deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-05 17:17:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

acrolinx and toc updates

Browse Source
This commit is contained in:
Beth Levin 2020-08-14 15:18:34 -07:00
parent b8c5fd2011
commit a1265dad78
11 changed files with 63 additions and 68 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
windows/security/threat-protection/TOC.md
View File

@ -49,7 +49,7 @@
### [Attack surface reduction]()
#### [Overview of attack surface reduction](microsoft-defender-atp/overview-attack-surface-reduction.md)
#### [Attack surface reduction evaluation](microsoft-defender-atp/evaluate-attack-surface-reduction.md)
#### [Evaluate attack surface reduction rules](microsoft-defender-atp/evaluate-attack-surface-reduction.md)
#### [Attack surface reduction configuration settings](microsoft-defender-atp/configure-attack-surface-reduction.md)
#### [Attack surface reduction FAQ](microsoft-defender-atp/attack-surface-reduction-faq.md)
@ -57,6 +57,7 @@
##### [Attack surface reduction rules](microsoft-defender-atp/attack-surface-reduction.md)
##### [Enable attack surface reduction rules](microsoft-defender-atp/enable-attack-surface-reduction.md)
##### [Customize attack surface reduction rules](microsoft-defender-atp/customize-attack-surface-reduction.md)
##### [View attack surface reduction events](microsoft-defender-atp/event-views.md)
#### [Hardware-based isolation]()
##### [Hardware-based isolation in Windows 10](microsoft-defender-atp/overview-hardware-based-isolation.md)
@ -83,12 +84,13 @@
##### [Protect devices from exploits](microsoft-defender-atp/exploit-protection.md)
##### [Exploit protection evaluation](microsoft-defender-atp/evaluate-exploit-protection.md)
##### [Enable exploit protection](microsoft-defender-atp/enable-exploit-protection.md)
##### [Customize exploit protection](microsoft-defender-atp/customize-exploit-protection.md)
#### [Network protection]()
##### [Protect your network](microsoft-defender-atp/network-protection.md)
##### [Network protection evaluation](microsoft-defender-atp/evaluate-network-protection.md)
##### [Enable network protection](microsoft-defender-atp/enable-network-protection.md)
##### [Evaluate network protection](microsoft-defender-atp/evaluate-network-protection.md)
##### [Turning on network protection](microsoft-defender-atp/enable-network-protection.md)
#### [Web protection]()
##### [Web protection overview](microsoft-defender-atp/web-protection-overview.md)
@ -100,8 +102,9 @@
#### [Controlled folder access]()
##### [Protect folders](microsoft-defender-atp/controlled-folders.md)
##### [Controlled folder access evaluation](microsoft-defender-atp/evaluate-controlled-folder-access.md)
##### [Evaluate controlled folder access](microsoft-defender-atp/evaluate-controlled-folder-access.md)
##### [Enable controlled folder access](microsoft-defender-atp/enable-controlled-folders.md)
##### [Customize controlled folder access](microsoft-defender-atp/customize-controlled-folders.md)

1
windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md
View File

@ -11,7 +11,6 @@ ms.localizationpriority: medium
audience: ITPro
author: levinec
ms.author: ellevin
ms.date: 04/02/2019
ms.reviewer:
manager: dansimp
---

2
windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md
View File

@ -1,5 +1,5 @@
---
title: Configure how attack surface reduction rules work to fine-tune protection in your network
title: Customize attack surface reduction rules
description: Individually set rules in audit, block, or disabled modes, and add files and folders that should be excluded from attack surface reduction rules
keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, customize, configure, exclude
search.product: eADQiWindows 10XVcnh

2
windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md
View File

@ -1,5 +1,5 @@
---
title: Add additional folders and apps to be protected
title: Customize controlled folder access
description: Add additional folders that should be protected by controlled folder access, or allow apps that are incorrectly blocking changes to important files.
keywords: Controlled folder access, windows 10, windows defender, ransomware, protect, files, folders, customize, add folder, add app, allow, add executable
search.product: eADQiWindows 10XVcnh

4
windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md
View File

@ -1,7 +1,7 @@
---
title: Enable or disable specific mitigations used by exploit protection
title: Customize exploit protection
keywords: Exploit protection, mitigations, enable, powershell, dep, cfg, emet, aslr
description: You can enable individual mitigations using the Windows Security app or PowerShell. You can also audit mitigations and export configurations.
description: You can enable or disable specific mitigations used by exploit protection using the Windows Security app or PowerShell. You can also audit mitigations and export configurations.
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: manage

