deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-25 07:13:37 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity
Files
3a0d20792348b58c7377d7cf55b14a3c54e94d02
windows-itpro-docs/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
Iaan D'Souza-Wiltshire c706a1d637 exp prot updates
2017-08-24 12:39:10 -07:00

219 lines
10 KiB
Markdown
Raw Blame History

---
title:
keywords:
description:
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
---
# Customize Exploit Protection
**Applies to:**
- Windows 10 Insider Preview
**Audience**
- Enterprise security administrators
**Manageability available with**
- Windows Defender Security Center app
- Group Policy
- PowerShell
- Configuration service providers for mobile device management
Exploit Protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps.
It is part of Windows Defender Exploit Guard, which is itself a component in the new Windows Defender Advanced Threat Protection offering of security and threat prevention products.
You configure these settings using the Windows Defender Security Center on an individual machine, and then export the configuration as an XML file that you can deploy to other machines. You can use Group Policy to distribute the XML file to multiple devices at once.
This topic lists each of the mitigations available in Exploit Protection, indicates whether the mitigation can be applied system-wide or to individual apps, and provides a brief description of how the mitigation works.
It also describes how to enable or configure the mitigations using Windows Defender Security Center, PowerShell, and MDM CSPs. This is the first step in creating a configuration that you can deploy across your network. The next step involves [generating or exporting, importing, and deploying the configuration to multiple devices](import-export-exploit-protection-emet-xml).
## System-level mitigations
> What is the scope for these? Any app? Only Windows/system services? Signed apps? Known bad apps?
System-level mitigations are applied to ... They can also be enabled or configured for individual apps.
You can set each of the following system-level mitigations to on, off, or their default value as indicated in the following table.
See the [PowerShell reference table](#powershell-reference) at the bottom of this topic for information on configuring Exploit Protection mitigations with PowerShell cmdlets. The following section describes how to configure mitigations using the Windows Defender Security Center app.
### Configure system-level mitigations
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then the **Exploit protection** label:
>Screenshot coming
3. Under the **System settings** section, find the mitigation you want to configure and select either:
- **On by default**
- **Off by default**
-** Use default**
>[!NOTE]
>You may see a User Account Control window when changing some settings. Enter administrator credentials to apply the setting.
4. Repeat this for all the system-level mitigations you want to configure.
You can now [export these settings as an XML file](import-export-exploit-protection-emet-xml) or continue on to configure app-specific mitigations.
Exporting the configuration as an XML file allows you to copy the configuration from one machine onto other machines.
## App-specific mitigations
> What is the scope for these? Any app? Only Windows/system services? Signed apps? Known bad apps?
You can configure any of the Exploit Protection mitigations for individual apps. The following table lists each mitigation, what it does, and any additional options.
### Configure app-specific mitigations
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then the **Exploit protection settings** at the bottom of the screen:
>Screenshot coming
3. Go to the **Program settings** section and choose the app you want to apply mitigations to:
1. If the app you want to configure is already listed, click it and then click **Edit**
2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app:
- Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
- Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
4. After selecting the app, you'll see a list of all the mitigations that can be applied. To enable the mitigation, click the check box and then change the slider to **On**. Select any additional options. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.
5. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration.
You can now [export these settings as an XML file](import-export-exploit-protection-emet-xml) or return to configure system-level mitigations.
Exporting the configuration as an XML file allows you to copy the configuration from one machine onto other machines.
## PowerShell reference
You can use the Windows Defender Security Center app to configure exploit protection, or you can use PowerShell cmdlets.
The configuration settings that were most recently modified will always be applied - regardless of whether you use PowerShell or Windows Defender Security Center. This means that if you use the app to configure a mitigation, then use PowerShell to configure the same mitigation, the app will update to show the changes you made with PowerShell. If you were to then use the app to change the mitigation again, that change would apply.
>[!IMPORTANT]
>Any changes that are deployed to a machine through Group Policy will override the local configuration. When setting up an initial configuration, use a machine that will not have a Group Policy configuration applied to ensure your changes aren't overriden.
You can use the PowerShell verb `Get` or `Set` with the cmdlet `ProcessMitigation`. Using `Get` will list the current configuration status of any mitigations that have been enabled on the device.
Use `Set` to make configure each mitigation in the following format:
```PowerShell
Set-ProcessMitigation -<scope> <app executable> -<action> <mitigation and options>,<mitigation and options>,<mitigation and options>
```
Where:
-<Scope>:
-`-Name` to indicate the mitigations should be applied to a specific app. Specify the app's executable after this flag.
-`-System` to indicate the mitigation should be applied at the system level
-<Action>:
-`-Enable` to enable the mitigation
-`-Disable` to disable the mitigation
-<Mitigation>:
-The mitigation's cmdlet as defined in the [mitigation cmdlets table](#cmdlets-table) below, along with any suboptions (surrounded with spaces). Each mitigation is seperated with a comma.
For example, to enable the Data Execution Prevention (DEP) mitigation with ATL thunk emulation and for an executable called *testing.exe* in the folder *C:\Apps\LOB\tests*, and to prevent that executable from creating child processes, you'd use the following command:
```PowerShell
Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable DEP EmulateAtlThunks, DisallowChildProcessCreation
```
If you wanted to apply DEP at the system level, you'd use the following command:
```PowerShell
Set-Processmitigation -System -Enable DEP
```
To disable DEP, you'd use the same command but replace `-Enable` with `-Disable`.
You can also set some mitigations to audit mode. Instead of using the PowerShell cmdlet for the mitigation, use the **Audit mode** cmdlet as specified in the [mitigation cmdlets table](#cmdlets-table) below.
For example, to enable Arbitrary Code Guard (ACG) in audit mode for the *testing.exe* used in the example above, you'd use the following command:
```PowerShell
Set-ProcesMitigation -Name c:\apps\lob\tests\testing.exe -Enable AuditDynamicCode
```
You can disable audit mode by using the same command but replacing `-Enable` with `-Disable`.
<a id="cmdlets-table"></a>
The following table lists each mitigation, its associated PowerShell cmdlet, and indicates whether it can be applied system-wide or to individual apps. It also lists any optional cmdlets and the appropriate audit mode cmdlet.
#### PowerShell
You can also use powershell to set these mitigation policies and to convert EMET policies to Windows Defender EG, as demonstrated in the following examples:
Get the current settings in the registry for processName.exe
```
Get-ProcessMitigation -Name processName.exe
```
Exports the current settings to the filename.xml
```
Get-ProcessMitigation -RegistryConfigFilePath filename.xml
```
Imports the settings in filename.xml to the system.
```
Set-ProcessMitigation -PolicyFilePath filename.xml
```
Enables a list of mitigations
```
Set-ProcessMitigation -Name processName.exe -Enable SEHOP,DEP
```
Disables a list of mitigations
```
Set-ProcessMitigation -Name processName.exe -Disable SEHOP,DEP
```
Sets the EAFModules for dllName1.dll & dllName2.dll for processName.exe
```
Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll
```
Converts an emet file named, emetFile.xml, to the new windows 10 format called, filename.xml
```
ConvertTo-ProcessMitigationPolicy -EMETFilePath emetFile.xml -OutputFilePath filename.xml
```
## Related topics
- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md)
- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md)
- [Evaluate Exploit Protection](evaluate-exploit-protection.md)
- [Enable Exploit Protection](enable-exploit-protection.md)
- [Import, export, and deploy Exploit Protection configurations](import-export-exploit-protection-emet-xml.md)
Reference in New Issue View Git Blame Copy Permalink