final changes/tweaks to check meta before pub

This commit is contained in:
Iaan D'Souza-Wiltshire 2017-08-26 01:36:41 -07:00
parent 03ec999098
commit b003c3ccf6
21 changed files with 125 additions and 296 deletions

View File

@ -11,7 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
ms.date: 08/25/2017
---
@ -66,7 +66,7 @@ Insider Preview build 16232 or later (dated July 1, 2017 or later) | [Windows De
## Review Attack Surface Reduction events in Windows Event Viewer
You can review the Windows event log to see events there are created when an Attack Surface Reduction rule is triggered:
You can review the Windows event log to see events that are created when an Attack Surface Reduction rule is triggered (or audited):
1. Download the [Exploit Guard Evaluation Package](#) and extract the file *asr-events.xml* to an easily accessible location on the machine.
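Review bot: the download link in step 1 is still a placeholder, `[Exploit Guard Evaluation Package](#)`; since this commit is the pre-publication pass, the `#` needs to be replaced with the real package URL (the same placeholder appears in the equivalent step of the other event-viewer sections in this commit).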
@ -74,6 +74,8 @@ You can review the Windows event log to see events there are created when an Att
2. On the left panel, under **Actions**, click **Import custom view...**
![](images/events-import.gif)
3. Navigate to the Exploit Guard Evaluation Package, and select the file *asr-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
4. Click **OK**.

View File

@ -1,5 +1,5 @@
---
title: Test how the features will work in your organization
title: Test how Windows Defender EG features will work in your organization
description: Audit mode lets you use the event log to see how Windows Defender Exploit Guard would protect your devices if it were enabled
keywords: exploit guard, audit, auditing, mode, enabled, disabled, test, demo, evaluate, lab
search.product: eADQiWindows 10XVcnh
@ -11,7 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
ms.date: 08/25/2017
---
@ -36,13 +36,12 @@ While the features will not block or prevent apps, scripts, or files from being
You can use Windows Defender Advanced Threat Protection to get greater granularity into each event, especially for investigating Attack Surface Reduction rules. Using the Windows Defender ATP console lets you [investigate issues as part of the alert timeline and investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection).
This topic links to topics that describe how to enable the audit functionality for each feature and how to view events in the Windows Event Viewer.
This topic provides links that describe how to enable the audit functionality for each feature and how to view events in the Windows Event Viewer.
You can use Group Policy, PowerShell, and configuration servicer providers (CSPs) to enable audit mode.
Audit options | How to enable audit mode | How to view events
- | - | -
Audit applies to all events | [Enable Controlled Folder Access](enable-controlled-folders-exploit-guard.md#enable-and-audit-controlled-folder-access) | [Controlled Folder Access events](controlled-folders-exploit-guard.md#review-controlled-folder-access-events-in-windows-event-viewer)
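Review bot: typo on the line "You can use Group Policy, PowerShell, and configuration servicer providers (CSPs)": "servicer providers" should read "service providers", matching the "Configuration service providers" wording used elsewhere on these pages.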
@ -51,6 +50,25 @@ Audit applies to all events | [Enable Network Protection](enable-network-protect
Audit applies to individual mitigations | [Enable Exploit Protection](enable-exploit-protection.md#enable-and-audit-exploit-protection) | [Exploit Protection events](exploit-protection-exploit-guard.md#review-exploit-protection-events-in-windows-event-viewer)
You can also use the a custom PowerShell script that enables the features in audit mode automatically:
1. Download the [Exploit Guard Evaluation Package](#) and extract the file *Enable-ExploitGuardAuditMode.ps1* to an easily accessible location on the machine.
1. Type **powershell** in the Start menu.
2. Right-click **Windows PowerShell**, click **Run as administrator** and click **Yes** or enter admin credentials at the prompt.
3. Enter the following in the PowerShell window to enable Controlled Folder Access and Attack Surface Reduction in audie mode:
```PowerShell
Set-ExecutionPolicy Bypass -Force
<location>\Enable-ExploitGuardAuditMode.ps1
```
Replace \<location> with the folder path where you placed the file.
A message should appear to indicate that audit mode was enabled.
## Related topics
Topic | Description
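Review bot: several problems in the new script steps. "You can also use the a custom PowerShell script" has a stray article; "in audie mode" should be "in audit mode"; and the steps are numbered 1, 1, 2, 3, so the Download step and the Type **powershell** step both carry "1." and should be renumbered 1 to 4. On the code itself, `Set-ExecutionPolicy Bypass -Force` changes the machine-wide policy for the current user and it stays changed after the window closes; for a one-off evaluation script, `Set-ExecutionPolicy Bypass -Scope Process -Force` gives the same effect for this session only and is the safer thing to put in a doc that readers will paste verbatim.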
@ -62,11 +80,3 @@ Topic | Description
## Enabling Windows Defender EG rules in audit mode
Use the script Enable-ExploitGuardAuditMode.ps1 to turn on the ASR rules and Controlled Folder Access into audit mode via Local GP on a device. This allows one to observe how the rules would perform across various machines in your system, and determine which can be turned on in Block mode and if any exclusions need to be applied.
**Note:** Rename Enable-ExploitGuardAuditMode.rename to Enable-ExploitGuardAuditMode.ps1
Run the following in an elevated powershell prompt:
- Set-ExecutionPolicy Bypass -Force
- .\Enable-ExploitGuardAuditMode.ps1
Successful output should indicate ASR and Controlled Folder Access were turned on in audit mode
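Review bot: the removed section told the reader to rename `Enable-ExploitGuardAuditMode.rename` to `Enable-ExploitGuardAuditMode.ps1`; the replacement steps added above assume the package already contains `Enable-ExploitGuardAuditMode.ps1`. Please confirm the evaluation package now ships the script with a `.ps1` extension, otherwise the rename instruction needs to survive in the new steps.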

View File

@ -1,56 +0,0 @@
---
title: Configure how ASR works so you can finetune the protection in your network
description: You can individually set rules in audit, block, or disabled modes, and add files and folders that should be excluded from ASR
keywords: Attack Surface Reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, customize, configure, exclude
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
---
# Customize Attack Surface Reduction
**Applies to:**
- Windows 10 Insider Preview
[!include[Prerelease information](prerelease.md)]
**Audience**
- Enterprise security administrators
**Manageability available with**
- Windows Defender Security Center app
- Group Policy
- PowerShell
- Configuration service providers for mobile device management
## App-specific mitigations
What is the scope for these? Any app? Only Windows/system services? Signed apps? Known bad apps?
1. Configure
2. Export
3. Import
## Related topics
- [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md)
- [Enable Attack Surface Reduction](enable-attack-surface-reduction.md)
- [Evaluate Attack Surface Reduction](evaluate-attack-surface-reduction.md)
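Review bot: deleting this draft (H1 "Customize Attack Surface Reduction", which appears to be customize-attack-surface-reduction.md) is fine given its placeholder content, but two other files in this same commit add links to `customize-attack-surface-reduction.md#customize-the-notification` (the Controlled Folder Access and Exploit Protection topics). Those links will be dangling once this file is gone; they should point at the "Customize the notification" sections being added to the customize-controlled-folders and customize-exploit-protection topics instead.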

View File

@ -1,103 +0,0 @@
---
title: Configure how ASR works so you can finetune the protection in your network
description: You can individually set rules in audit, block, or disabled modes, and add files and folders that should be excluded from ASR
keywords: Attack Surface Reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, customize, configure, exclude
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
---
# Customize Attack Surface Reduction
**Applies to:**
- Windows 10 Insider Preview
[!include[Prerelease information](prerelease.md)]
**Audience**
- Enterprise security administrators
**Manageability available with**
- Windows Defender Security Center app
- Group Policy
- PowerShell
- Configuration service providers for mobile device management
## System-level mitigations
What is the scope for these? Any app? Only Windows/system services? Signed apps? Known bad apps?
System-level mitigations are applied to...
You can set each of the following system-level mitigations to on, off, or the default value:
Mitigation | Default value
Control flow guard | On
Data execution prevention | On
Force randomization for images (Mandatory ASLR) | Off
Randomize memory allocations (Bottom-up ASLR) | On
Validate exception chains (SEHOP) | On
Validate heap integrity | Off
Generally, the default values should be used to...
### Control flow guard
### Data execution prevention
### Force randomization for images (Mandatory ASLR)
### Randomize memory allocations (Bottom-up ASLR)
### Validate exception chains (SEHOP)
### Validate heap integrity
### Configure system-level mitigations
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:
![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center](../windows-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png)
3. Under the **Controlled folder access** section, click **Protected folders**
4. Click **Add a protected folder** and follow the prompts to add apps.
![](images/cfa-prot-folders.png)
You can now export these settings as an XML file. This allows you to copy the configuration from one machine onto other machines.
## Related topics
- [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md)
- [Enable Attack Surface Reduction](enable-attack-surface-reduction.md)
- [Evaluate Attack Surface Reduction](evaluate-attack-surface-reduction.md)
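Review bot: this second deleted draft carries the same front matter title as the first one ("Configure how ASR works...") but its body is the system-level mitigation table (Control flow guard, DEP, Mandatory ASLR, Bottom-up ASLR, SEHOP, heap integrity, with defaults). Please check that the defaults table is present in the surviving customize-exploit-protection topic before dropping it here; nothing else in this commit shows those default values.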

View File

@ -11,7 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
ms.date: 08/25/2017
---
@ -48,7 +48,7 @@ All apps (any executable file, including .exe, .scr, .dll files and others) are
This is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/en-us/wdsi/threats/ransomware) that can attempt to encrypt your files and hold them hostage.
A notification will appear on the machine where the app attempted to make changes to a protected folder.
A notification will appear on the machine where the app attempted to make changes to a protected folder. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.
The protected folders include common system folders, and you can [add additional folders](customize-controlled-folders-exploit-guard.md#protect-additional-folders). You can also [allow or whitelist apps](customize-controlled-folders-exploit-guard.md#allow-specifc-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders.
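Review bot: the added sentence links to `customize-attack-surface-reduction.md#customize-the-notification`, a file this commit deletes; the Controlled Folder Access page should link to its own customize-controlled-folders topic, where the "Customize the notification" section is being added. The trailing sentence "You can also enable the rules individually to customize what techniques the feature monitors" reads as copied from the Attack Surface Reduction page; Controlled Folder Access as described on this page has no individual rules, so it should be dropped. Also, the context line's anchor `#allow-specifc-apps-to-make-changes-to-controlled-folders` misspells "specific"; confirm it matches the actual heading slug.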
@ -67,7 +67,7 @@ Insider Preview build 16232 or later (dated July 1, 2017 or later) | [Windows De
## Review Controlled Folder Access events in Windows Event Viewer
You can review the Windows event log to see events there are created when Controlled Folder Access blocks (or audits) an app:
You can review the Windows event log to see events that are created when Controlled Folder Access blocks (or audits) an app:
1. Download the [Exploit Guard Evaluation Package](#) and extract the file *cfa-events.xml* to an easily accessible location on the machine.
@ -75,6 +75,8 @@ You can review the Windows event log to see events there are created when Contro
3. On the left panel, under **Actions**, click **Import custom view...**
![](images/events-import.gif)
4. Navigate to where you extracted *cfa-events.xml* and select it. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
4. Click **OK**.
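Review bot: the step numbers collide: "4. Navigate to where you extracted *cfa-events.xml*" is followed by "4. Click **OK**". The final step should be 5.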

View File

@ -11,7 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
ms.date: 08/25/2017
---
@ -184,7 +184,9 @@ Continue to use `Add-MpPreference -ControlledFolderAccessAllowedApplications` to
Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersAllowedApplications](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-guardedfoldersallowedapplications) configuration service provider (CSP) to allow apps to make changes to protected folders.
## Customize the notification
See the [Windows Defender Security Center](../windows-defender-security-center/windows-defender-security-center#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file.
## Related topics
- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md)
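Review bot: the new link target `../windows-defender-security-center/windows-defender-security-center#customize-notifications-from-the-windows-defender-security-center` has no `.md` extension, unlike every other relative link on these pages (for example `controlled-folders-exploit-guard.md`). Add `.md` before the `#` so the docs build resolves it.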

View File

@ -11,7 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
ms.date: 08/25/2017
---
# Customize Exploit Protection
@ -128,11 +128,13 @@ Exporting the configuration as an XML file allows you to copy the configuration
4. After selecting the app, you'll see a list of all the mitigations that can be applied. To enable the mitigation, click the check box and then change the slider to **On**. Select any additional options. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.
5. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration.
![](images/wdsc-exp-prot-app-settings-options.png)
You can now [export these settings as an XML file](import-export-exploit-protection-emet-xml) or return to configure system-level mitigations.
Exporting the configuration as an XML file allows you to copy the configuration from one machine onto other machines.
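Review bot: the added link `[export these settings as an XML file](import-export-exploit-protection-emet-xml)` is missing the `.md` extension; other links in this commit use `import-export-exploit-protection-emet-xml.md`.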
@ -148,15 +150,15 @@ Exporting the configuration as an XML file allows you to copy the configuration
You can use the PowerShell verb `Get` or `Set` with the cmdlet `ProcessMitigation`. Using `Get` will list the current configuration status of any mitigations that have been enabled on the device - add the `-Name` cmdlet and app exe to see mitigations for just that app:
```
```PowerShell
Get-ProcessMitigation -Name processName.exe
```
Use `Set` to configure each mitigation in the following format:
```PowerShell
Set-ProcessMitigation -<scope> <app executable> -<action> <mitigation or options>,<mitigation or options>,<mitigation or options>
```
Set-ProcessMitigation -<scope> <app executable> -<action> <mitigation or options>,<mitigation or options>,<mitigation or options>
```
Where:
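Review bot: the fence language tag fix is good, but the surrounding sentence calls `-Name` a cmdlet ("add the `-Name` cmdlet and app exe"); `-Name` is a parameter of `Get-ProcessMitigation`, and the text should say so to avoid confusing readers who are new to PowerShell.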
@ -174,8 +176,8 @@ Where:
For example, to enable the Data Execution Prevention (DEP) mitigation with ATL thunk emulation and for an executable called *testing.exe* in the folder *C:\Apps\LOB\tests*, and to prevent that executable from creating child processes, you'd use the following command:
```PowerShell
Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable DEP, EmulateAtlThunks, DisallowChildProcessCreation
```
Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable DEP, EmulateAtlThunks, DisallowChildProcessCreation
```
>[!IMPORTANT]
>Seperate each mitigation option with commas.
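Review bot: typo in the IMPORTANT callout, "Seperate" should be "Separate".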
@ -183,16 +185,16 @@ Where:
If you wanted to apply DEP at the system level, you'd use the following command:
```PowerShell
Set-Processmitigation -System -Enable DEP
```
Set-Processmitigation -System -Enable DEP
```
To disable mitigations, you can replace `-Enable` with `-Disable`. However, for app-level mitigations, this will force the mitigation to be disabled only for that app.
If you need to restore the mitigation back to the system default, you need to include the `-Remove` cmdlet as well, as in the following example:
```PowerShell
Set-Processmitigation -Name test.exe -Remove -Disable DEP
```
Set-Processmitigation -Name test.exe -Remove -Disable DEP
```
You can also set some mitigations to audit mode. Instead of using the PowerShell cmdlet for the mitigation, use the **Audit mode** cmdlet as specified in the [mitigation cmdlets table](#cmdlets-table) below.
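Review bot: terminology and casing in this hunk. `-Remove` is described as a cmdlet ("include the `-Remove` cmdlet"); it is a parameter of `Set-ProcessMitigation`, and likewise "use the **Audit mode** cmdlet" should read "the audit-mode option" since the table lists parameter values, not cmdlets. The cmdlet is spelled `Set-Processmitigation` in the two examples here but `Set-ProcessMitigation` everywhere else; PowerShell does not care, but copy-paste readers will, so use one spelling.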
@ -200,8 +202,8 @@ Where:
For example, to enable Arbitrary Code Guard (ACG) in audit mode for the *testing.exe* used in the example above, you'd use the following command:
```PowerShell
Set-ProcesMitigation -Name c:\apps\lob\tests\testing.exe -Enable AuditDynamicCode
```
Set-ProcesMitigation -Name c:\apps\lob\tests\testing.exe -Enable AuditDynamicCode
```
You can disable audit mode by using the same command but replacing `-Enable` with `-Disable`.
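Review bot: the example uses `Set-ProcesMitigation` (one "s"), which is not the cmdlet name and will fail with a "not recognized" error if pasted; it should be `Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable AuditDynamicCode`. The whitespace-only change in this hunk did not catch it.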
@ -226,7 +228,7 @@ Block remote images | App-level only | BlockRemoteImages | Audit not availabl
Block untrusted fonts | App-level only | DisableNonSystemFonts | AuditFont, FontAuditOnly
Code integrity guard | App-level only | BlockNonMicrosoftSigned, AllowStoreSigned | AuditMicrosoftSigned, AuditStoreSigned
Disable extension points | App-level only | ExtensionPoint | Audit not available
Disable Win32k system calls | App-level only | DisableWin32kSystemCalls | AuditSystemCall
Disable Win32k system calls | App-level only | DisableWin32kSystemCalls | AuditSystemCall
Do not allow child processes | App-level only | DisallowChildProcessCreation | AuditChildProcess
Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter <a href="r1" id="t1">\[1\]</a> | Audit not available
Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available
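Review bot: the footnote link in the EAF row, `<a href="r1" id="t1">\[1\]</a>`, points at a relative URL `r1` rather than the in-page anchor `#r1`, so clicking it will navigate away from the page instead of jumping to the footnote. The same applies to the back-reference below the table.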
@ -240,9 +242,14 @@ Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot
<a href="t1" id="r1">\[1\]</a>: Use the following format to enable EAF modules for dlls for a process:
```
Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll
```
```PowerShell
Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll
```
## Customize the notification
See the [Windows Defender Security Center](../windows-defender-security-center/windows-defender-security-center#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file.
## Related topics
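Review bot: two follow-ups on this hunk. The footnote back-reference `<a href="t1" id="r1">` needs `href="#t1"` to work as an in-page link. The new "Customize the notification" section links to `../windows-defender-security-center/windows-defender-security-center#...` without a `.md` extension, inconsistent with the other relative links in this file.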

View File

@ -11,7 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
ms.date: 08/25/2017
---

View File

@ -11,7 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
ms.date: 08/25/2017
---
@ -54,28 +54,16 @@ You can also manually add the rules from the following table:
Rule description | GUIDs
-|-
Block executable content from email client and webmail. | be9ba2d9-53ea-4cdc-84e5-9b1eeee46550
Block Office applications from creating child processes | {d4f940ab-401b-4efc-aadc-ad5f3c50688a}
Block Office applications from creating executable content | {3b576869-a4ec-4529-8536-b80a7769e899}
Block Office applications from injecting into other processes | {75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84}
Impede JavaScript and VBScript to launch executables | {d3e037e1-3eb8-44c8-a917-57927947596d}
Block execution of potentially obfuscated scripts | {5beb7efe-fd9a-4556-801d-275e5ffc04cc}
Block Win32 imports from Macro code in Office | {92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B}
>[!NOTE]
>I don't see this rule in the test tool
Block executable content from email client and webmail. | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
Block Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899
Block Office applications from injecting into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
Impede JavaScript and VBScript to launch executables | D3E037E1-3EB8-44C8-A917-57927947596D
Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
Block Win32 imports from Macro code in Office | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
See the [Evaluate Attack Surface Reduction rules](evaluate-attack-surface-reduction.md) topic for details on each rule.
>[!NOTE]
>Are we revealing the rule GUIDs? Will they appear on E5 machines?
### Use Group Policy to enable Attack Surface Reduction rules
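Review bot: normalising the GUIDs to one format (uppercase, no braces) is the right call, but the first row still ends with a period ("Block executable content from email client and webmail.") while no other row does; drop it. "Impede JavaScript and VBScript to launch executables" is ungrammatical and should be something like "Block JavaScript and VBScript from launching executables", keeping the rule name consistent with the "Block ..." phrasing of the other rows.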
@ -107,12 +95,8 @@ See the [Evaluate Attack Surface Reduction rules](evaluate-attack-surface-reduct
```PowerShell
Add-MpPreference -AttackSurfaceReductionRules_Ids <rule ID>
```
>[!NOTE]
>Not sure if this is right. What does AttackSurfaceReductionRules_Actions do? Do you need to add $TRUE/$FALSE or 1/0 at the end to enable it? Does the rule need to go in " or {}? Some examples would be handy here I think
You can enable the feauting in audit mode using the following cmdlet:
You can enable the feature in audit mode using the following cmdlet:
```PowerShell
Set-MpPreference -AttackSurfaceReductionRules_Actions AuditMode
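Review bot: the removed note asked what `AttackSurfaceReductionRules_Actions` does and whether an example is needed, and this hunk deletes the question without answering it. As written, `Add-MpPreference -AttackSurfaceReductionRules_Ids <rule ID>` says nothing about the action, and the following `Set-MpPreference -AttackSurfaceReductionRules_Actions AuditMode` says nothing about which rule ID it applies to, so a reader cannot tell that the two parameters are meant to be used together. Suggest showing one complete example with both, using a GUID from the table above, for example `Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled`, and the same shape with `AuditMode` for the audit case.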
@ -120,8 +104,6 @@ Set-MpPreference -AttackSurfaceReductionRules_Actions AuditMode
Use `Disabled` insead of `AuditMode` or `Enabled` to turn the feature off.
>[!NOTE]
>We need to walk through this so I understand how it works
### Use MDM CSPs to enable Attack Surface Reduction rules
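Review bot: typo on the context line "Use `Disabled` insead of `AuditMode`": "insead" should be "instead" (the same typo is in the Network Protection enable topic in this commit).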

View File

@ -11,7 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
ms.date: 08/25/2017
---

View File

@ -1,7 +1,7 @@
---
title:
keywords:
description:
title: Turn on Exploit Protection to help mitigate against attacks
keywords: exploit, mitigation, attacks, vulnerability
description: Exploit Protection in Windows 10 provides advanced configuration over the settings offered in EMET.
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@ -11,7 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
ms.date: 08/25/2017
---
@ -40,7 +40,7 @@ ms.date:08/25/2017
Exploit Protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level.
Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751)) are included in Exploit Protection.
Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) are included in Exploit Protection.
It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
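Review bot: the double-parenthesis fix is fine, but the sentence above it, "Exploit Protection applies helps protect devices from malware that use exploits to spread and infect", has a leftover word; it should read "Exploit Protection helps protect devices from malware that uses exploits to spread and infect."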

View File

@ -11,7 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
ms.date: 08/25/2017
---
@ -80,9 +80,9 @@ For background information on how audit mode works, and when you might want to u
You can enable the feauting in audit mode using the following cmdlet:
```
Set-MpPreference -EnableNetworkProtection AuditMode
```
```
Set-MpPreference -EnableNetworkProtection AuditMode
```
Use `Disabled` insead of `AuditMode` or `Enabled` to turn the feature off.
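Review bot: this hunk only reflows the code block; two typos on the surrounding lines remain ("feauting" for "feature", and "insead" for "instead"), and the fence is left as a bare ``` whereas the parallel fix in the Attack Surface Reduction enable topic tagged it ```PowerShell. Apply the same tag here for consistent highlighting.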

View File

@ -55,8 +55,6 @@ The tool is part of the Windows Defender Exploit Guard evaluation package:
This tool has a simple user interface that lets you choose a rule, configure it in blocking, audit, or disabled mode, and run a pre-created series of actions that would be evaluated by the rule.
You can also set advanced options, including setting a delay, choosing a specific scenario, and how to view a record of the events.
When you run a scenario, you will see what the scenario entails, what the rule is set to, and what actions were taken.
![](images/asr-test-tool.png)
@ -90,10 +88,6 @@ You can right-click on the output window and click **Open Event Viewer** to see
>[!TIP]
>You can click **Save Filter to Custom View...** in the Event Viewer to create a custom view so you can easily come back to this view as you continue to evaluate rules.
>[!NOTE]
>TODO: Need to remove dirty + delay from tool
Choosing the **Mode** will change how the rule functions:
@ -125,18 +119,12 @@ Scenario name | File type | Program
Random | A scenario will be randomly chosen from this list | Microsoft Outlook or web mail
Mail Client PE | Executable files (such as .exe, .dll, or .scr) | Microsoft Outlook
Mail Client Script | Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) | Microsoft Outlook
Mail Client Script Archive | Script archive files (such as .????) | Microsoft Outlook
Mail Client Script Archive | Script archive files | Microsoft Outlook
WebMail PE | Executable files (such as .exe, .dll, or .scr) | Web mail, such as gmail, outlook, hotmail
WebMail Script | Script files (such as a PowerShell .ps, VBScript .vbs, or JavaScript .js file) | Web mail
WebMail Script Archive | Script archive files (such as .????) | Web mail
WebMail Script Archive | Script archive files | Web mail
>[!NOTE]
>Todo: Add example script archive file
>[!NOTE]
>WebMail rules are currently being engineered and may not work as expected
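Review bot: removing the ".????" placeholders and the TODO is right, but both script rows still describe "a PowerShell .ps" file; the PowerShell script extension is `.ps1`, so the text should read "PowerShell .ps1". If the "WebMail rules are currently being engineered" note is staying in, it needs an owner and a date, otherwise it will ship as-is.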
### Rule: Block Office applications from creating child processes
>[!NOTE]
@ -154,13 +142,6 @@ The following scenarios can be individually chosen:
- A scenario will be randomly chosen from this list
- Extension Block
- Extensions will be blocked from being used by Office apps. Typically these extensions use the Windows Scripting Host (.wsh files) to run scripts that automate certain tasks or provide user-created add-on features.
- MZ Block
- ???
>[!NOTE]
>Todo: add desription on MZ Block
### Rule: Block Office applications from injecting into other processes
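Review bot: the "MZ Block" list item is deleted together with its "???" description and TODO, so the scenario list now documents only "Extension Block" (plus random). If the test tool still offers an MZ Block scenario, the list is incomplete; either document it or confirm the scenario was removed from the tool.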
@ -208,7 +189,7 @@ You can also review the Windows event log to see the events there were created w
2. On the left panel, under **Actions**, click **Import custom view...**
3. Navigate to the Exploit Guard Evaluation Package, and select the file *asr-events.xml*. Alternatively, [download the XML directly](scripts/asr-events.xml).
3. Navigate to the Exploit Guard Evaluation Package, and select the file *asr-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
4. Click **OK**.

View File

@ -73,11 +73,11 @@ You can enable Controlled Folder Access, run the tool, and see what the experien
6. You'll be asked to specify a name and location for the file. You can choose anything you wish to test.
![](images/cfa-filecreator.png)
![](images/cfa-filecreator.png)
7. A notification will appear, indicating that the tool was prevented from creating the file, as in the following example:
![](images/cfa-notif.png)
![](images/cfa-notif.png)
## Review Controlled Folder Access events in Windows Event Viewer
@ -87,7 +87,7 @@ You can also review the Windows event log to see the events there were created w
2. On the left panel, under **Actions**, click **Import custom view...**
3. Navigate to the Exploit Guard Evaluation Package, and select the file *cfa-events.xml*. Alternatively, [download the XML directly](scripts/cfa-events.xml).
3. Navigate to the Exploit Guard Evaluation Package, and select the file *cfa-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
4. Click **OK**.

View File

@ -49,7 +49,7 @@ This topcs helps you evaluate Exploit Protection. See the [Exploit Protection to
## Enable and validate an Exploit Protection mitigation
For this demo we're going to enable the mitigation that prevents child processes from being created. We'll use Internet Explorer as the parent app.
For this demo you will enable the mitigation that prevents child processes from being created. You'll use Internet Explorer as the parent app.
First, enable the mitigation using PowerShell, and then confirm that it has been applied in the Windows Defender Security Center app:
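Review bot: the "we" to "you" change is fine; the hunk header context line "This topcs helps you evaluate Exploit Protection" has a typo, "topcs" should be "topic".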
@ -69,7 +69,7 @@ First, enable the mitigation using PowerShell, and then confirm that it has been
4. Find the **Do not allow child processes** setting and make sure that **Override System settings** is enabled and the switch is set to **On**.
Now that we know the mitigation has been enabled, we can test to see if it works and what the experience would be for an end user:
Now that you know the mitigation has been enabled, you can test to see if it works and what the experience would be for an end user:
1. Type **run** in the Start menu andp ress **Enter** to open the run dialog box.
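Review bot: typo on the step after the rewritten sentence: "andp ress **Enter**" should be "and press **Enter**".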

View File

@ -36,7 +36,9 @@ ms.date: 08/25/2017
Network Protection is a feature that is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). It helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
Network Protection is a feature that is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
It helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
This topic helps you evaluate Network Protection by enabling the feature and guiding you to a testing site.
@ -59,7 +61,7 @@ You can also carry out the processes described in this topic in audit or disable
1. Open Internet Explorer, Google Chrome, or any other browser of your choice.
1. Go to [https://smartscreentestratings2.net](https://smartscreentestratings2.net).
> should we add https://smartscreentestratings2.net/index.html as the test site for this example. Display a sample phishing site, and then show what happens when you go to it with Network Protection enabled
You will get a 403 Forbidden response in the browser, and you will see a notification that the network connnection was blocked.
![](images/np-notif.png)
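Review bot: the internal question about the test site is removed, good; the sentence that follows still has "network connnection" (three n's), which should be "network connection".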
@ -73,7 +75,7 @@ You can also review the Windows event log to see the events there were created w
2. On the left panel, under **Actions**, click **Import custom view...**
3. Navigate to the Exploit Guard Evaluation Package, and select the file *np-events.xml*. Alternatively, [download the XML directly](scripts/np-events.xml).
3. Navigate to the Exploit Guard Evaluation Package, and select the file *np-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
4. Click **OK**.

View File

@ -1,7 +1,7 @@
---
title: Use Attack Surface Reduction rules to prevent malware infection
description: ASR rules can help prevent exploits from using apps and scripts to infect machines with malware
keywords: Attack Surface Reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention
title: Import custom views in XML to see Windows Defender Exploit Guard events
description: Use Windows Event Viewer to import individual views for each of the features.
keywords: event view, exploit guard, audit, review, events
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@ -12,7 +12,6 @@ ms.date: 08/25/2017
localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
---
@ -146,7 +145,7 @@ The easiest way to do this is to import a custom view as an XML file. You can ob
All Windows Defender Exploit Guard events are located under **Applications and Services Logs > Microsoft > Windows** and then the folder or provider as listed in the following table.
Feature | Provider/source | Event ID | Description
-|-|:-:|-
:-|:-|:-:|:-
Exploit Protection | Security-Mitigations | 1 | ACG audit
Exploit Protection | Security-Mitigations | 2 | ACG enforce
Exploit Protection | Security-Mitigations | 3 | Do not allow child processes audit

View File

@ -1,6 +1,7 @@
---
title:
keywords:
title: Apply mitigations that help prevent attacks that use vulnerabilities in software
keywords: mitigations, vulnerabilities, vulnerability, mitigation, exploit, exploits, emet
description: Exploit Protection in Windows 10 provides advanced configuration over the settings offered in EMET.
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
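Review bot: the new description, "Exploit Protection in Windows 10 provides advanced configuration over the settings offered in EMET.", is identical to the description added to the enable-exploit-protection topic in this commit. Two pages with the same description hurt search results; give this overview page its own description (for example one built from the title, "Apply mitigations that help prevent attacks that use vulnerabilities in software").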
@ -45,12 +46,14 @@ Exploit Protection works best with [Windows Defender Advanced Threat Protection]
You [configure these settings using the Windows Defender Security Center app or PowerShell](customize-exploit-protection.md) on an individual machine, and then [export the configuration as an XML file that you can deploy to other machines](import-export-exploit-protection-emet-xml.md). You can use Group Policy to distribute the XML file to multiple devices at once.
When a mitigation is encountered on the machine, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.
You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Exploit Protection would impact your organization if it were enabled.
Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) have been included in Exploit Protection, and you can convert and import existing EMET configuration profiles into Exploit Protection.
>[!IMPORTANT]
>If you are currently using EMET you should be aware that [EMET will reach end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with Exploit Protection in Windows 10.
>If you are currently using EMET you should be aware that [EMET will reach end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with Exploit Protection in Windows 10. You can [convert an existing EMET configuration file into Exploit Protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings.
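Review bot: the paragraph beginning "When a mitigation is encountered on the machine" looks copied from the Attack Surface Reduction topic: its customize link points at `customize-attack-surface-reduction.md#customize-the-notification`, and "You can also enable the rules individually to customize what techniques the feature monitors" refers to ASR rules, whereas Exploit Protection is configured as system-wide and per-app mitigations, as the paragraph above it says. Point the link at the Exploit Protection customization topic and reword the rules sentence in terms of individual mitigations. The conversion link added to the IMPORTANT callout is useful; the paragraph above it already mentions converting EMET profiles and could carry the same link so it is not only inside the callout.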
@ -65,7 +68,7 @@ Insider Preview build 16232 or later (dated July 1, 2017 or later) | For full re
## Review Exploit Protection events in Windows Event Viewer
You can review the Windows event log to see events there are created when Exploit Protection blocks (or audits) an app:
You can review the Windows event log to see events that are created when Exploit Protection blocks (or audits) an app:
1. Download the [Exploit Guard Evaluation Package](#) and extract the file *ep-events.xml* to an easily accessible location on the machine.
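Review bot: the download link `[Exploit Guard Evaluation Package](#)` in step 1 is still a `#` placeholder and will render as a link to the top of the page; it needs the real URL (or an explicit TODO marker) before publishing. The change from "events there are created" to "events that are created" is the correct grammar fix.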
@ -73,6 +76,8 @@ You can review the Windows event log to see events there are created when Exploi
3. On the left panel, under **Actions**, click **Import custom view...**
![](images/events-import.gif)
4. Navigate to where you extracted *ep-events.xml* and select it. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
4. Click **OK**.
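Review bot: the step numbering is now 3, 4, 4: "Navigate to where you extracted *ep-events.xml*" and "Click **OK**" both carry `4.`, so the final step should be `5.`. The inserted image `![](images/events-import.gif)` also has empty alt text; give it a short description such as "Import custom view option in Event Viewer" so screen readers announce something for it.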
@ -115,4 +120,6 @@ Topic | Description
---|---
[Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) | Many of the features in the EMET are now included in Exploit Protection. This topic identifies those features and explains how the features have changed or evolved.
[Evaluate Exploit Protection](evaluate-exploit-protection.md) | Undertake a demo scenario to see how Exploit Protection mitigations can protect your network from malicious and suspicious behavior.
[Enable Exploit Protection](enable-exploit-protection.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage Exploit Protection in your network. See how to configure mitigations for the operating system and for individual apps, and how to export, import, and deploy the settings across your organization. You can also convert an existing EMET configuration profile and import it into Exploit Protection.
[Enable Exploit Protection](enable-exploit-protection.md) | Use Group Policy or PowerShell to enable and manage Exploit Protection in your network.
[Customize and configure Exploit Protection](customize-exploit-protection.md) | Configure mitigations for the operating system and for individual apps.
[Import, export, and deploy Exploit Protection configurations](import-export-exploit-protection-emet-xml.md) | Export, import, and deploy the settings across your organization. You can also convert an existing EMET configuration profile and import it into Exploit Protection.
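Review bot: the new "Enable Exploit Protection" row says "Use Group Policy or PowerShell" while the row it replaces said "Group Policy, PowerShell, or MDM CSPs"; if Exploit Protection can still be managed through a CSP, the MDM option should stay in the enable row (the Network Protection table elsewhere in this commit keeps "Group Policy, PowerShell, or MDM CSPs"). Splitting the long row into separate enable, customize, and import/export rows matches the separate topics and is an improvement.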

View File

@ -11,7 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
ms.date: 08/25/2017
---
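Review bot: `ms.date:08/25/2017` has no space after the colon, so a YAML parser does not read it as a key/value pair (the whole line parses as a single scalar) and `ms.date` would be missing from the page metadata; the fix to `ms.date: 08/25/2017` is right, and it is worth grepping the rest of the folder for the same `key:value` pattern, since the same defect appears in more than one file in this commit.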
@ -36,14 +36,15 @@ ms.date:08/25/2017
- Configuration service providers for mobile device management
Network Protection help prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. By bringing smartscreen intel down onto the client, Network Protection block all outboud HTTP/S Traffic to low reputation sources based on Domain/Hostname
Network Protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
As a part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md), Network Protection reduces the attak surface of your devices from internet based threats.
It expands the scope of [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md) to block all outboud HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname).
It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
Network Protection works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection) - which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection).
You can enable Network Protection in either block or audit mode (non-blocking, Windows Defender Advanced Threat Protection events only) with Group Policy, PowerShell, or MDM settings with CSP.
When Network Protection blocks a connection, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.
You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Network Protection would impact your organization if it were enabled.
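Review bot: several problems survive in the rewritten Network Protection text. "block all outboud HTTP(s) traffic" still has "outboud" for "outbound" and should read "HTTP(S)". The audit-mode sentence says "(non-blocking, Windows Defender Advanced Threat Protection events only)", but the event-viewer section further down says local Event Log entries are created when Network Protection audits, so "events only" contradicts that section. "You can also enable the rules individually to customize what techniques the feature monitors" is Attack Surface Reduction wording; the description above gives Network Protection only block and audit modes, not per-rule switches. Finally the notification link points at `customize-attack-surface-reduction.md#customize-the-notification` rather than a Network Protection topic.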
@ -61,7 +62,7 @@ Insider Preview build 16232 or later (dated July 1, 2017 or later) | [Windows De
## Review Network Protection events in Windows Event Viewer
You can review the Windows event log to see events there are created when Network Protection blocked access to a malicious IP or domain:
You can review the Windows event log to see events that are created when Network Protection blocks (or audits) access to a malicious IP or domain:
1. Download the [Exploit Guard Evaluation Package](#) and extract the file *np-events.xml* to an easily accessible location on the machine.
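Review bot: the new intro sentence says events are created for "a malicious IP or domain", while the feature description above says blocking is based on "the domain or hostname"; align the two so readers know whether connections by bare IP are covered. Step 1 also still links the Evaluation Package to `#`, the same placeholder as in the Exploit Protection topic, and needs the real URL before publishing.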
@ -69,6 +70,8 @@ You can review the Windows event log to see events there are created when Networ
2. On the left panel, under **Actions**, click **Import custom view...**
![](images/events-import.gif)
3. Navigate to the Exploit Guard Evaluation Package, and select the file *np-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
4. Click **OK**.
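Review bot: `![](images/events-import.gif)` is inserted with no alt text, so screen readers announce nothing for it; add a short description such as "Import custom view menu item in Event Viewer". The step numbers 2, 3, 4 here are consistent, unlike the equivalent steps in the Exploit Protection topic in this commit, where two steps share a number.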
@ -88,5 +91,5 @@ You can review the Windows event log to see events there are created when Networ
Topic | Description
---|---
[Evaluate Network Protection](evaluate-network-protection.md) | Undertake a number of scenarios that demonstrate how the feature works, and what events would typically be created.
[Evaluate Network Protection](evaluate-network-protection.md) | Undertake aa quick scenario that demonstrate how the feature works, and what events would typically be created.
[Enable Network Protection](enable-network-protection.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage the Network Protection feature in your network.
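Review bot: the replacement row reads "Undertake aa quick scenario that demonstrate how the feature works", which has a doubled "a" and a subject/verb mismatch; it should be "Undertake a quick scenario that demonstrates how the feature works". The row it replaces ("a number of scenarios that demonstrate") was grammatical, so this edit introduces the typo rather than fixing one.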

View File

@ -29,21 +29,21 @@ ms.date: 08/25/2017
- Enterprise security administrators
Windows Defender Exploit Guard is a new set of host intrusion prevention capabilities for Windows 10, allowing enterprise administrators to manage the attack surface of the OS & applications. By resticting the various vectors through which malware can cause harm to your devices, Windows Defender offers a defense in depth solution to keeping the enteprise safe. With a rich collection of tools and features based off the Intelligent Security Graph, Exploit Guard provides an easy to use experience that offers the best balance of security & productivity for an enterprise.
Windows Defender Exploit Guard (Windows Defender EG) is a new set of host intrusion prevention capabilities for Windows 10, allowing you to manage and reduce the attack surface of the operating system and apps used by your employees.
You can use Windows Defender Exploit Guard (WDEG) to configure and manage any of the following functionalities:
There are four features in Windows Defender EG:
- Apply exploit mitigation techniques to apps your organization uses, both individually and to all apps, with [Exploit Protection](exploit-protection-exploit-guard.md)
- Reduce the attack surface of your applications with intelligent rule that stop vectors of office, script & mail based malware [Attack Surface Reduction rules](attack-surface-reduction-exploit-guard.md)
- Extend the malware and social engineering protection offered by Windows Defender SmartScreen in Edge to cover network traffic and connectivity on the device wwith [Network Protection](network-protection-exploit-guard.md)
- Protect files in key system folders from changes made by malicious and suspicious apps with [Controlled Folder Access](controlled-folders-exploit-guard.md)
- [Exploit Protection](exploit-protection-exploit-guard.md) can apply exploit mitigation techniques to apps your organization uses, both individually and to all apps
- [Attack Surface Reduction rules](attack-surface-reduction-exploit-guard.md) can reduce the attack surface of your applications with intelligent rules that stop the vectors used by Office-, script- and mail-based malware
- [Network Protection](network-protection-exploit-guard.md) extends the malware and social engineering protection offered by Windows Defender SmartScreen in Edge to cover network traffic and connectivity on your organization's devices
- [Controlled Folder Access](controlled-folders-exploit-guard.md) helps protect files in key system folders from changes made by malicious and suspicious apps, including file-encrypting ransomware malware
Evaluate each feature of Windows Defender EG with the guides at the following link, which provide pre-built PowerShell scripts and testing tools so you can see the features in action:
You can evaluate each feature of Windows Defender EG with the guides at the following link, which provide pre-built PowerShell scripts and testing tools so you can see the features in action:
- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)
You can also [enable audit mode](audit-windows-defender-exploit-guard.md) for Windows Defender EG, which provides you with basic event logs that indicate how the feature would have responded if it had been fully enabled. This can be useful when evaluating the impact of Windows Defender EG and to help determine the impact of the features on your network's security.
You can also [enable audit mode](audit-windows-defender-exploit-guard.md) for the features, which provides you with basic event logs that indicate how the feature would have responded if it had been fully enabled. This can be useful when evaluating the impact of Windows Defender EG and to help determine the impact of the features on your network's security.
Windows Defender EG can be managed and reported on in the Windows Defender Security Center as part of the Windows Defender Advanced Threat Protection suite of threat mitigation, preventing, protection, and analysis technologies, which also includes:
- [The Windows Defender ATP console](../windows-defender-atp/windows-defender-advanced-threat-protection.md)
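Review bot: the two intro paragraphs abbreviate the product differently, "Windows Defender Exploit Guard (Windows Defender EG)" in one and "Windows Defender Exploit Guard (WDEG)" in the other; the rest of this section uses "Windows Defender EG", so the `WDEG` form should not survive whichever paragraph is kept. In the audit-mode paragraph, "useful when evaluating the impact of Windows Defender EG and to help determine the impact of the features on your network's security" says "impact" twice for one idea; the second clause can be "and how the features would affect your network's security". In the last paragraph, "threat mitigation, preventing, protection, and analysis technologies" should read "prevention". The reworked feature bullets, which now lead with the linked feature name, read better, and the "resticting", "enteprise" and "wwith" typos of the old text do not recur in the new lines.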

View File

@ -148,15 +148,6 @@ Users can click on the displayed information to get more help:
9. Click **OK** after configuring each setting to save your changes.
### Use PowerShell to customize the notification
>[!NOTE]
>Are there any PS cmdlets for customizing? What about CSPs for MDM?
>[!NOTE]
>The Windows Defender Security Center app is a client interface on Windows 10, version 1703. It is not the Windows Defender Security Center web portal that is used to review and manage [Windows Defender Advanced Threat Protection](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection).
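Review bot: with the internal note "Are there any PS cmdlets for customizing? What about CSPs for MDM?" removed, check what is left under `### Use PowerShell to customize the notification`: this hunk drops nine lines and the only other visible content is the NOTE about the Windows Defender Security Center app, so if the heading now has no procedure beneath it, either remove the heading too or add the cmdlet steps, because an empty heading in a published topic reads as unfinished. Removing the author's open question before publication is the right call.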