deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-16 07:17:24 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

exp prot updates

Browse Source
This commit is contained in:
Iaan D'Souza-Wiltshire 2017-08-24 12:39:10 -07:00
parent 20a2e44ea1
commit c706a1d637
18 changed files with 302 additions and 249 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
View File

@ -70,7 +70,7 @@ You can review the Windows event log to see events there are created when an Att
2. On the left panel, under **Actions**, click **Import custom view...**
3. Navigate to the Exploit Guard Evaluation Package, and select the file *asr-events.xml*. Alternatively, [download the XML directly](scripts/asr-events.xml).
3. Navigate to the Exploit Guard Evaluation Package, and select the file *asr-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
4. Click **OK**.

2
windows/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md
View File

@ -72,7 +72,7 @@ You can review the Windows event log to see events there are created when Contro
3. On the left panel, under **Actions**, click **Import custom view...**
4. Navigate to where you extracted *cfa-events.xml* and select it. Alternatively, [download the XML directly](scripts/cfa-events.xml).
4. Navigate to where you extracted *cfa-events.xml* and select it. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
4. Click **OK**.

41
windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
View File

@ -55,7 +55,7 @@ See the [PowerShell reference table](#powershell-reference) at the bottom of thi
### Configure system-level mitigations with the app
### Configure system-level mitigations
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
@ -90,7 +90,7 @@ Exporting the configuration as an XML file allows you to copy the configuration
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then the **Exploit protection** label:
2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then the **Exploit protection settings** at the bottom of the screen:
>Screenshot coming
@ -171,7 +171,44 @@ You can disable audit mode by using the same command but replacing `-Enable` wit
The following table lists each mitigation, its associated PowerShell cmdlet, and indicates whether it can be applied system-wide or to individual apps. It also lists any optional cmdlets and the appropriate audit mode cmdlet.
#### PowerShell
You can also use powershell to set these mitigation policies and to convert EMET policies to Windows Defender EG, as demonstrated in the following examples:
Get the current settings in the registry for processName.exe
```
Get-ProcessMitigation -Name processName.exe
```
Exports the current settings to the filename.xml
```
Get-ProcessMitigation -RegistryConfigFilePath filename.xml
```
Imports the settings in filename.xml to the system.
```
Set-ProcessMitigation -PolicyFilePath filename.xml
```
Enables a list of mitigations
```
Set-ProcessMitigation -Name processName.exe -Enable SEHOP,DEP
```
Disables a list of mitigations
```
Set-ProcessMitigation -Name processName.exe -Disable SEHOP,DEP
```
Sets the EAFModules for dllName1.dll & dllName2.dll for processName.exe
```
Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll
```
Converts an emet file named, emetFile.xml, to the new windows 10 format called, filename.xml
```
ConvertTo-ProcessMitigationPolicy -EMETFilePath emetFile.xml -OutputFilePath filename.xml
```
## Related topics

8
windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md
View File

@ -52,7 +52,13 @@ Insider Preview build 16232 or later (dated July 1, 2017 or later) | For full re
### Converting and Applying an EMET config:
1. Export the existing EMET configuration. This can be done from the "Export" button in the GUI, or by running the command: **emet_conf.exe export emetConfig.xml**
2. In an elevated PowerShell window, convert the exported configuration with: **ConvertTo-ProcessMitigationPolicy -EMETFilePath emetConfig.xml -OutputFilePath win10Config.xml**
3. Note that this may give you some warnings, but these should be safe to ignore.
4. Apply the new configuration: from an elevated PowerShell window run **Set-ProcessMitigation -RegistryConfigFilePath win10Config.xml **
5. From here you can check or edit the settings in the new interface in the Windows Defender Security Center or with **Get-ProcessMitigation** (this command by itself will output the entire current state of the mitigations to the shell), and **Set-ProcessMitigation** respectively.

