deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-14 14:27:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

lint/cleaned enable exploit protection

Browse Source
This commit is contained in:
martyav 2019-07-30 15:27:22 -04:00
parent 0d3cf3e8ee
commit 7b13a3b6a8
1 changed files with 73 additions and 77 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

88
windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md
View File

@ -20,9 +20,9 @@ manager: dansimp
**Applies to:** **Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) * [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
[Exploit protection](exploit-protection-exploit-guard.md) helps protect against malware that uses exploits to infect devices and spread. It consists of a number of mitigations that can be applied to either the operating system or individual apps. [Exploit protection](exploit-protection.md) helps protect against malware that uses exploits to infect devices and spread. It consists of a number of mitigations that can be applied to either the operating system or individual apps.
Many features from the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection. Many features from the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection.
@ -30,12 +30,12 @@ You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Au
You can enable each mitigation separately by using any of these methods: You can enable each mitigation separately by using any of these methods:
- [Windows Security app](#windows-security-app) * [Windows Security app](#windows-security-app)
- [Microsoft Intune](#intune) * [Microsoft Intune](#intune)
- [Mobile Device Management (MDM)](#mdm) * [Mobile Device Management (MDM)](#mdm)
- [System Center Configuration Manager (SCCM)](#sccm) * [System Center Configuration Manager (SCCM)](#sccm)
- [Group Policy](#group-policy) * [Group Policy](#group-policy)
- [PowerShell](#powershell) * [PowerShell](#powershell)
They are configured by default in Windows 10. They are configured by default in Windows 10.
@ -54,24 +54,24 @@ You can [export these settings as an XML file](import-export-exploit-protection-
1. If the app you want to configure is already listed, click it and then click **Edit** 1. If the app you want to configure is already listed, click it and then click **Edit**
2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app: 2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app:
- Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. * Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
- Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. * Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows. 4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.
5. Repeat this for all the apps and mitigations you want to configure. 5. Repeat this for all the apps and mitigations you want to configure.
3. Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here: 6. Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here:
- **On by default** - The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section * **On by default** - The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
- **Off by default** - The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section * **Off by default** - The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
- **Use default** - The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation * **Use default** - The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation
5. Repeat this for all the system-level mitigations you want to configure. Click **Apply** when you're done setting up your configuration. 7. Repeat this for all the system-level mitigations you want to configure. Click **Apply** when you're done setting up your configuration.
If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work: If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work:
Enabled in **Program settings** | Enabled in **System settings** | Behavior Enabled in **Program settings** | Enabled in **System settings** | Behavior
:-: | :-: | :-: -|-|-
[!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | As defined in **Program settings** [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | As defined in **Program settings**
[!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | As defined in **Program settings** [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | As defined in **Program settings**
[!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | As defined in **System settings** [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | As defined in **System settings**
@ -104,8 +104,8 @@ CFG will be enabled for *miles.exe*.
1. If the app you want to configure is already listed, click it and then click **Edit** 1. If the app you want to configure is already listed, click it and then click **Edit**
2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app: 2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app:
- Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. * Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
- Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. * Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows. 4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.
@ -138,13 +138,13 @@ Use the [./Vendor/MSFT/Policy/Config/ExploitGuard/ExploitProtectionSettings](htt
## Group Policy ## Group Policy
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
1. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. 1. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
1. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit Protection** > **Use a common set of exploit protection settings**. 1. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit Protection** > **Use a common set of exploit protection settings**.
