Merged PR 15049: added table

added table
Justin Hall 2019-04-02 17:12:21 +00:00
commit 76693bf26e
6 changed files with 31 additions and 46 deletions


@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 03/26/2018
ms.date: 04/02/2019
---
# Reduce attack surfaces with attack surface reduction rules
@ -236,15 +236,6 @@ SCCM name: Not applicable
GUID: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
## Review attack surface reduction events in Windows Event Viewer
You can review the Windows event log to see events that are created when attack surface rules block (or audit) an app:
Event ID | Description
5007 | Event when settings are changed
1121 | Event when an attack surface reduction rule fires in audit mode
1122 | Event when an attack surface reduction rule fires in block mode
## Related topics
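Review bot: deleting the "Review attack surface reduction events in Windows Event Viewer" section and its Event ID table from this topic removes the `#review-attack-surface-reduction-events-in-windows-event-viewer` anchor in attack-surface-reduction-exploit-guard.md, so every inbound link to that anchor has to move with it. The audit table in this same PR still shows one row pointing at `attack-surface-reduction-exploit-guard.md#review-attack-surface-reduction-events-in-windows-event-viewer` next to a row pointing at `evaluate-attack-surface-reduction.md#review-attack-surface-reduction-events-in-windows-event-viewer`; confirm the old reference is the one being dropped and search the rest of the doc set for the same anchor before merging. The `GUID: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c` line directly under the hunk header reads as context and should stay untouched.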


@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 09/18/2018
ms.date: 04/02/2019
---
@ -37,32 +37,13 @@ You can use Group Policy, PowerShell, and configuration service providers (CSPs)
>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work.
|Audit options | How to enable audit mode | How to view events |
|- | - | - |
|Audit applies to all events | [Enable controlled folder access](enable-controlled-folders-exploit-guard.md) | [Controlled folder access events](evaluate-controlled-folder-access.md#review-controlled-folder-access-events-in-windows-event-viewer) |
|Audit applies to individual rules | [Enable attack surface reduction rules](enable-attack-surface-reduction.md) | [Attack surface reduction rule events](evaluate-attack-surface-reduction.md#review-attack-surface-reduction-events-in-windows-event-viewer) |
|Audit applies to all events | [Enable network protection](enable-network-protection.md) | [Network protection events](evaluate-network-protection.md#review-network-protection-events-in-windows-event-viewer) |
|Audit applies to individual mitigations | [Enable exploit protection](enable-exploit-protection.md) | [Exploit protection events](exploit-protection-exploit-guard.md#review-exploit-protection-events-in-windows-event-viewer) |
Audit options | How to enable audit mode | How to view events
- | - | -
Audit applies to all events | [Enable controlled folder access](enable-controlled-folders-exploit-guard.md) | [Controlled folder access events](evaluate-controlled-folder-access.md#review-controlled-folder-access-events-in-windows-event-viewer)
Audit applies to individual rules | [Enable attack surface reduction rules](enable-attack-surface-reduction.md) | [Attack surface reduction rule events](attack-surface-reduction-exploit-guard.md#review-attack-surface-reduction-events-in-windows-event-viewer)
Audit applies to all events | [Enable network protection](enable-network-protection.md) | [Network protection events](evaluate-network-protection.md#review-network-protection-events-in-windows-event-viewer)
Audit applies to individual mitigations | [Enable exploit protection](enable-exploit-protection.md) | [Exploit protection events](exploit-protection-exploit-guard.md#review-exploit-protection-events-in-windows-event-viewer)
You can also use the a custom PowerShell script that enables the features in audit mode automatically:
1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *Enable-ExploitGuardAuditMode.ps1* to an easily accessible location on the machine.
1. Type **powershell** in the Start menu.
2. Right-click **Windows PowerShell**, click **Run as administrator** and click **Yes** or enter admin credentials at the prompt.
3. Enter the following in the PowerShell window to enable Controlled folder access and Attack surface reduction in audit mode:
```PowerShell
Set-ExecutionPolicy Bypass -Force
<location>\Enable-ExploitGuardAuditMode.ps1
```
Replace \<location> with the folder path where you placed the file.
A message should appear to indicate that audit mode was enabled.
## Related topics
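Review bot: the two versions of the audit table in this hunk disagree on where "Attack surface reduction rule events" links (evaluate-attack-surface-reduction.md versus attack-surface-reduction-exploit-guard.md); the version that is kept must use `evaluate-attack-surface-reduction.md#review-attack-surface-reduction-events-in-windows-event-viewer`, because this PR adds the event table there and deletes the section from the other topic. If the PowerShell steps survive the hunk, three things need fixing: "You can also use the a custom PowerShell script" has a stray "the"; the list numbering runs 1, 1, 2, 3; and `Set-ExecutionPolicy Bypass -Force` changes the execution policy machine-wide and persistently, which is more than an evaluation needs. Scope it to the session instead, e.g. `Set-ExecutionPolicy Bypass -Scope Process -Force`, or run the script as `powershell.exe -ExecutionPolicy Bypass -File <location>\Enable-ExploitGuardAuditMode.ps1`, and tell readers to restore their previous policy afterwards.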


@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 11/16/2018
ms.date: 04/02/2019
---
# Evaluate attack surface reduction rules
@ -45,6 +45,17 @@ This enables all attack surface reduction rules in audit mode.
>If you want to fully audit how attack surface reduction rules will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s).
You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Attack surface reduction rules topic](attack-surface-reduction-exploit-guard.md).
## Review attack surface reduction events in Windows Event Viewer
To review apps that would have been blocked, open Event Viewer and filter for Event ID 1121 in the Microsoft-Windows-Windows-Defender/Operational log. The following table lists all network protection events.
| Event ID | Description |
|----------|-------------|
|5007 | Event when settings are changed |
| 1121 | Event when an attack surface reduction rule fires in audit mode |
| 1122 | Event when an attack surface reduction rule fires in block mode |
## Customize attack surface reduction rules
During your evaluation, you may wish to configure each rule individualy or exclude certain files and processes from being evaluated by the feature.
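Review bot: "The following table lists all network protection events." above the Event ID table is carried over from the network protection topic; this table lists attack surface reduction events, so it should read "The following table lists all attack surface reduction events." Two smaller points in the same hunk: the `|5007 | Event when settings are changed |` row lacks the leading space the 1121 and 1122 rows use (cosmetic, but worth aligning), and "configure each rule individualy" should be "individually". Because the audit topic's "Attack surface reduction rule events" link now targets this section, keep the heading text exactly "Review attack surface reduction events in Windows Event Viewer" so the generated `#review-attack-surface-reduction-events-in-windows-event-viewer` anchor resolves.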


@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 03/26/2019
ms.date: 04/02/2019
---
# Evaluate exploit protection
@ -109,6 +109,7 @@ Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 11 | Code in
- [Enable exploit protection](enable-exploit-protection.md)
- [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md)
- [Troubleshoot exploit protection](troubleshoot-exploit-protection-mitigations.md)
- [Enable network protection](enable-network-protection.md)
- [Enable controlled folder access](enable-controlled-folders-exploit-guard.md)
- [Enable attack surface reduction](enable-attack-surface-reduction.md)
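Review bot: the link text "Enable attack surface reduction" does not match the label used for the same target elsewhere in this PR, where the audit table links to enable-attack-surface-reduction.md as "Enable attack surface reduction rules"; use the same label here so the related-topics list and the table agree. The rest of the list is unchanged and the added link fits it.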


@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 04/01/2019
ms.date: 04/02/2019
---
# Evaluate network protection
@ -20,7 +20,7 @@ ms.date: 04/01/2019
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
Network protection helps prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
[Network protection](network-protection-exploit-guard.md) helps prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
This topic helps you evaluate Network protection by enabling the feature and guiding you to a testing site. The site in this evaluation topic are not malicious, they are specially created websites that pretend to be malicious. The site will replicate the behavior that would happen if a user visted a malicious site or domain.
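Review bot: the paragraph directly under the changed intro line has grammar problems worth fixing while it is open: "The site in this evaluation topic are not malicious, they are specially created websites that pretend to be malicious" mixes singular and plural, and "visted" should be "visited". Suggested wording: "The site used in this evaluation topic is not malicious; it is a specially created website that pretends to be malicious and replicates the behavior that would occur if a user visited a malicious site or domain." The change itself, wrapping "Network protection" in a link to network-protection-exploit-guard.md, is fine.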
@ -55,11 +55,11 @@ The network connection will be allowed and a test message will be displayed.
To review apps that would have been blocked, open Event Viewer and filter for Event ID 1125 in the Microsoft-Windows-Windows-Defender/Operational log. The following table lists all network protection events.
Event ID | Provide/Source | Description
-|-
5007 | Windows Defender (Operational) | Event when settings are changed
1125 | Windows Defender (Operational) | Event when a network connection is audited
1126 | Windows Defender (Operational) | Event when a network connection is blocked
| Event ID | Provide/Source | Description |
|-|-|-|
|5007 | Windows Defender (Operational) | Event when settings are changed |
|1125 | Windows Defender (Operational) | Event when a network connection is audited |
|1126 | Windows Defender (Operational) | Event when a network connection is blocked |
## Related topics
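Review bot: the pipe-delimited version of this table fixes a real rendering defect, since the bare version's separator row `-|-` declares only two columns for a three-column table and the Description column can render incorrectly. While here, the column header "Provide/Source" should be "Provider/Source" in whichever version is kept, and "Windows Defender (Operational)" names the log channel rather than the event provider; "Microsoft-Windows-Windows-Defender/Operational" would match the log name given in the sentence above the table and make the Event Viewer filter instructions and the table consistent.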


@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 03/26/2018
ms.date: 04/02/2019
---
# Protect devices from exploits
@ -154,5 +154,6 @@ Validate image dependency integrity | [!include[Check mark yes](images/svg/check
- [Enable exploit protection](enable-exploit-protection.md)
- [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md)
- [Troubleshoot exploit protection](troubleshoot-exploit-protection-mitigations.md)