-level mitigations:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Exploit Guard**.
6. Double-click the **Configure controlled folder access** setting and set the option to **Enabled**. In the options section you must specify one of the following:
- **Enable** - Malicious and suspicious apps will not be allowed to make changes to files in protected folders. A notification will be provided in the Windows event log
- **Disable (Default)** - The Controlled Folder Access feature will not work. All apps can make changes to files in protected folders.
- **Audit Mode** - If a malicious or suspicious app attempts to make a change to a file in a protected folder, the change will be allowed but will be recorded in the Windows event log. This allows you to assess the impact of this feature on your organization.
![](images/cfa-gp-enable.png)
>[!IMPORTANT]
>To fully enable the Controlled Folder Access feature, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu.
## App-specific mitigations
What is the scope for these? Any app? Only Windows/system services? Signed apps? Known bad apps?
1. Configure
2. Export
3. Import
### Configure app-specific mitigations
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:
![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center](../windows-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png)
3. Under the **Controlled folder access** section, click **Protected folders**
4. Click **Add a protected folder** and follow the prompts to add apps.
![](images/cfa-prot-folders.png)
You can now export these settings as an XML file. This allows you to copy the configuration from one machine onto other machines.
### Export app-specific mitigations
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:
![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center](../windows-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png)
3. Under the **Controlled folder access** section, click **Protected folders**
4. Click **Add a protected folder** and follow the prompts to add apps.
![](images/cfa-prot-folders.png)
You can import the XML file to other machines in your organization. You can do this individually for each machine by using the Windows Defender Security Center, or you can deploy a Group Policy setting for multiple devices.
### Import app-specific mitigations
**Use the Windows Defender Security app to import app-specific mitigations:**
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:
![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center](../windows-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png)
3. Under the **Controlled folder access** section, click **Protected folders**
4. Click **Add a protected folder** and follow the prompts to add apps.
![](images/cfa-prot-folders.png)
**Use Group Policy to import and deploy app-specific mitigations:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Exploit Guard**.
6. Double-click the **Configure controlled folder access** setting and set the option to **Enabled**. In the options section you must specify one of the following:
- **Enable** - Malicious and suspicious apps will not be allowed to make changes to files in protected folders. A notification will be provided in the Windows event log
- **Disable (Default)** - The controlled folder access feature will not work. All apps can make changes to files in protected folders.
- **Audit Mode** - If a malicious or suspicious app attempts to make a change to a file in a protected folder, the change will be allowed but will be recorded in the Windows event log. This allows you to assess the impact of this feature on your organization.
![](images/cfa-gp-enable.png)
>[!IMPORTANT]
>To fully enable the Controlled Folder Access feature, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu.
## Review event logs for Exploit Protection
How do you see these event logs? Are they under specific codes/areas?
Also - is there any SCCM, Intune, or MDM functionality here? Can't see anything in the SCCM console.

105
windows/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md Normal file
View File

