deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-19 12:23:37 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

fixing image links

Browse Source
This commit is contained in:
martyav
2019-08-19 12:22:34 -04:00
parent 9273d7b1e5
commit 6d3d52491e
11 changed files with 181 additions and 186 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders.md
View File

@ -78,7 +78,7 @@ You can use the Windows Security app or Group Policy to add and remove additiona
Continue to use `Add-MpPreference -ControlledFolderAccessProtectedFolders` to add more folders to the list. Folders added using this cmdlet will appear in the Windows Security app.
![Screenshot of a PowerShell window with the cmdlet above entered](images/cfa-allow-folder-ps.png)
![Screenshot of a PowerShell window with the cmdlet above entered](../images/cfa-allow-folder-ps.png)
> [!IMPORTANT]
> Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list.
@ -109,7 +109,7 @@ An allowed application or service only has write access to a controlled folder a
4. Click **Add an allowed app** and follow the prompts to add apps.
![Screenshot of how to add an allowed app button](images/cfa-allow-app.png)
![Screenshot of how to add an allowed app button](../images/cfa-allow-app.png)
### Use Group Policy to allow specific apps
@ -138,7 +138,7 @@ An allowed application or service only has write access to a controlled folder a
Continue to use `Add-MpPreference -ControlledFolderAccessAllowedApplications` to add more apps to the list. Apps added using this cmdlet will appear in the Windows Security app.
![Screenshot of a PowerShell window with the above cmdlet entered](images/cfa-allow-app-ps.png)
![Screenshot of a PowerShell window with the above cmdlet entered](../images/cfa-allow-app-ps.png)
> [!IMPORTANT]
> Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list.

50
windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
View File

@ -48,27 +48,27 @@ For the associated PowerShell cmdlets for each mitigation, see the [PowerShell r
Mitigation | Description | Can be applied to | Audit mode available
-|-|-|-
Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)]
Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)]
Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)]
Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations including those for system structures heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)]
Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)]
Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)]
Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
Block low integrity images | Prevents the loading of images marked with Low Integrity. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
Block remote images | Prevents loading of images from remote devices. | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
Block untrusted fonts | Prevents loading any GDI-based fonts not installed in the system fonts directory, notably fonts from the web. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
Code integrity guard | Restricts loading of images signed by Microsoft, WHQL, or higher. Can optionally allow Microsoft Store signed images. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
Disable Win32k system calls | Prevents an app from using the Win32k system call table. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
Do not allow child processes | Prevents an app from creating child processes. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
Validate handle usage | Causes an exception to be raised on any invalid handle references. | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
Validate stack integrity (StackPivot) | Ensures that the stack has not been redirected for sensitive APIs. Not compatible with ACG | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)]
Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)]
Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)]
Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations including those for system structures heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)]
Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)]
Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)]
Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)]
Block low integrity images | Prevents the loading of images marked with Low Integrity. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)]
Block remote images | Prevents loading of images from remote devices. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
Block untrusted fonts | Prevents loading any GDI-based fonts not installed in the system fonts directory, notably fonts from the web. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)]
Code integrity guard | Restricts loading of images signed by Microsoft, WHQL, or higher. Can optionally allow Microsoft Store signed images. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)]
Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
Disable Win32k system calls | Prevents an app from using the Win32k system call table. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)]
Do not allow child processes | Prevents an app from creating child processes. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)]
Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
Validate handle usage | Causes an exception to be raised on any invalid handle references. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
Validate stack integrity (StackPivot) | Ensures that the stack has not been redirected for sensitive APIs. Not compatible with ACG | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
> [!IMPORTANT]
> If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work:
@ -76,10 +76,10 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi
>
> Enabled in **Program settings** | Enabled in **System settings** | Behavior
> -|-|-
> [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | As defined in **Program settings**
> [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | As defined in **Program settings**
> [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | As defined in **System settings**
> [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | Default as defined in **Use default** option
> [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] | As defined in **Program settings**
> [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **Program settings**
> [!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **System settings**
> [!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | Default as defined in **Use default** option
>
>
>