2
windows/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md
View File

@ -51,7 +51,7 @@ The mitigations available in Exploit Protection are enabled or configured to the
You can also set mitigations to audit mode. Audit mode allows you to test how the mitigations would work (and review events) without impacting the normal use of the machine.
For background information on how audit mode works, and when you might want to use it, see the [auditing Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md).
For background information on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md).
You can also convert an existing EMET configuration file (in XML format) and import it into Exploit Protection. This is useful if you have been using EMET and have a customized series of policies and mitigations that you want to keep using.

4
windows/threat-protection/windows-defender-exploit-guard/enable-network-protection.md
View File

@ -42,7 +42,7 @@ This topic describes how to enable Network Protection with Group Policy, PowerSh
You can enable Network Protection in either audit or block mode with Group Policy, PowerShell, or MDM settings with CSP.
For background information on how audit mode works, and when you might want to use it, see the [auditing Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md).
For background information on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md).
### Use Group Policy to enable or audit Network Protection
@ -75,7 +75,7 @@ For background information on how audit mode works, and when you might want to u
Set-MpPreference -EnableNetworkProtection Enabled
```
You can enable the feauting in auditing mode using the following cmdlet:
You can enable the feauting in audit mode using the following cmdlet:
```
Set-MpPreference -EnableNetworkProtection AuditMode

10
windows/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md
View File

@ -52,7 +52,7 @@ Use the **ExploitGuard ASR test tool** app to see how Attack Surface Reduction r
The tool is part of the Windows Defender Exploit Guard evaluation package:
- [Download the Exploit Guard Evaluation Package](#)
This tool has a simple user interface that lets you choose a rule, configure it in blocking, auditing, or disabled mode, and run a pre-created series of actions that would be evaluated by the rule.
This tool has a simple user interface that lets you choose a rule, configure it in blocking, audit, or disabled mode, and run a pre-created series of actions that would be evaluated by the rule.
You can also set advanced options, including setting a delay, choosing a specific scenario, and how to view a record of the events.
@ -63,7 +63,7 @@ When you run a scenario, you will see what the scenario entails, what the rule i
Each scenario creates a fake or sample file or behavior that the rule would target and, if the rule was enabled, block from running.
>[!IMPORTANT]
>The settings you change while using this tool will be cleared when you close the tool. If you want to test the feature in a production environment, you should consider using [auditing mode to measure impact](#use-auditing-mode-to-measure-impact), or see the main [Attack Surface Reduction topic](attack-surface-reduction-exploit-guard.md).
>The settings you change while using this tool will be cleared when you close the tool. If you want to test the feature in a production environment, you should consider using [audit mode to measure impact](#use-audit-mode-to-measure-impact), or see the main [Attack Surface Reduction topic](attack-surface-reduction-exploit-guard.md).
**Run a rule using the demo tool:**
@ -108,7 +108,7 @@ Block mode will cause a notification to appear on the user's desktop:
You can [modify the notification to display your company name and links](attack-surface-reduction-exploit-guard.md#customize-the-notification) for users to obtain more information or contact your IT help desk.
For further details on how audit mode works, and when you might want to use it, see the [auditing Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md).
For further details on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md).
The following sections describe what each rule does and what the scenarios entail for each rule.
@ -220,9 +220,9 @@ Event ID | Description
1121 | Event when rule fires in Block-mode
## Use auditing mode to measure impact
## Use audit mode to measure impact
You can also enable the Attack Surface Reduction feature in auditing mode. This lets you see a record of what apps would have been blocked if you had enabled the feature.
You can also enable the Attack Surface Reduction feature in audit mode. This lets you see a record of what apps would have been blocked if you had enabled the feature.
You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how often the rules will fire during normal use.

6
windows/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md
View File

@ -83,9 +83,9 @@ Event ID | Description
1123 | Blocked Controlled Folder Access event
## Use auditing mode to measure impact
## Use audit mode to measure impact
As with other Windows Defender EG features, you can enable the Controlled Folder Access feature in auditing mode. This lets you see a record of what *would* have happened if you had enabled the setting.
As with other Windows Defender EG features, you can enable the Controlled Folder Access feature in audit mode. This lets you see a record of what *would* have happened if you had enabled the setting.
You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious file modification attempts generally occur over a certain period.
@ -100,7 +100,7 @@ Set-MpPreference -EnableControlledFolderAccess AuditMode
You can also use Group Policy, Intune, MDM, or System Center Configuration Manager to configure and deploy the setting, as described in the main [Controlled Folder Access topic](controlled-folders-exploit-guard.md).
For further details on how audit mode works, and when you might want to use it, see the [auditing Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md).
For further details on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md).

