deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-18 11:53:37 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'master' into csp-holographic-list-update

Browse Source
This commit is contained in:
Heidi Lohr
2019-02-15 09:50:15 -08:00
parent f7c4d8eaa9 c2aa20b3c2
commit fbc3494f73
32 changed files with 452 additions and 277 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
windows/configuration/change-history-for-configure-windows-10.md
View File

@ -17,6 +17,13 @@ ms.date: 11/07/2018
This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for Windows 10 and Windows 10 Mobile.
## February 2019
New or changed topic | Description
--- | ---
[Set up a single-app kiosk](kiosk-single-app.md) | Replaced instructions for Microsoft Intune with a link to the Intune documentation.
[Set up a multi-app kiosk](lock-down-windows-10-to-specific-apps.md) | Replaced instructions for Intune with a link to the Intune documentation.
## January 2019
New or changed topic | Description

4
windows/configuration/kiosk-shelllauncher.md
View File

@ -36,7 +36,7 @@ Using Shell Launcher, you can configure a kiosk device that runs a Windows deskt
### Requirements
## Requirements
>[!WARNING]
>- Windows 10 doesnt support setting a custom shell prior to OOBE. If you do, you wont be able to deploy the resulting image.
@ -50,7 +50,7 @@ Using Shell Launcher, you can configure a kiosk device that runs a Windows deskt
[See the technical reference for the shell launcher component.](https://go.microsoft.com/fwlink/p/?LinkId=618603)
### Configure Shell Launcher
## Configure Shell Launcher
To set a Windows desktop application as the shell, you first turn on the Shell Launcher feature, and then you can set your custom shell as the default using PowerShell.

20
windows/configuration/kiosk-single-app.md
View File

@ -238,30 +238,14 @@ When you use the **Provision kiosk devices** wizard in Windows Configuration Des
>
>Account type: Local standard user, Azure AD
![The configuration settings for single-app kiosk in Microsoft Intune](images/kiosk-intune.png)
Microsoft Intune and other MDM services enable kiosk configuration through the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp). Assigned Access has a `KioskModeApp` setting. In the `KioskModeApp` setting, you enter the user account name and the [AUMID](https://docs.microsoft.com/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app) for the app to run in kiosk mode.
>[!TIP]
>Starting in Windows 10, version 1803, a ShellLauncher node has been added to the [AssignedAccess CSP](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp).
The following steps explain how to configure a kiosk in Microsoft Intune. For other MDM services, see the documentation for your provider.
**To configure kiosk in Microsoft Intune**
2. In the Microsoft Azure portal, search for **Intune** or go to **More services** > **Intune**.
3. Select **Device configuration**.
4. Select **Profiles**.
5. Select **Create profile**.
6. Enter a friendly name for the profile.
7. Select **Windows 10 and later** for the platform.
8. Select **Device restrictions** for the profile type.
9. Select **Kiosk**.
10. In **Kiosk Mode**, select **Single app kiosk**.
1. Enter the user account (Azure AD or a local standard user account).
11. Enter the Application User Model ID for an installed app.
14. Select **OK**, and then select **Create**.
18. Assign the profile to a device group to configure the devices in that group as kiosks.
To configure a kiosk in Microsoft Intune, see [Windows 10 and Windows Holographic for Business device settings to run as a dedicated kiosk using Intune](https://docs.microsoft.com/intune/kiosk-settings). For other MDM services, see the documentation for your provider.

29
windows/configuration/lock-down-windows-10-to-specific-apps.md
View File

@ -46,30 +46,7 @@ You can configure multi-app kiosks using [Microsoft Intune](#intune) or a [provi
## Configure a kiosk in Microsoft Intune
1. [Generate the Start layout for the kiosk device.](#startlayout)
2. In the Microsoft Azure portal, search for **Intune** or go to **More services** > **Intune**.
3. Select **Device configuration**.
4. Select **Profiles**.
5. Select **Create profile**.
6. Enter a friendly name for the profile.
7. Select **Windows 10 and later** for the platform.
8. Select **Kiosk (Preview)** for the profile type.
9. Select **Kiosk - 1 setting available**.
10. Select **Add** to define a configuration, which specifies the apps that will run and the layout for the Start menu.
12. Enter a friendly name for the configuration.
10. In **Kiosk Mode**, select **Multi app kiosk**.
13. Select an app type.
- For **Add Win32 app**, enter a friendly name for the app in **App Name**, and enter the path to the app executable in **Identifier**.
- For **Add managed apps**, select an app that you manage through Intune.
- For **Add app by AUMID**, enter the Application User Model ID (AUMID) for an installed UWP app.
14. Select whether to enable the taskbar.
15. Browse to and select the Start layout XML file that you generated in step 1.
16. Add one or more accounts. When the account signs in, only the apps defined in the configuration will be available.
17. Select **OK**. You can add additional configurations or finish.
18. Assign the profile to a device group to configure the devices in that group as kiosks.
>[!NOTE]
>Managed apps are apps that are in the Microsoft Store for Business that is synced with your Intune subscription.
To configure a kiosk in Microsoft Intune, see [Windows 10 and Windows Holographic for Business device settings to run as a dedicated kiosk using Intune](https://docs.microsoft.com/intune/kiosk-settings). For explanations of the specific settings, see [Windows 10 and later device settings to run as a kiosk in Intune](https://docs.microsoft.com/intune/kiosk-settings-windows).
## Configure a kiosk using a provisioning package
@ -178,7 +155,7 @@ The profile **Id** is a GUID attribute to uniquely identify the profile. You can
- For UWP apps, you need to provide the App User Model ID (AUMID). [Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867), or [get the AUMID from the Start Layout XML](#startlayout).
- For desktop apps, you need to specify the full path of the executable, which can contain one or more system environment variables in the form of %variableName% (i.e. %systemroot%, %windir%).
- To configure the app to launch automatically when the user signs in, include `rs5:AutoLaunch="true"` after the AUMID or path. You can also include arguments to be passed to the app. For an example, see [the AllowedApps sample XML](#apps-sample).
- To configure a single app to launch automatically when the user signs in, include `rs5:AutoLaunch="true"` after the AUMID or path. You can also include arguments to be passed to the app. For an example, see [the AllowedApps sample XML](#apps-sample).
When the mult-app kiosk configuration is applied to a device, AppLocker rules will be generated to allow the apps that are listed in the configuration. Here are the predefined assigned access AppLocker rules for **UWP apps**:
@ -674,4 +651,4 @@ In Windows Configuration Designer, under **ProvisioningCommands** > **DeviceCont
## Other methods
Environments that use WMI can use the [MDM Bridge WMI Provider to configure a kiosk](kiosk-mdm-bridge.md).
Environments that use WMI can use the [MDM Bridge WMI Provider to configure a kiosk](kiosk-mdm-bridge.md).

