deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-21 13:23:36 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

lint/cleaned customize exploit protection

Browse Source
This commit is contained in:
martyav
2019-07-30 14:53:34 -04:00
parent 5645ea7f67
commit ee3eff7002
1 changed files with 58 additions and 63 deletions
Download Patch File Download Diff File Expand all files Collapse all files

51
windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
View File

@ -20,7 +20,7 @@ manager: dansimp
**Applies to:** **Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) * [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
Exploit protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps. Exploit protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps.
@ -46,7 +46,7 @@ The **Use default** configuration for each of the mitigation settings indicates
For the associated PowerShell cmdlets for each mitigation, see the [PowerShell reference table](#cmdlets-table) at the bottom of this topic. For the associated PowerShell cmdlets for each mitigation, see the [PowerShell reference table](#cmdlets-table) at the bottom of this topic.
Mitigation | Description | Can be applied to | Audit mode available Mitigation | Description | Can be applied to | Audit mode available
- | - | - | :-: -|-|-|-
Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)] Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)]
Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)] Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)]
Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)] Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)]
@ -74,7 +74,7 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi
> >
> >
> Enabled in **Program settings** | Enabled in **System settings** | Behavior > Enabled in **Program settings** | Enabled in **System settings** | Behavior
>:-: | :-: | :-: > -|-|-
> [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | As defined in **Program settings** > [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | As defined in **Program settings**
> [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | As defined in **Program settings** > [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | As defined in **Program settings**
> [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | As defined in **System settings** > [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | As defined in **System settings**
@ -82,7 +82,7 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi
> >
> >
> >
>- **Example 1** > * **Example 1**
> >
> Mikael configures **Data Execution Prevention (DEP)** in the **System settings** section to be **Off by default**. > Mikael configures **Data Execution Prevention (DEP)** in the **System settings** section to be **Off by default**.
> >
@ -91,7 +91,7 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi
> The result will be that DEP only will be enabled for *test.exe*. All other apps will not have DEP applied. > The result will be that DEP only will be enabled for *test.exe*. All other apps will not have DEP applied.
> >
> >
>- **Example 2** > * **Example 2**
> >
> Josie configures **Data Execution Prevention (DEP)** in the **System settings** section to be **Off by default**. > Josie configures **Data Execution Prevention (DEP)** in the **System settings** section to be **Off by default**.
> >
@ -112,9 +112,9 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi
2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**. 2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**.
3. Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here: 3. Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here:
- **On by default** - The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section * **On by default** - The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
- **Off by default** - The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section * **Off by default** - The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
- **Use default** - The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation * **Use default** - The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation
>[!NOTE] >[!NOTE]
>You may see a User Account Control window when changing some settings. Enter administrator credentials to apply the setting. >You may see a User Account Control window when changing some settings. Enter administrator credentials to apply the setting.
@ -127,14 +127,13 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi
1. If the app you want to configure is already listed, click it and then click **Edit** 1. If the app you want to configure is already listed, click it and then click **Edit**
2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app: 2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app:
- Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. * Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
- Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. * Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
6. After selecting the app, you'll see a list of all the mitigations that can be applied. To enable the mitigation, click the check box and then change the slider to **On**. Select any additional options. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows. 6. After selecting the app, you'll see a list of all the mitigations that can be applied. To enable the mitigation, click the check box and then change the slider to **On**. Select any additional options. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.
7. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration. 7. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration.
You can now [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) or continue on to configure app-specific mitigations. You can now [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) or continue on to configure app-specific mitigations.
Exporting the configuration as an XML file allows you to copy the configuration from one machine onto other machines. Exporting the configuration as an XML file allows you to copy the configuration from one machine onto other machines.
@ -168,16 +167,17 @@ Use `Set` to configure each mitigation in the following format:
```PowerShell ```PowerShell
Set-ProcessMitigation -<scope> <app executable> -<action> <mitigation or options>,<mitigation or options>,<mitigation or options> Set-ProcessMitigation -<scope> <app executable> -<action> <mitigation or options>,<mitigation or options>,<mitigation or options>
``` ```
Where: Where:
- \<Scope>: * \<Scope>:
- `-Name` to indicate the mitigations should be applied to a specific app. Specify the app's executable after this flag. * `-Name` to indicate the mitigations should be applied to a specific app. Specify the app's executable after this flag.
- `-System` to indicate the mitigation should be applied at the system level * `-System` to indicate the mitigation should be applied at the system level
- \<Action>: - \<Action>:
- `-Enable` to enable the mitigation * `-Enable` to enable the mitigation
- `-Disable` to disable the mitigation * `-Disable` to disable the mitigation
- \<Mitigation>: * \<Mitigation>:
- The mitigation's cmdlet as defined in the [mitigation cmdlets table](#cmdlets-table) below, along with any suboptions (surrounded with spaces). Each mitigation is separated with a comma. * The mitigation's cmdlet as defined in the [mitigation cmdlets table](#cmdlets-table) below, along with any suboptions (surrounded with spaces). Each mitigation is separated with a comma.
For example, to enable the Data Execution Prevention (DEP) mitigation with ATL thunk emulation and for an executable called *testing.exe* in the folder *C:\Apps\LOB\tests*, and to prevent that executable from creating child processes, you'd use the following command: For example, to enable the Data Execution Prevention (DEP) mitigation with ATL thunk emulation and for an executable called *testing.exe* in the folder *C:\Apps\LOB\tests*, and to prevent that executable from creating child processes, you'd use the following command:
@ -202,7 +202,6 @@ Where:
Set-Processmitigation -Name test.exe -Remove -Disable DEP Set-Processmitigation -Name test.exe -Remove -Disable DEP
``` ```
You can also set some mitigations to audit mode. Instead of using the PowerShell cmdlet for the mitigation, use the **Audit mode** cmdlet as specified in the [mitigation cmdlets table](#cmdlets-table) below. You can also set some mitigations to audit mode. Instead of using the PowerShell cmdlet for the mitigation, use the **Audit mode** cmdlet as specified in the [mitigation cmdlets table](#cmdlets-table) below.
For example, to enable Arbitrary Code Guard (ACG) in audit mode for the *testing.exe* used in the example above, you'd use the following command: For example, to enable Arbitrary Code Guard (ACG) in audit mode for the *testing.exe* used in the example above, you'd use the following command:
@ -219,7 +218,6 @@ This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that
<a id="cmdlets-table"></a> <a id="cmdlets-table"></a>
Mitigation | Applies to | PowerShell cmdlets | Audit mode cmdlet Mitigation | Applies to | PowerShell cmdlets | Audit mode cmdlet
- | - | - | - - | - | - | -
Control flow guard (CFG) | System and app-level | CFG, StrictCFG, SuppressExports | Audit not available Control flow guard (CFG) | System and app-level | CFG, StrictCFG, SuppressExports | Audit not available
@ -244,23 +242,20 @@ Validate handle usage | App-level only | StrictHandle | Audit not available
Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available
Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available
<a href="#t1" id="r1">\[1\]</a>: Use the following format to enable EAF modules for dlls for a process: <a href="#t1" id="r1">\[1\]</a>: Use the following format to enable EAF modules for dlls for a process:
```PowerShell ```PowerShell
Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll
``` ```
## Customize the notification ## Customize the notification
See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file. See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file.
## Related topics ## Related topics
- [Protect devices from exploits](exploit-protection-exploit-guard.md) * [Protect devices from exploits](exploit-protection.md)
- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) * [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection.md)
- [Evaluate exploit protection](evaluate-exploit-protection.md) * [Evaluate exploit protection](evaluate-exploit-protection.md)
- [Enable exploit protection](enable-exploit-protection.md) * [Enable exploit protection](enable-exploit-protection.md)
- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) * [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md)