mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-21 05:13:40 +00:00
101 lines
2.8 KiB
Markdown
101 lines
2.8 KiB
Markdown
---
|
|
title: Configure how ASR works so you can finetune the protection in your network
|
|
description: You can individually set rules in audit, block, or disabled modes, and add files and folders that should be excluded from ASR
|
|
keywords: Attack Surface Reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, customize, configure, exclude
|
|
search.product: eADQiWindows 10XVcnh
|
|
ms.pagetype: security
|
|
ms.prod: w10
|
|
ms.mktglfcycl: manage
|
|
ms.sitesec: library
|
|
ms.pagetype: security
|
|
localizationpriority: medium
|
|
author: iaanw
|
|
ms.author: iawilt
|
|
---
|
|
|
|
# Customize Attack Surface Reduction
|
|
|
|
**Applies to:**
|
|
|
|
- Windows 10 Insider Preview
|
|
|
|
**Audience**
|
|
|
|
- Enterprise security administrators
|
|
|
|
|
|
**Manageability available with**
|
|
|
|
- Windows Defender Security Center app
|
|
- Group Policy
|
|
- PowerShell
|
|
- Configuration service providers for mobile device management
|
|
|
|
|
|
## System-level mitigations
|
|
|
|
What is the scope for these? Any app? Only Windows/system services? Signed apps? Known bad apps?
|
|
|
|
System-level mitigations are applied to...
|
|
|
|
You can set each of the following system-level mitigations to on, off, or the default value:
|
|
|
|
Mitigation | Default value
|
|
Control flow guard | On
|
|
Data execution prevention | On
|
|
Force randomization for images (Mandatory ASLR) | Off
|
|
Randomize memory allocations (Bottom-up ASLR) | On
|
|
Validate exception chains (SEHOP) | On
|
|
Validate heap integrity | Off
|
|
|
|
Generally, the default values should be used to...
|
|
|
|
|
|
|
|
### Control flow guard
|
|
|
|
|
|
|
|
### Data execution prevention
|
|
|
|
|
|
|
|
### Force randomization for images (Mandatory ASLR)
|
|
|
|
|
|
|
|
### Randomize memory allocations (Bottom-up ASLR)
|
|
|
|
|
|
|
|
### Validate exception chains (SEHOP)
|
|
|
|
|
|
|
|
### Validate heap integrity
|
|
|
|
|
|
### Configure system-level mitigations
|
|
|
|
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
|
|
|
|
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:
|
|
|
|
|
|
|
|
3. Under the **Controlled folder access** section, click **Protected folders**
|
|
|
|
4. Click **Add a protected folder** and follow the prompts to add apps.
|
|
|
|
|
|
|
|
You can now export these settings as an XML file. This allows you to copy the configuration from one machine onto other machines.
|
|
|
|
|
|
## Related topics
|
|
|
|
- [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md)
|
|
- [Enable Attack Surface Reduction](enable-attack-surface-reduction.md)
|
|
- [Evaluate Attack Surface Reduction](evaluate-attack-surface-reduction.md)
|
|
|