From 67c9f1f29aa99e23a668830ba1248b97b0ea155f Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 8 Jan 2020 15:17:36 -0800 Subject: [PATCH 1/7] Update enable-exploit-protection.md --- .../enable-exploit-protection.md | 27 ++++++++++--------- 1 file changed, 14 insertions(+), 13 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md index 0f325b3497..5d3a707826 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md @@ -12,7 +12,7 @@ ms.localizationpriority: medium audience: ITPro author: levinec ms.author: ellevin -ms.date: 05/09/2019 +ms.date: 01/08/2020 ms.reviewer: manager: dansimp --- @@ -23,20 +23,18 @@ manager: dansimp * [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[Exploit protection](exploit-protection.md) helps protect against malware that uses exploits to infect devices and spread. It consists of a number of mitigations that can be applied to either the operating system or individual apps. +[Exploit protection](exploit-protection.md) helps protect against malware that uses exploits to infect devices and spread. Exploit protection consists of a number of mitigations that can be applied to either the operating system or individual apps. Many features from the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection. -You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Audit mode allows you to test how the mitigations would work (and review events) without impacting the normal use of the machine. - You can enable each mitigation separately by using any of these methods: -* [Windows Security app](#windows-security-app) -* [Microsoft Intune](#intune) -* [Mobile Device Management (MDM)](#mdm) -* [System Center Configuration Manager (SCCM)](#sccm) -* [Group Policy](#group-policy) -* [PowerShell](#powershell) +- [Windows Security app](#windows-security-app) +- [Microsoft Intune](#intune) +- [Mobile Device Management (MDM)](#mdm) +- [System Center Configuration Manager (SCCM)](#sccm) +- [Group Policy](#group-policy) +- [PowerShell](#powershell) They are configured by default in Windows 10. @@ -45,16 +43,19 @@ Some mitigations have additional options. You can [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) and deploy them to other machines. +You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Audit mode allows you to test how the mitigations would work (and review events) without impacting the normal use of the machine. + ## Windows Security app 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. -2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**. +2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection settings**. -3. Go to **Program settings** and choose the app you want to apply mitigations to: +3. Go to **Program settings** and choose the app you want to apply mitigations to.
+ 1. If the app you want to configure is already listed, click it and then click **Edit** - 2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app: + 2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app.
* Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. * Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. From df9a6bf6c49aaafd6ba886619d17d1a6da135377 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 8 Jan 2020 15:27:33 -0800 Subject: [PATCH 2/7] Update enable-exploit-protection.md --- .../enable-exploit-protection.md | 73 ++++++++----------- 1 file changed, 32 insertions(+), 41 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md index 5d3a707826..26b16a6530 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md @@ -52,21 +52,19 @@ You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Au 2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection settings**. 3. Go to **Program settings** and choose the app you want to apply mitigations to.
- - - 1. If the app you want to configure is already listed, click it and then click **Edit** - 2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app.
- * Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. - * Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. + - If the app you want to configure is already listed, click it and then click **Edit**. + - If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app.
+ - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. + - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. 4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows. -5. Repeat this for all the apps and mitigations you want to configure. +5. Repeat steps 3-4 for all the apps and mitigations you want to configure. -6. Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here: - * **On by default** - The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section - * **Off by default** - The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section - * **Use default** - The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation +6. Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here:
+ - **On by default**: The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section + - **Off by default**: The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section + - **Use default**: The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation 7. Repeat this for all the system-level mitigations you want to configure. Click **Apply** when you're done setting up your configuration. @@ -79,19 +77,15 @@ Enabled in **Program settings** | Enabled in **System settings** | Behavior [!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **System settings** [!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | Default as defined in **Use default** option -**Example 1** +### Example 1: Mikael configures Data Execution Prevention in system settings section to be off by default -Mikael configures **Data Execution Prevention (DEP)** in the **System settings** section to be **Off by default**. - -Mikael then adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, he enables the **Override system settings** option and sets the switch to **On**. There are no other apps listed in the **Program settings** section. +Mikael adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, he enables the **Override system settings** option and sets the switch to **On**. There are no other apps listed in the **Program settings** section. The result will be that DEP only will be enabled for *test.exe*. All other apps will not have DEP applied. -**Example 2** +### Example 2: Josie configures Data Execution Prevention in system settings to be off by default -Josie configures **Data Execution Prevention (DEP)** in the **System settings** section to be **Off by default**. - -Josie then adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, she enables the **Override system settings** option and sets the switch to **On**. +Josie adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, she enables the **Override system settings** option and sets the switch to **On**. Josie also adds the app *miles.exe* to the **Program settings** section and configures **Control flow guard (CFG)** to **On**. She doesn't enable the **Override system settings** option for DEP or any other mitigations for that app. @@ -102,28 +96,27 @@ CFG will be enabled for *miles.exe*. 2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**. -3. Go to **Program settings** and choose the app you want to apply mitigations to: - - 1. If the app you want to configure is already listed, click it and then click **Edit** - 2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app: - * Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. - * Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. +3. Go to **Program settings** and choose the app you want to apply mitigations to.