1
windows/deployment/update/windows-as-a-service.md
View File

@ -24,6 +24,7 @@ Everyone wins when transparency is a top priority. We want you to know when upda
The latest news:
<ul compact style="list-style: none">
<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523">Windows Update for Business and the retirement of SAC-T</a> - February 14, 2019</li>
<li><a href="https://blogs.windows.com/windowsexperience/2019/01/15/application-compatibility-in-the-windows-ecosystem/#A8urpp1QEp6DHzmP.97">Application compatibility in the Windows ecosystem</a> - January 15, 2019</li>
<li><a href="https://blogs.windows.com/windowsexperience/2018/12/10/windows-monthly-security-and-quality-updates-overview/#UJJpisSpvyLokbHm.97">Windows monthly security and quality updates overview</a> - January 10, 2019</li>
<li><a href="https://blogs.windows.com/windowsexperience/2018/12/19/driver-quality-in-the-windows-ecosystem/#ktuodfovWAMAkssM.97">Driver quality in the Windows ecosystem</a> - December 19, 2018</li>

2
windows/deployment/windows-autopilot/registration-auth.md
View File

@ -39,7 +39,7 @@ For a CSP to register Windows Autopilot devices on behalf of a customer, the cus
![Request a reseller relationship](images/csp1.png)
- Select the checkbox indicating whether or not you want delegated admin rights:
![Delegated rights](images/csp2.png)
- NOTE: Depending on your partner, they might request Delegated Admin Permissions (DAP) when requesting this consent. You should ask them to use the newer DAP-free process (shown in tihs document) if possible. If not, you can easily remove their DAP status either from Microsoft Store for Business or the Office 365 admin portal: https://docs.microsoft.com/en-us/partner-center/customers_revoke_admin_privileges
- NOTE: Depending on your partner, they might request Delegated Admin Permissions (DAP) when requesting this consent. You should ask them to use the newer DAP-free process (shown in this document) if possible. If not, you can easily remove their DAP status either from Microsoft Store for Business or the Office 365 admin portal: https://docs.microsoft.com/en-us/partner-center/customers_revoke_admin_privileges
- Send the template above to the customer via email.
2. Customer with global administrator privileges in Microsoft Store for Business (MSfB) clicks the link in the body of the email once they receive it from the CSP, which takes them directly to the following MSfB page:

2
windows/deployment/windows-autopilot/self-deploying.md
View File

@ -18,7 +18,7 @@ ms.author: greg-lindsay
Windows Autopilot self-deploying mode enables a device to be deployed with little to no user interaction. For devices with an Ethernet connection, no user interaction is required; for devices connected via Wi-fi, no interaction is required after making the Wi-fi connection (choosing the language, locale, and keyboard, then making a network connection).
Self-deploying mode joins the device into Azure Active Directory, enrolls the device in Intune (or another MDM service) leveraging Azure AD for automatic MDM enrollment, and ensures that all policies, applications, certificates, and networking profiles are provisioned on the device, levering the enrollment status page to prevent access to the desktop until the device is fully provisioned.
Self-deploying mode joins the device into Azure Active Directory, enrolls the device in Intune (or another MDM service) leveraging Azure AD for automatic MDM enrollment, and ensures that all policies, applications, certificates, and networking profiles are provisioned on the device, leveraging the enrollment status page to prevent access to the desktop until the device is fully provisioned.
>[!NOTE]
>Self-deploying mode does not support Active Directory Join or Hybrid Azure AD Join. All devices will be joined to Azure Active Directory.

6
windows/security/threat-protection/TOC.md
View File

@ -7,7 +7,7 @@
##### [Hardware-based isolation](windows-defender-atp/overview-hardware-based-isolation.md)
###### [Application isolation](windows-defender-application-guard/wd-app-guard-overview.md)
####### [System requirements](windows-defender-application-guard/reqs-wd-app-guard.md)
###### [System isolation](windows-defender-atp/how-hardware-based-containers-help-protect-windows.md)
###### [System integrity](windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md)
##### [Application control](windows-defender-application-control/windows-defender-application-control.md)
##### [Exploit protection](windows-defender-exploit-guard/exploit-protection-exploit-guard.md)
##### [Network protection](windows-defender-exploit-guard/network-protection-exploit-guard.md)
@ -122,7 +122,9 @@
### [Configure and manage capabilities](windows-defender-atp/onboard.md)
#### [Configure attack surface reduction](windows-defender-atp/configure-attack-surface-reduction.md)
##### [Hardware-based isolation](windows-defender-application-guard/install-wd-app-guard.md)
####Hardware-based isolation
##### [System isolation](windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md)
##### [Application isolation](windows-defender-application-guard/install-wd-app-guard.md)
###### [Configuration settings](windows-defender-application-guard/configure-wd-app-guard.md)
##### [Application control](windows-defender-application-control/windows-defender-application-control.md)
##### Device control

7
windows/security/threat-protection/windows-defender-atp/TOC.md
View File

@ -5,7 +5,7 @@
#### [Hardware-based isolation](overview-hardware-based-isolation.md)
##### [Application isolation](../windows-defender-application-guard/wd-app-guard-overview.md)
###### [System requirements](../windows-defender-application-guard/reqs-wd-app-guard.md)
##### [System isolation](how-hardware-based-containers-help-protect-windows.md)
##### [System integrity](../windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md)
#### [Application control](../windows-defender-application-control/windows-defender-application-control.md)
#### [Exploit protection](../windows-defender-exploit-guard/exploit-protection-exploit-guard.md)
#### [Network protection](../windows-defender-exploit-guard/network-protection-exploit-guard.md)
@ -120,7 +120,9 @@
## [Configure and manage capabilities](onboard.md)
### [Configure attack surface reduction](configure-attack-surface-reduction.md)
#### [Hardware-based isolation](../windows-defender-application-guard/install-wd-app-guard.md)
###Hardware-based isolation
#### [System integrity](../windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md)
#### [Application isolation](../windows-defender-application-guard/install-wd-app-guard.md)
##### [Configuration settings](../windows-defender-application-guard/configure-wd-app-guard.md)
#### [Application control](../windows-defender-application-control/windows-defender-application-control.md)
#### Device control
@ -136,7 +138,6 @@
#### [Controlled folder access](../windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md)
##### [Customize controlled folder access](../windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md)
#### [Attack surface reduction controls](../windows-defender-exploit-guard/enable-attack-surface-reduction.md)
##### [Customize attack surface reduction](../windows-defender-exploit-guard/customize-attack-surface-reduction.md)
#### [Network firewall](../windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md)

58
windows/security/threat-protection/windows-defender-atp/how-hardware-based-containers-help-protect-windows.md
View File

