mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-13 13:57:22 +00:00
---
title: Apply mitigations to help prevent attacks through vulnerabilities
keywords: mitigations, vulnerabilities, vulnerability, mitigation, exploit, exploits, emet
description: Exploit protection in Windows 10 provides advanced configuration over the settings offered in EMET.
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 05/30/2018
---

# Protect devices from exploits with Windows Defender Exploit Guard

**Applies to:**

- Windows 10, version 1709 and later
- Windows Server 2016

**Audience**

- Enterprise security administrators

**Manageability available with**

- Windows Defender Security Center app
- Group Policy
- PowerShell

Exploit protection automatically applies a number of exploit mitigation techniques to operating system processes and to individual apps.

It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).

>[!TIP]
>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.

Exploit protection works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), which gives you detailed reporting on Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).

You [configure these settings using the Windows Defender Security Center app or PowerShell](customize-exploit-protection.md) on an individual machine, and then [export the configuration as an XML file that you can deploy to other machines](import-export-exploit-protection-emet-xml.md). You can use Group Policy to distribute the XML file to multiple devices at once.

When a mitigation is triggered on the machine, a notification is displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable each mitigation individually to choose which techniques the feature monitors.

You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Exploit protection would impact your organization if it were enabled.

Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) have been included in Exploit protection, and you can convert and import existing EMET configuration profiles into Exploit protection. See the [Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender Exploit Guard topic](emet-exploit-protection-exploit-guard.md) for more information on how Exploit protection supersedes EMET and what the benefits are when considering moving to Exploit protection on Windows 10.

>[!IMPORTANT]
>If you are currently using EMET, you should be aware that [EMET will reach end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with Exploit protection in Windows 10. You can [convert an existing EMET configuration file into Exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings.

>[!WARNING]
>Some security mitigation technologies may have compatibility issues with some applications. You should test Exploit protection in all target use scenarios by using [audit mode](audit-windows-defender-exploit-guard.md) before deploying the configuration across a production environment or the rest of your network.

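The configure-in-audit-mode, then enforce, then export flow described above, as an added example that is not part of the original page. It uses the `Get-ProcessMitigation` and `Set-ProcessMitigation` cmdlets that ship with Windows 10 version 1709 and later; the app name, the export path and the particular mitigations chosen are assumptions for illustration.

```powershell
# Added example, not from the documentation page. Run in an elevated PowerShell
# session on Windows 10 1709 or later. App name and paths are placeholders.
$App        = 'SampleLineOfBusinessApp.exe'   # placeholder: your own app
$ExportPath = 'C:\Temp\ep-config.xml'          # placeholder export location

# 1. Start with the app-level mitigations in audit mode. The audit options
#    only write the Security-Mitigations audit events (IDs 1, 3 and 5 in the
#    event table below) without blocking anything, so users are not affected.
Set-ProcessMitigation -Name $App -Enable AuditDynamicCode,AuditChildProcess,AuditLowLabel

# 2. Confirm what is configured for the app before rolling anything out.
Get-ProcessMitigation -Name $App

# 3. After the audit events show no legitimate behaviour would be blocked,
#    switch the same three mitigations from audit to enforcement (these raise
#    the enforce/block events 2, 4 and 6 instead).
Set-ProcessMitigation -Name $App -Disable AuditDynamicCode,AuditChildProcess,AuditLowLabel
Set-ProcessMitigation -Name $App -Enable DynamicCode,DisallowChildProcessCreation,BlockLowLabel

# 4. Export the machine's whole Exploit protection configuration (system
#    defaults plus every per-app entry) to XML for distribution via Group Policy.
Get-ProcessMitigation -RegistryConfigFilePath $ExportPath

# 5. On a target machine the exported file is applied with:
#    Set-ProcessMitigation -PolicyFilePath $ExportPath
```

Mitigations whose audit option is not available in PowerShell (for example the EAF, IAF and ROP checks listed in the event table) go straight to enforcement, so test those on a pilot group before the wider rollout.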
## Requirements

Windows 10 version | Windows Defender Advanced Threat Protection
-|-
Windows 10 version 1709 or later | For full reporting, you need a license for [Windows Defender ATP](../windows-defender-atp/windows-defender-advanced-threat-protection.md)

## Review Exploit protection events in Windows Event Viewer

You can review the Windows event log to see events that are created when Exploit protection blocks (or audits) an app:

1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *ep-events.xml* to an easily accessible location on the machine.

2. Type **Event viewer** in the Start menu to open the Windows Event Viewer.

3. On the left panel, under **Actions**, click **Import custom view...**

    

4. Navigate to where you extracted *ep-events.xml* and select it. Alternatively, [copy the XML directly](event-views-exploit-guard.md).

5. Click **OK**.

6. This will create a custom view that filters to only show the following events related to Exploit protection:

Provider/source | Event ID | Description
-|:-:|-
Security-Mitigations | 1 | ACG audit
Security-Mitigations | 2 | ACG enforce
Security-Mitigations | 3 | Do not allow child processes audit
Security-Mitigations | 4 | Do not allow child processes block
Security-Mitigations | 5 | Block low integrity images audit
Security-Mitigations | 6 | Block low integrity images block
Security-Mitigations | 7 | Block remote images audit
Security-Mitigations | 8 | Block remote images block
Security-Mitigations | 9 | Disable win32k system calls audit
Security-Mitigations | 10 | Disable win32k system calls block
Security-Mitigations | 11 | Code integrity guard audit
Security-Mitigations | 12 | Code integrity guard block
Security-Mitigations | 13 | EAF audit
Security-Mitigations | 14 | EAF enforce
Security-Mitigations | 15 | EAF+ audit
Security-Mitigations | 16 | EAF+ enforce
Security-Mitigations | 17 | IAF audit
Security-Mitigations | 18 | IAF enforce
Security-Mitigations | 19 | ROP StackPivot audit
Security-Mitigations | 20 | ROP StackPivot enforce
Security-Mitigations | 21 | ROP CallerCheck audit
Security-Mitigations | 22 | ROP CallerCheck enforce
Security-Mitigations | 23 | ROP SimExec audit
Security-Mitigations | 24 | ROP SimExec enforce
WER-Diagnostics | 5 | CFG Block
Win32K | 260 | Untrusted Font

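The same events the custom view above filters on, pulled with `Get-WinEvent` and summarised per mitigation so you can compare audit counts with enforce counts before changing a setting. This is an added example, not part of the original page; the four channel names are assumed standard Windows log paths (they are not given on the page), while the event IDs and labels come from the table above.

```powershell
# Added example, not from the documentation page. Summarises the Exploit
# protection events from the table above for the last 7 days, per mitigation.
# The four channel names are assumed standard log paths, not taken from the page.
$Since = (Get-Date).AddDays(-7)

# Security-Mitigations IDs 1-24 come in audit/enforce pairs: ID 2k-1 is the
# audit event and ID 2k the enforce (block) event for the k-th name below.
$Names = @('ACG', 'Do not allow child processes', 'Block low integrity images',
           'Block remote images', 'Disable win32k system calls',
           'Code integrity guard', 'EAF', 'EAF+', 'IAF',
           'ROP StackPivot', 'ROP CallerCheck', 'ROP SimExec')

function Get-MitigationLabel {
    param([string]$LogName, [int]$Id)
    switch -Wildcard ($LogName) {
        '*Security-Mitigations*' {
            if ($Id -lt 1 -or $Id -gt 24) { return "Security-Mitigations $Id" }
            $mode = if ($Id % 2 -eq 1) { 'audit' } else { 'enforce' }
            return '{0} ({1})' -f $Names[[int][math]::Floor(($Id - 1) / 2)], $mode
        }
        '*WER-Diag*' { if ($Id -eq 5)   { return 'CFG Block' } }
        '*Win32k*'   { if ($Id -eq 260) { return 'Untrusted Font' } }
    }
    return "$LogName $Id"
}

# One FilterHashtable per channel; Get-WinEvent accepts an Id array and StartTime.
$Filters = @(
    @{ LogName = 'Microsoft-Windows-Security-Mitigations/KernelMode'; Id = 1..24; StartTime = $Since }
    @{ LogName = 'Microsoft-Windows-Security-Mitigations/UserMode';   Id = 1..24; StartTime = $Since }
    @{ LogName = 'Microsoft-Windows-WER-Diag/Operational';            Id = 5;     StartTime = $Since }
    @{ LogName = 'Microsoft-Windows-Win32k/Operational';              Id = 260;   StartTime = $Since }
)

# SilentlyContinue: Get-WinEvent raises an error when a channel has no matches.
$Events = foreach ($f in $Filters) {
    Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue
}

$Rows = foreach ($ev in $Events) {
    [pscustomobject]@{
        Time       = $ev.TimeCreated
        Mitigation = Get-MitigationLabel -LogName $ev.LogName -Id $ev.Id
        Message    = ($ev.Message -split "`n")[0]   # first line names the process
    }
}

# Audit counts predict what enforcement would block; review both before enforcing.
$Rows | Group-Object Mitigation | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Keep `$Rows` around after the summary: filtering it on a single mitigation label gives the timestamps and messages needed to decide whether a count is a false positive or a real block.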
## In this section

Topic | Description
---|---
[Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) | Many of the features in EMET are now included in Exploit protection. This topic identifies those features and explains how the features have changed or evolved.
[Evaluate Exploit protection](evaluate-exploit-protection.md) | Undertake a demo scenario to see how Exploit protection mitigations can protect your network from malicious and suspicious behavior.
[Enable Exploit protection](enable-exploit-protection.md) | Use Group Policy or PowerShell to enable and manage Exploit protection in your network.
[Customize and configure Exploit protection](customize-exploit-protection.md) | Configure mitigations for the operating system and for individual apps.
[Import, export, and deploy Exploit protection configurations](import-export-exploit-protection-emet-xml.md) | Export, import, and deploy the settings across your organization. You can also convert an existing EMET configuration profile and import it into Exploit protection.