updates to image alts

This commit is contained in:
Iaan D'Souza-Wiltshire 2017-09-29 13:42:20 -07:00
parent dc35e4ef57
commit 6e75bf3e2f
10 changed files with 31 additions and 31 deletions

View File

@ -144,7 +144,7 @@ You can review the Windows event log to see events that are created when an Atta
2. On the left panel, under **Actions**, click **Import custom view...**
![](images/events-import.gif)
![Animation showing the import custom view on the Event viewer window](images/events-import.gif)
3. Navigate to the Exploit Guard Evaluation Package, and select the file *asr-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
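Review bot: In the new alt text, "Event viewer" should be "Event Viewer", the product name used in this doc set's headings (for example "Review Controlled folder access events in Windows Event Viewer"). Suggested: `![Animation showing the Import custom view action in the Event Viewer window](images/events-import.gif)`. The same GIF is reused in the other files in this commit, so one shared wording keeps the alts from drifting.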

View File

@ -75,7 +75,7 @@ You can review the Windows event log to see events that are created when Control
3. On the left panel, under **Actions**, click **Import custom view...**
![](images/events-import.gif)
![Animation showing the import custom view on the Event viewer window](images/events-import.gif)
4. Navigate to where you extracted *cfa-events.xml* and select it. Alternatively, [copy the XML directly](event-views-exploit-guard.md).

View File

@ -75,7 +75,7 @@ You can use the Windows Defender Security Center app or Group Policy to add and
4. Click **Add a protected folder** and follow the prompts to add apps.
![](images/cfa-prot-folders.png)
![Screenshot of the Virus and threat protection settings button](images/cfa-prot-folders.png)
### Use Group Policy to protect additional folders
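Review bot: The new alt for cfa-prot-folders.png ("Virus and threat protection settings button") does not match the step it illustrates, which is clicking **Add a protected folder**. If the screenshot shows that button, say so: `![Screenshot of the Add a protected folder button in the Windows Defender Security Center app](images/cfa-prot-folders.png)`; if it really shows the Virus & threat protection settings link, the screenshot is attached to the wrong step.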
@ -107,7 +107,7 @@ You can use the Windows Defender Security Center app or Group Policy to add and
Continue to use `Add-MpPreference -ControlledFolderAccessProtectedFolders` to add more folders to the list. Folders added using this cmdlet will appear in the Windows Defender Security Center app.
![](images/cfa-allow-folder-ps.png)
![Screenshot of a PowerShell window with the cmdlet above entered](images/cfa-allow-folder-ps.png)
>[!IMPORTANT]
@ -144,7 +144,7 @@ When you add an app, you have to specify the app's location. Only the app in tha
4. Click **Add an allowed app** and follow the prompts to add apps.
![](images/cfa-allow-app.png)
![Screenshot of the add an allowed app button](images/cfa-allow-app.png)
### Use Group Policy to whitelist specific apps
@ -178,7 +178,7 @@ When you add an app, you have to specify the app's location. Only the app in tha
Continue to use `Add-MpPreference -ControlledFolderAccessAllowedApplications` to add more apps to the list. Apps added using this cmdlet will appear in the Windows Defender Security Center app.
![](images/cfa-allow-app-ps.png)
![Screenshot of a PowerShell window with the above cmdlet entered](images/cfa-allow-app-ps.png)
>[!IMPORTANT]

View File

@ -51,25 +51,25 @@ It also describes how to enable or configure the mitigations using Windows Defen
All mitigations can be configured for individual apps. Some mitigations can also be applied at the operating system level.
You can set each of the mitigations to on, off, or to their default value as indicated in the table below. Some mitigations have additional options, these are indicated in the description in the table.
You can set each of the mitigations to on, off, or to their default value. Some mitigations have additional options, these are indicated in the description in the table.
Default values are always specified in brackets at the **Use default** option for each mitigation. In the following example, the default for Data Execution Prevention is "On".
![](images/ep-default.png)
![Screenshot showing the drop down menu for DEP which shows the default for DEP as On](images/ep-default.png)
The **Use default** configuration for each of the mitigation settings indicates our recommendation for a base level of protection for everyday usage for home users. Enterprise deployments should consider the protection required for their individual needs and may need to modify configuration away from the defaults.
For the associated PowerShell cmdlets for each mitigation, see the [PowerShell reference table](#cmdlets-table) at the bottom of this topic.
Mitigation | Description | Can be applied to, and default value for system mitigations | Audit mode available
Mitigation | Description | Can be applied to | Audit mode available
- | - | - | -
Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level (system default: **On**) | [!include[Check mark no](images/svg/check-no.md)]
Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level (system default: **On**) | [!include[Check mark no](images/svg/check-no.md)]
Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level (system default: **Off**) | [!include[Check mark no](images/svg/check-no.md)]
Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations including those for system structures heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level (system default: **On**) | [!include[Check mark no](images/svg/check-no.md)]
Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. | System and app-level (system default: **On**) | [!include[Check mark no](images/svg/check-no.md)]
Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level (system default: **Off**) | [!include[Check mark no](images/svg/check-no.md)]
Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level | [!include[Check mark no](images/svg/check-no.md)]
Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level | [!include[Check mark no](images/svg/check-no.md)]
Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level | [!include[Check mark no](images/svg/check-no.md)]
Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations including those for system structures heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level | [!include[Check mark no](images/svg/check-no.md)]
Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. | System and app-level | [!include[Check mark no](images/svg/check-no.md)]
Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level | [!include[Check mark no](images/svg/check-no.md)]
Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | App-level only | [!include[Check mark yes](images/svg/check-yes.md)]
Block low integrity images | Prevents the loading of images marked with Low Integrity. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)]
Block remote images | Prevents loading of images from remote devices. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)]
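Review bot: Dropping the "default value for system mitigations" column removes the only place in this topic that records the system defaults (Mandatory ASLR and Validate heap integrity are Off, the rest in that group On); the surviving sentence above only tells readers to look for the value in brackets in the UI, and the intro edit in this hunk also deletes "as indicated in the table below". Either keep the defaults in the table or restate them in the prose so an administrator without the app in front of them can still check the baseline.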
@ -127,7 +127,7 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi
2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then the **Exploit protection** label:
![](images/wdsc-exp-prot.png)
![App & browser control screen in the Windows Defender Security Center](images/wdsc-exp-prot.png)
3. Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here:
- **On by default** - The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
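Review bot: The new alt for wdsc-exp-prot.png ("App & browser control screen in the Windows Defender Security Center") differs from the alt given to the same image later in this file ("Screenshot showing the Exploit protection label highlighted ..."), and it is the only alt in the commit without a "Screenshot" or "Animation" lead. Use one description for the image in both places.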
@ -139,7 +139,7 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi
Changing some settings may required a restart, which will be indicated in red text underneath the setting.
![](images/wdsc-exp-prot-sys-settings.png)
![Screenshot showing the DEP drop down menu where you can select On, Off, or Default](images/wdsc-exp-prot-sys-settings.png)
4. Repeat this for all the system-level mitigations you want to configure.
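Review bot: While touching this hunk, the context line "Changing some settings may required a restart" should read "may require a restart".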
@ -154,7 +154,7 @@ Exporting the configuration as an XML file allows you to copy the configuration
2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then the **Exploit protection settings** at the bottom of the screen:
![](images/wdsc-exp-prot.png)
![Screenshot showing the Exploit protection label highlighted in the Windows Defender Security Center App & browser settings section](images/wdsc-exp-prot.png)
3. Go to the **Program settings** section and choose the app you want to apply mitigations to:
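Review bot: The new alt says the "Exploit protection label" is highlighted, but step 2 in this hunk tells the reader to click **Exploit protection settings** at the bottom of the screen; the alt and the step should name the same control, and the earlier hunk for this same image in the file should reuse the same wording.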
@ -164,14 +164,14 @@ Exporting the configuration as an XML file allows you to copy the configuration
- Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
- Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
![](images/wdsc-exp-prot-app-settings.png)
![Screenshot showing the add file or folder button](images/wdsc-exp-prot-app-settings.png)
4. After selecting the app, you'll see a list of all the mitigations that can be applied. To enable the mitigation, click the check box and then change the slider to **On**. Select any additional options. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.
5. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration.
![](images/wdsc-exp-prot-app-settings-options.png)
![Screenshot showing some of the options available for an added program](images/wdsc-exp-prot-app-settings-options.png)
You can now [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) or return to configure system-level mitigations.
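Review bot: The new alt for wdsc-exp-prot-app-settings.png describes an "add file or folder button", but the steps around it offer **Add by program name** and **Choose exact file path**; neither is a folder picker. Describe the control the screenshot actually shows (the add-program control and its two options) so the alt does not contradict the text.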

View File

@ -79,7 +79,7 @@ See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) to
- Disabled = 0
- Audit mode = 2
![](images/asr-rules-gp.png)
![Group policy setting showing a blank ASR rule ID and value of 1](images/asr-rules-gp.png)

View File

@ -60,7 +60,7 @@ For further details on how audit mode works, and when you might want to use it,
3. Set the switch for the feature to **On**
![](images/cfa-on.png)
![Screenshot of the CFA feature switched to On](images/cfa-on.png)
### Use Group Policy to enable Controlled folder access
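Review bot: The new alt "Screenshot of the CFA feature switched to On" uses an abbreviation the rest of the topic spells out as "Controlled folder access" (see the heading right below); a screen reader will read "CFA" literally. Suggested: `![Screenshot of the Controlled folder access switch set to On](images/cfa-on.png)`.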
@ -77,7 +77,7 @@ For further details on how audit mode works, and when you might want to use it,
- **Disable (Default)** - The Controlled folder access feature will not work. All apps can make changes to files in protected folders.
- **Audit Mode** - If a malicious or suspicious app attempts to make a change to a file in a protected folder, the change will be allowed but will be recorded in the Windows event log. This allows you to assess the impact of this feature on your organization.
![](images/cfa-gp-enable.png)
![Screenshot of group policy option with Enabled and then Enable selected in the drop down](images/cfa-gp-enable.png)
>[!IMPORTANT]
>To fully enable the Controlled folder access feature, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu.

View File

@ -57,7 +57,7 @@ This tool has a simple user interface that lets you choose a rule, configure it
When you run a scenario, you will see what the scenario entails, what the rule is set to, and what actions were taken.
![](images/asr-test-tool.png)
![Screenshot of the Exploit guard demo tool](images/asr-test-tool.png)
Each scenario creates a fake or sample file or behavior that the rule would target and, if the rule was enabled, block from running.
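Review bot: The new alt "Screenshot of the Exploit guard demo tool" is generic, while this topic describes the tool as one for attack surface reduction rules and the image is named asr-test-tool.png; the same generic alt (with different capitalisation) is later given to the file creator tool in the Controlled folder access topic. Name the scenario or rule the screenshot shows so the two images get distinct, accurate descriptions.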
@ -99,7 +99,7 @@ Audit | The rule wil fire, but the suspicious behavior will **not** be blocked f
Block mode will cause a notification to appear on the user's desktop:
![](images/asr-notif.png)
![Example notification that says Action blocked: Your IT administrator caused Windows Defender Antivirus to block this action. Contact your IT desk.](images/asr-notif.png)
You can [modify the notification to display your company name and links](customize-attack-surface-reduction.md#customize-the-notification) for users to obtain more information or contact your IT help desk.

View File

@ -73,11 +73,11 @@ You can enable Controlled folder access, run the tool, and see what the experien
6. You'll be asked to specify a name and location for the file. You can choose anything you wish to test.
![](images/cfa-filecreator.png)
![Screenshot of the exploit guard demo tool](images/cfa-filecreator.png)
7. A notification will appear, indicating that the tool was prevented from creating the file, as in the following example:
![](images/cfa-notif.png)
![Exampke notification that says Unauthorized changes blocked: Controlled folder access blocked (file name) from making changes to the folder (folder name)](images/cfa-notif.png)
## Review Controlled folder access events in Windows Event Viewer
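Review bot: Typo in the new alt for cfa-notif.png: "Exampke" should be "Example". In the same hunk, "Screenshot of the exploit guard demo tool" is the lowercase twin of the "Exploit guard demo tool" alt used for the ASR tool earlier in the commit; capitalise consistently and, since this screenshot is the file creator dialog, say so.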

View File

@ -64,7 +64,7 @@ You can also carry out the processes described in this topic in audit or disable
You will get a 403 Forbidden response in the browser, and you will see a notification that the network connnection was blocked.
![](images/np-notif.png)
![Example notification that says Connection blocked: Your IT administrator caused Windows Defender Security center to block this network connection. Contact your IT help desk.](images/np-notif.png)
## Review Network protection events in Windows Event Viewer
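Review bot: In the new alt for np-notif.png, "Windows Defender Security center" should be "Windows Defender Security Center", as capitalised elsewhere in the commit. Same hunk, context line: "connnection" should be "connection".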

View File

@ -47,7 +47,7 @@ You can also manually navigate to the event area that corresponds to the Windows
### Import an existing XML custom view
1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the appropraite file to an easily accessible location. The following filenames are each of the custom views:
1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the appropriate file to an easily accessible location. The following filenames are each of the custom views:
- Controlled folder access events custom view: *cfa-events.xml*
- Exploit protection events custom view: *ep-events.xml*
- Attack surface reduction events custom view: *asr-events.xml*
@ -57,7 +57,7 @@ You can also manually navigate to the event area that corresponds to the Windows
3. On the left panel, under **Actions**, click **Import Custom View...**
![](images/events-import.gif)
![Animation highlighting Import custom view on the left of the Even viewer window](images/events-import.gif)
4. Navigate to where you extracted XML file for the custom view you want and select it.
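Review bot: Typo in the new alt for events-import.gif: "Even viewer" should be "Event Viewer". This is the third distinct alt given to the same GIF in this commit; pick one wording and reuse it in all three files.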
@ -73,7 +73,7 @@ You can also manually navigate to the event area that corresponds to the Windows
3. On the left panel, under **Actions**, click **Create Custom View...**
![](images/events-create.gif)
![Animation highlighting the create cusomt view option on the Event viewer window ](images/events-create.gif)
4. Go to the XML tab and click **Edit query manually**. You'll see a warning that you won't be able to edit the query using the **Filter** tab if you use the XML option. Click **Yes**.
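Review bot: Typo and trailing whitespace in the new alt for events-create.gif: "cusomt" should be "custom", and the space before the closing bracket should go. Suggested: `![Animation highlighting the Create Custom View option in the Event Viewer window](images/events-create.gif)`.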