46
windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection.md
View File

@ -49,29 +49,29 @@ The table in this section indicates the availability and support of native mitig
Mitigation | Available in Windows Defender | Available in EMET
-|-|-
Arbitrary code guard (ACG) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]<br />As "Memory Protection Check"
Block remote images | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]<br/>As "Load Library Check"
Block untrusted fonts | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
Data Execution Prevention (DEP) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
Export address filtering (EAF) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
Force randomization for images (Mandatory ASLR) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
NullPage Security Mitigation | [!include[Check mark yes](images/svg/check-yes.svg)]<br />Included natively in Windows 10<br/>See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](images/svg/check-yes.svg)]
Randomize memory allocations (Bottom-Up ASLR) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
Simulate execution (SimExec) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
Validate API invocation (CallerCheck) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
Validate exception chains (SEHOP) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
Validate stack integrity (StackPivot) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
Certificate trust (configurable certificate pinning) | Windows 10 provides enterprise certificate pinning | [!include[Check mark yes](images/svg/check-yes.svg)]
Heap spray allocation | Ineffective against newer browser-based exploits; newer mitigations provide better protection<br/>See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](images/svg/check-yes.svg)]
Block low integrity images | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
Code integrity guard | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
Disable extension points | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
Disable Win32k system calls | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
Do not allow child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
Import address filtering (IAF) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
Validate handle usage | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
Validate heap integrity | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
Validate image dependency integrity | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
Arbitrary code guard (ACG) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]<br />As "Memory Protection Check"
Block remote images | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]<br/>As "Load Library Check"
Block untrusted fonts | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
Data Execution Prevention (DEP) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
Export address filtering (EAF) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
Force randomization for images (Mandatory ASLR) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
NullPage Security Mitigation | [!include[Check mark yes](../images/svg/check-yes.svg)]<br />Included natively in Windows 10<br/>See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](../images/svg/check-yes.svg)]
Randomize memory allocations (Bottom-Up ASLR) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
Simulate execution (SimExec) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
Validate API invocation (CallerCheck) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
Validate exception chains (SEHOP) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
Validate stack integrity (StackPivot) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
Certificate trust (configurable certificate pinning) | Windows 10 provides enterprise certificate pinning | [!include[Check mark yes](../images/svg/check-yes.svg)]
Heap spray allocation | Ineffective against newer browser-based exploits; newer mitigations provide better protection<br/>See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](../images/svg/check-yes.svg)]
Block low integrity images | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
Code integrity guard | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
Disable extension points | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
Disable Win32k system calls | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
Do not allow child processes | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
Import address filtering (IAF) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
Validate handle usage | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
Validate heap integrity | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
Validate image dependency integrity | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
> [!NOTE]
> The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default in Windows Defender as part of enabling the anti-ROP mitigations for a process.

2
windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
View File

@ -127,7 +127,7 @@ Value: c:\path|e:\path|c:\Whitelisted.exe
* Block (enable ASR rule) = 1
* Audit = 2
![Group policy setting showing a blank attack surface reduction rule ID and value of 1](images/asr-rules-gp.png)
![Group policy setting showing a blank attack surface reduction rule ID and value of 1](../images/asr-rules-gp.png)
5. To exclude files and folders from ASR rules, select the **Exclude files and paths from Attack surface reduction rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item.

6
windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders.md
View File

@ -60,11 +60,11 @@ For more information about disabling local list merging, see [Prevent or allow u
1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune.
1. Click **Device configuration** > **Profiles** > **Create profile**.
1. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
![Create endpoint protection profile](images/create-endpoint-protection-profile.png)
![Create endpoint protection profile](../images/create-endpoint-protection-profile.png)
1. Click **Configure** > **Windows Defender Exploit Guard** > **Network filtering** > **Enable**.
1. Type the path to each application that has access to protected folders and the path to any additional folder that needs protection and click **Add**.
![Enable controlled folder access in Intune](images/enable-cfa-intune.png)
![Enable controlled folder access in Intune](../images/enable-cfa-intune.png)
> [!NOTE]
> Wilcard is supported for applications, but not for folders. Subfolders are not protected. Allowed apps will continue to trigger events until they are restarted.
@ -100,7 +100,7 @@ Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](htt
* **Disable (Default)** - The Controlled folder access feature will not work. All apps can make changes to files in protected folders.
* **Audit Mode** - If a malicious or suspicious app attempts to make a change to a file in a protected folder, the change will be allowed but will be recorded in the Windows event log. This allows you to assess the impact of this feature on your organization.
![Screenshot of group policy option with Enabled and then Enable selected in the drop-down](images/cfa-gp-enable.png)
![Screenshot of group policy option with Enabled and then Enable selected in the drop-down](../images/cfa-gp-enable.png)
> [!IMPORTANT]
> To fully enable controlled folder access, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu.