29
windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
View File

@ -1,5 +1,5 @@
---
title: Enable attack surface reduction rules individually to protect your organization
title: Enable attack surface reduction rules
description: Enable attack surface reduction (ASR) rules to protect your devices from attacks that use macros, scripts, and common injection techniques.
keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, enable, turn on
search.product: eADQiWindows 10XVcnh
@ -11,7 +11,6 @@ ms.localizationpriority: medium
audience: ITPro
author: levinec
ms.author: ellevin
ms.date: 06/04/2020
ms.reviewer:
manager: dansimp
---
@ -68,11 +67,11 @@ The following procedures for enabling ASR rules include instructions for how to
2. In the **Endpoint protection** pane, select **Windows Defender Exploit Guard**, then select **Attack Surface Reduction**. Select the desired setting for each ASR rule.
3. Under **Attack Surface Reduction exceptions**, you can enter individual files and folders, or you can select **Import** to import a CSV file that contains files and folders to exclude from ASR rules. Each line in the CSV file should be formatted as follows:
3. Under **Attack Surface Reduction exceptions**, enter individual files and folders. You can also select **Import** to import a CSV file that contains files and folders to exclude from ASR rules. Each line in the CSV file should be formatted as follows:
`C:\folder`, `%ProgramFiles%\folder\file`, `C:\path`
4. Select **OK** on the three configuration panes and then select **Create** if you're creating a new endpoint protection file or **Save** if you're editing an existing one.
4. Select **OK** on the three configuration panes. Then select **Create** if you're creating a new endpoint protection file or **Save** if you're editing an existing one.
## MDM
@ -103,32 +102,32 @@ Example:
## Microsoft Endpoint Configuration Manager
1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
1. In Microsoft Endpoint Configuration Manager, go to **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
2. Click **Home** > **Create Exploit Guard Policy**.
2. Select **Home** > **Create Exploit Guard Policy**.
3. Enter a name and a description, click **Attack Surface Reduction**, and click **Next**.
3. Enter a name and a description, select **Attack Surface Reduction**, and select **Next**.
4. Choose which rules will block or audit actions and click **Next**.
4. Choose which rules will block or audit actions and select **Next**.
5. Review the settings and click **Next** to create the policy.
5. Review the settings and select **Next** to create the policy.
6. After the policy is created, click **Close**.
6. After the policy is created, **Close**.
## Group Policy
> [!WARNING]
> If you manage your computers and devices with Intune, Configuration Manager, or other enterprise-level management platform, the management software will overwrite any conflicting Group Policy settings on startup.
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**.
3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Windows Defender Exploit Guard** > **Attack surface reduction**.
4. Select **Configure Attack surface reduction rules** and select **Enabled**. You can then set the individual state for each rule in the options section.
Click **Show...** and enter the rule ID in the **Value name** column and your desired state in the **Value** column as follows:
Select **Show...** and enter the rule ID in the **Value name** column and your chosen state in the **Value** column as follows:
- Disable = 0
- Block (enable ASR rule) = 1
@ -136,7 +135,7 @@ Example:
![Group policy setting showing a blank attack surface reduction rule ID and value of 1](../images/asr-rules-gp.png)
5. To exclude files and folders from ASR rules, select the **Exclude files and paths from Attack surface reduction rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item.
5. To exclude files and folders from ASR rules, select the **Exclude files and paths from Attack surface reduction rules** setting and set the option to **Enabled**. Select **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item.
> [!WARNING]
> Do not use quotes as they are not supported for either the **Value name** column or the **Value** column.
@ -146,7 +145,7 @@ Example:
> [!WARNING]
> If you manage your computers and devices with Intune, Configuration Manager, or other enterprise-level management platform, the management software will overwrite any conflicting PowerShell settings on startup.
1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator**.
1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator**.
2. Enter the following cmdlet:

52
windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md
View File

@ -1,5 +1,5 @@
---
title: Turn on the protected folders feature in Windows 10
title: Enable controlled folder access
keywords: Controlled folder access, windows 10, windows defender, ransomware, protect, files, folders, enable, turn on, use
description: Learn how to protect your important files by enabling Controlled folder access
search.product: eADQiWindows 10XVcnh
@ -11,7 +11,6 @@ ms.localizationpriority: medium
audience: ITPro
author: levinec
ms.author: ellevin
ms.date: 05/13/2019
ms.reviewer:
manager: dansimp
---
@ -44,71 +43,70 @@ For more information about disabling local list merging, see [Prevent or allow u
## Windows Security app
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
1. Open the Windows Security app by selecting the shield icon in the task bar. You can also search the start menu for **Defender**.
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then click **Ransomware protection**.
2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then select **Ransomware protection**.
3. Set the switch for **Controlled folder access** to **On**.
> [!NOTE]
> If controlled folder access is configured with Group Policy, PowerShell, or MDM CSPs, the state will change in the Windows Security app after a restart of the device.
> If the feature is set to **Audit mode** with any of those tools, the Windows Security app will show the state as **Off**.
> If you are protecting user profile data, we recommend that the user profile should be on the default Windows installation drive.
## Intune
1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune.
2. Click **Device configuration** > **Profiles** > **Create profile**.
2. Go to **Device configuration** > **Profiles** > **Create profile**.
3. Name the profile, choose **Windows 10 and later** and **Endpoint protection**. <br/> ![Create endpoint protection profile](../images/create-endpoint-protection-profile.png) <br/>
4. Click **Configure** > **Windows Defender Exploit Guard** > **Controlled folder access** > **Enable**.
4. Go to **Configure** > **Windows Defender Exploit Guard** > **Controlled folder access** > **Enable**.
5. Type the path to each application that has access to protected folders and the path to any additional folder that needs protection and click **Add**.<br/> ![Enable controlled folder access in Intune](../images/enable-cfa-intune.png)<br/>
5. Type the path to each application that has access to protected folders and the path to any additional folder that needs protection. Select **Add**.<br/> ![Enable controlled folder access in Intune](../images/enable-cfa-intune.png)<br/>
> [!NOTE]
> Wilcard is supported for applications, but not for folders. Subfolders are not protected. Allowed apps will continue to trigger events until they are restarted.
6. Click **OK** to save each open blade and click **Create**.
6. Select **OK** to save each open blade and **Create**.
7. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**.
7. Select the profile **Assignments**, assign to **All Users & All Devices**, and **Save**.
## MDM
## Mobile Device Management (MDM)
Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-controlledfolderaccessprotectedfolders) configuration service provider (CSP) to allow apps to make changes to protected folders.
## Microsoft Endpoint Configuration Manager
1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
1. In Microsoft Endpoint Configuration Manager, go to **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
2. Click **Home** > **Create Exploit Guard Policy**.
2. Select **Home** > **Create Exploit Guard Policy**.
3. Enter a name and a description, click **Controlled folder access**, and click **Next**.
3. Enter a name and a description, select **Controlled folder access**, and select **Next**.
4. Choose whether block or audit changes, allow other apps, or add other folders, and click **Next**.
4. Choose whether block or audit changes, allow other apps, or add other folders, and select **Next**.
> [!NOTE]
> Wilcard is supported for applications, but not for folders. Subfolders are not protected. Allowed apps will continue to trigger events until they are restarted.
5. Review the settings and click **Next** to create the policy.
5. Review the settings and select **Next** to create the policy.
6. After the policy is created, click **Close**.
6. After the policy is created, **Close**.
## Group Policy
1. On your Group Policy management device, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
1. On your Group Policy management device, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**.
3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access**.
4. Double-click the **Configure Controlled folder access** setting and set the option to **Enabled**. In the options section you must specify one of the following:
* **Enable** - Malicious and suspicious apps will not be allowed to make changes to files in protected folders. A notification will be provided in the Windows event log.
* **Disable (Default)** - The Controlled folder access feature will not work. All apps can make changes to files in protected folders.
* **Audit Mode** - If a malicious or suspicious app attempts to make a change to a file in a protected folder, the change will be allowed but will be recorded in the Windows event log. This allows you to assess the impact of this feature on your organization.
4. Double-click the **Configure Controlled folder access** setting and set the option to **Enabled**. In the options section you must specify one of the following options:
* **Enable** - Malicious and suspicious apps won't be allowed to make changes to files in protected folders. A notification will be provided in the Windows event log.
* **Disable (Default)** - The Controlled folder access feature won't work. All apps can make changes to files in protected folders.
* **Audit Mode** - Changes will be allowed if a malicious or suspicious app attempts to make a change to a file in a protected folder. However, it will be recorded in the Windows event log where you can assess the impact on your organization.
* **Block disk modification only** - Attempts by untrusted apps to write to disk sectors will be logged in Windows Event log. These logs can be found in **Applications and Services Logs** > Microsoft > Windows > Windows Defender > Operational > ID 1123.
* **Audit disk modification only** - Only attempts to write to protected disk sectors will be recorded in the Windows event log (under **Applications and Services Logs** > **Microsoft** > **Windows** > **Windows Defender** > **Operational** > **ID 1124**). Attempts to modify or delete files in protected folders will not be recorded.
* **Audit disk modification only** - Only attempts to write to protected disk sectors will be recorded in the Windows event log (under **Applications and Services Logs** > **Microsoft** > **Windows** > **Windows Defender** > **Operational** > **ID 1124**). Attempts to modify or delete files in protected folders won't be recorded.
![Screenshot of the group policy option Enabled and Audit Mode selected in the drop-down](../images/cfa-gp-enable.png)
@ -117,7 +115,7 @@ Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](htt
## PowerShell
1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator**.
1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator**.
2. Enter the following cmdlet:
@ -127,9 +125,9 @@ Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](htt
You can enable the feature in audit mode by specifying `AuditMode` instead of `Enabled`.
Use `Disabled` to turn the feature off.
Use `Disabled` to turn off the feature.
## Related topics
## See also
* [Protect important folders with controlled folder access](controlled-folders.md)
* [Customize controlled folder access](customize-controlled-folders.md)