@ -1,58 +0,0 @@
---
title: How hardware-based containers help protect Windows 10 (Windows 10)
description: Windows 10 uses containers to isolate sensitive system services and data, enabling them to remain secure even when the operating system has been compromised.
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
author: justinha
ms.date: 08/01/2018
---
# Windows Defender System Guard: How hardware-based containers help protect Windows 10
Windows 10 uses containers to isolate sensitive system services and data, enabling them to remain secure even when the operating system has been compromised.
Windows 10 protects critical resources, such as the Windows authentication stack, single sign-on tokens, Windows Hello biometric stack, and Virtual Trusted Platform Module, by using a container type called Windows Defender System Guard.
Windows Defender System Guard reorganizes the existing Windows 10 system integrity features under one roof and sets up the next set of investments in Windows security. It's designed to make the these security guarantees:
- Protect and maintain the integrity of the system as it starts up
- Protect and maintain the integrity of the system after it's running
- Validate that system integrity has truly been maintained through local and remote attestation
## Maintaining the integrity of the system as it starts
With Windows 7, one of the means attackers would use to persist and evade detection was to install what is often referred to as a bootkit or rootkit on the system. This malicious software would start before Windows started, or during the boot process itself, enabling it to start with the highest level of privilege.
With Windows 10 running on modern hardware (that is, Windows 8-certified or greater) we have a hardware-based root of trust that helps us ensure that no unauthorized firmware or software (such as a bootkit) can start before the Windows bootloader. This hardware-based root of trust comes from the devices Secure Boot feature, which is part of the Unified Extensible Firmware Interface (UEFI).
After successful verification and startup of the devices firmware and Windows bootloader, the next opportunity for attackers to tamper with the systems integrity is while the rest of the Windows operating system and defenses are starting. As an attacker, embedding your malicious code using a rootkit within the boot process enables you to gain the maximum level of privilege and gives you the ability to more easily persist and evade detection.
This is where Windows Defender System Guard protection begins with its ability to ensure that only properly signed and secure Windows files and drivers, including third party, can start on the device. At the end of the Windows boot process, System Guard will start the systems antimalware solution, which scans all third party drivers, at which point the system boot process is completed. In the end, Windows Defender System Guard helps ensure that the system securely boots with integrity and that it hasnt been compromised before the remainder of your system defenses start.
![Boot time integrity](images/windows-defender-system-guard-boot-time-integrity.png)
## Maintaining integrity of the system after its running (run time)
Prior to Windows 10, if an attacker exploited the system and gained SYSTEM level privilege or they compromised the kernel itself, it was game over. The level of control that an attacker would acquire in this condition would enable them to tamper with and bypass many, if not all, of your system defenses. While we have a number of development practices and technologies (such as Windows Defender Exploit Guard) that have made it difficult to gain this level of privilege in Windows 10, the reality is that we needed a way to maintain the integrity of the most sensitive Windows services and data, even when the highest level of privilege has been secured by an adversary.
With Windows 10, we introduced the concept of virtualization-based security (VBS), which enables us to contain the most sensitive Windows services and data in hardware-based isolation, which is the Windows Defender System Guard container. This secure environment provides us with the hardware-based security boundary we need to be able to secure and maintain the integrity of critical system services at run time like Credential Guard, Device Guard, Virtual TPM and parts of Windows Defender Exploit Guard, just to name a few.
![Windows Defender System Guard](images/windows-defender-system-guard.png)
## Validating platform integrity after Windows is running (run time)
While Windows Defender System Guard provides advanced protection that will help protect and maintain the integrity of the platform during boot and at run time, the reality is that we must apply an "assume breach" mentality to even our most sophisticated security technologies. We should be able to trust that the technologies are successfully doing their jobs, but we also need the ability to verify that they were successful in achieving their goals. When it comes to platform integrity, we cant just trust the platform, which potentially could be compromised, to self-attest to its security state. So Windows Defender System Guard includes a series of technologies that enable remote analysis of the devices integrity.
As Windows 10 boots, a series of integrity measurements are taken by Windows Defender System Guard using the devices Trusted Platform Module 2.0 (TPM 2.0). This process and data are hardware-isolated away from Windows to help ensure that the measurement data is not subject to the type of tampering that could happen if the platform was compromised. From here, the measurements can be used to determine the integrity of the devices firmware, hardware configuration state, and Windows boot-related components, just to name a few. After the system boots, Windows Defender System Guard signs and seals these measurements using the TPM. Upon request, a management system like Intune or System Center Configuration Manager can acquire them for remote analysis. If Windows Defender System Guard indicates that the device lacks integrity, the management system can take a series of actions, such as denying the device access to resources.
![Windows Defender System Guard](images/windows-defender-system-guard-validate-system-integrity.png)

7
windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md
View File

@ -35,13 +35,16 @@ The following steps guide you on how to create roles in Windows Defender Securit
3. Enter the role name, description, and permissions you'd like to assign to the role.
- **Role name**
- **Description**
- **Permissions**
- **View data** - Users can view information in the portal.
- **Alerts investigation** - Users can manage alerts, initiate automated investigations, collect investigation packages, manage machine tags, and export machine timeline.
- **Active remediation actions** - Users can take response actions and approve or dismiss pending remediation actions.
- **Manage portal system settings** - Users can configure storage settings, SIEM and threat intel API settings (applies globally), advanced settings, automated file uploads, roles and machine groups.
>[!NOTE]
>This setting is only available in the Windows Defender ATP administrator (default) role.
- **Manage security settings** - Users can configure alert suppression settings, manage allowed/blocked lists for automation, manage folder exclusions for automation, onboard and offboard machines, and manage email notifications.
4. Click **Next** to assign the role to an Azure AD group.