274
windows/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md
View File

@ -1,7 +1,7 @@
---
title:
description:
keywords:
title: See how Exploit Protection works in a demo
description: See how Exploit Protection can prevent suspicious behaviors from occurring on specific apps.
keywords: exploit protection, exploits, kernel, events, evaluate, demo, try, mitigiation
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@ -15,187 +15,99 @@ ms.author: iawilt
## Exploit Protection
# Evaluate Exploit Protection
Exploit Protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level.
Many of the features that are part of the Enhance Mitigation Experience Toolkit (EMET) are included in Exploit Protection. See the [Comparison between EMET and Exploit Protection](emet-exploit-protection-exploit-guard.md).
This topcs helps you evaluate Exploit Protection. See the [Exploit Protection topic](exploit-protection-exploit-guard.md) for more information on what Exploit Protection does and how to configure it for real-world deployment.
>[NOTE]
>This topic uses PowerShell cmdlets to make it easy to enable the feature and test it.
>For instructions on how to use Group Policy and Mobile Device Management (MDM to deploy these settings across your network, see the main [Exploit Protection topic](exploit-protection-exploit-guard.md) .
## Enable and validate an Exploit Protection mitigation
For this demo we're going to enable the mitigation that prevents child processes from being created. We'll use Internet Explorer as the parent app.
First, enable the mitigation using PowerShell, and then confirm that it has been applied in the Windows Defender Security Center app:
1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
2. Enter the following cmdlet:
```PowerShell
Set—ProcessMitigation Name iexplore.exe Enable DisallowChildProcessCreation
```
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then **Exploit protection settings** at the bottom of the screen.
3. Go to the **Program settings** section, scroll down, click **iexplore.exe**, and then **Edit**.
4. Find the **Do not allow child processes** setting and make sure that **Override System settings** is enabled and the switch is set to **On**.
Now that we know the mitigation has been enabled, we can test to see if it works and what the experience would be for an end user:
1. Type **run** in the Start menu andp ress **Enter** to open the run dialog box.
2. Type **iexplore.exe** and press **Enter** or click **OK** to attempt to open Internet Explorer.
3. Internet Explorer should briefly open and then immediately shut down again, indicating that the mitigation was applied and prevented Internet Explorer from opening a child process (its own process).
Lastly, we can disable the mitigation so that Internet Explorer works properly again:
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then **Exploit protection settings** at the bottom of the screen.
3. Go to the **Program settings** section, scroll down, click **iexplore.exe**, and then **Edit**.
4. Find the **Do not allow child processes** setting and set the switch to **Off**. Click **Apply**
5. Validate that Internet Explorer runs by running it from the run dialog box again. It should open as expected.
## Review Exploit Protection events in Windows Event Viewer
You can now review the events that Exploit Protection sent to the Windows Event log to confirm what happened:
1. Download the [Exploit Guard Evaluation Package](#) and extract the file *ep-events.xml* to an easily accessible location on the machine.
2. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
3. On the left panel, under **Actions**, click **Import custom view...**
4. Navigate to where you extracted *ep-events.xml* and select it. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
4. Click **OK**.
5. This will create a custom view that filters to only show the following events related to Exploit Protection, which are all listed in the [Exploit Protection](exploit-protection-exploit-guard.md) topic.
6. The specific event to look for in this demo is event ID 4, which should have the following or similar information:
Process '\Device\HarddiskVolume1\Program Files\Internet Explorer\iexplore.exe' (PID 4692) was blocked from creating a child process 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' with command line '"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4692 CREDAT:75009 /prefetch:2'.
## Use audit mode to measure impact
As with other Windows Defender EG features, you can enable Exploit Protection in audit mode. You can enable audit mode for individual mitigations.
