From e4f4593dff80eedc07f0af77aa5b8df6dbd04868 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 20 Jan 2021 16:49:07 -0800 Subject: [PATCH] Update enable-exploit-protection.md --- .../enable-exploit-protection.md | 110 +++++++++--------- 1 file changed, 55 insertions(+), 55 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md index a3dacf2086..aafa081de2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md @@ -46,13 +46,13 @@ You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Au ## Windows Security app -1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Security**. +1. Open the Windows Security app by selecting the shield icon in the task bar or by searching the start menu for **Security**. -2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection settings**. +2. Select the **App & browser control** tile (or the app icon on the left menu bar) and then select **Exploit protection settings**. 3. Go to **Program settings** and choose the app you want to apply mitigations to.
- - If the app you want to configure is already listed, click it and then click **Edit**. - - If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app.
+ - If the app you want to configure is already listed, select it, and then select **Edit**. + - If the app is not listed, at the top of the list select **Add program to customize** and then choose how you want to add the app.
- Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. @@ -60,12 +60,12 @@ You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Au 5. Repeat steps 3-4 for all the apps and mitigations you want to configure. -6. Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here:
+6. Under the **System settings** section, find the mitigation you want to configure and then specify one of the following settings. Apps that aren't configured individually in the **Program settings** section use the settings that are configured here.
- **On by default**: The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section - **Off by default**: The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section - **Use default**: The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation -7. Repeat step 6 for all the system-level mitigations you want to configure. Click **Apply** when you're done setting up your configuration. +7. Repeat step 6 for all the system-level mitigations you want to configure. Select **Apply** when you're done setting up your configuration. If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work: @@ -80,7 +80,7 @@ If you add an app to the **Program settings** section and configure individual m Mikael adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, Mikael enables the **Override system settings** option and sets the switch to **On**. There are no other apps listed in the **Program settings** section. -The result will be that DEP only will be enabled for *test.exe*. All other apps will not have DEP applied. +The result is that DEP is enabled only for *test.exe*. All other apps will not have DEP applied. ### Example 2: Josie configures Data Execution Prevention in system settings to be off by default @@ -88,38 +88,38 @@ Josie adds the app *test.exe* to the **Program settings** section. In the option Josie also adds the app *miles.exe* to the **Program settings** section and configures **Control flow guard (CFG)** to **On**. Josie doesn't enable the **Override system settings** option for DEP or any other mitigations for that app. -The result will be that DEP will be enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*. CFG will be enabled for *miles.exe*. +The result is that DEP is enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*. CFG will be enabled for *miles.exe*. -1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security app by selecting the shield icon in the task bar or searching the start menu for **Defender**. -2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**. +2. Select the **App & browser control** tile (or the app icon on the left menu bar) and then select **Exploit protection**. 3. Go to **Program settings** and choose the app you want to apply mitigations to.
- - If the app you want to configure is already listed, click it and then click **Edit**. - - If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app.
+ - If the app you want to configure is already listed, select it, and then select **Edit**. + - If the app is not listed, at the top of the list se;ect **Add program to customize** and then choose how you want to add the app.
- Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. 4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows. -5. Repeat steps 3-4 for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration. +5. Repeat steps 3-4 for all the apps and mitigations you want to configure. Select **Apply** when you're done setting up your configuration. ## Intune 1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune. -2. Click **Device configuration** > **Profiles** > **Create profile**. +2. Go to **Device configuration** > **Profiles** > **Create profile**. 3. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
![Create endpoint protection profile](../images/create-endpoint-protection-profile.png)
-4. Click **Configure** > **Windows Defender Exploit Guard** > **Exploit protection**. +4. Select **Configure** > **Windows Defender Exploit Guard** > **Exploit protection**. 5. Upload an [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) with the exploit protection settings:
![Enable network protection in Intune](../images/enable-ep-intune.png)
-6. Click **OK** to save each open blade and click **Create**. +6. Select **OK** to save each open blade, and then choose **Create**. -7. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**. +7. Select the profile **Assignments** tab, assign the policy to **All Users & All Devices**, and then select **Save**. ## MDM @@ -127,42 +127,42 @@ Use the [./Vendor/MSFT/Policy/Config/ExploitGuard/ExploitProtectionSettings](htt ## Microsoft Endpoint Manager -1. In Microsoft Endpoint Manager, click **Endpoint Security** > **Attack surface reduction**. +1. In Microsoft Endpoint Manager, go to **Endpoint Security** > **Attack surface reduction**. -2. Click **Create Policy**, select **Platform**, and under **Profile** choose **Exploit Protection**. Click **Create**. +2. Select **Create Policy** > **Platform**, and for **Profile**, choose **Exploit Protection**. Then select **Create**. -3. Enter a name and a description, and click **Next**. +3. Specify a name and a description, and then choose **Next**. -4. Click **Select XML File** and browse to the location of the exploit protection XML file, then select it and click **Next**. +4. Select **Select XML File** and browse to the location of the exploit protection XML file. Select the file, and then choose **Next**. 