@ -0,0 +1,105 @@
---
title: Turn on the protected folders feature in Windows 10
keywords: controlled folder access, windows 10, windows defender, ransomware, protect, files, folders, enable, turn on, use
description: Learn how to protect your important files by enabling Controlled Folder Access
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
---
# Enable Controlled Folder Access
**Applies to:**
- Windows 10 Insider Preview
**Audience**
- Enterprise security administrators
**Manageability available with**
- Windows Defender Security Center app
- Group Policy
- PowerShell
- Configuration service providers for mobile device management
Controlled Folder Access helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
This topic describes how to enable Controlled Folder Access with the Windows Defender Security Center app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs).
## Enable and audit Controlled Folder Access
You can enable Controlled Folder Access with the Windows Defender Security Center app, Group Policy, PowerShell, or MDM CSPs. You can also set the feature to audit mode. Audit mode allows you to test how the feature would work (and review events) without impacting the normal use of the machine.
For further details on how audit mode works, and when you might want to use it, see the [auditing Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md).
### Use the Windows Defender Security app to enable Controlled Folder Access
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:
![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center](../windows-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png)
3. Set the switch for the feature to **On**
![](images/cfa-on.png)
### Use Group Policy to enable Controlled Folder Access
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled Folder Access**.
6. Double-click the **Configure controlled folder access** setting and set the option to **Enabled**. In the options section you must specify one of the following:
- **Enable** - Malicious and suspicious apps will not be allowed to make changes to files in protected folders. A notification will be provided in the Windows event log
- **Disable (Default)** - The Controlled Folder Access feature will not work. All apps can make changes to files in protected folders.
- **Audit Mode** - If a malicious or suspicious app attempts to make a change to a file in a protected folder, the change will be allowed but will be recorded in the Windows event log. This allows you to assess the impact of this feature on your organization.
![](images/cfa-gp-enable.png)
>[!IMPORTANT]
>To fully enable the Controlled Folder Access feature, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu.
### Use PowerShell to enable Controlled Folder Access
1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
2. Enter the following cmdlet:
```PowerShell
Set-MpPreference -EnableControlledFolderAccess Enabled
```
You can enable the feauting in auditing mode by specifying `AuditMode` instead of `Enabled`.
Use `Disabled` to turn the feature off.
### Use MDM CSPs to enable Controlled Folder Access
Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersList](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-guardedfolderslist) configuration service provider (CSP) to allow apps to make changes to protected folders.
## Related topics
- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md)
- [Customize Controlled Folder Access](customize-controlled-folders-exploit-guard.md)
- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)