This lets you see a record of what *would* have happened if you had enabled the mitigation.
You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious or malicious events generally occur over a certain period.
See the [**PowerShell reference** section in the Customize Exploit Protection topic](customize-exploit-protection.md#powershell-reference) for a list of which mitigations can be audited and instructions on enabling the mode.
For further details on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md).
Component | Configuration available with | Event ID | Corresponds to…
-|-|-|-
Exploit Protection | GP, MDM, PS & UI | Provider: Security-Mitigations |
| | | 1 | ACG audit
| | | 2 | ACG enforce
| | | 3 | Do not allow child processes audit
| | | 4 | Do not allow child processes block
| | | 5 | Block low integrity images audit
| | | 6 | Block low integrity images block
| | | 7 | Block remote images audit
| | | 8 | Block remote images block
| | | 9 | Disable win32k system calls audit
| | | 10 | Disable win32k system calls block
| | | 11 | Code integrity guard audit
| | | 12 | Code integrity guard block
| | | 13 | EAF audit
| | | 14 | EAF enforce
| | | 15 | EAF+ audit
| | | 16 | EAF+ enforce
| | | 17 | IAF audit
| | | 18 | IAF enforce
| | | 19 | ROP StackPivot audit
| | | 20 | ROP StackPivot enforce
| | | 21 | ROP CallerCheck audit
| | | 22 | ROP CallerCheck enforce
| | | 23 | ROP SimExec audit
| | | 24 | ROP SimExec enforce
Exploit Protection | GP, MDM, PS & UI |Provider: WER-Diagnostics |
| | | 5 | CFG Block
Exploit Protection | GP, MDM, PS & UI | Provider: Win32K |
| | | 260 | Untrusted Font
### Audit/block modes
Each of these components can individually be enabled in audit or blocking mode.
Attack Surface Reduction and Controlled Folder Access also have mitigations that can be individually enabled in audit or blocking mode.
Component |Description |Rule/mitigation description |
-|-|-|-
Exploit Protection |Provides memory, control flow and policy restrictions that can be used to protect an application from exploits. - Each mitigation can be enabled in audit/block mode |Memory exploit mitigation | DEP
| | | | ForceASLR
| | | | BottomUpASLR
| | | | HeapTermination
| | | | SEHOP
| | | | CFG
| | | | Strict handle checks
| | | | ACG
| | | | Untrusted font blocking
| | | | No child process
| | | | Win32k syscall disable
| | | | Extension point disable
| | | | Various image loading restrictions
| | | | Anti-ROP (CallerCheck, SimExec, StackPivot)
| | | | EAF, EAF+
| | | Control Flow mitigation |
| | | Process restrictions |
## Policy settings for Windows Defender EG
The MDM policy settings for Windows Defender EG are listed in this section, along with example settings.
### Exploit Protection
Exploit Protection has an improved manageability experience over EMET, including support for SCCM, Intune, Powershell, and Group Policy management.
>
> Note: SCCM and Intune will be supported in furture releases.
You can specify a common set of WD Exploit Guard system and application mitigation settings that can be applied to all endpoints that have this GP setting configured.
Note, however, that there are some prerequisites before you can enable this setting:
- Manually configure a device's system and application mitigation settings using the *Set-ProcessMitigation* PowerShell cmdlet, the *ConvertTo-ProcessMitigationPolicy* PowerShell cmdlet, or directly in the Windows Defender Security Center
>
> Note: Endpoints that have this GP setting set to **Enabled** must be able to access the XML file, otherwise the settings will not be applied.
- Generate an XML file with the settings from the device by running the *Get-ProcessMitigation* PowerShell cmdlet or using the **Export** button at the bottom of the **Exploit Protection** area in the Windows Defender Security Center.
- Place the generated XML file in a shared or local path.
#### Group policy
The Exploit Protection feature can be configured with the following Group Policy details:
- Location: \Microsoft\Windows Defender Exploit Guard\Exploit Protection
- Name: Use a common set of Exploit Protection settings
- Values: **Enabled**: Specify the location of the XML file in the Options section. You can use a local (or mapped) path, a UNC path, or a URL, such as the following:
-- C:\MitigationSettings\Config.XML
-- \\Server\Share\Config.xml
-- https://localhost:8080/Config.xml
The settings in the XML file will be applied to the endpoint.