4
windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md
View File

@ -1,5 +1,5 @@
---
title: Turn on network protection
title: Turning on network protection
description: Enable Network protection with Group Policy, PowerShell, or Mobile Device Management and Configuration Manager
keywords: ANetwork protection, exploits, malicious website, ip, domain, domains, enable, turn on
search.product: eADQiWindows 10XVcnh
@ -131,7 +131,7 @@ Confirm network protection is enabled on a local computer by using Registry edit
* 1=On
* 2=Audit
## Related topics
## See also
* [Network protection](network-protection.md)
* [Evaluate network protection](evaluate-network-protection.md)

4
windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md
View File

@ -1,6 +1,6 @@
---
title: See how controlled folder access can help protect files from being changed by malicious apps
description: Use a custom tool to see how Controlled folder access works in Windows 10.
title: Evaluate controlled folder access
description: See how controlled folder access can help protect files from being changed by malicious apps.
keywords: Exploit protection, windows 10, windows defender, ransomware, protect, evaluate, test, demo, try
search.product: eADQiWindows 10XVcnh
ms.prod: w10

15
windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection.md
View File

@ -1,6 +1,6 @@
---
title: Conduct a demo to see how network protection works
description: Quickly see how Network protection works by performing common scenarios that it protects against
title: Evaluate network protection
description: See how network protection works by testing common scenarios that it protects against.
keywords: Network protection, exploits, malicious website, ip, domain, domains, evaluate, test, demo
search.product: eADQiWindows 10XVcnh
ms.prod: w10
@ -10,7 +10,6 @@ ms.localizationpriority: medium
audience: ITPro
author: levinec
ms.author: ellevin
ms.date: 05/10/2019
ms.reviewer:
manager: dansimp
---
@ -23,18 +22,16 @@ manager: dansimp
[Network protection](network-protection.md) helps prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
This topic helps you evaluate Network protection by enabling the feature and guiding you to a testing site. The site in this evaluation topic are not malicious, they are specially created websites that pretend to be malicious. The site will replicate the behavior that would happen if a user visited a malicious site or domain.
This article helps you evaluate Network protection by enabling the feature and guiding you to a testing site. The sites in this evaluation article aren't malicious. They're specially created websites that pretend to be malicious. The site will replicate the behavior that would happen if a user visited a malicious site or domain.
> [!TIP]
> You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to see how other protection features work.
## Enable network protection in audit mode
You can enable network protection in audit mode to see which IP addresses and domains would have been blocked if it was enabled.
Enable network protection in audit mode to see which IP addresses and domains would have been blocked. You can make sure it doesn't affect line-of-business apps, or get an idea of how often blocks occur.
You might want to do this to make sure it doesn't affect line-of-business apps or to get an idea of how often blocks occur.
1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator**
1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator**
2. Enter the following cmdlet:
```PowerShell
@ -61,7 +58,7 @@ To review apps that would have been blocked, open Event Viewer and filter for Ev
|1125 | Windows Defender (Operational) | Event when a network connection is audited |
|1126 | Windows Defender (Operational) | Event when a network connection is blocked |
## Related topics
## See also
* [Network protection](network-protection.md)
* [Enable network protection](enable-network-protection.md)

7
windows/security/threat-protection/microsoft-defender-atp/event-views.md
View File

@ -1,7 +1,6 @@
---
ms.reviewer:
title: Import custom views to see attack surface reduction events
description: Use Windows Event Viewer to import individual views for each of the features.
title: View attack surface reduction events
description: Import custom views to see attack surface reduction events.
keywords: event view, exploit guard, audit, review, events
search.product: eADQiWindows 10XVcnh
ms.prod: w10
@ -11,7 +10,7 @@ ms.localizationpriority: medium
audience: ITPro
author: levinec
ms.author: ellevin
ms.date: 03/26/2019
ms.reviewer:
manager: dansimp
---