+ - If the app you want to configure is already listed, click it and then click **Edit**. + - If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app.
+ - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. + - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. 4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows. -5. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration. +5. Repeat steps 3-4 for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration. ## Intune 1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune. -1. Click **Device configuration** > **Profiles** > **Create profile**. -1. Name the profile, choose **Windows 10 and later** and **Endpoint protection**. +2. Click **Device configuration** > **Profiles** > **Create profile**. +3. Name the profile, choose **Windows 10 and later** and **Endpoint protection**. ![Create endpoint protection profile](../images/create-endpoint-protection-profile.png) -1. Click **Configure** > **Windows Defender Exploit Guard** > **Exploit protection**. -1. Upload an [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) with the exploit protection settings: +4. Click **Configure** > **Windows Defender Exploit Guard** > **Exploit protection**. +5. Upload an [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) with the exploit protection settings: ![Enable network protection in Intune](../images/enable-ep-intune.png) -1. Click **OK** to save each open blade and click **Create**. -1. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**. +6. Click **OK** to save each open blade and click **Create**. +7. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**. ## MDM @@ -132,21 +125,19 @@ Use the [./Vendor/MSFT/Policy/Config/ExploitGuard/ExploitProtectionSettings](htt ## SCCM 1. In System Center Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**. -1. Click **Home** > **Create Exploit Guard Policy**. -1. Enter a name and a description, click **Exploit protection**, and click **Next**. -1. Browse to the location of the exploit protection XML file and click **Next**. -1. Review the settings and click **Next** to create the policy. -1. After the policy is created, click **Close**. +2. Click **Home** > **Create Exploit Guard Policy**. +3. Enter a name and a description, click **Exploit protection**, and click **Next**. +4. Browse to the location of the exploit protection XML file and click **Next**. +5. Review the settings and click **Next** to create the policy. +6. After the policy is created, click **Close**. ## Group Policy 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. 1. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. - -1. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit Protection** > **Use a common set of exploit protection settings**. - -1. Click **Enabled** and type the location of the [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) and click **OK**. +2. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit Protection** > **Use a common set of exploit protection settings**. +3. Click **Enabled** and type the location of the [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) and click **OK**. ## PowerShell From 20076482964245337ae0355db6de40724814d0a2 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 8 Jan 2020 15:29:11 -0800 Subject: [PATCH 3/7] Update enable-exploit-protection.md --- .../microsoft-defender-atp/enable-exploit-protection.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md index 26b16a6530..73d6b7ed23 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md @@ -25,6 +25,9 @@ manager: dansimp [Exploit protection](exploit-protection.md) helps protect against malware that uses exploits to infect devices and spread. Exploit protection consists of a number of mitigations that can be applied to either the operating system or individual apps. +> [!IMPORTANT] +> .NET 2.0 is not compatible with some exploit protection capabilities, specifically, Export Address Filtering (EAF) and Import Address Filtering (IAF). If you have enabled .NET 2.0, usage of EAF and IAF are not supported. + Many features from the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection. You can enable each mitigation separately by using any of these methods: @@ -36,10 +39,7 @@ You can enable each mitigation separately by using any of these methods: - [Group Policy](#group-policy) - [PowerShell](#powershell) -They are configured by default in Windows 10. - -You can set each mitigation to on, off, or to its default value. -Some mitigations have additional options. +Exploit protection is configured by default in Windows 10. You can set each mitigation to on, off, or to its default value. Some mitigations have additional options. You can [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) and deploy them to other machines. From 8414a18bb79f3cf889b5c88e33498f73d6ea0cf2 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 8 Jan 2020 15:30:34 -0800 Subject: [PATCH 4/7] Update enable-exploit-protection.md --- .../microsoft-defender-atp/enable-exploit-protection.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md index 73d6b7ed23..1e00cd20dd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md @@ -10,8 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium audience: ITPro -author: levinec -ms.author: ellevin +author: denisebmsft +ms.author: deniseb ms.date: 01/08/2020 ms.reviewer: manager: dansimp From 7e395b4bbb522c1539b57dc1a1c12cab86ef71f3 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 8 Jan 2020 15:37:36 -0800 Subject: [PATCH 5/7] Update enable-exploit-protection.md --- .../enable-exploit-protection.