**Disabled:** Common settings will not be applied, and the locally configured settings will be used instead.
**Not configured:** Same as **Disabled**.
#### PowerShell
You can also use powershell to set these mitigation policies and to convert EMET policies to Windows Defender EG, as demonstrated in the following examples:
Get the current settings in the registry for processName.exe
```
Get-ProcessMitigation -Name processName.exe
```
Exports the current settings to the filename.xml
```
Get-ProcessMitigation -RegistryConfigFilePath filename.xml
```
Imports the settings in filename.xml to the system.
```
Set-ProcessMitigation -PolicyFilePath filename.xml
```
Enables a list of mitigations
```
Set-ProcessMitigation -Name processName.exe -Enable SEHOP,DEP
```
Disables a list of mitigations
```
Set-ProcessMitigation -Name processName.exe -Disable SEHOP,DEP
```
Sets the EAFModules for dllName1.dll & dllName2.dll for processName.exe
```
Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll
```
Converts an emet file named, emetFile.xml, to the new windows 10 format called, filename.xml
```
ConvertTo-ProcessMitigationPolicy -EMETFilePath emetFile.xml -OutputFilePath filename.xml
```
### Make sure things are working
1. Apply a mitigation setting:
a. Launch PowerShell as an admin and run **Set—ProcessMitigation Name iexplore.exe Enable DisallowChildProcessCreation**
2. Validate that the setting is correctly applied:
a. Open Windows Defender Security Center -> App & browser control
b. Scroll to the bottom and under **Exploit protection**, click **Exploit protection settings** and navigate to the **Program settings** pivot
c. Scroll down to **iexplore.exe**, click on it and click **Edit**
d. Find the **Do not allow child processes** setting and make sure that **Override System settings** and **On** are set
3. Validate that Internet Explorer wont run:
a. Try launching iexplore.exe via the run dialog
b. An IE frame should appear and then close
4. Validate that event viewer reports that the mitigation fired:
a. Open Event Viewer
b. Navigate to Applications and Services Log -> Microsoft -> Windows -> Security-Mitigations -> Kernel Mode
c. Check for the following entry for Internet Explorer (event ID 4)
Process '\Device\HarddiskVolume1\Program Files\Internet Explorer\iexplore.exe' (PID 4692) was blocked from creating a child process 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' with command line '"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4692 CREDAT:75009 /prefetch:2'.
5. Undo the mitigation setting:
a. Open Windows Defender Security Center -> App & browser control
b. Scroll to the bottom and under **Exploit protection**, click on **Exploit protection settings** and navigate to the **Program settings** pivot
c. Scroll down to **iexplore.exe**, click on it and click **Edit**
d. Find the **Do not allow child processes **setting and toggle the **On** to **Off**
e. Click **Apply**
6. Validate that Internet Explorer runs:
a. Try launching iexplore.exe via the run dialog
b. IE should open as expected
### Converting and Applying an EMET config:
1. Export the existing EMET configuration. This can be done from the "Export" button in the GUI, or by running the command: **emet_conf.exe export emetConfig.xml**
2. In an elevated PowerShell window, convert the exported configuration with: **ConvertTo-ProcessMitigationPolicy -EMETFilePath emetConfig.xml -OutputFilePath win10Config.xml**
3. Note that this may give you some warnings, but these should be safe to ignore.
4. Apply the new configuration: from an elevated PowerShell window run **Set-ProcessMitigation -RegistryConfigFilePath win10Config.xml **
5. From here you can check or edit the settings in the new interface in the Windows Defender Security Center or with **Get-ProcessMitigation** (this command by itself will output the entire current state of the mitigations to the shell), and **Set-ProcessMitigation** respectively.
### Managing Exploit Protection through Group Policy
1. Launch Group Policy Management Console (gpmc.msc) and from within and existing or new GPO navigate to **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Exploit Guard\Exploit Protection** and open the policy named *Use a common set of exploit protection settings*.
2. Enable the setting as seen below and point to an accessible location for the client machines to the recently created XML.
3. Apply the new GP to targeted machines by direction OU membership, Security Group or WMI filter.
## Related topics
- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md)
- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md)
- [Enable Exploit Protection](enable-exploit-protection.md)