225
windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
View File

@ -1,6 +1,6 @@
---
title: Use attack surface reduction rules to prevent malware infection
description: ASR rules can help prevent exploits from using apps and scripts to infect machines with malware
description: Attack surface reduction rules can help prevent exploits from using apps and scripts to infect machines with malware
keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@ -11,7 +11,6 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 11/29/2018
---
# Reduce attack surfaces with attack surface reduction rules
@ -20,26 +19,25 @@ ms.date: 11/29/2018
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. This feature is part of Windows Defender Advanced Threat Protection and provides:
Attack surface reduction rules help prevent behaviors malware often uses to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, version 1803 or later, or Windows Server 2019.
- Rules you can set to enable or disable specific behaviors that are typically used by malware and malicious apps to infect machines, such as:
- Executable files and scripts used in Office apps or web mail that attempt to download or run files
- Scripts that are obfuscated or otherwise suspicious
- Behaviors that apps undertake that are not usually initiated during normal day-to-day work
- Centralized monitoring and reporting with deep optics that help you connect the dots across events, computers and devices, and networks
- Analytics to enable ease of deployment, by using [audit mode](audit-windows-defender-exploit-guard.md) to show how attack surface reduction rules would impact your organization if they were enabled
To use attack surface reduction rules, you need a Windows 10 Enterprise E3 license or higher. A Windows E5 license gives you the advanced management capabilities to power them. These include monitoring, analytics, and workflows available in [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the M365 Security Center. These advanced capabilities aren't available with an E3 license, but you can use attack surface reduction rule events in Event Viewer to help facilitate deployment.
When an attack surface reduction rule is triggered, a notification displays from the Action Center on the user's computer. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information.
Attack surface reduction rules target behaviors that malware and malicious apps typically use to infect computers, including:
Attack surface reduction is supported on Windows 10, version 1709 and later and Windows Server 2019.
- Executable files and scripts used in Office apps or web mail that attempt to download or run files
- Obfuscated or otherwise suspicious scripts
- Behaviors that apps don't usually initiate during normal day-to-day work
## Requirements
You can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks similar to malware. By monitoring audit data and [adding exclusions](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without impacting productivity.
Attack surface reduction rules are a feature of Windows Defender ATP and require Windows 10 Enterprise E5 and [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md).
Triggered rules display a notification on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. The notification also displays in the Windows Defender ATP Security Center and on the M365 console.
For information about configuring attack surface reduction rules, see [Enable attack surface reduction rules](enable-attack-surface-reduction.md).
## Attack surface reduction rules
The following sections describe what each rule does. Each rule is identified by a rule GUID, as in the following table.
The following sections describe each of the 15 attack surface reduction rules. This table shows their corresponding GUIDs, which you use if you're configuring the rules with Group Policy:
Rule name | GUID
-|-
@ -50,7 +48,7 @@ Block Office applications from injecting code into other processes | 75668C1F-73
Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D
Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
Block executable files from running unless they meet a prevalence, age, or trusted list criteria | 01443614-cd74-433a-b99e-2ecdc07bfc25
Block executable files from running unless they meet a prevalence, age, or trusted list criterion | 01443614-cd74-433a-b99e-2ecdc07bfc25
Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35
Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c
@ -58,147 +56,186 @@ Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9
Block Office communication application from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869
Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
### Rule: Block executable content from email client and webmail
Each rule description indicates which apps or file types the rule applies to. In general, the rules for Office apps apply to only Word, Excel, PowerPoint, and OneNote, or they apply to Outlook. Except where specified, attack surface reduction rules don't apply to any other Office apps.
This rule blocks the following file types from being run or launched from an email seen in either Microsoft Outlook or webmail (such as Gmail.com or Outlook.com):
### Block executable content from email client and webmail
This rule blocks the following file types from launching from email in Microsoft Outlook or Outlook.com and other popular webmail providers:
- Executable files (such as .exe, .dll, or .scr)
- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
- Script archive files
### Rule: Block all Office applications from creating child processes
Intune name: Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions)
Office apps will not be allowed to create child processes. This includes Word, Excel, PowerPoint, OneNote, and Access.
SCCM name: Block executable content from email client and webmail
>[!NOTE]
>This does not include Outlook. For Outlook, please see [Block Office communication applications from creating child processes](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#rule-block-office-communication-applications-from-creating-child-processes).
GUID: BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables.
### Block all Office applications from creating child processes
### Rule: Block Office applications from creating executable content
This rule blocks Office apps from creating child processes. This includes Word, Excel, PowerPoint, OneNote, and Access.
This rule targets typical behaviors used by suspicious and malicious add-ons and scripts (extensions) that create or launch executable files. This is a typical malware technique.
This is a typical malware behavior, especially malware that abuses Office as a vector, using VBA macros and exploit code to download and attempt to run additional payload. Some legitimate line-of-business applications might also use behaviors like this, including spawning a command prompt or using PowerShell to configure registry settings.
Extensions will be blocked from being used by Office apps. Typically these extensions use the Windows Scripting Host (.wsh files) to run scripts that automate certain tasks or provide user-created add-on features.
Intune name: Office apps launching child processes
### Rule: Block Office applications from injecting code into other processes
SCCM name: Block Office application from creating child processes
Office apps, including Word, Excel, PowerPoint, and OneNote, will not be able to inject code into other processes.
GUID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
This is typically used by malware to run malicious code in an attempt to hide the activity from antivirus scanning engines.
### Block Office applications from creating executable content
### Rule: Block JavaScript or VBScript From launching downloaded executable content
This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating executable content.
JavaScript and VBScript scripts can be used by malware to launch other malicious apps.
This rule targets a typical behavior where malware uses Office as a vector to break out of Office and save malicious components to disk, where they persist and survive a computer reboot. This rule prevents malicious code from being written to disk.
This rule prevents these scripts from being allowed to launch apps, thus preventing malicious use of the scripts to spread malware and infect machines.
Intune name: Office apps/macros creating executable content
### Rule: Block execution of potentially obfuscated scripts
SCCM name: Block Office applications from creating executable content
Malware and other threats can attempt to obfuscate or hide their malicious code in some script files.
GUID: 3B576869-A4EC-4529-8536-B80A7769E899
This rule prevents scripts that appear to be obfuscated from running.
### Block Office applications from injecting code into other processes
### Rule: Block Win32 API calls from Office macro
Attackers might attempt to use Office apps to migrate malicious code into other processes through code injection, so the code can masquerade as a clean process. This rule blocks code injection attempts from Office apps into other processes. There are no known legitimate business purposes for using code injection.
Malware can use macro code in Office files to import and load Win32 DLLs, which can then be used to make API calls to allow further infection throughout the system.
This rule applies to Word, Excel, and PowerPoint.
This rule attempts to block Office files that contain macro code that is capable of importing Win32 DLLs. This includes Word, Excel, PowerPoint, and OneNote.
Intune name: Office apps injecting code into other processes (no exceptions)
### Rule: Block executable files from running unless they meet a prevalence, age, or trusted list criteria
SCCM name: Block Office applications from injecting code into other processes
GUID: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
### Block JavaScript or VBScript from launching downloaded executable content
Malware often uses JavaScript and VBScript scripts to launch other malicious apps.
Malware written in JavaScript or VBS often acts as a downloader to fetch and launch additional native payload from the Internet. This rule prevents scripts from launching downloaded content, helping to prevent malicious use of the scripts to spread malware and infect machines. This isn't a common line-of-business use, but line-of-business applications sometimes use scripts to download and launch installers. You can exclude scripts so they're allowed to run.
>[!IMPORTANT]
>File and folder exclusions don't apply to this attack surface reduction rule.
Intune name: js/vbs executing payload downloaded from Internet (no exceptions)
SCCM name: Block JavaScript or VBScript from launching downloaded executable content
GUID: D3E037E1-3EB8-44C8-A917-57927947596D
### Block execution of potentially obfuscated scripts
Script obfuscation is a common technique that both malware authors and legitimate applications use to hide intellectual property or decrease script loading times. This rule detects suspicious properties within an obfuscated script.
Intune name: Obfuscated js/vbs/ps/macro code
SCCM name: Block execution of potentially obfuscated scripts.
GUID: 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
### Block Win32 API calls from Office macros
Office VBA provides the ability to use Win32 API calls, which malicious code can abuse. Most organizations don't use this functionality, but might still rely on using other macro capabilities. This rule allows you to prevent using Win32 APIs in VBA macros, which reduces the attack surface.
Intune name: Win32 imports from Office macro code
SCCM name: Block Win32 API calls from Office macros
GUID: 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
### Block executable files from running unless they meet a prevalence, age, or trusted list criterion
This rule blocks the following file types from being run or launched unless they meet prevalence or age criteria set by admins, or they are in a trusted list or exclusion list:
This rule blocks the following file types from launching unless they either meet prevalence or age criteria, or they're in a trusted list or exclusion list:
- Executable files (such as .exe, .dll, or .scr)
>[!NOTE]
>You must [enable cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule.
Intune name: Executables that don't meet a prevalence, age, or trusted list criteria
SCCM name: Block executable files from running unless they meet a prevalence, age, or trusted list criteria
GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25
### Rule: Use advanced protection against ransomware
### Use advanced protection against ransomware
This rule provides an extra layer of protection against ransomware. Executable files that enter the system will be scanned to determine whether they are trustworthy. If the files exhibit characteristics that closely resemble ransomware, they are blocked from being run or launched, provided they are not already in the trusted list or exception list.
This rule provides an extra layer of protection against ransomware. It scans executable files entering the system to determine whether they're trustworthy. If the files closely resemble ransomware, this rule blocks them from running, unless they're in a trusted list or exclusion list.
>[!NOTE]
>You must [enable cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule.
Intune name: Advanced ransomware protection
SCCM name: Use advanced protection against ransomware
GUID: c1db55ab-c21a-4637-bb3f-a12568109d35
### Rule: Block credential stealing from the Windows local security authority subsystem (lsass.exe)
### Block credential stealing from the Windows local security authority subsystem (lsass.exe)
Local Security Authority Subsystem Service (LSASS) authenticates users who log in to a Windows computer. Windows Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. This rule helps mitigate that risk by locking down LSASS.
>[!NOTE]
>Some apps are coded to enumerate all running processes and to attempt opening them with exhaustive permissions. This results in the app accessing LSASS even when it's not necessary. ASR will deny the app's process open action and log the details to the security event log. Entry in the event log for access denial by itself is not an indication of the presence of a malicious threat.
>In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that overly enumerates LSASS, you need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat.
Intune name: Flag credential stealing from the Windows local security authority subsystem
SCCM name: Block credential stealing from the Windows local security authority subsystem
GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
### Block process creations originating from PSExec and WMI commands
### Rule: Block process creations originating from PSExec and WMI commands
This rule blocks processes through PsExec and WMI commands from running, to prevent remote code execution that can spread malware attacks.
>[!IMPORTANT]
>File and folder exclusions do not apply to this attack surface reduction rule.
>[!WARNING]
>[Only use this rule if you are managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [System Center Configuration Manager](https://docs.microsoft.com/sccm) because this rule blocks WMI commands that the Configuration Manager client uses to function correctly.]
>Only use this rule if you're managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [System Center Configuration Manager](https://docs.microsoft.com/sccm) because this rule blocks WMI commands the SCCM client uses to function correctly.
Intune name: Process creation from PSExec and WMI commands
SCCM name: Not applicable
GUID: d1e49aac-8f56-4280-b9ba-993a6d77406c
### Rule: Block untrusted and unsigned processes that run from USB
### Block untrusted and unsigned processes that run from USB
With this rule, admins can prevent unsigned or untrusted executable files from running from USB removable drives, including SD cards. Blocked file types include:
- Executable files (such as .exe, .dll, or .scr)
- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
### Rule: Block Office communication application from creating child processes
Intune name: Untrusted and unsigned processes that run from USB
Outlook will not be allowed to create child processes.
SCCM name: Block untrusted and unsigned processes that run from USB
This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables.
GUID: b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
### Block Office communication application from creating child processes
This rule prevents Outlook from creating child processes. It protects against social engineering attacks and prevents exploit code from abusing a vulnerability in Outlook. To achieve this, the rule prevents the launch of additional payload while still allowing legitimate Outlook functions. It also protects against [Outlook rules and forms exploits](https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/) that attackers can use when a user's credentials are compromised.
>[!NOTE]
>This rule applies to Outlook only.
>This rule applies to Outlook and Outlook.com only.
### Rule: Block Adobe Reader from creating child processes
Intune name: Not yet available
This rule blocks Adobe Reader from creating child processes.
SCCM name: Not yet available
## Review attack surface reduction rule events in the Windows Defender ATP Security Center
GUID: 26190899-1602-49e8-8b27-eb1d0a1ce869
Windows Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).
### Block Adobe Reader from creating child processes
You can query Windows Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how attack surface reduction rules would affect your environment if they were enabled.
Through social engineering or exploits, malware can download and launch additional payloads and break out of Adobe Reader. This rule prevents attacks like this by blocking Adobe Reader from creating additional processes.
## Review attack surface reduction rule events in Windows Event Viewer
Intune name: Not applicable
You can review the Windows event log to see events that are created when an attack surface reduction rule is triggered (or audited):
SCCM name: Not applicable
1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *asr-events.xml* to an easily accessible location on the machine.
GUID: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
2. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
3. On the left panel, under **Actions**, click **Import custom view...**
4. Navigate to the Exploit Guard Evaluation Package, and select the file *asr-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
5. Click **OK**.
6. This will create a custom view that filters to only show the following events related to attack surface reduction rules:
Event ID | Description
-|-
5007 | Event when settings are changed
1122 | Event when rule fires in Audit-mode
1121 | Event when rule fires in Block-mode
### Event fields
- **ID**: matches with the Rule-ID that triggered the block/audit.
- **Detection time**: Time of detection
- **Process Name**: The process that performed the "operation" that was blocked/audited
- **Description**: Additional details about the event or audit, including Security intelligence, engine, and product version of Windows Defender Antivirus
## Attack surface reduction rules in Windows 10 Enterprise E3
A subset of attack surface reduction rules are also available on Windows 10 Enterprise E3 without the benefit of centralized monitoring, reporting, and analytics. For more information, see [Use attack surface reduction rules in Windows 10 Enterprise E3](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3).
## In this section
Topic | Description
---|---
[Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) | Use a tool to see a number of scenarios that demonstrate how attack surface reduction rules work, and what events would typically be created.
[Enable attack surface reduction rules](enable-attack-surface-reduction.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage attack surface reduction rules in your network.
[Customize attack surface reduction rules](customize-attack-surface-reduction.md) | Exclude specified files and folders from being evaluated by attack surface reduction rules and customize the notification that appears on a user's machine when a rule blocks an app or file.
## Related topics
- [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)

