---
title: Customize Exploit Protection
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
localizationpriority: medium
author: iaanw
ms.author: iawilt
---
# Customize Exploit Protection

**Applies to:**

- Windows 10 Insider Preview

**Audience**

- Enterprise security administrators

**Manageability available with**

- Windows Defender Security Center app
- Group Policy
- PowerShell
- Configuration service providers for mobile device management
Exploit Protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps.
It is part of Windows Defender Exploit Guard, which is itself a component in the new Windows Defender Advanced Threat Protection offering of security and threat prevention products.
You configure these settings using the Windows Defender Security Center on an individual machine, and then export the configuration as an XML file that you can deploy to other machines. You can use Group Policy to distribute the XML file to multiple devices at once.
This topic lists each of the mitigations available in Exploit Protection, indicates whether the mitigation can be applied system-wide or to individual apps, and provides a brief description of how the mitigation works.
It also describes how to enable or configure the mitigations using Windows Defender Security Center, PowerShell, and MDM CSPs. This is the first step in creating a configuration that you can deploy across your network. The next step involves generating or exporting, importing, and deploying the configuration to multiple devices.
## System-level mitigations
What is the scope for these? Any app? Only Windows/system services? Signed apps? Known bad apps?
System-level mitigations are applied to ... They can also be enabled or configured for individual apps.
You can set each of the following system-level mitigations to on, off, or their default value as indicated in the following table.
See the PowerShell reference table at the bottom of this topic for information on configuring Exploit Protection mitigations with PowerShell cmdlets. The following section describes how to configure mitigations using the Windows Defender Security Center app.
### Configure system-level mitigations

1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for Defender.

2. Click the App & browser control tile (or the app icon on the left menu bar) and then the Exploit protection label:

   Screenshot coming

3. Under the System settings section, find the mitigation you want to configure and select either:
   - On by default
   - Off by default
   - Use default

   > **Note**
   > You may see a User Account Control window when changing some settings. Enter administrator credentials to apply the setting.

4. Repeat this for all the system-level mitigations you want to configure.
You can now export these settings as an XML file or continue on to configure app-specific mitigations.
Exporting the configuration as an XML file allows you to copy the configuration from one machine onto other machines.
## App-specific mitigations
What is the scope for these? Any app? Only Windows/system services? Signed apps? Known bad apps?
You can configure any of the Exploit Protection mitigations for individual apps. The following table lists each mitigation, what it does, and any additional options.
### Configure app-specific mitigations

1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for Defender.

2. Click the App & browser control tile (or the app icon on the left menu bar) and then the Exploit protection settings at the bottom of the screen:

   Screenshot coming

3. Go to the Program settings section and choose the app you want to apply mitigations to:
   - If the app you want to configure is already listed, click it and then click Edit.
   - If the app is not listed, at the top of the list click Add program to customize and then choose how you want to add the app:
     - Use Add by program name to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
     - Use Choose exact file path to use a standard Windows Explorer file picker window to find and select the file you want.

4. After selecting the app, you'll see a list of all the mitigations that can be applied. To enable the mitigation, click the check box and then change the slider to On. Select any additional options. Choosing Audit will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.

5. Repeat this for all the apps and mitigations you want to configure. Click Apply when you're done setting up your configuration.
You can now export these settings as an XML file or return to configure system-level mitigations.
Exporting the configuration as an XML file allows you to copy the configuration from one machine onto other machines.
## PowerShell reference
You can use the Windows Defender Security Center app to configure exploit protection, or you can use PowerShell cmdlets.
The configuration settings that were most recently modified will always be applied - regardless of whether you use PowerShell or Windows Defender Security Center. This means that if you use the app to configure a mitigation, then use PowerShell to configure the same mitigation, the app will update to show the changes you made with PowerShell. If you were to then use the app to change the mitigation again, that change would apply.
> **Important**
> Any changes that are deployed to a machine through Group Policy will override the local configuration. When setting up an initial configuration, use a machine that will not have a Group Policy configuration applied to ensure your changes aren't overridden.
You can use the PowerShell verb `Get` or `Set` with the cmdlet `ProcessMitigation`. Using `Get` will list the current configuration status of any mitigations that have been enabled on the device.

Use `Set` to configure each mitigation in the following format:

```powershell
Set-ProcessMitigation -<scope> <app executable> -<action> <mitigation and options>,<mitigation and options>,<mitigation and options>
```
Where:

- `<scope>`:
  - `-Name` to indicate the mitigations should be applied to a specific app. Specify the app's executable after this flag.
  - `-System` to indicate the mitigation should be applied at the system level.
- `<action>`:
  - `-Enable` to enable the mitigation.
  - `-Disable` to disable the mitigation.
- `<mitigation and options>`:
  - The mitigation's cmdlet as defined in the mitigation cmdlets table below, along with any suboptions (surrounded with spaces). Each mitigation is separated with a comma.
For example, to enable the Data Execution Prevention (DEP) mitigation with ATL thunk emulation for an executable called testing.exe in the folder C:\Apps\LOB\tests, and to prevent that executable from creating child processes, you'd use the following command:

```powershell
Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable DEP, EmulateAtlThunks, DisallowChildProcessCreation
```

If you wanted to apply DEP at the system level, you'd use the following command:

```powershell
Set-ProcessMitigation -System -Enable DEP
```

To disable DEP, you'd use the same command but replace `-Enable` with `-Disable`.

You can also set some mitigations to audit mode. Instead of using the PowerShell cmdlet for the mitigation, use the Audit mode cmdlet as specified in the mitigation cmdlets table below.

For example, to enable Arbitrary Code Guard (ACG) in audit mode for the testing.exe used in the example above, you'd use the following command:

```powershell
Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable AuditDynamicCode
```

You can disable audit mode by using the same command but replacing `-Enable` with `-Disable`.
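The scope, action, mitigation list and audit mode steps above, combined into one script that applies them to the testing.exe from the example and then reads the result back with the `Get` verb. This is an added example, not part of the original topic; it assumes the same app path, that it runs from an elevated prompt, and that the object `Get-ProcessMitigation` returns exposes per-mitigation property groups (`Dep`, `DynamicCode`, `ChildProcess`) with ON/OFF/NOTSET values, which you should confirm against the cmdlet's output on your build.

```powershell
# Added example: enforce two mitigations, audit a third, then verify the effective state.
# Assumes the app path from the example above and an elevated PowerShell session.
$app = 'C:\Apps\LOB\tests\testing.exe'

# Keep an export of the current registry configuration as a record of the pre-change state.
$snapshot = Join-Path $env:TEMP 'ProcessMitigation-before.xml'
Get-ProcessMitigation -RegistryConfigFilePath $snapshot

# Enforce DEP (with ATL thunk emulation) and block child process creation for the app.
Set-ProcessMitigation -Name $app -Enable DEP, EmulateAtlThunks, DisallowChildProcessCreation

# Put Arbitrary Code Guard in audit mode only, so violations are logged rather than blocked.
Set-ProcessMitigation -Name $app -Enable AuditDynamicCode

# Read the configuration back. The property names used here are an assumption about the
# Get-ProcessMitigation output object; adjust them if your build reports different names.
$cfg = Get-ProcessMitigation -Name $app
$expected = [ordered]@{
    'DEP'                          = $cfg.Dep.Enable
    'EmulateAtlThunks'             = $cfg.Dep.EmulateAtlThunks
    'DisallowChildProcessCreation' = $cfg.ChildProcess.DisallowChildProcessCreation
    'AuditDynamicCode'             = $cfg.DynamicCode.Audit
}

$notApplied = @()
foreach ($name in $expected.Keys) {
    $state = [string]$expected[$name]
    '{0,-30} {1}' -f $name, $state
    if ($state -ne 'ON') { $notApplied += $name }
}

# A setting that did not take effect usually means Group Policy overrides the local value
# (see the Important note above). Undo the local change with -Disable so the machine is not
# left half-configured; note that -Disable records OFF explicitly rather than clearing the entry.
if ($notApplied.Count -gt 0) {
    Write-Warning ('Not applied: {0}. Snapshot of prior state: {1}' -f ($notApplied -join ', '), $snapshot)
    Set-ProcessMitigation -Name $app -Disable DEP, EmulateAtlThunks, DisallowChildProcessCreation, AuditDynamicCode
}
```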
The following table lists each mitigation, its associated PowerShell cmdlet, and indicates whether it can be applied system-wide or to individual apps. It also lists any optional cmdlets and the appropriate audit mode cmdlet.
## PowerShell

You can also use PowerShell to set these mitigation policies and to convert EMET policies to Windows Defender EG, as demonstrated in the following examples:
```powershell
# Get the current settings in the registry for processName.exe
Get-ProcessMitigation -Name processName.exe

# Export the current settings to filename.xml
Get-ProcessMitigation -RegistryConfigFilePath filename.xml

# Import the settings in filename.xml to the system
Set-ProcessMitigation -PolicyFilePath filename.xml

# Enable a list of mitigations
Set-ProcessMitigation -Name processName.exe -Enable SEHOP,DEP

# Disable a list of mitigations
Set-ProcessMitigation -Name processName.exe -Disable SEHOP,DEP

# Set the EAFModules for dllName1.dll & dllName2.dll for processName.exe
Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll

# Convert an EMET file named emetFile.xml to the new Windows 10 format, filename.xml
ConvertTo-ProcessMitigationPolicy -EMETFilePath emetFile.xml -OutputFilePath filename.xml
```