4
windows/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md
View File

@ -83,9 +83,9 @@ Event ID | Description
1126 | Event when rule fires in Block-mode
## Use auditing mode to measure impact
## Use audit mode to measure impact
You can also enable the Network Protection feature in auditing mode. This lets you see a record of what IPs and domains would have been blocked if the feature were enabled.
You can also enable the Network Protection feature in audit mode. This lets you see a record of what IPs and domains would have been blocked if the feature were enabled.
You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how often the feature will block connections during normal use.

4
windows/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md
View File

@ -38,9 +38,9 @@ Before you begin, you should read the main [Windows Defender Exploit Guard](wind
- [Evaluate Exploit Protection](evaluate-exploit-protection.md)
- [Evaluate Network Protection](evaluate-network-protection.md)
You might also be interested in enabling the features in auditing mode - which allows you to see how the features work in the real world without impacting your organization or employee's work habits:
You might also be interested in enabling the features in audit mode - which allows you to see how the features work in the real world without impacting your organization or employee's work habits:
- [Use auditing mode to evaluate Windows Defender Exploit Guard features](audit-windows-defender-exploit-guard.md)
- [Use audit mode to evaluate Windows Defender Exploit Guard features](audit-windows-defender-exploit-guard.md)
## Related topics

105
windows/threat-protection/windows-defender-exploit-guard/scripts/ep-events.xml → windows/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md
View File

@ -1,3 +1,74 @@
---
title: Use Attack Surface Reduction rules to prevent malware infection
description: ASR rules can help prevent exploits from using apps and scripts to infect machines with malware
keywords: Attack Surface Reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
---
# Reduce attack surfaces with Windows Defender Exploit Guard
**Applies to:**
- Windows 10 Insider Preview
**Audience**
- Enterprise security administrators
**Manageability available with**
- Group Policy
- PowerShell
- Configuration service providers for mobile device management
## ASR
```xml
<ViewerConfig>
<QueryConfig>
<QueryParams>
<Simple>
<Channel>Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender/WHC</Channel>
<EventId>1121,1122,5007</EventId>
<RelativeTimeInfo>0</RelativeTimeInfo>
<BySource>False</BySource>
</Simple>
</QueryParams>
<QueryNode>
<Name>Attack Surface Reduction view</Name>
<QueryList>
<Query Id="0" Path="Microsoft-Windows-Windows Defender/Operational">
<Select Path="Microsoft-Windows-Windows Defender/Operational">*[System[(EventID=1121 or EventID=1122 or EventID=5007)]]</Select>
<Select Path="Microsoft-Windows-Windows Defender/WHC">*[System[(EventID=1121 or EventID=1122 or EventID=5007)]]</Select>
</Query>
</QueryList>
</QueryNode>
</QueryConfig>
</ViewerConfig>
```
## CFA
```xml
<ViewerConfig><QueryConfig><QueryParams><Simple><Channel>Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender/WHC</Channel><EventId>1123,1124,5007</EventId><RelativeTimeInfo>0</RelativeTimeInfo><BySource>False</BySource></Simple></QueryParams><QueryNode><Name>Controlled Folder Access view</Name><QueryList><Query Id="0" Path="Microsoft-Windows-Windows Defender/Operational"><Select Path="Microsoft-Windows-Windows Defender/Operational">*[System[(EventID=1123 or EventID=1124 or EventID=5007)]]</Select><Select Path="Microsoft-Windows-Windows Defender/WHC">*[System[(EventID=1123 or EventID=1124 or EventID=5007)]]</Select></Query></QueryList></QueryNode></QueryConfig></ViewerConfig>
```
## EP
```xml
<ViewerConfig>
<QueryConfig>
<QueryParams>
@ -52,4 +123,36 @@
<Column Name="Event Source Name" Type="System.String" Path="Event/System/Provider/@EventSourceName">140</Column>
</Columns>
</ResultsConfig>
</ViewerConfig>
</ViewerConfig>
```
## NP
```xml
<ViewerConfig>
<QueryConfig>
<QueryParams>
<Simple>
<Channel>Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender/WHC</Channel>
<EventId>1125,1126,5007</EventId>
<RelativeTimeInfo>0</RelativeTimeInfo>
<BySource>False</BySource>
</Simple>
</QueryParams>
<QueryNode>
<Name>Network Protection view</Name>
<QueryList>
<Query Id="0" Path="Microsoft-Windows-Windows Defender/Operational">
<Select Path="Microsoft-Windows-Windows Defender/Operational">*[System[(EventID=1125 or EventID=1126 or EventID=5007)]]</Select>
<Select Path="Microsoft-Windows-Windows Defender/WHC">*[System[(EventID=1125 or EventID=1126 or EventID=5007)]]</Select>
</Query>
</QueryList>
</QueryNode>
</QueryConfig>
</ViewerConfig>
```