282
windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md
View File

@ -19,7 +19,7 @@ ms.author: iawilt
**Applies to:**
- Windows 10 Insider Preview, build 16232 and later
- Windows 10 Insider Preview
**Audience**
@ -28,229 +28,87 @@ ms.author: iawilt
**Manageability available with**
- Windows Defender Security Center app
- Group Policy
- PowerShell
- Windows Management Instrumentation (WMI)
- System Center Configuration Manager
- Microsoft Intune
- Windows Defender Security Center app
- Configuration service providers for mobile device management
Exploit Protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps.
Exploit Protection automatically applies a number of exploit mitigation techniques on both [the operating system processes](configure-system-exploit-protection.md) and on [individual apps](configure-app-exploit-protection.md).
It is part of Windows Defender Exploit Guard, which is itself a component in the new Windows Defender Advanced Threat Protection offering of security and threat prevention products.
It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
You configure these settings using the Windows Defender Security Center on an individual machine, and then export the configuration as an XML file that you can deploy to other machines. You can use Group Policy to distribute the XML file to multiple devices at once.
Exploit Protection works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection) - which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection).
You configure these settings using the Windows Defender Security Center app on an individual machine, and then [export the configuration as an XML file that you can deploy to other machines](import-export-exploit-protection-emet-xml.md). You can use Group Policy to distribute the XML file to multiple devices at once.
Exploit Protection consists of a number of mitigations that are designed to protect against typical malware infection behavior - especially for malware that attempts to exploit software vulnerabilities to spread and infect machines.
Many of the features in the Enhanced Mitigation Experience Toolkit (EMET) have been included in Exploit Protection, and you can convert and import existing EMET configuration profiles into Exploit Protection.
You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Attack Surface Reduction would impact your organization if it were enabled.
## Requirements
The following requirements must be met before Exploit Protection will work:
Windows 10 version | Windows Defender Advanced Threat Protection
-|-
Insider Preview build 16232 or later (dated July 1, 2017 or later) | For full reporting you need a license for [Windows Defender ATP](../windows-defender-atp/windows-defender-advanced-threat-protection.md)
## System-level mitigations
What is the scope for these? Any app? Only Windows/system services? Signed apps? Known bad apps?
System-level mitigations are applied to...
You can set each of the following system-level mitigations to on, off, or the default value:
Mitigation | Default value
Control flow guard | On
Data execution prevention | On
Force randomization for images (Mandatory ASLR) | Off
Randomize memory allocations (Bottom-up ASLR) | On
Validate exception chains (SEHOP) | On
Validate heap integrity | Off
Generally, the default values should be used to...
### Control flow guard
### Data execution prevention
### Force randomization for images (Mandatory ASLR)
### Randomize memory allocations (Bottom-up ASLR)
### Validate exception chains (SEHOP)
### Validate heap integrity
1. Configure
2. Export
3. Import
### Configure system-level mitigations
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:
![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center](../windows-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png)
3. Under the **Controlled folder access** section, click **Protected folders**
4. Click **Add a protected folder** and follow the prompts to add apps.
![](images/cfa-prot-folders.png)
You can now export these settings as an XML file. This allows you to copy the configuration from one machine onto other machines.
### Export system-level mitigations
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:
![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center](../windows-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png)
3. Under the **Controlled folder access** section, click **Protected folders**
4. Click **Add a protected folder** and follow the prompts to add apps.
![](images/cfa-prot-folders.png)
You can import the XML file to other machines in your organization. You can do this individually for each machine by using the Windows Defender Security Center, or you can deploy a Group Policy setting for multiple devices.
### Import system-level mitigations
**Use the Windows Defender Security app to import system-level mitigations:**
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:
![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center](../windows-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png)
3. Under the **Controlled folder access** section, click **Protected folders**
4. Click **Add a protected folder** and follow the prompts to add apps.
![](images/cfa-prot-folders.png)
**Use Group Policy to import and deploy system-level mitigations:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Exploit Guard**.
6. Double-click the **Configure controlled folder access** setting and set the option to **Enabled**. In the options section you must specify one of the following:
- **Enable** - Malicious and suspicious apps will not be allowed to make changes to files in protected folders. A notification will be provided in the Windows event log
- **Disable (Default)** - The Controlled Folder Access feature will not work. All apps can make changes to files in protected folders.
- **Audit Mode** - If a malicious or suspicious app attempts to make a change to a file in a protected folder, the change will be allowed but will be recorded in the Windows event log. This allows you to assess the impact of this feature on your organization.
![](images/cfa-gp-enable.png)
>[!IMPORTANT]
>To fully enable the Controlled Folder Access feature, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu.
## App-specific mitigations
What is the scope for these? Any app? Only Windows/system services? Signed apps? Known bad apps?
1. Configure
2. Export
3. Import
### Configure app-specific mitigations
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:
![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center](../windows-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png)
3. Under the **Controlled folder access** section, click **Protected folders**
4. Click **Add a protected folder** and follow the prompts to add apps.
![](images/cfa-prot-folders.png)
You can now export these settings as an XML file. This allows you to copy the configuration from one machine onto other machines.
### Export app-specific mitigations
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:
![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center](../windows-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png)
3. Under the **Controlled folder access** section, click **Protected folders**
4. Click **Add a protected folder** and follow the prompts to add apps.
![](images/cfa-prot-folders.png)
You can import the XML file to other machines in your organization. You can do this individually for each machine by using the Windows Defender Security Center, or you can deploy a Group Policy setting for multiple devices.
### Import app-specific mitigations
**Use the Windows Defender Security app to import app-specific mitigations:**
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:
![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center](../windows-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png)
3. Under the **Controlled folder access** section, click **Protected folders**
4. Click **Add a protected folder** and follow the prompts to add apps.
![](images/cfa-prot-folders.png)
**Use Group Policy to import and deploy app-specific mitigations:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Exploit Guard**.
6. Double-click the **Configure controlled folder access** setting and set the option to **Enabled**. In the options section you must specify one of the following:
- **Enable** - Malicious and suspicious apps will not be allowed to make changes to files in protected folders. A notification will be provided in the Windows event log
- **Disable (Default)** - The controlled folder access feature will not work. All apps can make changes to files in protected folders.
- **Audit Mode** - If a malicious or suspicious app attempts to make a change to a file in a protected folder, the change will be allowed but will be recorded in the Windows event log. This allows you to assess the impact of this feature on your organization.
![](images/cfa-gp-enable.png)
>[!IMPORTANT]
>To fully enable the Controlled Folder Access feature, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu.
## Review event logs for Exploit Protection
How do you see these event logs? Are they under specific codes/areas?
Also - is there any SCCM, Intune, or MDM functionality here? Can't see anything in the SCCM console.
## Review Exploit Protection events in Windows Event Viewer
You can review the Windows event log to see events there are created when Exploit Protection blocks (or audits) an app:
1. Download the [Exploit Guard Evaluation Package](#) and extract the file *ep-events.xml* to an easily accessible location on the machine.
2. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
3. On the left panel, under **Actions**, click **Import custom view...**
4. Navigate to where you extracted *ep-events.xml* and select it. Alternatively, [download the XML directly](scripts/ep-events.xml).
4. Click **OK**.
5. This will create a custom view that filters to only show the following events related to Controlled Folder Access:
Provider/source | Event ID | Description
-|:-:|-
Security-Mitigations | 1 | ACG audit
Security-Mitigations | 2 | ACG enforce
Security-Mitigations | 3 | Do not allow child processes audit
Security-Mitigations | 4 | Do not allow child processes block
Security-Mitigations | 5 | Block low integrity images audit
Security-Mitigations | 6 | Block low integrity images block
Security-Mitigations | 7 | Block remote images audit
Security-Mitigations | 8 | Block remote images block
Security-Mitigations | 9 | Disable win32k system calls audit
Security-Mitigations | 10 | Disable win32k system calls block
Security-Mitigations | 11 | Code integrity guard audit
Security-Mitigations | 12 | Code integrity guard block
Security-Mitigations | 13 | EAF audit
Security-Mitigations | 14 | EAF enforce
Security-Mitigations | 15 | EAF+ audit
Security-Mitigations | 16 | EAF+ enforce
Security-Mitigations | 17 | IAF audit
Security-Mitigations | 18 | IAF enforce
Security-Mitigations | 19 | ROP StackPivot audit
Security-Mitigations | 20 | ROP StackPivot enforce
Security-Mitigations | 21 | ROP CallerCheck audit
Security-Mitigations | 22 | ROP CallerCheck enforce
Security-Mitigations | 23 | ROP SimExec audit
Security-Mitigations | 24 | ROP SimExec enforce
WER-Diagnostics | 5 | CFG Block
Provider: Win32K | 260 | Untrusted Font
## In this section
Topic | Description
---|---
[Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) | Many of the features in the EMET are now included in Exploit Protection. This topic identifies those features and explains how the features have changed or evolved.
[Evaluate Exploit Protection](evaluate-exploit-protection.md) | Undertake a demo scenario to see how Exploit Protection mitigations can protect your network from malicious and suspicious behavior.
[Enable Exploit Protection](enable-exploit-protection.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage Exploit Protection in your network. See how to configure mitigations for the operating system and for individual apps, and how to export, import, and deploy the settings across your organization. You can also convert an existing EMET configuration profile and import it into Exploit Protection.