5. Configure **Scope tags** and **Assignments** if necessary. -6. Under **Review + create**, review the configuration and click **Create** if everything is ok. +6. Under **Review + create**, review the configuration and then choose **Create**. ## Microsoft Endpoint Configuration Manager -1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**. +1. In Microsoft Endpoint Configuration Manager, go to **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**. -2. Click **Home** > **Create Exploit Guard Policy**. +2. Select **Home** > **Create Exploit Guard Policy**. -3. Enter a name and a description, click **Exploit protection**, and click **Next**. +3. Specify a name and a description, select **Exploit protection**, and then choose **Next**. -4. Browse to the location of the exploit protection XML file and click **Next**. +4. Browse to the location of the exploit protection XML file and select **Next**. -5. Review the settings and click **Next** to create the policy. +5. Review the settings, and then choose **Next** to create the policy. -6. After the policy is created, click **Close**. +6. After the policy is created, select **Close**. ## Group Policy 1. On your Group Policy management device, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and select **Administrative templates**. 3. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit Protection** > **Use a common set of exploit protection settings**. -4. Click **Enabled** and type the location of the [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) and click **OK**. +4. Select **Enabled** and type the location of the [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard), and then choose **OK**. ## PowerShell @@ -222,27 +222,27 @@ This table lists the individual **Mitigations** (and **Audits**, when available) | Mitigation type | Applies to | Mitigation cmdlet parameter keyword | Audit mode cmdlet parameter | | :-------------- | :--------- | :---------------------------------- | :-------------------------- | -| Control flow guard (CFG) | System and app-level | CFG, StrictCFG, SuppressExports | Audit not available | -| Data Execution Prevention (DEP) | System and app-level | DEP, EmulateAtlThunks | Audit not available | -| Force randomization for images (Mandatory ASLR) | System and app-level | ForceRelocateImages | Audit not available | -| Randomize memory allocations (Bottom-Up ASLR) | System and app-level | BottomUp, HighEntropy | Audit not available -| Validate exception chains (SEHOP) | System and app-level | SEHOP, SEHOPTelemetry | Audit not available | -| Validate heap integrity | System and app-level | TerminateOnError | Audit not available | -| Arbitrary code guard (ACG) | App-level only | DynamicCode | AuditDynamicCode | -| Block low integrity images | App-level only | BlockLowLabel | AuditImageLoad | -| Block remote images | App-level only | BlockRemoteImages | Audit not available | -| Block untrusted fonts | App-level only | DisableNonSystemFonts | AuditFont, FontAuditOnly | -| Code integrity guard | App-level only | BlockNonMicrosoftSigned, AllowStoreSigned | AuditMicrosoftSigned, AuditStoreSigned | -| Disable extension points | App-level only | ExtensionPoint | Audit not available | -| Disable Win32k system calls | App-level only | DisableWin32kSystemCalls | AuditSystemCall | -| Do not allow child processes | App-level only | DisallowChildProcessCreation | AuditChildProcess | -| Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter \[1\] | Audit not available\[2\] | -| Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available\[2\] | -| Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available\[2\] | -| Validate API invocation (CallerCheck) | App-level only | EnableRopCallerCheck | Audit not available\[2\] | -| Validate handle usage | App-level only | StrictHandle | Audit not available | -| Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available | -| Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available\[2\] | +| Control flow guard (CFG) | System and app-level | `CFG`, `StrictCFG`, `SuppressExports` | Audit not available | +| Data Execution Prevention (DEP) | System and app-level | `DEP`, `EmulateAtlThunks` | Audit not available | +| Force randomization for images (Mandatory ASLR) | System and app-level | `ForceRelocateImages` | Audit not available | +| Randomize memory allocations (Bottom-Up ASLR) | System and app-level | `BottomUp`, `HighEntropy` | Audit not available +| Validate exception chains (SEHOP) | System and app-level | `SEHOP`, `SEHOPTelemetry` | Audit not available | +| Validate heap integrity | System and app-level | `TerminateOnError` | Audit not available | +| Arbitrary code guard (ACG) | App-level only | `DynamicCode` | `AuditDynamicCode` | +| Block low integrity images | App-level only | `BlockLowLabel` | `AuditImageLoad` | +| Block remote images | App-level only | `BlockRemoteImages` | Audit not available | +| Block untrusted fonts | App-level only | `DisableNonSystemFonts` | `AuditFont`, `FontAuditOnly` | +| Code integrity guard | App-level only | `BlockNonMicrosoftSigned`, `AllowStoreSigned` | AuditMicrosoftSigned, AuditStoreSigned | +| Disable extension points | App-level only | `ExtensionPoint` | Audit not available | +| Disable Win32k system calls | App-level only | `DisableWin32kSystemCalls` | `AuditSystemCall` | +| Do not allow child processes | App-level only | `DisallowChildProcessCreation` | `AuditChildProcess` | +| Export address filtering (EAF) | App-level only | `EnableExportAddressFilterPlus`, `EnableExportAddressFilter` \[1\] | Audit not available\[2\] | +| Import address filtering (IAF) | App-level only | `EnableImportAddressFilter` | Audit not available\[2\] | +| Simulate execution (SimExec) | App-level only | `EnableRopSimExec` | Audit not available\[2\] | +| Validate API invocation (CallerCheck) | App-level only | `EnableRopCallerCheck` | Audit not available\[2\] | +| Validate handle usage | App-level only | `StrictHandle` | Audit not available | +| Validate image dependency integrity | App-level only | `EnforceModuleDepencySigning` | Audit not available | +| Validate stack integrity (StackPivot) | App-level only | `EnableRopStackPivot` | Audit not available\[2\] | \[1\]: Use the following format to enable EAF modules for DLLs for a process: @@ -253,10 +253,10 @@ Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlu ## Customize the notification -See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file. +See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) article for more information about customizing the notification when a rule is triggered and blocks an app or file. ## See also -* [Evaluate exploit protection](evaluate-exploit-protection.md) -* [Configure and audit exploit protection mitigations](customize-exploit-protection.md) -* [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) +- [Evaluate exploit protection](evaluate-exploit-protection.md) +- [Configure and audit exploit protection mitigations](customize-exploit-protection.md) +- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md)