deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-21 05:13:40 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity
Files
79a99f52d8c555ad35c2de787e01bbf19bdeb6f0
windows-itpro-docs/windows/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md
Iaan D'Souza-Wiltshire 9d1d638b6a exprot
2017-08-20 17:56:07 -07:00

203 lines
9.1 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

---
title:
description:
keywords:
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
---
## Exploit Protection
Component | Configuration available with | Event ID | Corresponds to…
-|-|-|-
Exploit Protection | GP, MDM, PS & UI | Provider: Security-Mitigations |
| | | 1 | ACG audit
| | | 2 | ACG enforce
| | | 3 | Do not allow child processes audit
| | | 4 | Do not allow child processes block
| | | 5 | Block low integrity images audit
| | | 6 | Block low integrity images block
| | | 7 | Block remote images audit
| | | 8 | Block remote images block
| | | 9 | Disable win32k system calls audit
| | | 10 | Disable win32k system calls block
| | | 11 | Code integrity guard audit
| | | 12 | Code integrity guard block
| | | 13 | EAF audit
| | | 14 | EAF enforce
| | | 15 | EAF+ audit
| | | 16 | EAF+ enforce
| | | 17 | IAF audit
| | | 18 | IAF enforce
| | | 19 | ROP StackPivot audit
| | | 20 | ROP StackPivot enforce
| | | 21 | ROP CallerCheck audit
| | | 22 | ROP CallerCheck enforce
| | | 23 | ROP SimExec audit
| | | 24 | ROP SimExec enforce
Exploit Protection | GP, MDM, PS & UI |Provider: WER-Diagnostics |
| | | 5 | CFG Block
Exploit Protection | GP, MDM, PS & UI | Provider: Win32K |
| | | 260 | Untrusted Font
### Audit/block modes
Each of these components can individually be enabled in audit or blocking mode.
Attack Surface Reduction and Controlled Folder Access also have mitigations that can be individually enabled in audit or blocking mode.
Component |Description |Rule/mitigation description |
-|-|-|-
Exploit Protection |Provides memory, control flow and policy restrictions that can be used to protect an application from exploits. - Each mitigation can be enabled in audit/block mode |Memory exploit mitigation | DEP
| | | | ForceASLR
| | | | BottomUpASLR
| | | | HeapTermination
| | | | SEHOP
| | | | CFG
| | | | Strict handle checks
| | | | ACG
| | | | Untrusted font blocking
| | | | No child process
| | | | Win32k syscall disable
| | | | Extension point disable
| | | | Various image loading restrictions
| | | | Anti-ROP (CallerCheck, SimExec, StackPivot)
| | | | EAF, EAF+
| | | Control Flow mitigation |
| | | Process restrictions |
## Policy settings for Windows Defender EG
The MDM policy settings for Windows Defender EG are listed in this section, along with example settings.
### Exploit Protection
Exploit Protection has an improved manageability experience over EMET, including support for SCCM, Intune, Powershell, and Group Policy management.
>
> Note: SCCM and Intune will be supported in furture releases.
You can specify a common set of WD Exploit Guard system and application mitigation settings that can be applied to all endpoints that have this GP setting configured.
Note, however, that there are some prerequisites before you can enable this setting:
- Manually configure a device's system and application mitigation settings using the *Set-ProcessMitigation* PowerShell cmdlet, the *ConvertTo-ProcessMitigationPolicy* PowerShell cmdlet, or directly in the Windows Defender Security Center
>
> Note: Endpoints that have this GP setting set to **Enabled** must be able to access the XML file, otherwise the settings will not be applied.
- Generate an XML file with the settings from the device by running the *Get-ProcessMitigation* PowerShell cmdlet or using the **Export** button at the bottom of the **Exploit Protection** area in the Windows Defender Security Center.
- Place the generated XML file in a shared or local path.
#### Group policy
The Exploit Protection feature can be configured with the following Group Policy details:
- Location: \Microsoft\Windows Defender Exploit Guard\Exploit Protection
- Name: Use a common set of Exploit Protection settings
- Values: **Enabled**: Specify the location of the XML file in the Options section. You can use a local (or mapped) path, a UNC path, or a URL, such as the following:
-- C:\MitigationSettings\Config.XML
-- \\Server\Share\Config.xml
-- https://localhost:8080/Config.xml
The settings in the XML file will be applied to the endpoint.
