windows-itpro-docs/windows/threat-protection/windows-defender-exploit-guard/configure-system-exploit-protection.md
Iaan D'Souza-Wiltshire 48ff508ae9 ep changes
2017-08-16 11:26:51 -07:00


---
title: Configure how ASR works so you can fine-tune the protection in your network
description: You can individually set rules in audit, block, or disabled modes, and add files and folders that should be excluded from ASR
keywords: Attack Surface Reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, customize, configure, exclude
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
---
# Customize Attack Surface Reduction
**Applies to:**
- Windows 10 Insider Preview
**Audience**
- Enterprise security administrators
**Manageability available with**
- Windows Defender Security Center app
- Group Policy
- PowerShell
- Configuration service providers for mobile device management
## System-level mitigations
What is the scope for these? Any app? Only Windows/system services? Signed apps? Known bad apps?
System-level mitigations are applied to...
You can set each of the following system-level mitigations to on, off, or the default value:
Mitigation | Default value
-|-
Control flow guard | On
Data execution prevention | On
Force randomization for images (Mandatory ASLR) | Off
Randomize memory allocations (Bottom-up ASLR) | On
Validate exception chains (SEHOP) | On
Validate heap integrity | Off
Generally, the default values should be used to...
### Control flow guard
### Data execution prevention
### Force randomization for images (Mandatory ASLR)
### Randomize memory allocations (Bottom-up ASLR)
### Validate exception chains (SEHOP)
### Validate heap integrity
### Configure system-level mitigations
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:
![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center](../windows-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png)
3. Under the **Controlled folder access** section, click **Protected folders**.
4. Click **Add a protected folder** and follow the prompts to add apps.
![](images/cfa-prot-folders.png)
You can now export these settings as an XML file. This allows you to copy the configuration from one machine onto other machines.
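The following PowerShell sketch is an added example, not part of the original topic. It compares the machine's system-level mitigation settings with the defaults in the table above and then exports the configuration to XML. The `Get-ProcessMitigation` cmdlet and its property names come from the ProcessMitigations module and are not named on this page; the mapping from table rows to properties, the treatment of `NOTSET` as "default applies", and the output file name are assumptions.

```powershell
# Added example (not from the original topic). Run from an elevated prompt on a
# Windows 10 build that ships the ProcessMitigations module.

# Defaults copied from the table on this page. Category/Setting are the
# property names on the object returned by Get-ProcessMitigation -System
# (mapping assumed by this example).
$expected = [ordered]@{
    'Control flow guard'                              = @{ Category = 'Cfg';   Setting = 'Enable';              Default = 'ON'  }
    'Data execution prevention'                       = @{ Category = 'Dep';   Setting = 'Enable';              Default = 'ON'  }
    'Force randomization for images (Mandatory ASLR)' = @{ Category = 'Aslr';  Setting = 'ForceRelocateImages'; Default = 'OFF' }
    'Randomize memory allocations (Bottom-up ASLR)'   = @{ Category = 'Aslr';  Setting = 'BottomUp';            Default = 'ON'  }
    'Validate exception chains (SEHOP)'               = @{ Category = 'SEHOP'; Setting = 'Enable';              Default = 'ON'  }
    'Validate heap integrity'                         = @{ Category = 'Heap';  Setting = 'TerminateOnError';    Default = 'OFF' }
}

function Compare-SystemMitigation {
    param(
        [Parameter(Mandatory)] $Current,   # output of Get-ProcessMitigation -System
        [Parameter(Mandatory)] $Expected   # table of defaults defined above
    )
    foreach ($name in $Expected.Keys) {
        $entry = $Expected[$name]
        $configured = [string]$Current.($entry.Category).($entry.Setting)

        # Assumption: NOTSET means no explicit override exists, so the
        # default listed in the table is what is actually in effect.
        $effective = if ($configured -eq 'NOTSET') { $entry.Default } else { $configured }

        [pscustomobject]@{
            Mitigation  = $name
            Configured  = $configured
            Effective   = $effective
            PageDefault = $entry.Default
            Deviates    = ($effective -ne $entry.Default)
        }
    }
}

# Report every system-level mitigation and flag the ones that differ
# from the defaults listed in the table.
$report = Compare-SystemMitigation -Current (Get-ProcessMitigation -System) -Expected $expected
$report | Format-Table -AutoSize

# Export the current configuration to XML so it can be reviewed or copied
# to other machines (file name is a placeholder chosen for this example).
$exportPath = Join-Path $env:TEMP 'exploit-protection-settings.xml'
Get-ProcessMitigation -RegistryConfigFilePath $exportPath
```

Rows with `Deviates` set to `True` are the ones to review before the exported XML is copied to other machines.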
## Related topics
- [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md)
- [Enable Attack Surface Reduction](enable-attack-surface-reduction.md)
- [Evaluate Attack Surface Reduction](evaluate-attack-surface-reduction.md)