deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-22 22:03:46 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity
Files
abd5c4ad390a51cb15a5b1e3cc5efa8ad1b91449
windows-itpro-docs/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md
Liza Poggemeyer d9d1fedbe6 fixed loc priority
2018-06-27 16:58:05 -07:00

119 lines
4.7 KiB
Markdown
Raw Blame History

---
title: Conduct a demo to see how Network protection works
description: Quickly see how Network protection works by performing common scenarios that it protects against
keywords: Network protection, exploits, malicious website, ip, domain, domains, evaluate, test, demo
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 05/30/2018
---
# Evaluate Network protection
**Applies to:**
- Windows 10 Enterprise edition, version 1709 or later
- Windows Server 2016
**Audience**
- Enterprise security administrators
**Manageability available with**
- Group Policy
- PowerShell
Supported in Windows 10 Enterprise, Network protection is a feature that is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
It helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
This topic helps you evaluate Network protection by enabling the feature and guiding you to a testing site.
>[!NOTE]
>The site will replicate the behavior that would happen if a user visted a malicious site or domain. The sites in this evaluation topic are not malicious, they are specially created websites that pretend to be malicious.
>[!TIP]
>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
## Enable Network protection
1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
2. Enter the following cmdlet:
```PowerShell
Set-MpPreference -EnableNetworkProtection Enabled
```
You can also carry out the processes described in this topic in audit or disabled mode to see how the feature will work. Use the same PowerShell cmdlet as above, but replace `Enabled` with either `AuditMode` or `Disabled`.
### Visit a (fake) malicious domain
1. Open Internet Explorer, Google Chrome, or any other browser of your choice.
1. Go to [https://smartscreentestratings2.net](https://smartscreentestratings2.net).
You will get a 403 Forbidden response in the browser, and you will see a notification that the network connnection was blocked.
![Example notification that says Connection blocked: Your IT administrator caused Windows Defender Security center to block this network connection. Contact your IT help desk.](images/np-notif.png)
## Review Network protection events in Windows Event Viewer
You can also review the Windows event log to see the events there were created when performing the demo. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-all-windows-defender-exploit-guard-events).
1. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
2. On the left panel, under **Actions**, click **Import custom view...**
3. Navigate to the Exploit Guard Evaluation Package, and select the file *np-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
4. Click **OK**.
5. This will create a custom view that filters to only show the following events related to Network protection:
Event ID | Description
-|-
5007 | Event when settings are changed
1125 | Event when rule fires in Audit-mode
1126 | Event when rule fires in Block-mode
## Use audit mode to measure impact
You can also enable the Network protection feature in audit mode. This lets you see a record of what IPs and domains would have been blocked if the feature were enabled.
You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how often the feature will block connections during normal use.
To enable audit mode, use the following PowerShell cmdlet:
```PowerShell
Set-MpPreference -EnableNetworkProtection AuditMode
```
>[!TIP]
>If you want to fully audit how Network protection will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s).
You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Network protection topic](network-protection-exploit-guard.md).
## Related topics
- [Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md)
- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)
- [Use audit mode to evaluate Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md)
Reference in New Issue View Git Blame Copy Permalink