46
windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md Normal file
View File

@ -0,0 +1,46 @@
---
title: Turn on the protected folders feature in Windows 10
keywords: controlled folder access, windows 10, windows defender, ransomware, protect, files, folders, enable, turn on, use
description: Learn how to protect your important files by enabling Controlled Folder Access
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
---
# Import, export, and deploy Exploit Protection configurations
**Applies to:**
- Windows 10 Insider Preview
**Audience**
- Enterprise security administrators
**Manageability available with**
- Windows Defender Security Center app
- Group Policy
- PowerShell
- Configuration service providers for mobile device management
## Related topics
- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md)
- [Customize Controlled Folder Access](customize-controlled-folders-exploit-guard.md)
- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)

9
windows/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md
View File

@ -33,11 +33,18 @@ ms.author: iawilt
- Configuration service providers for mobile device management
Network Protection is a feature that is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). It helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
Network Protection helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
Network Protection works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection) - which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection).
You can enable Network Protection in either block or auditing mode (non-blocking, Windows Defender Advanced Threat Protection events only) with Group Policy, PowerShell, or MDM settings with CSP.
You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Network Protection would impact your organization if it were enabled.
## Requirements

21
windows/threat-protection/windows-defender-exploit-guard/scripts/ep-events.xml Normal file
View File

