--- title: Configure how ASR works so you can finetune the protection in your network description: You can individually set rules in audit, block, or disabled modes, and add files and folders that should be excluded from ASR keywords: Attack Surface Reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, customize, configure, exclude search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security localizationpriority: medium author: iaanw ms.author: iawilt --- # Customize Attack Surface Reduction **Applies to:** - Windows 10 Insider Preview **Audience** - Enterprise security administrators **Manageability available with** - Windows Defender Security Center app - Group Policy - PowerShell - Configuration service providers for mobile device management ## System-level mitigations What is the scope for these? Any app? Only Windows/system services? Signed apps? Known bad apps? System-level mitigations are applied to... You can set each of the following system-level mitigations to on, off, or the default value: Mitigation | Default value Control flow guard | On Data execution prevention | On Force randomization for images (Mandatory ASLR) | Off Randomize memory allocations (Bottom-up ASLR) | On Validate exception chains (SEHOP) | On Validate heap integrity | Off Generally, the default values should be used to... ### Control flow guard ### Data execution prevention ### Force randomization for images (Mandatory ASLR) ### Randomize memory allocations (Bottom-up ASLR) ### Validate exception chains (SEHOP) ### Validate heap integrity ### Configure system-level mitigations 1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label: ![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center](../windows-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png) 3. Under the **Controlled folder access** section, click **Protected folders** 4. Click **Add a protected folder** and follow the prompts to add apps. ![](images/cfa-prot-folders.png) You can now export these settings as an XML file. This allows you to copy the configuration from one machine onto other machines. ## Related topics - [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md) - [Enable Attack Surface Reduction](enable-attack-surface-reduction.md) - [Evaluate Attack Surface Reduction](evaluate-attack-surface-reduction.md)