netprot drafted

This commit is contained in:
Iaan D'Souza-Wiltshire
2017-08-15 18:58:51 -07:00
parent 16b320ef2f
commit f594ecf3f5
9 changed files with 258 additions and 114 deletions

View File

@ -45,3 +45,11 @@ Topic | Description
## Enabling Windows Defender EG rules in audit mode
Use the script Enable-ExploitGuardAuditMode.ps1 to turn on the ASR rules and Controlled Folder Access into audit mode via Local GP on a device. This allows one to observe how the rules would perform across various machines in your system, and determine which can be turned on in Block mode and if any exclusions need to be applied.
**Note:** Rename Enable-ExploitGuardAuditMode.rename to Enable-ExploitGuardAuditMode.ps1
Run the following in an elevated powershell prompt:
- Set-ExecutionPolicy Bypass -Force
- .\Enable-ExploitGuardAuditMode.ps1
Successful output should indicate ASR and Controlled Folder Access were turned on in audit mode
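Review bot: the two commands on the "Set-ExecutionPolicy Bypass -Force" and ".\Enable-ExploitGuardAuditMode.ps1" lines are rendered as bullet items, so readers will copy the leading "- " along with the command; put them in a fenced ```PowerShell block as the other topics in this commit do. Also, `Set-ExecutionPolicy Bypass -Force` with no `-Scope` changes the machine-wide policy persistently, which is more than a one-off audit script needs; `Set-ExecutionPolicy Bypass -Scope Process -Force` limits it to the current session. Minor: "elevated powershell prompt" should read "elevated PowerShell prompt", and the "Successful output should indicate..." sentence is missing its full stop.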

View File

@ -87,5 +87,5 @@ See the [Windows Defender Security Center](../windows-defender-security-center/w
- [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md)
- [Enable Attack Surface Reduction](enable-attack-surface-reduction.md)
- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)
- [Evaluate Attack Surface Reduction](evaluate-attack-surface-reduction.md)

View File

@ -134,4 +134,4 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https
- [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md)
- [Customize Attack Surface Reduction](customize-attack-surface-reduction.md)
- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)
- [Evaluate Attack Surface Reduction](evaluate-attack-surface-reduction.md)

View File

@ -0,0 +1,97 @@
---
title: Turn Network Protection on
description: Enable Network Protection with Group Policy, PowerShell, or MDM CSPs
keywords: ANetwork Protection, exploits, malicious website, ip, domain, domains, enable, turn on
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
---
# Enable Network Protection
**Applies to:**
- Windows 10 Insider Preview
**Audience**
- Enterprise security administrators
**Manageability available with**
- Group Policy
- PowerShell
- Configuration service providers for mobile device management
Network Protection is a feature that is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). It helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
## Enable and audit Network Protection
You can enable Network Protection in either block or auditing mode (non-blocking, Windows Defender Advanced Threat Protection events only) with Group Policy, PowerShell, or MDM settings with CSP.
For further details on how audit mode works, and when you might want to use it, see the [auditing Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md).
>[!NOTE]
>What does it mean by non blocking ATP events only?
### Use Group Policy to enable Network Protection
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Network Protection**.
6. Double-click the **Prevent users and apps from accessing dangerous websites** setting and set the option to **Enabled**. In the options section you must specify one of the following:
- **Block** - Users will not be able to access malicious IP addresses and domains
- **Disable (Default)** - The Network Protection feature will not work. Users will not be blocked from accessing malicious domains
- **Audit Mode** - If a user visits a malicious IP address or domain, an event will be recorded in the Windows event log but the user will not be blocked from visiting the address.
>[!IMPORTANT]
>To fully enable the Network Protection feature, you must set the Group Policy option to **Enabled** and also select **Block** in the options drop-down menu.
### Use PowerShell to enable Network Protection
1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
2. Enter the following cmdlet:
```
Set-MpPreference -EnableNetworkProtection Enabled
```
You can enable the feauting in auditing mode using the following cmdlet:
```
Set-MpPreference -EnableNetworkProtection AuditMode
```
Use `Disabled` insead of `AuditMode` or `Enabled` to turn the feature off.
### Use MDM CSPs to enable Network Protection
Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection) configuration service provider (CSP) to enable and configure Network Protection.
## Related topics
- [Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md)
- [Evaluate Network Protection](evaluate-network-protection.md)
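Review bot: the ">[!NOTE]" block under "Enable and audit Network Protection" still contains an author's open question (">What does it mean by non blocking ATP events only?") and will be published as-is; either answer it in the body (the audit-mode description later in the hunk already says an event is recorded and the user is not blocked) or drop the note before merge. Other points in this file: the front matter repeats "ms.pagetype: security" twice and "keywords:" starts with "ANetwork Protection"; the Group Policy steps are numbered 1, 3, 4, 5, 6 with step 2 missing; "feauting" should be "feature" and "insead" should be "instead"; and the two cmdlet fences in the PowerShell section have no language tag while the evaluate topic in this same commit uses ```PowerShell, so tag them the same way.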

View File

@ -1,7 +1,7 @@
---
title:
description:
keywords:
title: Conduct a demo to see how Network Protection works
description: Quickly see how Network Protection works by performing common scenarios that it protects against
keywords: Network Protection, exploits, malicious website, ip, domain, domains, evaluate, test, demo
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@ -13,116 +13,98 @@ author: iaanw
ms.author: iawilt
---
## Policy settings for Windows Defender EG
The MDM policy settings for Windows Defender EG are listed in this section, along with example settings.
### Network Filter
In Windows 10, Version 1709, you can enable Windows Defender EG Network Protection to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
You can enable Network Protection in either block or audit mode (non-blocking, ATP events only) with Group Policy, WMI/PowerShell, or MDM settings with CSP.
#### Group Policy
The Network Protection feature can be configured with the following Group Policy details:
- Location: \Microsoft\Windows Defender Exploit Guard
- Name: Prevent users and apps from accessing dangerous websites
- Values: **Enabled**: Specify the mode in the **Options** section:
**Block**: Users and applications will not be able to access dangerous domains
**Audit**: Users and applications can connect to dangerous domains, however if this feature would have blocked access if it were set to block, then a record of the event will be in the event logs
The settings in the XML file will be applied to the endpoint
**Disabled**: Users and applications will not be blocked from connecting to dangerous domains.
**Not configured**: Same as **Disabled**.
To enable Network Protection in block mode, select the **Enabled** value and specify **Enabled** in the drop-down sub-option menu.
#### Windows Management Instrumentation/PowerShell
Use the following cmdlet to configure Network Protection:
```
Set-MpPreference -EnableNetworkProtection [Disabled|Enabled|AuditMode]
```
To enable Network Protection in Block mode, use:
```
Set-MpPreference -EnableNetworkProtection Enabled
```
#### Mobile device management/Configuration service provider
Use this CSP to configure Network Protection:
- Policy area: Defender
- Name: Defender\EnableNetworkProtection
- Supported Values:
-- 0: Disabled
-- 1: Enabled (Block Mode)
-- 2: Audit Mode
To enable Network Protection in block mode, set **Defender\EnableNetworkProtection** to integer 1.
# Evaluate Network Protection
## Network Protection
**Applies to:**
- Windows 10 Insider Preview
**Audience**
- Enterprise security administrators
**Manageability available with**
Component | Configuration available with | Event ID | Corresponds to<74>
-|-|-|-
Network Filter | GP, MDM | Provider: Windows Defender |
| | | Event when settings are changed | <Evt-ID: 5007>
| | | Event when NW filter fires in Audit-mode | <Evt-ID: 1125>
| | | Event when NW filter fires in Block-mode | <Evt-ID: 1126>
- Group Policy
- PowerShell
- Configuration service providers for mobile device management
Network Protection is a feature that is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). It helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
### Audit/block modes
Each of these components can individually be enabled in audit or blocking mode.
This topic helps you evaluate Network Protection by enabling the feature and guiding you to a testing site.
Attack Surface Reduction and Controlled Folder Access also have mitigations that can be individually enabled in audit or blocking mode.
>[!NOTE]
>The site will replicate the behavior that would happen if a user visted a malicious site or domain. The sites in this evaluation topic are not malicious, they are specially created websites that pretend to be malicious.
## Enable Network Protection
1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
2. Enter the following cmdlet:
Component |Description |Rule/mitigation description |
-|-|-|-
Network Filter |Blocks outbound connection from any app to low rep IP/domain - This can be enabled in audit/block mode |Enable/disable/audit |Puts the feature in enable/disable or audit mode.
```PowerShell
Set-MpPreference -EnableNetworkProtection Enabled
```
You can also carry out the processes described in this topic in audit or disabled mode to see how the feature will work. Use the same PowerShell cmdlet as above, but replace `Enabled` with either `AuditMode` or `Disabled`.
### Visit a (fake) malicious domain
### Visit a malicious domain in block mode using Internet Explorer or Google Chrome
1. Enable Network Protection in block mode.
1. Open Internet Explorer, Google Chrome, or any other browser of your choice.
1. Go to [https://smartscreentestratings2.net](https://smartscreentestratings2.net)
You will get a 403 Forbidden response in the browser, and you will see an Action Center message saying that Windows Defender EG blocked a connection to a malicious site.
1. Go to [https://smartscreentestratings2.net](https://smartscreentestratings2.net).
You will get a 403 Forbidden response in the browser, and you will see a notification that the network connnection was blocked.
![](images/np-notif.png)
### Visit a malicious domain in audit mode using Internet Explorer or Google Chrome
1. Enable Network Protection in audit mode.
1. Open Internet Explorer, Google Chrome, or any other browser of your choice.
1. Go to [https://smartscreentestratings2.net](https://smartscreentestratings2.net)
You will be able to navigate successfully to the site. However, you can see an audit event in Windows Defender ATP or in the Windows Event Log (under Windows Defender > Operational).
## Review Network Protection events in Windows Event Viewer
You can also review the Windows event log to see the events there were created when performing the demo:
1. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
2. On the left panel, under **Actions**, click **Import custom view...**
3. Navigate to the Exploit Guard Evaluation Package, and select the file *np-events.xml*. Alternatively, [download the XML directly](scripts/np-events.xml).
4. Click **OK**.
5. This will create a custom view that filters to only show the following events related to Network Protection:
Event ID | Description
-|-
5007 | Event when settings are changed
1125 | Event when rule fires in Audit-mode
1126 | Event when rule fires in Block-mode
### Visit a malicious domain in Microsoft Edge
1. Enable Network Protection in bmode.
1. Ensure that SmartScreen is enabled. (Start -> Windows Defender Security Center -> App & browser -> SmartScreen in Microsoft Edge -> Block or Warn)
1. Open Microsoft Edge.
1. Go to [https://smartscreentestratings2.net](https://smartscreentestratings2.net)
You will see a SmartScreen malware/phishing warning. This is the 1st class experience for Microsoft Edge.
## Use auditing mode to measure impact
You can also enable the Network Protection feature in auditing mode. This lets you see a record of what IPs and domains would have been blocked if the feature were enabled.
You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how often the feature will block connections during normal use.
To enable audit mode, use the following PowerShell cmdlet:
```PowerShell
Set-MpPreference -EnableNetworkProtection AuditMode
```
## Enabling Windows Defender EG rules in audit mode
Use the script Enable-ExploitGuardAuditMode.ps1 to turn on the ASR rules and Controlled Folder Access into audit mode via Local GP on a device. This allows one to observe how the rules would perform across various machines in your system, and determine which can be turned on in Block mode and if any exclusions need to be applied.
**Note:** Rename Enable-ExploitGuardAuditMode.rename to Enable-ExploitGuardAuditMode.ps1
Run the following in an elevated powershell prompt:
- Set-ExecutionPolicy Bypass -Force
- .\Enable-ExploitGuardAuditMode.ps1
Successful output should indicate ASR and Controlled Folder Access were turned on in audit mode
>[!TIP]
>If you want to fully audit how Network Protection will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s).
You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Network Protection topic](network-protection-exploit-guard.md).
## Monitoring with Windows Defender Advanced Threat Protection
Windows Defender EG events can be found in event logs, or if the enterprise uses Windows Defender ATP, the Windows Defender Security Center
## Related topics
- [Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md)
- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)
- [Use audit mode to evaluate Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md)
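Review bot: in "Visit a malicious domain in Microsoft Edge", step 1 reads "Enable Network Protection in bmode", which leaves the reader unsure whether block or audit mode is meant; given the expected SmartScreen warning, spell out "block mode". The audit-mode scenario tells readers to look "in the Windows Event Log (under Windows Defender > Operational)", but the custom view added in this commit filters on the channel "Microsoft-Windows-Windows Defender/Operational"; quoting the channel name as it appears in Event Viewer (Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational) avoids a hunt. The block-mode scenario also still has both the old and the new "Go to https://smartscreentestratings2.net" steps and both "You will get a 403 Forbidden response..." sentences; keep one pair. Smaller fixes: "visted" in the note, "connnection" in the block-mode result, "1st class experience" reads as draft wording, and the "Enabling Windows Defender EG rules in audit mode" section that this hunk removes is the same text moved into the first file of this commit, so confirm the script instructions are not meant to stay here as well.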

Binary file not shown.


View File

@ -1,7 +1,7 @@
---
title: Use Windows Defender Exploit Guard to protect your corporate network
description: Windows Defender Exploit Guard consists of features that can protect your network from malware and threat infection. It replaces EMET.
keywords: emet, exploit guard, Controlled Folder Access, Network Protection, Exploit Protection, Attack Surface Reduction, hips, host intrusion prevention system
title: Use Network Protection to prevent connections to suspicious domains
description: Protect your network by preventing users from accessing known malicious and suspicious network addresses
keywords: Network Protection, exploits, malicious website, ip, domain, domains
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@ -15,12 +15,11 @@ ms.author: iawilt
# Windows Defender Exploit Guard
# Protect your network with Windows Defender Exploit Guard
**Applies to:**
- Windows 10 Insider Preview, build 16232 and later
- Windows 10 Insider Preview
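Review bot: dropping "build 16232 and later" from the "Applies to" line removes the only version gate a reader sees before the Requirements table further down (which still says "Insider Preview build 16232 or later"); if the build is still a hard requirement for Network Protection, keeping it on the "Applies to" line matches how the other Exploit Guard topics present it, and if it is not, the Requirements table should change in the same commit so the two do not disagree.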
**Audience**
@ -31,16 +30,53 @@ ms.author: iawilt
- Group Policy
- PowerShell
- Windows Management Instrumentation (WMI)
- System Center Configuration Manager
- Microsoft Intune
- Windows Defender Security Center app
- Configuration service providers for mobile device management
Network Protection is a feature that is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). It helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
You can enable Network Protection in either block or auditing mode (non-blocking, Windows Defender Advanced Threat Protection events only) with Group Policy, PowerShell, or MDM settings with CSP.
## Requirements
The following requirements must be met before Network Protection will work:
Windows 10 version | Windows Defender Antivirus
- | -
Insider Preview build 16232 or later (dated July 1, 2017 or later) | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) must be enabled
## Review Network Protection events in Windows Event Viewer
You can review the Windows event log to see events there are created when Network Protection blocked access to a malicious IP or domain:
1. Download the [Exploit Guard Evaluation Package](#) and extract the file *np-events.xml* to an easily accessible location on the machine.
1. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
2. On the left panel, under **Actions**, click **Import custom view...**
3. Navigate to the Exploit Guard Evaluation Package, and select the file *np-events.xml*. Alternatively, [download the XML directly](scripts/np-events.xml).
4. Click **OK**.
5. This will create a custom view that filters to only show the following events related to Network Protection:
Event ID | Description
-|-
5007 | Event when settings are changed
1125 | Event when Network Protection fires in Audit-mode
1126 | Event when Network Protection fires in Block-mode
## In this section
Set-MpPreference -EnableNetworkProtection [Disabled|Enabled|AuditMode]
Topic | Description
---|---
[Evaluate Network Protection](evaluate-network-protection.md) | Undertake a number of scenarios that demonstrate how the feature works, and what events would typically be created.
[Enable Network Protection](enable-network-protection.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage the Network Protection feature in your network.
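Review bot: the bare line "Set-MpPreference -EnableNetworkProtection [Disabled|Enabled|AuditMode]" sits between the "## In this section" heading and the topic table with no fence or sentence around it; it looks like a leftover from the section removed in the evaluate topic and should be deleted here or moved into the "Enable Network Protection" topic where the cmdlet is documented. The "Download the [Exploit Guard Evaluation Package](#)" step still links to "#", so readers get nothing; fill in the real URL or drop the step, since the next steps already point at "scripts/np-events.xml". The same list is numbered 1, 1, 2, 3, 4, 5; renumber so the download step is step 1 and the Event Viewer step is step 2. Minor: "to see events there are created" should read "to see the events that are created".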

View File

@ -0,0 +1,21 @@
<ViewerConfig>
<QueryConfig>
<QueryParams>
<Simple>
<Channel>Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender/WHC</Channel>
<EventId>1125,1126,5007</EventId>
<RelativeTimeInfo>0</RelativeTimeInfo>
<BySource>False</BySource>
</Simple>
</QueryParams>
<QueryNode>
<Name>Network Protection view</Name>
<QueryList>
<Query Id="0" Path="Microsoft-Windows-Windows Defender/Operational">
<Select Path="Microsoft-Windows-Windows Defender/Operational">*[System[(EventID=1125 or EventID=1126 or EventID=5007)]]</Select>
<Select Path="Microsoft-Windows-Windows Defender/WHC">*[System[(EventID=1125 or EventID=1126 or EventID=5007)]]</Select>
</Query>
</QueryList>
</QueryNode>
</QueryConfig>
</ViewerConfig>
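Review bot: the view filters on EventID 5007 alongside 1125 and 1126, and 5007 is the generic "settings were changed" event for Windows Defender (the table in the network protection topic labels it "Event when settings are changed"), so this custom view will also show every other Defender configuration change on the machine, not just Network Protection toggles; either note that in the prose that points readers at this view, or drop 5007 from the `<EventId>` list and the `*[System[(EventID=...)]]` selects if the intent is a Network Protection-only view. The prose in this commit refers to the log as "Windows Defender > Operational"; the channel this file queries is "Microsoft-Windows-Windows Defender/Operational", so quoting that name in the topics keeps them consistent with what the XML actually selects.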

View File

@ -49,12 +49,12 @@ Windows Defender EG can be managed and reported on in the Windows Defender Secur
Each of the features in Windows Defender EG have slightly different requirements:
Feature | Minimum Windows 10 Insider Preview build | Windows Defender Antivirus | Windows Defender Advanced Threat Protection license
Feature | Windows Defender Antivirus | Windows Defender Advanced Threat Protection license
-|-|-|-
Exploit Protection | 16232 | No requirement | Required for reporting in the Windows Defender ATP console
Attack Surface Reduction | 16232 | Must be enabled | Required
Network Protection | Not released | Must be enabled | Required for reporting in the Windows Defender ATP console
Controlled Folder Access | 16232 | Must be enabled | Required for reporting in the Windows Defender ATP console
Exploit Protection | No requirement | Required for reporting in the Windows Defender ATP console
Attack Surface Reduction | Must be enabled | Required
Network Protection | Must be enabled | Required for reporting in the Windows Defender ATP console
Controlled Folder Access | Must be enabled | Required for reporting in the Windows Defender ATP console
> [!NOTE]
> Each feature's requirements are further described in the individual topics in this library.
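Review bot: the new header row "Feature | Windows Defender Antivirus | Windows Defender Advanced Threat Protection license" has three columns, but the separator row below it is still the four-column "-|-|-|-" left over from the old table, so the table will not render as intended on the docs site; change the separator to "-|-|-" to match the new header and the three-column data rows. Minor: "Each of the features in Windows Defender EG have slightly different requirements" should read "has".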