updates to image alts

Iaan D'Souza-Wiltshire
2017-09-29 13:42:20 -07:00
parent dc35e4ef57
commit 6e75bf3e2f
10 changed files with 31 additions and 31 deletions


@ -51,25 +51,25 @@ It also describes how to enable or configure the mitigations using Windows Defen
All mitigations can be configured for individual apps. Some mitigations can also be applied at the operating system level.
You can set each of the mitigations to on, off, or to their default value as indicated in the table below. Some mitigations have additional options, these are indicated in the description in the table.
You can set each of the mitigations to on, off, or to their default value. Some mitigations have additional options, these are indicated in the description in the table.
Default values are always specified in brackets at the **Use default** option for each mitigation. In the following example, the default for Data Execution Prevention is "On".
![](images/ep-default.png)
![Screenshot showing the drop down menu for DEP which shows the default for DEP as On](images/ep-default.png)
The **Use default** configuration for each of the mitigation settings indicates our recommendation for a base level of protection for everyday usage for home users. Enterprise deployments should consider the protection required for their individual needs and may need to modify configuration away from the defaults.
For the associated PowerShell cmdlets for each mitigation, see the [PowerShell reference table](#cmdlets-table) at the bottom of this topic.
Mitigation | Description | Can be applied to, and default value for system mitigations | Audit mode available
Mitigation | Description | Can be applied to | Audit mode available
- | - | - | -
Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level (system default: **On**) | [!include[Check mark no](images/svg/check-no.md)]
Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level (system default: **On**) | [!include[Check mark no](images/svg/check-no.md)]
Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level (system default: **Off**) | [!include[Check mark no](images/svg/check-no.md)]
Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations including those for system structures heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level (system default: **On**) | [!include[Check mark no](images/svg/check-no.md)]
Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. | System and app-level (system default: **On**) | [!include[Check mark no](images/svg/check-no.md)]
Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level (system default: **Off**) | [!include[Check mark no](images/svg/check-no.md)]
Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level | [!include[Check mark no](images/svg/check-no.md)]
Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level | [!include[Check mark no](images/svg/check-no.md)]
Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level | [!include[Check mark no](images/svg/check-no.md)]
Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations including those for system structures heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level | [!include[Check mark no](images/svg/check-no.md)]
Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. | System and app-level | [!include[Check mark no](images/svg/check-no.md)]
Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level | [!include[Check mark no](images/svg/check-no.md)]
Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | App-level only | [!include[Check mark yes](images/svg/check-yes.md)]
Block low integrity images | Prevents the loading of images marked with Low Integrity. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)]
Block remote images | Prevents loading of images from remote devices. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)]
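Review bot: The table rows for CFG, DEP, Mandatory ASLR, Bottom-Up ASLR, SEHOP and Validate heap integrity lose their "(system default: **On**)" / "(system default: **Off**)" values, and the column header drops "and default value for system mitigations", which goes beyond the "updates to image alts" named in the commit message. After this change the page no longer states that Mandatory ASLR and Validate heap integrity are Off by default at system level; either keep the defaults in the table or move this into its own commit with a message that says where readers should find them instead. The rewritten sentence "Some mitigations have additional options, these are indicated in the description in the table" is also a comma splice and could be split into two sentences.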
@ -127,7 +127,7 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi
2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then the **Exploit protection** label:
![](images/wdsc-exp-prot.png)
![App & browser control screen in the Windows Defender Security Center](images/wdsc-exp-prot.png)
3. Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here:
- **On by default** - The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
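Review bot: The new alt text on images/wdsc-exp-prot.png describes the screen ("App & browser control screen in the Windows Defender Security Center") but not the **Exploit protection** label that step 2 tells the reader to click. The same image file is given a different alt text later in this commit; use one wording for both occurrences and have it name the label the step refers to.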
@ -139,7 +139,7 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi
Changing some settings may required a restart, which will be indicated in red text underneath the setting.
![](images/wdsc-exp-prot-sys-settings.png)
![Screenshot showing the DEP drop down menu where you can select On, Off, or Default](images/wdsc-exp-prot-sys-settings.png)
4. Repeat this for all the system-level mitigations you want to configure.
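Review bot: The alt text on images/wdsc-exp-prot-sys-settings.png lists the choices as "On, Off, or Default", while step 3 names the option "On by default"; match the alt text to the labels the steps use so the description and the procedure agree. While this paragraph is being touched, the context line "Changing some settings may required a restart" should read "may require".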
@ -154,7 +154,7 @@ Exporting the configuration as an XML file allows you to copy the configuration
2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then the **Exploit protection settings** at the bottom of the screen:
![](images/wdsc-exp-prot.png)
![Screenshot showing the Exploit protection label highlighted in the Windows Defender Security Center App & browser settings section](images/wdsc-exp-prot.png)
3. Go to the **Program settings** section and choose the app you want to apply mitigations to:
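Review bot: The alt text says "Exploit protection label" and "App & browser settings section", but step 2 in this hunk tells the reader to click the "**App & browser control** tile" and then "**Exploit protection settings** at the bottom of the screen". Use the names from the step in the alt text (or correct the step), so the control is called the same thing in both places.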
@ -164,14 +164,14 @@ Exporting the configuration as an XML file allows you to copy the configuration
- Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
- Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
![](images/wdsc-exp-prot-app-settings.png)
![Screenshot showing the add file or folder button](images/wdsc-exp-prot-app-settings.png)
4. After selecting the app, you'll see a list of all the mitigations that can be applied. To enable the mitigation, click the check box and then change the slider to **On**. Select any additional options. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.
5. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration.
![](images/wdsc-exp-prot-app-settings-options.png)
![Screenshot showing some of the options available for an added program](images/wdsc-exp-prot-app-settings-options.png)
You can now [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) or return to configure system-level mitigations.
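Review bot: The alt text "Screenshot showing the add file or folder button" on images/wdsc-exp-prot-app-settings.png does not match either control named in the bullets just above it, "**Add by program name**" and "**Choose exact file path**"; name those options in the alt text instead. The second alt text, "some of the options available for an added program", is vague; it could name what step 4 describes, such as the check box, the **On** slider and the **Audit** option.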