Merge pull request #8930 from illfated/patch-5

Update enable-exploit-protection.md
Denise Vangel-MSFT
2021-01-08 09:46:55 -08:00
committed by GitHub


@ -31,13 +31,12 @@ manager: dansimp
Many features from the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection. Many features from the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection.
You can enable each mitigation separately by using any of these methods: You can enable each mitigation separately by using any of these methods:
- [Windows Security app](#windows-security-app)
* [Windows Security app](#windows-security-app) - [Microsoft Intune](#intune)
* [Microsoft Intune](#intune) - [Mobile Device Management (MDM)](#mdm)
* [Mobile Device Management (MDM)](#mdm) - [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager)
* [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager) - [Group Policy](#group-policy)
* [Group Policy](#group-policy) - [PowerShell](#powershell)
* [PowerShell](#powershell)
Exploit protection is configured by default in Windows 10. You can set each mitigation to on, off, or to its default value. Some mitigations have additional options. Exploit protection is configured by default in Windows 10. You can set each mitigation to on, off, or to its default value. Some mitigations have additional options.
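Review bot: Switching the bullet markers from `*` to `-` is a pure style change, so it only pays off if the rest of enable-exploit-protection.md already uses `-` for lists; otherwise the file ends up with both conventions. While here, confirm there is a blank line between "You can enable each mitigation separately by using any of these methods:" and the first list item, since the docs markdownlint rules expect lists to be surrounded by blank lines and the flattened view does not show one.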
@ -47,7 +46,7 @@ You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Au
## Windows Security app ## Windows Security app
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Security**.
2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection settings**. 2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection settings**.
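Review bot: Changing the Start menu search term from **Defender** to **Security** aligns the step with the section heading "Windows Security app"; consider going one step further and bolding the full app name, **Windows Security**, so that typing the bolded text gives an exact match instead of a partial one. Nothing else in the hunk changes.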
@ -160,11 +159,8 @@ Get-ProcessMitigation -Name processName.exe
> [!IMPORTANT] > [!IMPORTANT]
> System-level mitigations that have not been configured will show a status of `NOTSET`. > System-level mitigations that have not been configured will show a status of `NOTSET`.
> > - For system-level settings, `NOTSET` indicates the default setting for that mitigation has been applied.
> For system-level settings, `NOTSET` indicates the default setting for that mitigation has been applied. > - For app-level settings, `NOTSET` indicates the system-level setting for the mitigation will be applied.
>
> For app-level settings, `NOTSET` indicates the system-level setting for the mitigation will be applied.
>
> The default setting for each system-level mitigation can be seen in the Windows Security. > The default setting for each system-level mitigation can be seen in the Windows Security.
Use `Set` to configure each mitigation in the following format: Use `Set` to configure each mitigation in the following format:
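Review bot: The closing line of the note still reads "can be seen in the Windows Security." with the noun dropped; since this block is being restructured anyway, finish it as "in the Windows Security app." Turning the two `NOTSET` explanations into `- ` bullets under the lead sentence reads well, but keep a blank quoted line (`>`) between the second bullet and that final sentence so it renders as its own paragraph rather than as a continuation of the bullet.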
@ -207,24 +203,24 @@ If you need to restore the mitigation back to the system default, you need to in
Set-Processmitigation -Name test.exe -Remove -Disable DEP Set-Processmitigation -Name test.exe -Remove -Disable DEP
``` ```
This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that can be used to configure each mitigation. This table lists the individual **Mitigations** (and **Audits**, when available) to be used with the `-Enable` or `-Disable` cmdlet parameters.
|Mitigation | Applies to | PowerShell cmdlets | Audit mode cmdlet | | Mitigation type | Applies to | Mitigation cmdlet parameter keyword | Audit mode cmdlet parameter |
|:---|:---|:---|:---| | :-------------- | :--------- | :---------------------------------- | :-------------------------- |
| Control flow guard (CFG) | System and app-level | CFG, StrictCFG, SuppressExports | Audit not available | | Control flow guard (CFG) | System and app-level | CFG, StrictCFG, SuppressExports | Audit not available |
| Data Execution Prevention (DEP) | System and app-level | DEP, EmulateAtlThunks | Audit not available | | Data Execution Prevention (DEP) | System and app-level | DEP, EmulateAtlThunks | Audit not available |
| Force randomization for images (Mandatory ASLR) | System and app-level | ForceRelocateImages | Audit not available | | Force randomization for images (Mandatory ASLR) | System and app-level | ForceRelocateImages | Audit not available |
| Randomize memory allocations (Bottom-Up ASLR) | System and app-level | BottomUp, HighEntropy | Audit not available | Randomize memory allocations (Bottom-Up ASLR) | System and app-level | BottomUp, HighEntropy | Audit not available
|Validate exception chains (SEHOP) | System and app-level | SEHOP, SEHOPTelemetry | Audit not available | Validate exception chains (SEHOP) | System and app-level | SEHOP, SEHOPTelemetry | Audit not available |
|Validate heap integrity | System and app-level | TerminateOnHeapError | Audit not available | Validate heap integrity | System and app-level | TerminateOnError | Audit not available |
|Arbitrary code guard (ACG) | App-level only | DynamicCode | AuditDynamicCode | Arbitrary code guard (ACG) | App-level only | DynamicCode | AuditDynamicCode |
|Block low integrity images | App-level only | BlockLowLabel | AuditImageLoad | Block low integrity images | App-level only | BlockLowLabel | AuditImageLoad |
|Block remote images | App-level only | BlockRemoteImages | Audit not available | Block remote images | App-level only | BlockRemoteImages | Audit not available |
|Block untrusted fonts | App-level only | DisableNonSystemFonts | AuditFont, FontAuditOnly | Block untrusted fonts | App-level only | DisableNonSystemFonts | AuditFont, FontAuditOnly |
|Code integrity guard | App-level only | BlockNonMicrosoftSigned, AllowStoreSigned | AuditMicrosoftSigned, AuditStoreSigned | Code integrity guard | App-level only | BlockNonMicrosoftSigned, AllowStoreSigned | AuditMicrosoftSigned, AuditStoreSigned |
|Disable extension points | App-level only | ExtensionPoint | Audit not available | Disable extension points | App-level only | ExtensionPoint | Audit not available |
|Disable Win32k system calls | App-level only | DisableWin32kSystemCalls | AuditSystemCall | Disable Win32k system calls | App-level only | DisableWin32kSystemCalls | AuditSystemCall |
|Do not allow child processes | App-level only | DisallowChildProcessCreation | AuditChildProcess | Do not allow child processes | App-level only | DisallowChildProcessCreation | AuditChildProcess |
| Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter <a href="#r1" id="t1">\[1\]</a> | Audit not available<a href="#r2" id="t2">\[2\]</a> | | Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter <a href="#r1" id="t1">\[1\]</a> | Audit not available<a href="#r2" id="t2">\[2\]</a> |
| Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available<a href="#r2" id="t2">\[2\]</a> | | Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available<a href="#r2" id="t2">\[2\]</a> |
| Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available<a href="#r2" id="t2">\[2\]</a> | | Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available<a href="#r2" id="t2">\[2\]</a> |
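Review bot: The Validate heap integrity row changes the keyword from `TerminateOnHeapError` to `TerminateOnError`, which is a functional correction buried inside what otherwise looks like a table reformat; call it out in the PR description and confirm it against the values `Set-ProcessMitigation -Enable` actually accepts, because readers will paste the keyword verbatim. Two layout nits: the Randomize memory allocations (Bottom-Up ASLR) row now ends in "Audit not available" with no trailing `|`, and the rows from SEHOP down to Do not allow child processes show only one `|` where the CFG, DEP and EAF rows show a leading and a trailing one, so align every row to the `| ... |` form used by the header. The renamed headers ("Mitigation cmdlet parameter keyword", "Audit mode cmdlet parameter") and the rewritten intro sentence are an improvement: these values are `-Enable`/`-Disable` arguments, not separate cmdlets as the old text implied.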
@ -239,6 +235,7 @@ This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that
Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll
``` ```
<a href="#t2" id="r2">\[2\]</a>: Audit for this mitigation is not available via Powershell cmdlets. <a href="#t2" id="r2">\[2\]</a>: Audit for this mitigation is not available via Powershell cmdlets.
## Customize the notification ## Customize the notification
See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file. See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file.
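Review bot: The footnote still spells the product "Powershell" on both sides of the diff, while the rest of the page uses `PowerShell` (the method list link and the table intro), so fix the casing here in the same hunk. The one added line, presumably a blank line given that the visible text is unchanged, is the right fix for the "## Customize the notification" heading sitting directly under the footnote paragraph.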