6. Click **Enabled** and type the location of the [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) and click **OK**. 1. Click **Enabled** and type the location of the [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) and click **OK**.
## PowerShell ## PowerShell
@ -154,30 +154,31 @@ You can use the PowerShell verb `Get` or `Set` with the cmdlet `ProcessMitigatio
Get-ProcessMitigation -Name processName.exe Get-ProcessMitigation -Name processName.exe
``` ```
>[!IMPORTANT] > [!IMPORTANT]
>System-level mitigations that have not been configured will show a status of `NOTSET`. > System-level mitigations that have not been configured will show a status of `NOTSET`.
> >
>For system-level settings, `NOTSET` indicates the default setting for that mitigation has been applied. > For system-level settings, `NOTSET` indicates the default setting for that mitigation has been applied.
> >
>For app-level settings, `NOTSET` indicates the system-level setting for the mitigation will be applied. > For app-level settings, `NOTSET` indicates the system-level setting for the mitigation will be applied.
> >
>The default setting for each system-level mitigation can be seen in the Windows Security. > The default setting for each system-level mitigation can be seen in the Windows Security.
Use `Set` to configure each mitigation in the following format: Use `Set` to configure each mitigation in the following format:
```PowerShell ```PowerShell
Set-ProcessMitigation -<scope> <app executable> -<action> <mitigation or options>,<mitigation or options>,<mitigation or options> Set-ProcessMitigation -<scope> <app executable> -<action> <mitigation or options>,<mitigation or options>,<mitigation or options>
``` ```
Where: Where:
- \<Scope>: * \<Scope>:
- `-Name` to indicate the mitigations should be applied to a specific app. Specify the app's executable after this flag. * `-Name` to indicate the mitigations should be applied to a specific app. Specify the app's executable after this flag.
- `-System` to indicate the mitigation should be applied at the system level * `-System` to indicate the mitigation should be applied at the system level
- \<Action>: * \<Action>:
- `-Enable` to enable the mitigation * `-Enable` to enable the mitigation
- `-Disable` to disable the mitigation * `-Disable` to disable the mitigation
- \<Mitigation>: * \<Mitigation>:
- The mitigation's cmdlet along with any suboptions (surrounded with spaces). Each mitigation is separated with a comma. * The mitigation's cmdlet along with any suboptions (surrounded with spaces). Each mitigation is separated with a comma.
For example, to enable the Data Execution Prevention (DEP) mitigation with ATL thunk emulation and for an executable called *testing.exe* in the folder *C:\Apps\LOB\tests*, and to prevent that executable from creating child processes, you'd use the following command: For example, to enable the Data Execution Prevention (DEP) mitigation with ATL thunk emulation and for an executable called *testing.exe* in the folder *C:\Apps\LOB\tests*, and to prevent that executable from creating child processes, you'd use the following command:
@ -185,8 +186,8 @@ For example, to enable the Data Execution Prevention (DEP) mitigation with ATL t
Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable DEP, EmulateAtlThunks, DisallowChildProcessCreation Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable DEP, EmulateAtlThunks, DisallowChildProcessCreation
``` ```
>[!IMPORTANT] > [!IMPORTANT]
>Separate each mitigation option with commas. > Separate each mitigation option with commas.
If you wanted to apply DEP at the system level, you'd use the following command: If you wanted to apply DEP at the system level, you'd use the following command:
@ -204,7 +205,6 @@ Set-Processmitigation -Name test.exe -Remove -Disable DEP
This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that can be used to configure each mitigation. This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that can be used to configure each mitigation.
Mitigation | Applies to | PowerShell cmdlets | Audit mode cmdlet Mitigation | Applies to | PowerShell cmdlets | Audit mode cmdlet
- | - | - | - - | - | - | -
Control flow guard (CFG) | System and app-level | CFG, StrictCFG, SuppressExports | Audit not available Control flow guard (CFG) | System and app-level | CFG, StrictCFG, SuppressExports | Audit not available
@ -229,23 +229,19 @@ Validate handle usage | App-level only | StrictHandle | Audit not available
Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available
Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available
<a href="#t1" id="r1">\[1\]</a>: Use the following format to enable EAF modules for dlls for a process: <a href="#t1" id="r1">\[1\]</a>: Use the following format to enable EAF modules for dlls for a process:
```PowerShell ```PowerShell
Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll
``` ```
## Customize the notification ## Customize the notification
See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file. See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file.
## Related topics ## Related topics
- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) * [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection.md)
- [Evaluate exploit protection](evaluate-exploit-protection.md) * [Evaluate exploit protection](evaluate-exploit-protection.md)
- [Configure and audit exploit protection mitigations](customize-exploit-protection.md) * [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) * [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md)