179
windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
View File

@ -11,101 +11,168 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 10/17/2018
---
# Enable attack surface reduction rules
**Applies to:**
[Attack surface reduction rules](attack-surface-reduction-exploit-guard.md) help prevent actions and apps that malware often uses to infect computers. You can set attack surface reduction rules for computers running Windows 10 or Windows Server 2019.
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
To use ASR rules, you need either a Windows 10 Enterprise E3 or E5 license. We recommend an E5 license so you can take advantage of the advanced monitoring and reporting capabilities available in Windows Defender Advanced Threat Protection (Windows Defender ATP). These advanced capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjuction with ASR rules.
Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients.
## Exclude files and folders from ASR rules
You can exclude files and folders from being evaluated by most attack surface reduction rules. This means that even if an ASR rule determines the file or folder contains malicious behavior, it will not block the file from running. This could potentially allow unsafe files to run and infect your devices.
>[!WARNING]
>Excluding files or folders can severely reduce the protection provided by ASR rules. Excluded files will be allowed to run, and no report or event will be recorded.
>
>If ASR rules are detecting files that you believe shouldn't be detected, you should [use audit mode first to test the rule](enable-attack-surface-reduction.md#enable-and-audit-attack-surface-reduction-rules).
>[!IMPORTANT]
>File and folder exclusions do not apply to the following ASR rules:
>
>- Block process creations originating from PSExec and WMI commands
>- Block JavaScript or VBScript from launching downloaded executable content
You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules the exclusions apply to.
ASR rules support environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
The following procedures for enabling ASR rules include instructions for how to exclude files and folders.
## Enable and audit attack surface reduction rules
You can use Group Policy, PowerShell, or MDM CSPs to configure the state or mode for each rule. This can be useful if you only want to enable some rules, or you want to enable rules individually in audit mode.
It's best to use an enterprise-level management platform like Intune or System Center Configuration Manager (SCCM) to configure ASR rules, but you can also use Group Policy, PowerShell, or third-party mobile device management (MDM) CSPs.
For further details on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md).
>[!WARNING]
>If you manage your computers and devices with Intune, SCCM, or other enterprise-level management platform, the management software will overwrite any conflicting Group Policy or PowerShell settings on startup.
Attack surface reduction rules are identified by their unique rule ID.
For a complete list of ASR rules, see [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md).
You can manually add the rules by using the GUIDs in the following table:
Each ASR rule contains three settings:
Rule description | GUID
-|-
Block executable content from email client and webmail | be9ba2d9-53ea-4cdc-84e5-9B1eeee46550
Block all Office applications from creating child processes | d4f940ab-401b-4efc-aadc-ad5f3c50688a
Block Office applications from creating executable content | 3b576869-a4eC-4529-8536-b80a7769e899
Block Office applications from injecting code into other processes | 75668c1f-73b5-4Cf0-bb93-3ecf5cb7cc84
Block JavaScript or VBScript from launching downloaded executable content | d3e037e1-3eb8-44c8-a917-57927947596d
Block execution of potentially obfuscated scripts | 5beb7efe-fd9A-4556-801d-275e5ffc04cc
Block Win32 API calls from Office macro | 92e97fa1-2edf-4476-bdd6-9dd0B4dddc7b
Block executable files from running unless they meet a prevalence, age, or trusted list criteria | 01443614-cd74-433a-b99e-2ecdc07bfc25
Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35
Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c
Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
Block Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869
Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
* Not configured: Disable the ASR rule
* Block: Enable the ASR rule
* Audit: Evaluate how the ASR rule would impact your organization if enabled
See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule.
For further details on how audit mode works and when to use it, see [Audit Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md).
### Use Group Policy to enable or audit attack surface reduction rules
### Enable ASR rules in Intune
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
1. In Intune, select *Device configuration* > *Profiles*. Choose an existing endpoint protection profile or create a new one. To create a new one, select *Create profile* and enter information for this profile. For *Profile type*, select *Endpoint protection*. If you've chosen an existing profile, select *Properties* and then select *Settings*.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
2. In the *Endpoint protection* pane, select *Windows Defender Exploit Guard*, then select *Attack Surface Reduction*. Select the desired setting for each ASR rule.
3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Attack surface reduction**.
3. Under *Attack Surface Reduction exceptions*, you can enter individual files and folders, or you can select *Import* to import a CSV file that contains files and folders to exclude from ASR rules. Each line in the CSV file should be in the following format:
4. Double-click the **Configure Attack surface reduction rules** setting and set the option to **Enabled**. You can then set the individual state for each rule in the options section:
4. Select *OK* on the three configuration panes and then select *Create* if you're creating a new endpoint protection file or *Save* if you're editing an existing one.
### Enable ASR rules in SCCM
For information about enabling ASR rules and setting exclusions in SCCM, see [Create and deploy an Exploit Guard policy](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/create-deploy-exploit-guard-policy).
### Enable ASR rules with Group Policy
>[!WARNING]
>If you manage your computers and devices with Intune, SCCM, or other enterprise-level management platform, the management software will overwrite any conflicting Group Policy settings on startup.
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Attack surface reduction**.
4. Select **Configure Attack surface reduction rules** and select **Enabled**. You can then set the individual state for each rule in the options section:
- Click **Show...** and enter the rule ID in the **Value name** column and your desired state in the **Value** column as follows:
- Block mode = 1
- Disabled = 0
- Audit mode = 2
- Disable = 0
- Block (enable ASR rule) = 1
- Audit = 2
![Group policy setting showing a blank attack surface reduction rule ID and value of 1](images/asr-rules-gp.png)
![Group policy setting showing a blank attack surface reduction rule ID and value of 1](images/asr-rules-gp.png)
5. To exclude files and folders from ASR rules, select the **Exclude files and paths from Attack surface reduction rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item.
### Use PowerShell to enable or audit attack surface reduction rules
### Enable ASR rules with PowerShell
>[!WARNING]
>If you manage your computers and devices with Intune, SCCM, or other enterprise-level management platform, the management software will overwrite any conflicting PowerShell settings on startup.
1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**.
1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
2. Enter the following cmdlet:
```PowerShell
Set-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions Enabled
```
You can enable the feature in audit mode using the following cmdlet:
To enable ASR rules in audit mode, use the following cmdlet:
```PowerShell
Add-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions AuditMode
```
Use `Disabled` insead of `AuditMode` or `Enabled` to turn the feature off.
```PowerShell
Add-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions AuditMode
```
>[!IMPORTANT>
>You must specify the state individually for each rule, but you can combine rules and states in a comma seperated list.
>
>In the following example, the first two rules will be enabled, the third rule will be disabled, and the fourth rule will be enabled in audit mode:
>
>```PowerShell
>Set-MpPreference -AttackSurfaceReductionRules_Ids <rule ID 1>,<rule ID 2>,<rule ID 3>,<rule ID 4> -AttackSurfaceReductionRules_Actions Enabled, Enabled, Disabled, AuditMode
>```
To turn off ASR rules, use the following cmdlet:
```PowerShell
Add-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions Disabled
```
You can also the `Add-MpPreference` PowerShell verb to add new rules to the existing list.
>[!IMPORTANT]
>You must specify the state individually for each rule, but you can combine rules and states in a comma-separated list.
>
>In the following example, the first two rules will be enabled, the third rule will be disabled, and the fourth rule will be enabled in audit mode:
>
>```PowerShell
>Set-MpPreference -AttackSurfaceReductionRules_Ids <rule ID 1>,<rule ID 2>,<rule ID 3>,<rule ID 4> -AttackSurfaceReductionRules_Actions Enabled, Enabled, Disabled, AuditMode
>```
>[!WARNING]
>`Set-MpPreference` will always overwrite the existing set of rules. If you want to add to the existing set, you should use `Add-MpPreference` instead.
>You can obtain a list of rules and their current state by using `Get-MpPreference`
You can also the `Add-MpPreference` PowerShell verb to add new rules to the existing list.
>[!WARNING]
>`Set-MpPreference` will always overwrite the existing set of rules. If you want to add to the existing set, you should use `Add-MpPreference` instead.
>You can obtain a list of rules and their current state by using `Get-MpPreference`
### Use MDM CSPs to enable attack surface reduction rules
3. To exclude files and folders from ASR rules, use the following cmdlet:
Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductionrules) configuration service provider (CSP) to individually enable and set the mode for each rule.
```PowerShell
Add-MpPreference -AttackSurfaceReductionOnlyExclusions "<fully qualified path or resource>"
```
Continue to use `Add-MpPreference -AttackSurfaceReductionOnlyExclusions` to add more files and folders to the list.
>[!IMPORTANT]
>Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list.
### Enable ASR rules with MDM CSPs
Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductionrules) configuration service provider (CSP) to individually enable and set the mode for each rule.
The following is a sample for reference, using [GUID values for ASR rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#attack-surface-reduction-rules).
OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules
Value: {75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}=2|{3B576869-A4EC-4529-8536-B80A7769E899}=1|{D4F940AB-401B-4EfC-AADC-AD5F3C50688A}=2|{D3E037E1-3EB8-44C8-A917-57927947596D}=1|{5BEB7EFE-FD9A-4556-801D-275E5FFC04CC}=0|{BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550}=1
The values to enable, disable, or enable in audit mode are:
- Disable = 0
- Block (enable ASR rule) = 1
- Audit = 2
Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductiononlyexclusions) configuration service provider (CSP) to add exclusions.
Example:
OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions
Value: c:\path|e:\path|c:\Whitelisted.exe
>[!NOTE]
>Be sure to enter OMA-URI values without spaces.
## Related topics
- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md)
- [Customize attack surface reduction](customize-attack-surface-reduction.md)
- [Evaluate attack surface reduction](evaluate-attack-surface-reduction.md)