12
windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md
View File

@ -73,10 +73,10 @@ If you add an app to the **Program settings** section and configure individual m
Enabled in **Program settings** | Enabled in **System settings** | Behavior
-|-|-
[!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | As defined in **Program settings**
[!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | As defined in **Program settings**
[!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | As defined in **System settings**
[!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | Default as defined in **Use default** option
[!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] | As defined in **Program settings**
[!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **Program settings**
[!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **System settings**
[!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | Default as defined in **Use default** option
**Example 1**
@ -117,10 +117,10 @@ CFG will be enabled for *miles.exe*.
1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune.
1. Click **Device configuration** > **Profiles** > **Create profile**.
1. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
![Create endpoint protection profile](images/create-endpoint-protection-profile.png)
![Create endpoint protection profile](../images/create-endpoint-protection-profile.png)
1. Click **Configure** > **Windows Defender Exploit Guard** > **Exploit protection**.
1. Upload an [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) with the exploit protection settings:
![Enable network protection in Intune](images/enable-ep-intune.png)
![Enable network protection in Intune](../images/enable-ep-intune.png)
1. Click **OK** to save each open blade and click **Create**.
1. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**.

80
windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md
View File

@ -61,7 +61,7 @@ Enabling in Intune requires using the Code Integrity node in the [AppLocker CSP]
3. Double-click **Turn on Virtualization Based Security**.
4. Click **Enabled** and under **Virtualization Based Protection of Code Integrity**, select **Enabled with UEFI lock** to ensure HVCI cannot be disabled remotely or select **Enabled without UEFI lock**.
![Enable HVCI using Group Policy](images/enable-hvci-gp.png)
![Enable HVCI using Group Policy](../images/enable-hvci-gp.png)
5. Click **Ok** to close the editor.
@ -191,16 +191,16 @@ The output of this command provides details of the available hardware-based secu
This field helps to enumerate and report state on the relevant security properties for Windows Defender Device Guard.
| Value | Description |
|--------|-------------|
| **0.** | If present, no relevant properties exist on the device. |
| **1.** | If present, hypervisor support is available. |
| **2.** | If present, Secure Boot is available. |
| **3.** | If present, DMA protection is available. |
| **4.** | If present, Secure Memory Overwrite is available. |
| **5.** | If present, NX protections are available. |
| **6.** | If present, SMM mitigations are available. |
| **7.** | If present, Mode Based Execution Control is available. |
Value | Description
-|-
**0.** | If present, no relevant properties exist on the device.
**1.** | If present, hypervisor support is available.
**2.** | If present, Secure Boot is available.
**3.** | If present, DMA protection is available.
**4.** | If present, Secure Memory Overwrite is available.
**5.** | If present, NX protections are available.
**6.** | If present, SMM mitigations are available.
**7.** | If present, Mode Based Execution Control is available.
#### InstanceIdentifier
@ -211,38 +211,38 @@ A string that is unique to a particular device. Valid values are determined by W
This field describes the required security properties to enable virtualization-based security.
| Value | Description |
|--------|-------------|
| **0.** | Nothing is required. |
| **1.** | If present, hypervisor support is needed. |
| **2.** | If present, Secure Boot is needed. |
| **3.** | If present, DMA protection is needed. |
| **4.** | If present, Secure Memory Overwrite is needed. |
| **5.** | If present, NX protections are needed. |
| **6.** | If present, SMM mitigations are needed. |
| **7.** | If present, Mode Based Execution Control is needed. |
Value | Description
-|-
**0.** | Nothing is required.
**1.** | If present, hypervisor support is needed.
**2.** | If present, Secure Boot is needed.
**3.** | If present, DMA protection is needed.
**4.** | If present, Secure Memory Overwrite is needed.
**5.** | If present, NX protections are needed.
**6.** | If present, SMM mitigations are needed.
**7.** | If present, Mode Based Execution Control is needed.
#### SecurityServicesConfigured
This field indicates whether the Windows Defender Credential Guard or HVCI service has been configured.
| Value | Description |
|--------|-------------|
| **0.** | No services configured. |
| **1.** | If present, Windows Defender Credential Guard is configured. |
| **2.** | If present, HVCI is configured. |
| **3.** | If present, System Guard Secure Launch is configured. |
Value | Description
-|-
**0.** | No services configured.
**1.** | If present, Windows Defender Credential Guard is configured.
**2.** | If present, HVCI is configured.
**3.** | If present, System Guard Secure Launch is configured.
#### SecurityServicesRunning
This field indicates whether the Windows Defender Credential Guard or HVCI service is running.
| Value | Description |
|--------|-------------|
| **0.** | No services running. |
| **1.** | If present, Windows Defender Credential Guard is running. |
| **2.** | If present, HVCI is running. |
| **3.** | If present, System Guard Secure Launch is running. |
Value | Description
-|-
**0.** | No services running.
**1.** | If present, Windows Defender Credential Guard is running.
**2.** | If present, HVCI is running.
**3.** | If present, System Guard Secure Launch is running.
#### Version
@ -252,12 +252,11 @@ This field lists the version of this WMI class. The only valid value now is **1.
This field indicates whether VBS is enabled and running.
| Value | Description |
|--------|-------------|
| **0.** | VBS is not enabled. |
| **1.** | VBS is enabled but not running. |
| **2.** | VBS is enabled and running. |
Value | Description
-|-
**0.** | VBS is not enabled.
**1.** | VBS is enabled but not running.
**2.** | VBS is enabled and running.
#### PSComputerName
@ -265,8 +264,7 @@ This field lists the computer name. All valid values for computer name.
Another method to determine the available and enabled Windows Defender Device Guard features is to run msinfo32.exe from an elevated PowerShell session. When you run this program, the Windows Defender Device Guard properties are displayed at the bottom of the **System Summary** section.
![Windows Defender Device Guard properties in the System Summary](images/dg-fig11-dgproperties.png)
![Windows Defender Device Guard properties in the System Summary](../images/dg-fig11-dgproperties.png)
## Troubleshooting