**Disabled:** Common settings will not be applied, and the locally configured settings will be used instead.
**Not configured:** Same as **Disabled**.
#### PowerShell
You can also use powershell to set these mitigation policies and to convert EMET policies to Windows Defender EG, as demonstrated in the following examples:
Get the current settings in the registry for processName.exe
```
Get-ProcessMitigation -Name processName.exe
```
Exports the current settings to the filename.xml
```
Get-ProcessMitigation -RegistryConfigFilePath filename.xml
```
Imports the settings in filename.xml to the system.
```
Set-ProcessMitigation -PolicyFilePath filename.xml
```
Enables a list of mitigations
```
Set-ProcessMitigation -Name processName.exe -Enable SEHOP,DEP
```
Disables a list of mitigations
```
Set-ProcessMitigation -Name processName.exe -Disable SEHOP,DEP
```
Sets the EAFModules for dllName1.dll & dllName2.dll for processName.exe
```
Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll
```
Converts an emet file named, emetFile.xml, to the new windows 10 format called, filename.xml
```
ConvertTo-ProcessMitigationPolicy -EMETFilePath emetFile.xml -OutputFilePath filename.xml
```
### Make sure things are working
1. Apply a mitigation setting:
a. Launch PowerShell as an admin and run **Set—ProcessMitigation Name iexplore.exe Enable DisallowChildProcessCreation**
2. Validate that the setting is correctly applied:
a. Open Windows Defender Security Center -> App & browser control
b. Scroll to the bottom and under **Exploit protection**, click **Exploit protection settings** and navigate to the **Program settings** pivot
c. Scroll down to **iexplore.exe**, click on it and click **Edit**
d. Find the **Do not allow child processes** setting and make sure that **Override System settings** and **On** are set
3. Validate that Internet Explorer wont run:
a. Try launching iexplore.exe via the run dialog
b. An IE frame should appear and then close
4. Validate that event viewer reports that the mitigation fired:
a. Open Event Viewer
b. Navigate to Applications and Services Log -> Microsoft -> Windows -> Security-Mitigations -> Kernel Mode
c. Check for the following entry for Internet Explorer (event ID 4)
Process '\Device\HarddiskVolume1\Program Files\Internet Explorer\iexplore.exe' (PID 4692) was blocked from creating a child process 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' with command line '"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4692 CREDAT:75009 /prefetch:2'.
5. Undo the mitigation setting:
a. Open Windows Defender Security Center -> App & browser control
b. Scroll to the bottom and under **Exploit protection**, click on **Exploit protection settings** and navigate to the **Program settings** pivot
c. Scroll down to **iexplore.exe**, click on it and click **Edit**
d. Find the **Do not allow child processes **setting and toggle the **On** to **Off**
e. Click **Apply**
6. Validate that Internet Explorer runs:
a. Try launching iexplore.exe via the run dialog
b. IE should open as expected
### Converting and Applying an EMET config:
1. Export the existing EMET configuration. This can be done from the "Export" button in the GUI, or by running the command: **emet_conf.exe export emetConfig.xml**
2. In an elevated PowerShell window, convert the exported configuration with: **ConvertTo-ProcessMitigationPolicy -EMETFilePath emetConfig.xml -OutputFilePath win10Config.xml**
3. Note that this may give you some warnings, but these should be safe to ignore.
4. Apply the new configuration: from an elevated PowerShell window run **Set-ProcessMitigation -RegistryConfigFilePath win10Config.xml **
5. From here you can check or edit the settings in the new interface in the Windows Defender Security Center or with **Get-ProcessMitigation** (this command by itself will output the entire current state of the mitigations to the shell), and **Set-ProcessMitigation** respectively.
### Managing Exploit Protection through Group Policy
1. Launch Group Policy Management Console (gpmc.msc) and from within and existing or new GPO navigate to **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Exploit Guard\Exploit Protection** and open the policy named *Use a common set of exploit protection settings*.
2. Enable the setting as seen below and point to an accessible location for the client machines to the recently created XML.
3. Apply the new GP to targeted machines by direction OU membership, Security Group or WMI filter.
- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md)
- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md)
- [Enable Exploit Protection](enable-exploit-protection.md)
- [Configure and audit Exploit Protection mitigations](customize-exploit-protection.md)
- [Import, export, and deploy Exploit Protection configurations](import-export-exploit-protection-emet-xml.md)
Reference in New Issue View Git Blame Copy Permalink