exp prot customize and update gpo for wdav 3ps

Iaan D'Souza-Wiltshire 2017-08-24 14:48:30 -07:00
parent 3a0d207923
commit 6c79bd0826
8 changed files with 121 additions and 75 deletions


@ -82,7 +82,7 @@ Reporting | Configure time out for detections in non-critical failed state | Not
Reporting | Configure time out for detections in recently remediated state | Not used Reporting | Configure time out for detections in recently remediated state | Not used
Reporting | Configure time out for detections requiring additional action | Not used Reporting | Configure time out for detections requiring additional action | Not used
Reporting | Turn off enhanced notifications | [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md) Reporting | Turn off enhanced notifications | [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
Root | Turn off Windows Defender Antivirus | Not used Root | Turn off Windows Defender Antivirus | Not used (This setting must be set to **Not configured** to ensure any installed third-party antivirus apps work correctly)
Root | Define addresses to bypass proxy server | Not used Root | Define addresses to bypass proxy server | Not used
Root | Define proxy auto-config (.pac) for connecting to the network | Not used Root | Define proxy auto-config (.pac) for connecting to the network | Not used
Root | Define proxy server for connecting to the network | Not used Root | Define proxy server for connecting to the network | Not used
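Review bot: the parenthetical added to the "Turn off Windows Defender Antivirus" row sits in a column whose value is still "Not used", so the reader is handed a required value with no reason; reword so the requirement and the failure mode are explicit, e.g. "Not used. Leave at **Not configured**; say which of Enabled or Disabled breaks third-party antivirus coexistence rather than only naming the safe value." As written, a reader skimming the "Not used" column will miss the one row that actually carries a hard requirement.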


@ -36,43 +36,68 @@ Exploit Protection automatically applies a number of exploit mitigation techniqu
It is part of Windows Defender Exploit Guard, which is itself a component in the new Windows Defender Advanced Threat Protection offering of security and threat prevention products. It is part of Windows Defender Exploit Guard, which is itself a component in the new Windows Defender Advanced Threat Protection offering of security and threat prevention products.
You configure these settings using the Windows Defender Security Center on an individual machine, and then export the configuration as an XML file that you can deploy to other machines. You can use Group Policy to distribute the XML file to multiple devices at once. You configure these settings using the Windows Defender Security Center on an individual machine, and then export the configuration as an XML file that you can deploy to other machines. You can use Group Policy to distribute the XML file to multiple devices at once. You can also configure the mitigations with PowerShell.
This topic lists each of the mitigations available in Exploit Protection, indicates whether the mitigation can be applied system-wide or to individual apps, and provides a brief description of how the mitigation works. This topic lists each of the mitigations available in Exploit Protection, indicates whether the mitigation can be applied system-wide or to individual apps, and provides a brief description of how the mitigation works.
It also describes how to enable or configure the mitigations using Windows Defender Security Center, PowerShell, and MDM CSPs. This is the first step in creating a configuration that you can deploy across your network. The next step involves [generating or exporting, importing, and deploying the configuration to multiple devices](import-export-exploit-protection-emet-xml). It also describes how to enable or configure the mitigations using Windows Defender Security Center, PowerShell, and MDM CSPs. This is the first step in creating a configuration that you can deploy across your network. The next step involves [generating or exporting, importing, and deploying the configuration to multiple devices](import-export-exploit-protection-emet-xml).
## System-level mitigations ## Exploit Protection mitigations
> What is the scope for these? Any app? Only Windows/system services? Signed apps? Known bad apps? All mitigations can be configured for individual apps. Some mitigations can also be applied at the operating system level.
System-level mitigations are applied to ... They can also be enabled or configured for individual apps. You can set each of the mitigations to on, off, or to their default value as indicated in the following table. Some mitigations have additional options, these are indicated in the description in the table.
You can set each of the following system-level mitigations to on, off, or their default value as indicated in the following table. For the associated PowerShell cmdlets for each mitigation, see the [PowerShell reference table](#cmdlets-table) at the bottom of this topic.
See the [PowerShell reference table](#powershell-reference) at the bottom of this topic for information on configuring Exploit Protection mitigations with PowerShell cmdlets. The following section describes how to configure mitigations using the Windows Defender Security Center app. Mitigation | Description | Can be applied to, and default value for system mitigations | Audit mode available
- | - | - | -
Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level (system default: **On** | No
Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level (system default: **On** | No
Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level (system default: **Off** | No
Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations including those for system structures heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level (system default: **On** | No
Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. | System and app-level (system default: **On** | No
Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level (system default: **Off** | No
Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | App-level only | Yes
Block low integrity images | Prevents the loading of images marked with Low Integrity. | App-level only | Yes
Block remote images | Prevents loading of images from remote devices. | App-level only | Yes
Block untrusted fonts | Prevents loading any GDI-based fonts not installed in the system fonts directory, notably fonts from the web. | App-level only | Yes
Code integrity guard | Restricts loading of images signed by Microsoft, WQL, and higher. Can optionally allow Windows Store signed images. | App-level only | Yes
Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. | App-level only | No
Disable Win32k system calls | Prevents an app from using the Win32k system call table. | App-level only | Yes
Do not allow child processes | Prevents an app from creating child processes. | App-level only | Yes
Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | Yes
Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | Yes
Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. | App-level only | Yes
Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. | App-level only | Yes
Validate handle usage | Causes an exception to be raised on any invalid handle references. | App-level only | No
Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | Yes
Validate stack integrity (StackPivot) | Ensures that the stack has not been redirected for sensitive APIs. | App-level only | Yes
### Configure system-level mitigations
### Configure system-level mitigations with the Windows Defender Security Center app
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. 1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then the **Exploit protection** label: 2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then the **Exploit protection** label:
>Screenshot coming ![](images/wdsc-exp-prot.png)
3. Under the **System settings** section, find the mitigation you want to configure and select either: 3. Under the **System settings** section, find the mitigation you want to configure and select either:
- **On by default** - **On by default**
- **Off by default** - **Off by default**
-** Use default** -**Use default**
>[!NOTE] >[!NOTE]
>You may see a User Account Control window when changing some settings. Enter administrator credentials to apply the setting. >You may see a User Account Control window when changing some settings. Enter administrator credentials to apply the setting.
Changing some settings may required a restart, which will be indicated in red text underneath the setting.
![](images/wdsc-exp-prot-sys-settings.png)
4. Repeat this for all the system-level mitigations you want to configure. 4. Repeat this for all the system-level mitigations you want to configure.
You can now [export these settings as an XML file](import-export-exploit-protection-emet-xml) or continue on to configure app-specific mitigations. You can now [export these settings as an XML file](import-export-exploit-protection-emet-xml) or continue on to configure app-specific mitigations.
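Review bot: the Code integrity guard row says images signed by "Microsoft, WQL, and higher"; the signer class is WHQL (Windows Hardware Quality Labs), so this reads as a typo. In the same table every system-default cell opens a parenthesis that is never closed ("(system default: **On** | No"), and the EAF and IAF rows carry the identical description, so the IAF row should describe checks on import-table resolution rather than repeat the export-table text. Below the table, "Changing some settings may required a restart" should be "may require a restart", and the list marker "-**Use default**" needs a space after the hyphen or it will not render as a bullet like the two items above it.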
@ -80,20 +105,13 @@ You can now [export these settings as an XML file](import-export-exploit-protect
Exporting the configuration as an XML file allows you to copy the configuration from one machine onto other machines. Exporting the configuration as an XML file allows you to copy the configuration from one machine onto other machines.
## App-specific mitigations ### Configure app-specific mitigations with the Windows Defender Security Center app
> What is the scope for these? Any app? Only Windows/system services? Signed apps? Known bad apps?
You can configure any of the Exploit Protection mitigations for individual apps. The following table lists each mitigation, what it does, and any additional options.
### Configure app-specific mitigations
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. 1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then the **Exploit protection settings** at the bottom of the screen: 2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then the **Exploit protection settings** at the bottom of the screen:
>Screenshot coming ![](images/wdsc-exp-prot.png)
3. Go to the **Program settings** section and choose the app you want to apply mitigations to: 3. Go to the **Program settings** section and choose the app you want to apply mitigations to:
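Review bot: step 2 here tells the reader to click "**Exploit protection settings** at the bottom of the screen", while the system-level procedure earlier in the same file says to click the "**Exploit protection** label"; both steps reference the same screenshot (images/wdsc-exp-prot.png), so pick one wording. Replacing the "## App-specific mitigations" H2 with an H3 also nests this procedure under the system-level section; if that is intentional, the "or continue on to configure app-specific mitigations" sentence above should point at the new H3 so readers can find it.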
@ -102,11 +120,16 @@ Exporting the configuration as an XML file allows you to copy the configuration
2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app: 2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app:
- Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
- Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
![](images/wdsc-exp-prot-app-settings.png)
4. After selecting the app, you'll see a list of all the mitigations that can be applied. To enable the mitigation, click the check box and then change the slider to **On**. Select any additional options. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows. 4. After selecting the app, you'll see a list of all the mitigations that can be applied. To enable the mitigation, click the check box and then change the slider to **On**. Select any additional options. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.
5. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration. 5. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration.
You can now [export these settings as an XML file](import-export-exploit-protection-emet-xml) or return to configure system-level mitigations. ![](images/wdsc-exp-prot-app-settings-options.png)
You can now [export these settings as an XML file](import-export-exploit-protection-emet-xml) or return to configure system-level mitigations.
Exporting the configuration as an XML file allows you to copy the configuration from one machine onto other machines. Exporting the configuration as an XML file allows you to copy the configuration from one machine onto other machines.
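Review bot: the "Add by program name" bullet states neutrally that a name-only entry applies to any running process with that name, and that deserves a caution: any binary with the same filename, in any location, inherits the same settings, so if the entry is used to switch a mitigation off or to audit-only, that exemption travels with the name. Suggest adding a sentence recommending the full path (or the "Choose exact file path" option) whenever an entry relaxes a mitigation, and keeping name-only entries for the case where the goal is to apply stricter settings broadly.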
@ -120,39 +143,54 @@ Exporting the configuration as an XML file allows you to copy the configuration
>Any changes that are deployed to a machine through Group Policy will override the local configuration. When setting up an initial configuration, use a machine that will not have a Group Policy configuration applied to ensure your changes aren't overriden. >Any changes that are deployed to a machine through Group Policy will override the local configuration. When setting up an initial configuration, use a machine that will not have a Group Policy configuration applied to ensure your changes aren't overriden.
You can use the PowerShell verb `Get` or `Set` with the cmdlet `ProcessMitigation`. Using `Get` will list the current configuration status of any mitigations that have been enabled on the device. You can use the PowerShell verb `Get` or `Set` with the cmdlet `ProcessMitigation`. Using `Get` will list the current configuration status of any mitigations that have been enabled on the device - add the `-Name` cmdlet and app exe to see mitigations for just that app:
Use `Set` to make configure each mitigation in the following format: ```
Get-ProcessMitigation -Name processName.exe
```
Use `Set` to configure each mitigation in the following format:
```PowerShell ```PowerShell
Set-ProcessMitigation -<scope> <app executable> -<action> <mitigation and options>,<mitigation and options>,<mitigation and options> Set-ProcessMitigation -<scope> <app executable> -<action> <mitigation or options>,<mitigation or options>,<mitigation or options>
``` ```
Where: Where:
-<Scope>:
-`-Name` to indicate the mitigations should be applied to a specific app. Specify the app's executable after this flag. - \<Scope>:
-`-System` to indicate the mitigation should be applied at the system level - `-Name` to indicate the mitigations should be applied to a specific app. Specify the app's executable after this flag.
-<Action>: - `-System` to indicate the mitigation should be applied at the system level
-`-Enable` to enable the mitigation - \<Action>:
-`-Disable` to disable the mitigation - `-Enable` to enable the mitigation
-<Mitigation>: - `-Disable` to disable the mitigation
-The mitigation's cmdlet as defined in the [mitigation cmdlets table](#cmdlets-table) below, along with any suboptions (surrounded with spaces). Each mitigation is seperated with a comma. - \<Mitigation>:
- The mitigation's cmdlet as defined in the [mitigation cmdlets table](#cmdlets-table) below, along with any suboptions (surrounded with spaces). Each mitigation is seperated with a comma.
For example, to enable the Data Execution Prevention (DEP) mitigation with ATL thunk emulation and for an executable called *testing.exe* in the folder *C:\Apps\LOB\tests*, and to prevent that executable from creating child processes, you'd use the following command: For example, to enable the Data Execution Prevention (DEP) mitigation with ATL thunk emulation and for an executable called *testing.exe* in the folder *C:\Apps\LOB\tests*, and to prevent that executable from creating child processes, you'd use the following command:
```PowerShell ```PowerShell
Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable DEP EmulateAtlThunks, DisallowChildProcessCreation Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable DEP, EmulateAtlThunks, DisallowChildProcessCreation
``` ```
>[!IMPORTANT]
>Seperate each mitigation option with commas.
If you wanted to apply DEP at the system level, you'd use the following command: If you wanted to apply DEP at the system level, you'd use the following command:
```PowerShell ```PowerShell
Set-Processmitigation -System -Enable DEP Set-Processmitigation -System -Enable DEP
``` ```
To disable DEP, you'd use the same command but replace `-Enable` with `-Disable`. To disable mitigations, you can replace `-Enable` with `-Disable`. However, for app-level mitigations, this will force the mitigation to be disabled only for that app.
If you need to restore the mitigation back to the system default, you need to include the `-Remove` cmdlet as well, as in the following example:
```PowerShell
Set-Processmitigation -Name test.exe -Remove -Disable DEP
```
You can also set some mitigations to audit mode. Instead of using the PowerShell cmdlet for the mitigation, use the **Audit mode** cmdlet as specified in the [mitigation cmdlets table](#cmdlets-table) below. You can also set some mitigations to audit mode. Instead of using the PowerShell cmdlet for the mitigation, use the **Audit mode** cmdlet as specified in the [mitigation cmdlets table](#cmdlets-table) below.
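Review bot: `-Name`, `-System`, `-Enable`, `-Disable` and `-Remove` are parameters of Set-ProcessMitigation and Get-ProcessMitigation, not cmdlets; the text says "add the `-Name` cmdlet" and "include the `-Remove` cmdlet" and should say parameter in both places. The new Get-ProcessMitigation fence is untagged while the others in this section use ```PowerShell, and the -Remove example switches to test.exe after the rest of the section has used testing.exe under C:\Apps\LOB\tests. The sentence "this will force the mitigation to be disabled only for that app" would be clearer if it said that -Disable writes an explicit per-app off override that stays in place even if the system-level setting is later turned on, which is exactly why -Remove exists.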
@ -164,51 +202,44 @@ Where:
You can disable audit mode by using the same command but replacing `-Enable` with `-Disable`. You can disable audit mode by using the same command but replacing `-Enable` with `-Disable`.
### PowerShell reference table
This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that can be used to configure each mitigation.
<a id="cmdlets-table"></a> <a id="cmdlets-table"></a>
The following table lists each mitigation, its associated PowerShell cmdlet, and indicates whether it can be applied system-wide or to individual apps. It also lists any optional cmdlets and the appropriate audit mode cmdlet. Mitigation | Applies to | PowerShell cmdlets | Audit mode cmdlet
- | - | - | -
Control flow guard (CFG) | System and app-level | CFG, StrictCFG, SuppressExports | Audit not available
Data Execution Prevention (DEP) | System and app-level | DEP, EmulateAtlThunks | Audit not available
Force randomization for images (Mandatory ASLR) | System and app-level | ForceRelocate | Audit not available
Randomize memory allocations (Bottom-Up ASLR) | System and app-level | BottomUp, HighEntropy | Audit not available
Validate exception chains (SEHOP) | System and app-level | SEHOP, SEHOPTelemetry | Audit not available
Validate heap integrity | System and app-level | TerminateOnHeapError | Audit not available
Arbitrary code guard (ACG) | App-level only | DynamicCode | AuditDynamicCode
Block low integrity images | App-level only | BlockLowLabel | AuditImageLoad
Block remote images | App-level only | BlockRemoteImages | Audit not available
Block untrusted fonts | App-level only | DisableNonSystemFonts | AuditFont, FontAuditOnly
Code integrity guard | App-level only | BlockNonMicrosoftSigned, AllowStoreSigned | AuditMicrosoftSigned, AuditStoreSigned
Disable extension points | App-level only | ExtensionPoint | Audit not available
Disable Win32k system calls | App-level only | DisableWin32kSystemCalls | AuditSystemCall
Do not allow child processes | App-level only | DisallowChildProcessCreation | AuditChildProcess
Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter <a href="r1" id="t1">\[1\]</a> | Audit not available
Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available
Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available
Validate API invocation (CallerCheck) | App-level only | EnableRopCallerCheck | Audit not available
Validate handle usage | App-level only | StrictHandle | Audit not available
Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available
Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available
#### PowerShell
You can also use powershell to set these mitigation policies and to convert EMET policies to Windows Defender EG, as demonstrated in the following examples: <a href="t1" id="r1">\[1\]</a>: Use the following format to enable EAF modules for dlls for a process:
Get the current settings in the registry for processName.exe ```
``` Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll
Get-ProcessMitigation -Name processName.exe ```
```
Exports the current settings to the filename.xml
```
Get-ProcessMitigation -RegistryConfigFilePath filename.xml
```
Imports the settings in filename.xml to the system.
```
Set-ProcessMitigation -PolicyFilePath filename.xml
```
Enables a list of mitigations
```
Set-ProcessMitigation -Name processName.exe -Enable SEHOP,DEP
```
Disables a list of mitigations
```
Set-ProcessMitigation -Name processName.exe -Disable SEHOP,DEP
```
Sets the EAFModules for dllName1.dll & dllName2.dll for processName.exe
```
Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll
```
Converts an emet file named, emetFile.xml, to the new windows 10 format called, filename.xml
```
ConvertTo-ProcessMitigationPolicy -EMETFilePath emetFile.xml -OutputFilePath filename.xml
```
## Related topics ## Related topics
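Review bot: the two footnote anchors are wired as relative links: `<a href="r1" id="t1">` and `<a href="t1" id="r1">` will navigate to pages named r1 and t1 instead of jumping within the page; they need `href="#r1"` and `href="#t1"`. The option for "Validate image dependency integrity" is spelled "EnforceModuleDepencySigning"; the parameter value Set-ProcessMitigation accepts is EnforceModuleDependencySigning, so copying from the table as written will fail. The footnote's code fence is also untagged, unlike the ```PowerShell fences earlier in the file.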


@ -14,7 +14,7 @@ ms.author: iawilt
# Protect devices from exploits with Windows Defender Exploit Guard # Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender Exploit Guard
**Applies to:** **Applies to:**
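Review bot: the H1 is renamed to "Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender Exploit Guard", but nothing in this hunk touches the front matter (title, description) or the links from other topics that still use the "Protect devices from exploits" wording; check those so the TOC entry and browser title match the new heading.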



@ -34,6 +34,21 @@ ms.author: iawilt
- PowerShell - PowerShell
- Configuration service providers for mobile device management - Configuration service providers for mobile device management
Converts an emet file named, emetFile.xml, to the new windows 10 format called, filename.xml
```
ConvertTo-ProcessMitigationPolicy -EMETFilePath emetFile.xml -OutputFilePath filename.xml
```
Exports the current settings to the filename.xml
```
Get-ProcessMitigation -RegistryConfigFilePath filename.xml
```
Imports the settings in filename.xml to the system.
```
Set-ProcessMitigation -PolicyFilePath filename.xml
```
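Review bot: the three examples are dropped directly after the "Configuration service providers for mobile device management" bullet with no heading or lead-in, so they read as a continuation of that list; give them a short heading or intro sentence and tag the fences as PowerShell as the customization topic does. "Exports the current settings to the filename.xml" should read "Exports the current settings to filename.xml". A practitioner caveat is also missing next to the import example: `Set-ProcessMitigation -PolicyFilePath` applies the file to the machine immediately, so a converted EMET policy should be reviewed (and, where a mitigation supports it, run in audit mode first) before it is imported.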