4
windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 10/02/2018
ms.date: 02/14/2019
---
# Enable controlled folder access
@ -20,7 +20,7 @@ ms.date: 10/02/2018
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients.
[Controlled folder access](controlled-folders-exploit-guard.md) helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients.
This topic describes how to enable Controlled folder access with the Windows Security app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs).

6
windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 08/08/2018
ms.date: 02/14/2019
---
# Enable exploit protection
@ -20,9 +20,9 @@ ms.date: 08/08/2018
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
Exploit protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level.
[Exploit protection](exploit-protection-exploit-guard.md) helps protect against malware that uses exploits to infect devices and spread. It consists of a number of mitigations that can be applied to either the operating system or individual apps.
Many of the features that were part of the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection.
Many features from the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection.
## Enable and audit exploit protection

4
windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 05/30/2018
ms.date: 02/14/2019
---
# Enable network protection
@ -20,7 +20,7 @@ ms.date: 05/30/2018
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
Network protection helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
[Network protection](network-protection-exploit-guard.md) helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
This topic describes how to enable network protection with Group Policy, PowerShell cmdlets, and configuration service providers (CSPs) for mobile device management (MDM).

4
windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 11/29/2018
ms.date: 02/14/2019
---
# Protect your network
@ -71,7 +71,7 @@ You can review the Windows event log to see events that are created when network
1125 | Event when network protection fires in audit mode
1126 | Event when network protection fires in block mode
## In this section
## Related topics
Topic | Description
---|---

5
windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md
View File

@ -11,7 +11,6 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 09/18/2018
---
# Troubleshoot attack surface reduction rules
@ -40,7 +39,7 @@ Attack surface reduction rules will only work on devices with the following cond
> - Endpoints are running Windows 10 Enterprise E5, version 1709 (also known as the Fall Creators Update).
> - Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
> - [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled.
> - Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in the [Enable ASR topic](enable-attack-surface-reduction.md#use-group-policy-to-enable-or-audit-attack-surface-reduction-rules).
> - Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md).
If these pre-requisites have all been met, proceed to the next step to test the rule in audit mode.
@ -61,7 +60,7 @@ Follow the instructions in [Use the demo tool to see how attack surface reductio
Audit mode allows the rule to report as if it actually blocked the file or process, but will still allow the file to run.
1. Enable audit mode for the specific rule you want to test. Use Group Policy to set the rule to **Audit mode** (value: **2**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md#use-group-policy-to-enable-or-audit-attack-surface-reduction-rules).
1. Enable audit mode for the specific rule you want to test. Use Group Policy to set the rule to **Audit mode** (value: **2**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md).
2. Perform the activity that is causing an issue (for example, open or execute the file or process that should be blocked but is being allowed).
3. [Review the attack surface reductio rule event logs](attack-surface-reduction-exploit-guard.md) to see if the rule would have blocked the file or process if the rule had been set to **Enabled**.

83
windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md Normal file
View File

