From f58d8761a8346b696c9691ec243cf74159715aa0 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 1 Apr 2019 10:25:22 -0700 Subject: [PATCH 1/5] added registry entry --- .../enable-network-protection.md | 30 ++++++++++++------- .../evaluate-network-protection.md | 7 +++-- 2 files changed, 23 insertions(+), 14 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md index e1caa8c51b..a569a2c52b 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md @@ -47,7 +47,13 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://d ## Group Policy -1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +You can use the following procedure to enable network protection on a standalone computer or for domain-joined computers. + +1. On a standalone computer, click **Start**, type and then click **Edit group policy**. + + -Or- + + On a domain-joined Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. 2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. 
@@ -58,10 +64,17 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://d - **Disable (Default)** - The Network protection feature will not work. Users will not be blocked from accessing malicious domains - **Audit Mode** - If a user visits a malicious IP address or domain, an event will be recorded in the Windows event log but the user will not be blocked from visiting the address. - >[!IMPORTANT] >To fully enable network protection, you must set the Group Policy option to **Enabled** and also select **Block** in the options drop-down menu. +You can confirm network protection is enabled on a local computer by using Registry editor: + +1. Click **Start** and type **regedit** to open **Registry Editor**. +1. Navigate to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection +1. Click **EnableNetworkProtection** and confirm the value: + - 0=Off + - 1=On + - 2=Audit ## PowerShell @@ -82,16 +95,11 @@ Use `Disabled` insead of `AuditMode` or `Enabled` to turn the feature off. ## -Network protection can't be turned on using the Windows Security app, but you can enable it by using Registry editor. - -1. Click **Start** and type **regedit** to open **Registry Editor**. -1. Navigate to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection -1. Set the value: - 0=off - 1=on - 2=audit +Network protection can't be turned on using the Windows Security app, but you can enable it by ## Related topics -- [Protect your network](network-protection-exploit-guard.md) +- [Windows Defender Exploit Guard](windows-defender-exploit-guard.md) +- [Network protection](network-protection-exploit-guard.md) - [Evaluate network protection](evaluate-network-protection.md) +- [Troubleshoot network protection](troubleshoot-np.md) 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md index 518e47cd60..532e3b5cb8 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md @@ -64,6 +64,7 @@ Event ID | Provide/Source | Description ## Related topics -- [Protect your network](network-protection-exploit-guard.md) -- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md) -- [Use audit mode to evaluate Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md) +- [Windows Defender Exploit Guard](windows-defender-exploit-guard.md) +- [Network protection](network-protection-exploit-guard.md) +- [Enable network protection](enable-network-protection.md) +- [Troubleshoot network protection](troubleshoot-np.md) From fd96fdaa15ef21f03712bcdaaac0a87a413e6e25 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 1 Apr 2019 10:26:52 -0700 Subject: [PATCH 2/5] dates --- .../windows-defender-exploit-guard/enable-network-protection.md | 2 +- .../evaluate-network-protection.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md index a569a2c52b..b1e858ebcb 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 03/28/2019 +ms.date: 04/01/2019 --- # Enable network protection 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md index 532e3b5cb8..ea6a20bdcc 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 03/27/2019 +ms.date: 04/01/2019 --- # Evaluate network protection From 965120a918b24d39c86c5772ba8fd6ba477dbb92 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 1 Apr 2019 15:31:17 -0700 Subject: [PATCH 3/5] fixed link --- .../audit-audit-the-use-of-backup-and-restore-privilege.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md b/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md index 0b3a95e875..cc5c550da5 100644 --- a/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md +++ b/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md @@ -12,7 +12,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 04/01/2019 --- # Audit: Audit the use of Backup and Restore privilege 
@@ -80,7 +80,7 @@ When the backup and restore function is used, it creates a copy of the file syst ### Countermeasure Enable the **Audit: Audit the use of Backup and Restore privilege** setting. Alternatively, implement automatic log backup by configuring the **AutoBackupLogFiles** registry key. If you enable this option when the [Audit privilege use](../auditing/basic-audit-privilege-use.md) setting is also enabled, an audit event is generated for every file that is backed up or restored. This information could help you to identify an account that was used to accidentally or maliciously restore data in an unauthorized manner. -For more information about configuring this key, see Microsoft Knowledge Base article [100879](https://go.microsoft.com/fwlink/p/?LinkId=100879). +For more information about configuring this key, see [Eventlog Key](https://docs.microsoft.com/windows/desktop/EventLog/eventlog-key). ### Potential impact From 97c22fdb0492400bca928fbc896bc49232855c2f Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 1 Apr 2019 15:56:15 -0700 Subject: [PATCH 4/5] fixed link --- ...nable-virtualization-based-protection-of-code-integrity.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md index 5efdacf7f8..72d603b012 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md 
@@ -10,7 +10,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 03/15/2019 +ms.date: 04/01/2019 --- # Enable virtualization-based protection of code integrity @@ -291,6 +291,6 @@ Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true ### Requirements for running HVCI in Hyper-V virtual machines - The Hyper-V host must run at least Windows Server 2016 or Windows 10 version 1607. - The Hyper-V virtual machine must be Generation 2, and running at least Windows Server 2016 or Windows 10. - - HVCI and [virtualization](https://docs.microsoft.com/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) can be enabled at the same time + - HVCI and [nested virtualization](https://docs.microsoft.com/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) can be enabled at the same time - Virtual Fibre Channel adapters are not compatible with HVCI. Before attaching a virtual Fibre Channel Adapter to a virtual machine, you must first opt out of virtualization-based security using `Set-VMSecurity`. - The AllowFullSCSICommandSet option for pass-through disks is not compatible with HVCI. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using `Set-VMSecurity`. From c0b715b0798eaf43d9e106185c94d5b1dec1988b Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 1 Apr 2019 15:57:37 -0700 Subject: [PATCH 5/5] edit --- .../enable-virtualization-based-protection-of-code-integrity.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md index 72d603b012..8648bcd508 100644 
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md @@ -28,7 +28,7 @@ If this happens, see [Troubleshooting](#troubleshooting) for remediation steps. >HVCI works with modern 7th gen CPUs or higher and its equivalent on AMD. CPU new feature is required *Mode based execution control (MBE) Virtualization*. >[!TIP] -> "The Secure Kernel relies on the Mode-Based Execution Control (MBEC) feature, if present in hardware, which enhances the SLAT with a user/kernel executable bit, or the hypervisor’s software emulation of this feature, called Restricted User Mode (RUM).". Mark Russinovich and Alex Ionescu. Windows Internals 7th Edition book +> "The Secure Kernel relies on the Mode-Based Execution Control (MBEC) feature, if present in hardware, which enhances the SLAT with a user/kernel executable bit, or the hypervisor’s software emulation of this feature, called Restricted User Mode (RUM)." Mark Russinovich and Alex Ionescu. Windows Internals 7th Edition book ## HVCI Features
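Review bot: In the new step 1 of the Group Policy procedure in enable-network-protection.md (hunk @@ -47,7 +47,13), "click **Start**, type and then click **Edit group policy**" is missing the text the reader is supposed to type; as written the step says to type nothing. Suggest "click **Start**, type **Edit group policy**, and then click **Edit group policy**" (or whatever search string is intended). The indentation of the "-Or-" separator and the domain-joined paragraph should match the rest of step 1 so the numbered list does not restart when rendered.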
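Review bot: The registry verification steps added in hunk @@ -58,10 +64,17 sit under the Group Policy section, but the path shown (Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection) has no Policies component; please confirm this key reflects a Group Policy-applied setting and not only a locally configured one, and say which in the text. The path should also be wrapped in backticks, as the PowerShell section does for `Disabled` and `AuditMode`, so backslashes render literally.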
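Review bot: The replacement line in hunk @@ -82,16 +95,11, "Network protection can't be turned on using the Windows Security app, but you can enable it by", is cut off mid-sentence now that the registry steps below it were removed (they moved up into the Group Policy section). Either finish it, for example "...but you can enable it by using Group Policy, PowerShell, or MDM CSP as described above", or delete the sentence. The `##` heading it sits under also appears to have no title in the context line and would render as a blank heading.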
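Review bot: The Related topics hunk in evaluate-network-protection.md removes the links to "Evaluate Windows Defender Exploit Guard" and "Use audit mode to evaluate Windows Defender Exploit Guard" without a replacement; since this is the evaluation topic, confirm those are intentionally dropped rather than lost. Both this file and enable-network-protection.md now link to troubleshoot-np.md, so that file needs to exist in the repo for the build's link check to pass.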
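Review bot: In the audit-audit-the-use-of-backup-and-restore-privilege.md hunk, the new link text "Eventlog Key" is generic while the sentence is about configuring the AutoBackupLogFiles registry key; confirm the linked reference actually documents AutoBackupLogFiles and consider link text that names the value (for example "the AutoBackupLogFiles value of the Eventlog key") so the reader knows what to look for on the target page.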