2
windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md
View File

@ -70,7 +70,7 @@ You can review the Windows event log to see events there are created when Exploi
3. On the left panel, under **Actions**, click **Import custom view...**
4. Navigate to where you extracted *ep-events.xml* and select it. Alternatively, [download the XML directly](scripts/ep-events.xml).
4. Navigate to where you extracted *ep-events.xml* and select it. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
4. Click **OK**.

40
windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md
View File

@ -34,9 +34,47 @@ ms.author: iawilt
- PowerShell
- Configuration service providers for mobile device management
### Managing exploit protection through Group Policy
1. Launch Group Policy Management Console (gpmc.msc) and from within and existing or new GPO navigate to **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Exploit Guard\Exploit Protection** and open the policy named *Use a common set of exploit protection settings*.
2. Enable the setting as seen below and point to an accessible location for the client machines to the recently created XML.
3. Apply the new GP to targeted machines by direction OU membership, Security Group or WMI filter.
- Manually configure a device's system and application mitigation settings using the *Set-ProcessMitigation* PowerShell cmdlet, the *ConvertTo-ProcessMitigationPolicy* PowerShell cmdlet, or directly in the Windows Defender Security Center
>
> Note: Endpoints that have this GP setting set to **Enabled** must be able to access the XML file, otherwise the settings will not be applied.
- Generate an XML file with the settings from the device by running the *Get-ProcessMitigation* PowerShell cmdlet or using the **Export** button at the bottom of the **Exploit Protection** area in the Windows Defender Security Center.
- Place the generated XML file in a shared or local path.
### Converting and Applying an EMET config:
1. Export the existing EMET configuration. This can be done from the "Export" button in the GUI, or by running the command: **emet_conf.exe export emetConfig.xml**
2. In an elevated PowerShell window, convert the exported configuration with: **ConvertTo-ProcessMitigationPolicy -EMETFilePath emetConfig.xml -OutputFilePath win10Config.xml**
3. Note that this may give you some warnings, but these should be safe to ignore.
4. Apply the new configuration: from an elevated PowerShell window run **Set-ProcessMitigation -RegistryConfigFilePath win10Config.xml **
5. From here you can check or edit the settings in the new interface in the Windows Defender Security Center or with **Get-ProcessMitigation** (this command by itself will output the entire current state of the mitigations to the shell), and **Set-ProcessMitigation** respectively.
#### Group policy
The Exploit Protection feature can be configured with the following Group Policy details:
- Location: \Microsoft\Windows Defender Exploit Guard\Exploit Protection
- Name: Use a common set of Exploit Protection settings
- Values: **Enabled**: Specify the location of the XML file in the Options section. You can use a local (or mapped) path, a UNC path, or a URL, such as the following:
-- C:\MitigationSettings\Config.XML
-- \\Server\Share\Config.xml
-- https://localhost:8080/Config.xml
The settings in the XML file will be applied to the endpoint.
**Disabled:** Common settings will not be applied, and the locally configured settings will be used instead.
**Not configured:** Same as **Disabled**.
### Export system-level mitigations
.
### Import system-level mitigations