2
windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md
View File

@ -51,7 +51,7 @@ You might want to do this to make sure it doesn't affect line-of-business apps o
The network connection will be allowed and a test message will be displayed.
![Example notification that says Connection blocked: Your IT administrator caused Windows Security to block this network connection. Contact your IT help desk.](images/np-notif.png)
![Example notification that says Connection blocked: Your IT administrator caused Windows Security to block this network connection. Contact your IT help desk.](../images/np-notif.png)
## Review network protection events in Windows Event Viewer

27
windows/security/threat-protection/windows-defender-exploit-guard/event-views.md
View File

@ -50,33 +50,31 @@ You can also manually navigate to the event area that corresponds to the feature
1. Type **event viewer** in the Start menu and open **Event Viewer**.
3. Click **Action** > **Import Custom View...**
1. Click **Action** > **Import Custom View...**
![Animation highlighting Import custom view on the left of the Even viewer window](images/events-import.gif)
![Animation highlighting Import custom view on the left of the Even viewer window](../images/events-import.gif)
4. Navigate to where you extracted XML file for the custom view you want and select it.
1. Navigate to where you extracted XML file for the custom view you want and select it.
4. Click **Open**.
5. This will create a custom view that filters to only show the events related to that feature.
1. Click **Open**.
1. This will create a custom view that filters to only show the events related to that feature.
### Copy the XML directly
1. Type **event viewer** in the Start menu and open the Windows **Event Viewer**.
3. On the left panel, under **Actions**, click **Create Custom View...**
1. On the left panel, under **Actions**, click **Create Custom View...**
![Animation highlighting the create custom view option on the Event viewer window](images/events-create.gif)
![Animation highlighting the create custom view option on the Event viewer window](../images/events-create.gif)
4. Go to the XML tab and click **Edit query manually**. You'll see a warning that you won't be able to edit the query using the **Filter** tab if you use the XML option. Click **Yes**.
1. Go to the XML tab and click **Edit query manually**. You'll see a warning that you won't be able to edit the query using the **Filter** tab if you use the XML option. Click **Yes**.
5. Paste the XML code for the feature you want to filter events from into the XML section.
1. Paste the XML code for the feature you want to filter events from into the XML section.
4. Click **OK**. Specify a name for your filter.
1. Click **OK**. Specify a name for your filter.
5. This will create a custom view that filters to only show the events related to that feature.
1. This will create a custom view that filters to only show the events related to that feature.
### XML for attack surface reduction rule events
@ -133,7 +131,6 @@ You can also manually navigate to the event area that corresponds to the feature
## List of attack surface reduction events
All attack surface reductiond events are located under **Applications and Services Logs > Microsoft > Windows** and then the folder or provider as listed in the following table.
You can access these events in Windows Event viewer:
@ -142,7 +139,7 @@ You can access these events in Windows Event viewer:
2. Expand **Applications and Services Logs > Microsoft > Windows** and then go to the folder listed under **Provider/source** in the table below.
3. Double-click on the sub item to see events. Scroll through the events to find the one you are looking.
![Animation showing using Event Viewer](images/event-viewer.gif)
![Animation showing using Event Viewer](../images/event-viewer.gif)
Feature | Provider/source | Event ID | Description
:-|:-|:-:|:-