@ -0,0 +1,83 @@
---
title: How a hardware-based root of trust helps protect Windows 10 (Windows 10)
description: Windows 10 uses a hardware-based root of trust to securely protect systems against firmware exploits.
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: justinha
ms.date: 02/14/2019
---
# Windows Defender System Guard: How a hardware-based root of trust helps protect Windows 10
In order to protect critical resources such as the Windows authentication stack, single sign-on tokens, the Windows Hello biometric stack, and the Virtual Trusted Platform Module, a system's firmware and hardware must be trustworthy.
Windows Defender System Guard reorganizes the existing Windows 10 system integrity features under one roof and sets up the next set of investments in Windows security. It's designed to make these security guarantees:
- Protect and maintain the integrity of the system as it starts up
- Validate that system integrity has truly been maintained through local and remote attestation
## Maintaining the integrity of the system as it starts
### Static Root of Trust for Measurement (SRTM)
With Windows 7, one of the means attackers would use to persist and evade detection was to install what is often referred to as a bootkit or rootkit on the system.
This malicious software would start before Windows started, or during the boot process itself, enabling it to start with the highest level of privilege.
With Windows 10 running on modern hardware (that is, Windows 8-certified or greater) a hardware-based root of trust helps ensure that no unauthorized firmware or software (such as a bootkit) can start before the Windows bootloader.
This hardware-based root of trust comes from the devices Secure Boot feature, which is part of the Unified Extensible Firmware Interface (UEFI).
This technique of measuring the static early boot UEFI components is called the Static Root of Trust for Measurement (SRTM).
As there are thousands of PC vendors that produce numerous models with different UEFI BIOS versions, there becomes an incredibly large number of SRTM measurements upon bootup.
Two techniques exist to establish trust here—either maintain a list of known 'bad' SRTM measurements (also known as a blacklist), or a list of known 'good' SRTM measurements (also known as a whitelist).
Each option has a drawback:
- A list of known 'bad' SRTM measurements allows a hacker to change just 1 bit in a component to create an entirely new SRTM hash that needs to be listed.
- A list of known 'good' SRTM measurements requires each new BIOS/PC combination measurement to be carefully added, which is slow.
In addition, a bug fix for UEFI code can take a long time to design, build, retest, validate, and redeploy.
### Secure Launch—the Dynamic Root of Trust for Measurement (DRTM)
Windows Defender System Guard Secure Launch, first introduced in Windows 10 version 1809, aims to alleviate these issues by leveraging a technology known as the Dynamic Root of Trust for Measurement (DRTM).
DRTM lets the system freely boot into untrusted code initially, but shortly after launches the system into a trusted state by taking control of all CPUs and forcing them down a well-known and measured code path.
This has the benefit of allowing untrusted early UEFI code to boot the system, but then being able to securely transition into a trusted and measured state.
![System Guard Secure Launch](images/system-guard-secure-launch.png)
Secure Launch simplifies management of SRTM measurements because the launch code is now unrelated to a specific hardware configuration. This means the number of valid code measurements is small, and future updates can be deployed more widely and quickly.
### System Management Mode (SMM) protection
System Management Mode (SMM) is a special-purpose CPU mode in x86 microcontrollers that handles power management, hardware configuration, thermal monitoring, and anything else the manufacturer deems useful.
Whenever one of these system operations is requested, a non-maskable interrupt (SMI) is invoked at runtime, which executes SMM code installed by the BIOS.
SMM code executes in the highest privilege level and is invisible to the OS, which makes it an attractive target for malicious activity. Even if DRTM is used to late launch, SMM code can potentially access hypervisor memory and change the hypervisor.
To defend against this, two techniques are used:
1. Paging protection to prevent inappropriate access to code and data
2. SMM hardware supervision and attestation
Paging protection can be implemented to lock certain code tables to be read-only to prevent tampering.
This prevents access to any memory that has not been specifically assigned.
A hardware-enforced processor feature known as a supervisor SMI handler can monitor the SMM and make sure it does not access any part of the address space that it is not supposed to.
SMM protection is built on top of the Secure Launch technology and requires it to function.
In the future, Windows 10 will also measure this SMI Handlers behavior and attest that no OS-owned memory has been tampered with.
## Validating platform integrity after Windows is running (run time)
While Windows Defender System Guard provides advanced protection that will help protect and maintain the integrity of the platform during boot and at run time, the reality is that we must apply an "assume breach" mentality to even our most sophisticated security technologies. We should be able to trust that the technologies are successfully doing their jobs, but we also need the ability to verify that they were successful in achieving their goals. When it comes to platform integrity, we cant just trust the platform, which potentially could be compromised, to self-attest to its security state. So Windows Defender System Guard includes a series of technologies that enable remote analysis of the devices integrity.
As Windows 10 boots, a series of integrity measurements are taken by Windows Defender System Guard using the devices Trusted Platform Module 2.0 (TPM 2.0). This process and data are hardware-isolated away from Windows to help ensure that the measurement data is not subject to the type of tampering that could happen if the platform was compromised. From here, the measurements can be used to determine the integrity of the devices firmware, hardware configuration state, and Windows boot-related components, just to name a few.
![Boot time integrity](images/windows-defender-system-guard-boot-time-integrity.png)
After the system boots, Windows Defender System Guard signs and seals these measurements using the TPM. Upon request, a management system like Intune or System Center Configuration Manager can acquire them for remote analysis. If Windows Defender System Guard indicates that the device lacks integrity, the management system can take a series of actions, such as denying the device access to resources.

BIN
windows/security/threat-protection/windows-defender-system-guard/images/secure-launch-group-policy.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 152 KiB

BIN
windows/security/threat-protection/windows-defender-system-guard/images/secure-launch-msinfo.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 240 KiB

BIN
windows/security/threat-protection/windows-defender-system-guard/images/secure-launch-registry.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 35 KiB

BIN
windows/security/threat-protection/windows-defender-system-guard/images/secure-launch-security-app.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 47 KiB

BIN
windows/security/threat-protection/windows-defender-system-guard/images/security-center-firmware-protection.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 47 KiB

BIN
windows/security/threat-protection/windows-defender-system-guard/images/system-guard-secure-launch.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 62 KiB

BIN
windows/security/threat-protection/windows-defender-system-guard/images/windows-defender-system-guard-boot-time-integrity.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 46 KiB

BIN
windows/security/threat-protection/windows-defender-system-guard/images/windows-defender-system-guard-validate-system-integrity.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 41 KiB

BIN
windows/security/threat-protection/windows-defender-system-guard/images/windows-defender-system-guard.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 69 KiB

66
windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md Normal file
View File

@ -0,0 +1,66 @@
---
title: System Guard Secure Launch and SMM protection (Windows 10)
description: Explains how to configure System Guard Secure Launch and System Management Mode (SMM protection) to improve the startup security of Windows 10 devices.
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: justinha
ms.date: 02/14/2019
---
# System Guard Secure Launch and SMM protection
This topic explains how to configure System Guard Secure Launch and System Management Mode (SMM) protection to improve the startup security of Windows 10 devices.
## How to enable System Guard Secure Launch
You can enable System Guard Secure Launch by using any of these options:
- [Mobile Device Management (MDM)](#mobile-device-management)
- [Group Policy](#group-policy)
- [Windows Security app](#windows-security-app)
- [Registry](#registry)
### Mobile Device Management
System Guard Secure Launch can be configured for Mobile Device Management (MDM) by using DeviceGuard policies in the Policy CSP, specifically [DeviceGuard/ConfigureSystemGuardLaunch](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceguard#deviceguard-configuresystemguardlaunch).
### Group Policy
1. Click **Start** > type and then click **Edit group policy**.
2. Click **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard** > **Turn On Virtualization Based Security** > **Secure Launch Configuration**.
![Secure Launch Group Policy](images/secure-launch-group-policy.png)
### Windows Security app
Click **Start** > **Settings** > **Update & Security** > **Windows Security** > **Open Windows Security** > **Device security** > **Core isolation** > **Firmware protection**.
![Secure Launch Security App](images/secure-launch-security-app.png)
### Registry
1. Open Registry editor.
2. Click **HKEY_LOCAL_MACHINE** > **SYSTEM** > **CurrentControlSet** > **Control** > **DeviceGuard** > **Scenarios**.
3. Right-click **Scenarios** > **New** > **Key** and name the new key **SystemGuard**.
4. Right-click **SystemGuard** > **New** > **DWORD (32-bit) Value** and name the new DWORD **Enabled**.
5. Double-click **Enabled**, change the value to **1**, and click **OK**.
![Secure Launch Registry](images/secure-launch-registry.png)
## How to verify System Guard Secure Launch is configured and running
To verify that Secure Launch is running, use System Information (MSInfo32). Click **Start**, search for **System Information**, and look under **Virtualization-based Security Services Running** and **Virtualization-based Security Services Configured**.
![Secure Launch Security App](images/secure-launch-msinfo.png)