4
windows/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md
View File

@ -39,7 +39,7 @@ As a part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md)
Network Protection works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection) - which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection).
You can enable Network Protection in either block or auditing mode (non-blocking, Windows Defender Advanced Threat Protection events only) with Group Policy, PowerShell, or MDM settings with CSP.
You can enable Network Protection in either block or audit mode (non-blocking, Windows Defender Advanced Threat Protection events only) with Group Policy, PowerShell, or MDM settings with CSP.
You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Network Protection would impact your organization if it were enabled.
@ -66,7 +66,7 @@ You can review the Windows event log to see events there are created when Networ
2. On the left panel, under **Actions**, click **Import custom view...**
3. Navigate to the Exploit Guard Evaluation Package, and select the file *np-events.xml*. Alternatively, [download the XML directly](scripts/np-events.xml).
3. Navigate to the Exploit Guard Evaluation Package, and select the file *np-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
4. Click **OK**.

21
windows/threat-protection/windows-defender-exploit-guard/scripts/asr-events.xml
View File

@ -1,21 +0,0 @@
<ViewerConfig>
<QueryConfig>
<QueryParams>
<Simple>
<Channel>Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender/WHC</Channel>
<EventId>1121,1122,5007</EventId>
<RelativeTimeInfo>0</RelativeTimeInfo>
<BySource>False</BySource>
</Simple>
</QueryParams>
<QueryNode>
<Name>Attack Surface Reduction view</Name>
<QueryList>
<Query Id="0" Path="Microsoft-Windows-Windows Defender/Operational">
<Select Path="Microsoft-Windows-Windows Defender/Operational">*[System[(EventID=1121 or EventID=1122 or EventID=5007)]]</Select>
<Select Path="Microsoft-Windows-Windows Defender/WHC">*[System[(EventID=1121 or EventID=1122 or EventID=5007)]]</Select>
</Query>
</QueryList>
</QueryNode>
</QueryConfig>
</ViewerConfig>

1
windows/threat-protection/windows-defender-exploit-guard/scripts/cfa-events.xml
View File

@ -1 +0,0 @@
<ViewerConfig><QueryConfig><QueryParams><Simple><Channel>Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender/WHC</Channel><EventId>1123,1124,5007</EventId><RelativeTimeInfo>0</RelativeTimeInfo><BySource>False</BySource></Simple></QueryParams><QueryNode><Name>Controlled Folder Access view</Name><QueryList><Query Id="0" Path="Microsoft-Windows-Windows Defender/Operational"><Select Path="Microsoft-Windows-Windows Defender/Operational">*[System[(EventID=1123 or EventID=1124 or EventID=5007)]]</Select><Select Path="Microsoft-Windows-Windows Defender/WHC">*[System[(EventID=1123 or EventID=1124 or EventID=5007)]]</Select></Query></QueryList></QueryNode></QueryConfig></ViewerConfig>

21
windows/threat-protection/windows-defender-exploit-guard/scripts/np-events.xml
View File

@ -1,21 +0,0 @@
<ViewerConfig>
<QueryConfig>
<QueryParams>
<Simple>
<Channel>Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender/WHC</Channel>
<EventId>1125,1126,5007</EventId>
<RelativeTimeInfo>0</RelativeTimeInfo>
<BySource>False</BySource>
</Simple>
</QueryParams>
<QueryNode>
<Name>Network Protection view</Name>
<QueryList>
<Query Id="0" Path="Microsoft-Windows-Windows Defender/Operational">
<Select Path="Microsoft-Windows-Windows Defender/Operational">*[System[(EventID=1125 or EventID=1126 or EventID=5007)]]</Select>
<Select Path="Microsoft-Windows-Windows Defender/WHC">*[System[(EventID=1125 or EventID=1126 or EventID=5007)]]</Select>
</Query>
</QueryList>
</QueryNode>
</QueryConfig>
</ViewerConfig>