46
windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection.md
View File

@ -98,29 +98,29 @@ The table in this section indicates the availability and support of native mitig
Mitigation | Available under Exploit protection | Available in EMET
-|-|-
Arbitrary code guard (ACG) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]<br />As "Memory Protection Check"
Block remote images | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]<br/>As "Load Library Check"
Block untrusted fonts | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
Data Execution Prevention (DEP) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
Export address filtering (EAF) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
Force randomization for images (Mandatory ASLR) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
NullPage Security Mitigation | [!include[Check mark yes](images/svg/check-yes.svg)]<br />Included natively in Windows 10<br/>See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](images/svg/check-yes.svg)]
Randomize memory allocations (Bottom-Up ASLR) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
Simulate execution (SimExec) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
Validate API invocation (CallerCheck) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
Validate exception chains (SEHOP) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
Validate stack integrity (StackPivot) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
Certificate trust (configurable certificate pinning) | Windows 10 provides enterprise certificate pinning | [!include[Check mark yes](images/svg/check-yes.svg)]
Heap spray allocation | Ineffective against newer browser-based exploits; newer mitigations provide better protection<br/>See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](images/svg/check-yes.svg)]
Block low integrity images | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
Code integrity guard | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
Disable extension points | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
Disable Win32k system calls | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
Do not allow child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
Import address filtering (IAF) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
Validate handle usage | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
Validate heap integrity | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
Validate image dependency integrity | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
Arbitrary code guard (ACG) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]<br />As "Memory Protection Check"
Block remote images | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]<br/>As "Load Library Check"
Block untrusted fonts | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
Data Execution Prevention (DEP) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
Export address filtering (EAF) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
Force randomization for images (Mandatory ASLR) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
NullPage Security Mitigation | [!include[Check mark yes](../images/svg/check-yes.svg)]<br />Included natively in Windows 10<br/>See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](../images/svg/check-yes.svg)]
Randomize memory allocations (Bottom-Up ASLR) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
Simulate execution (SimExec) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
Validate API invocation (CallerCheck) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
Validate exception chains (SEHOP) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
Validate stack integrity (StackPivot) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
Certificate trust (configurable certificate pinning) | Windows 10 provides enterprise certificate pinning | [!include[Check mark yes](../images/svg/check-yes.svg)]
Heap spray allocation | Ineffective against newer browser-based exploits; newer mitigations provide better protection<br/>See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](../images/svg/check-yes.svg)]
Block low integrity images | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
Code integrity guard | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
Disable extension points | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
Disable Win32k system calls | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
Do not allow child processes | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
Import address filtering (IAF) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
Validate handle usage | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
Validate heap integrity | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
Validate image dependency integrity | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
> [!NOTE]
> The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default, as part of enabling the anti-ROP mitigations for a process.

6
windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md
View File

@ -49,11 +49,11 @@ When you have configured exploit protection to your desired state (including bot
2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection settings**:
![Highlight of the Exploit protection settings option in the Windows Security app](images/wdsc-exp-prot.png)
![Highlight of the Exploit protection settings option in the Windows Security app](../images/wdsc-exp-prot.png)
3. At the bottom of the **Exploit protection** section, click **Export settings** and then choose the location and name of the XML file where you want the configuration to be saved.
![Highlight of the Export Settings option](images/wdsc-exp-prot-export.png)
![Highlight of the Export Settings option](../images/wdsc-exp-prot-export.png)
> [!NOTE]
> When you export the settings, all settings for both app-level and system-level mitigations are saved. This means you don't need to export a file from both the **System settings** and **Program settings** sections - either section will export all settings.
@ -144,7 +144,7 @@ You can use Group Policy to deploy the configuration you've created to multiple
3. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit protection**.
![Screenshot of the group policy setting for exploit protection](images/exp-prot-gp.png)
![Screenshot of the group policy setting for exploit protection](../images/exp-prot-gp.png)
4. Double-click the **Use a common set of Exploit protection settings** setting and set the option to **Enabled**.