deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-15 14:57:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

edits

Browse Source
This commit is contained in:
Justin Hall 2019-03-26 15:10:40 -07:00
parent a0595f5b74
commit dc5d7eeccd
2 changed files with 46 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 02/14/2019
ms.date: 03/26/2019
---
# Enable exploit protection
@ -24,16 +24,13 @@ ms.date: 02/14/2019
Many features from the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection.
## Enable and audit exploit protection
## Enable exploit protection
You enable and configure each exploit protection mitigation separately. Some mitigations apply to the entire operating system, while others can be targeted towards specific apps.
The mitigations available in exploit protection are enabled or configured to their default values automatically in Windows 10. However, you can customize the configuration to suit your organization and then deploy that configuration across your network.
The mitigations available in exploit protection are enabled or configured to their default values automatically in Windows 10. You can customize the configuration to suit your organization and then deploy that configuration across your network.
You can also set mitigations to [audit mode](audit-windows-defender-exploit-guard.md). Audit mode allows you to test how the mitigations would work (and review events) without impacting the normal use of the machine.
>[!WARNING]
>Some security mitigation technologies may have compatibility issues with some applications. You should test exploit protection in all target use scenarios by using audit mode before deploying in production.
You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Audit mode allows you to test how the mitigations would work (and review events) without impacting the normal use of the machine.
You can also convert an existing EMET configuration file (in XML format) and import it into exploit protection. This is useful if you have been using EMET and have a customized series of policies and mitigations that you want to keep using.

59
windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md
View File

@ -25,40 +25,63 @@ It consists of a number of mitigations that can be applied to either the operati
Many of the features that were part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) are included in exploit protection.
This topic helps you enable exploit protection in audit mode and review related events in Event Viewer.
You can enable audit mode for any mitigation to see how it will work in a test environment.
You can enable audit mode for certain app-level mitigations to see how they will work in a test environment.
This lets you see a record of what *would* have happened if you had enabled the mitigation in production.
You can make sure it doesn't affect your line-of-business apps, and see which suspicious or malicious events occur.
>[!TIP]
>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to see how exploit protection works.
## Use audit mode to measure impact
## Enable exploit protection in audit mode
1. Go to the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) and download the [EP xml config file](https://demo.wd.microsoft.com/Content/ProcessMitigation.xml?).
To set app-level mitigations to audit mode, use `Set-ProcessMitigation` with the **Audit mode** cmdlet.
1. Open an elevated PowerShell windows and run:
Configure each mitigation in the following format:
```powershell
Set-ProcessMitigation -PolicyFilePath ProcessMitigation.xml
Set-ProcessMitigation help
```
1. Tp verify the configuration, run:
```PowerShell
Set-ProcessMitigation -<scope> <app executable> -<action> <mitigation or options>,<mitigation or options>,<mitigation or options>
```
```powershell
Get-ProcessMitigation
```
Where:
2. Type **event viewer** in the Start menu and open **Event Viewer**.
- \<Scope>:
- `-Name` to indicate the mitigations should be applied to a specific app. Specify the app's executable after this flag.
- \<Action>:
- `-Enable` to enable the mitigation
- `-Disable` to disable the mitigation
- \<Mitigation>:
- The mitigation's cmdlet as defined in the following table. Each mitigation is separated with a comma.
3. Click **Action** > **Import Custom View...**
| Mitigation | Audit mode cmdlet |
| - | - |
|Arbitrary code guard (ACG) | AuditDynamicCode |
|Block low integrity images | AuditImageLoad |
|Block untrusted fonts | AuditFont, FontAuditOnly |
|Code integrity guard | AuditMicrosoftSigned, AuditStoreSigned |
|Disable Win32k system calls | AuditSystemCall |
|Do not allow child processes | AuditChildProcess |
![Animation highlighting Import custom view on the left of Event viewer](images/events-import.gif)
For example, to enable Arbitrary Code Guard (ACG) in audit mode for an app named *testing.exe*, run the following command:
4. Select the XML > **Open** > **OK**.
```PowerShell
Set-ProcesMitigation -Name c:\apps\lob\tests\testing.exe -Enable AuditDynamicCode
```
You can see the [**PowerShell reference** section in customize exploit protection](customize-exploit-protection.md#powershell-reference) for a list of which mitigations can be audited and instructions on enabling the mode.
You can disable audit mode by replacing `-Enable` with `-Disable`.
## Review exploit protection audit events
To review which apps would have been blocked, open Event Viewer and filter for the following events in the Security-Mitigations log.
Feature | Provider/source | Event ID | Description
:-|:-|:-:|:-
Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 1 | ACG audit
Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 3 | Do not allow child processes audit
Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 5 | Block low integrity images audit
Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 7 | Block remote images audit
Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 9 | Disable win32k system calls audit
Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 11 | Code integrity guard audit
## Related topics
- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md)