@ -0,0 +1,21 @@
<ViewerConfig>
<QueryConfig>
<QueryParams>
<Simple>
<Channel>Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender/WHC</Channel>
<EventId>1125,1126,5007</EventId>
<RelativeTimeInfo>0</RelativeTimeInfo>
<BySource>False</BySource>
</Simple>
</QueryParams>
<QueryNode>
<Name>Network Protection view</Name>
<QueryList>
<Query Id="0" Path="Microsoft-Windows-Windows Defender/Operational">
<Select Path="Microsoft-Windows-Windows Defender/Operational">*[System[(EventID=1125 or EventID=1126 or EventID=5007)]]</Select>
<Select Path="Microsoft-Windows-Windows Defender/WHC">*[System[(EventID=1125 or EventID=1126 or EventID=5007)]]</Select>
</Query>
</QueryList>
</QueryNode>
</QueryConfig>
</ViewerConfig>

17
windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md
View File

@ -35,21 +35,24 @@ You can use Windows Defender EG to:
- Extend the malware and social engineering protection offered by Windows Defender SmartScreen in Edge to cover network traffic and connectivity outside of the browser with [Network Protection](network-protection-exploit-guard.md)
- Protect files in key system folders from changes made by malicious and suspicious apps with [Controlled Folder Access](controlled-folders-exploit-guard.md)
Evaluate Windows Defender EG with our evaluation and set-up guide, which provides a pre-built PowerShell script and testing tool so you can see the new features in action:
Evaluate each feature of Windows Defender EG with the guides at the following link, which provide pre-built PowerShell scripts and testing tools so you can see the features in action:
- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)
You can also [enable audit mode](audit-windows-defender-exploit-guard.md) for Windows Defender EG, which provides with reporting and event logs that indicate how the feature would have responded if it had been fully enabled. This can be useful when evaluating the impact of Windows Defender EG and to help determine the impact of the features on your network's security.
You can also [enable audit mode](audit-windows-defender-exploit-guard.md) for Windows Defender EG, which provides you with basic event logs that indicate how the feature would have responded if it had been fully enabled. This can be useful when evaluating the impact of Windows Defender EG and to help determine the impact of the features on your network's security.
Windows Defender EG can be managed and reported on in the Windows Defender Security Center as part of the Windows Defender Advanced Threat Protection suite of threat mitigation, preventing, protection, and analysis technologies, which also includes:
- [The Windows Defender ATP console](../windows-defender-atp/windows-defender-advanced-threat-protection.md)
- [Windows Defender Antivirus in Windows 10](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)
- [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md)
- [Windows Defender Device Guard]
- Windows Defender Device Guard
- [Windows Defender Application Guard](../windows-defender-application-guard/wd-app-guard-overview.md)
You can use the Windows Defender ATP console to obtain detailed reporting into events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection).
Each of the features in Windows Defender EG have slightly different requirements:
Feature | Windows Defender Antivirus | Windows Defender Advanced Threat Protection license
Feature | [Windows Defender Antivirus](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10) | [Windows Defender Advanced Threat Protection license](../windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection)
-|-|-|-
Exploit Protection | No requirement | Required for reporting in the Windows Defender ATP console
Attack Surface Reduction | Must be enabled | Required
@ -65,8 +68,8 @@ Controlled Folder Access | Must be enabled | Required for reporting in the Windo
Topic | Description
---|---
[Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard) | Exploit Protection provides you with many of the features in now-retired Enhanced Mitigations Experience Toolkit - and adds additional configuration and technologies. These features can help prevent threats from using vulnerabilities to gain access to your network and devices. You can create a template of settings that can be exported and copied to multiple machines in your network at once.
[Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md) | Use pre-built rules to manage mitigations for key attack and infection vectors, such as macro, script, PowerShell, USB, and Flash security policies and configuration.
[Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md) | Minimize the exposure of your devices from network and web-based infection vectors, and set up reporting for suspicious activity.
[Protect important folders with Controlled Folder Access](controlled-folders-exploit-guard.md) | Prevent unknown or unauthorized apps (such as ransomware malware) from writing to sensitive folders, such as folders containing sensitive or business-critical data.
[Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md) | Use pre-built rules to manage mitigations for key attack and infection vectors, such as Office-based malicious macro code and PowerShell, VBScript, and JavaScript scripts.
[Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md) | Minimize the exposure of your devices from network and web-based infection vectors.
[Protect important folders with Controlled Folder Access](controlled-folders-exploit-guard.md) | Prevent unknown or unauthorized apps (including ransomware encryption malware) from writing to sensitive folders, such as folders containing sensitive or business-critical data.