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md index 1e00cd20dd..6c243891bb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md @@ -57,7 +57,7 @@ You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Au - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. -4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows. +4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You are notified if you need to restart the process or app, or if you need to restart Windows. 5. Repeat steps 3-4 for all the apps and mitigations you want to configure. @@ -66,7 +66,7 @@ You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Au - **Off by default**: The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section - **Use default**: The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation -7. Repeat this for all the system-level mitigations you want to configure. Click **Apply** when you're done setting up your configuration. +7. Repeat step 6 for all the system-level mitigations you want to configure. Click **Apply** when you're done setting up your configuration. If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work: @@ -79,15 +79,15 @@ Enabled in **Program settings** | Enabled in **System settings** | Behavior ### Example 1: Mikael configures Data Execution Prevention in system settings section to be off by default -Mikael adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, he enables the **Override system settings** option and sets the switch to **On**. There are no other apps listed in the **Program settings** section. +Mikael adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, Mikael enables the **Override system settings** option and sets the switch to **On**. There are no other apps listed in the **Program settings** section. The result will be that DEP only will be enabled for *test.exe*. All other apps will not have DEP applied. ### Example 2: Josie configures Data Execution Prevention in system settings to be off by default -Josie adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, she enables the **Override system settings** option and sets the switch to **On**. +Josie adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, Josie enables the **Override system settings** option and sets the switch to **On**. -Josie also adds the app *miles.exe* to the **Program settings** section and configures **Control flow guard (CFG)** to **On**. She doesn't enable the **Override system settings** option for DEP or any other mitigations for that app. +Josie also adds the app *miles.exe* to the **Program settings** section and configures **Control flow guard (CFG)** to **On**. Josie doesn't enable the **Override system settings** option for DEP or any other mitigations for that app. The result will be that DEP will be enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*. CFG will be enabled for *miles.exe*. @@ -116,7 +116,7 @@ CFG will be enabled for *miles.exe*. 5. Upload an [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) with the exploit protection settings: ![Enable network protection in Intune](../images/enable-ep-intune.png) 6. Click **OK** to save each open blade and click **Create**. -7. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**. +7. Click the profile. Assignments**, assign to **All Users & All Devices**, and click **Save**. ## MDM From 008df50151f6260e41b29d0b7f89398c71196226 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 8 Jan 2020 15:45:16 -0800 Subject: [PATCH 6/7] Update enable-exploit-protection.md --- .../microsoft-defender-atp/enable-exploit-protection.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md index 6c243891bb..1820384542 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md @@ -89,8 +89,7 @@ Josie adds the app *test.exe* to the **Program settings** section. In the option Josie also adds the app *miles.exe* to the **Program settings** section and configures **Control flow guard (CFG)** to **On**. Josie doesn't enable the **Override system settings** option for DEP or any other mitigations for that app. -The result will be that DEP will be enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*. -CFG will be enabled for *miles.exe*. +The result will be that DEP will be enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*. CFG will be enabled for *miles.exe*. 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. @@ -116,7 +115,7 @@ CFG will be enabled for *miles.exe*. 5. Upload an [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) with the exploit protection settings: ![Enable network protection in Intune](../images/enable-ep-intune.png) 6. Click **OK** to save each open blade and click **Create**. -7. Click the profile. Assignments**, assign to **All Users & All Devices**, and click **Save**. +7. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**. ## MDM From 870b00084417f26f40c5d1c805bc4f7df5204f4f Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Wed, 8 Jan 2020 16:10:21 -0800 Subject: [PATCH 7/7] Changed "dlls" to "DLLs" --- .../microsoft-defender-atp/enable-exploit-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md index 1820384542..36853a0451 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md @@ -221,7 +221,7 @@ Validate handle usage | App-level only | StrictHandle | Audit not available Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available -\[1\]: Use the following format to enable EAF modules for dlls for a process: +\[1\]: Use the following format to enable EAF modules for DLLs for a process: ```PowerShell Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll