Windows 10 Fall update 1709 Security Feature 3: Exploit Guard Protection Settings

Exploit Guard, as you may have noticed, is a very exciting security feature in Windows 10 1709. It is a set of host/endpoint intrusion prevention tools defending against malicious macro, email and script based threats.

For those familiar with the free Microsoft EMET tool (Enhanced Mitigation Experience Toolkit), you will find that Exploit Guard is the natural successor to EMET: it limits or blocks attacks at the application level using memory mitigation techniques and other options.

Please note that EMET support ends on July 31, 2018. You can easily convert and import your configuration and settings from EMET to Exploit Guard. For a detailed comparison between EMET and Exploit Guard, see the following link:


https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard

To import an older EMET configuration into Exploit Guard you first need to convert it and then import it. Both conversion and import are done using PowerShell commands as follows:


  1. Conversion:
     ConvertTo-ProcessMitigationPolicy -EMETFilePath emetFile.xml -OutputFilePath filename.xml
  2. Importing your converted file to Exploit Guard:
     Set-ProcessMitigation -PolicyFilePath filename.xml
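As an added example (not part of the original post), the conversion and import carried through in PowerShell with checks that each step produced something, followed by reading back the mitigations for one application; the file paths and notepad.exe are assumptions:

```powershell
# Added example, not from the original post. All paths and the application name are assumptions.
$emetFile  = 'C:\Temp\EMET_Profile.xml'        # policy exported from EMET on the old machine (assumed)
$converted = 'C:\Temp\ExploitProtection.xml'   # Exploit Protection policy produced by the conversion
$testApp   = 'notepad.exe'                     # an application that had a rule in the EMET profile (assumed)

if (-not (Test-Path $emetFile)) {
    throw "EMET export not found at $emetFile"
}

# 1. Conversion: EMET XML -> Exploit Protection (ProcessMitigation) XML
ConvertTo-ProcessMitigationPolicy -EMETFilePath $emetFile -OutputFilePath $converted
if (-not (Test-Path $converted)) {
    throw "Conversion did not produce $converted; check the EMET file for unsupported entries"
}

# 2. Import the converted policy into Exploit Guard (applies system and per-program settings)
Set-ProcessMitigation -PolicyFilePath $converted

# 3. Verify: read back the effective mitigations for one of the converted applications
Get-ProcessMitigation -Name $testApp

# Optional: tighten a single application further without touching the rest of the policy
Set-ProcessMitigation -Name $testApp -Enable DEP,SEHOP,ForceRelocateImages
Get-ProcessMitigation -Name $testApp
```

Run this in an elevated PowerShell session on the standalone test machine before exporting the settings for the rest of the estate.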


Exploit Guard is a family of tools that fall under pre-breach threat resistance. There are mainly three tools under Exploit Guard, as follows:


  1. Attack Surface Reduction: protects entry vectors such as macros (Office files with macros that download and execute content) using Office rules, script rules and mail rules. This will be discussed in my next blog post.
  2. Controlled Folder Access: protects the files in your critical folders against ransomware. Check my earlier post http://itcalls.blogspot.com.eg/2017/10/windows-10-fall-update-1709-security_25.html
  3. Network Protection: protects against internet based attacks, building on the earlier browser SmartScreen protection and similar features.

In this article I am mainly discussing the Exploit Protection settings for both the system and individual applications (mitigations similar to those of the former EMET tool).

Configuring Exploit Protection settings on Standalone machine:

You can open the Exploit Protection settings from Windows Defender Security Center: go to App and browser control, scroll down and click on Exploit protection settings.


There are two main things to keep in mind. The first is the Export settings option at the bottom of the page. It is very useful for exporting all the settings once you have arrived at a proper configuration for your Windows 10 machines and need to roll it out through Group Policy to all the other clients in your organization.

The second is that Exploit Protection includes both system settings and program settings. In the system area you will find the memory mitigation settings similar to the ones we used to have in EMET; the program settings list the programs that are already protected, and you can add other programs to protect by name or by file path, as shown below.

Configuring Exploit Protection settings on domain machines using group policy:

As we discussed earlier in the standalone configuration, normally you will start by configuring one client and testing all applications and mitigation techniques. Once satisfied, you will export the settings and deploy them to all the computers in your enterprise running Windows 10 1709 or later.

This is where Group Policy kicks in. You will create a new GPO and link it to your Windows 10 1709 computers, then navigate to Computer Configuration - Policies - Administrative Templates - Windows Components - Windows Defender Exploit Guard - Exploit Protection.

There is only one setting available, where you point to the settings file (exported from any tested standalone machine).
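As an added example (not part of the original post), exporting the tested configuration from the reference machine, staging it where the Group Policy setting can point to it, and checking on a domain client that the applied settings match the export; the UNC path and file names are assumptions:

```powershell
# Added example, not from the original post. The paths below are assumptions.
$reference = 'C:\Temp\ExploitProtection-Reference.xml'
$share     = '\\fileserver\ExploitGuard$\ExploitProtection.xml'  # UNC path readable by Domain Computers (assumed)

# --- On the tested standalone (reference) machine ---
# Export the current system-wide and per-program Exploit Protection settings.
# This is the PowerShell equivalent of the Export settings button in Windows Defender Security Center.
Get-ProcessMitigation -RegistryConfigFilePath $reference

# Stage the export on the share; the single GPO setting under
# Windows Defender Exploit Guard - Exploit Protection is then pointed at $share.
Copy-Item -Path $reference -Destination $share -Force

# --- On a domain client, after the GPO has been linked ---
gpupdate /target:computer /force

# Export the client's effective settings and diff them against the staged reference.
$client = Join-Path $env:TEMP 'ExploitProtection-Client.xml'
Get-ProcessMitigation -RegistryConfigFilePath $client
$diff = Compare-Object -ReferenceObject (Get-Content $share) -DifferenceObject (Get-Content $client)
if ($diff) {
    Write-Warning 'Client Exploit Protection settings differ from the reference export:'
    $diff | Format-Table -AutoSize
} else {
    Write-Host 'Client Exploit Protection settings match the reference export.'
}
```

The exported XML is generated, so treat any diff as a prompt to inspect the listed entries rather than as a strict pass/fail.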


That's it for now. See you in my next post, on Exploit Guard Attack Surface Reduction.

2 comments:

rohan rj Says:

It looks very spectacular. And the article gives me a lot of information. Be thankful, I truly discovered very awesome and exclusive concepts. So this might be useful to everybody... Thanks for creating this interesting blog. security guards

Moin khan chouhan Says:

Fall protection equipment


Get the best safety and fall protection equipment in Singapore. United Resources offers the best fall protection equipment in Singapore, We also offer safety protective equipment solutions across various industries.


http://unitedresources-intl.com/
