Merge pull request #1911 from YongRhee-MSFT/docs-editor/enable-exploit-protection-1731692849

rjagiewich · web-flow · commit 286163c9817c · 2024-11-15T14:50:33.000-08:00
Update enable-exploit-protection.md
diff --git a/defender-endpoint/enable-exploit-protection.md b/defender-endpoint/enable-exploit-protection.md
@@ -14,7 +14,7 @@ ms.collection:
 - m365-security
 - tier3
 - mde-asr
-ms.date: 05/03/2023
+ms.date: 11/15/2024
 search.appverid: met150
 ---
 
@@ -35,6 +35,31 @@ search.appverid: met150
 
 Many features from the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection.
 
+## Prerequisites
+
+This section includes recommendations for you to be successful with deploying exploit protection.
+
+- Set up monitoring for application crashes ([Event ID 1000 and/or Event ID 1001](/troubleshoot/windows-server/performance/troubleshoot-application-service-crashing-behavior)) and/or hangs (Event ID 1002)
+
+- Enable [full user mode dump](/windows/win32/wer/collecting-user-mode-dumps) collection
+
+- Check to see which applications are already compiled with "[Control Flow Guard](/windows/win32/secbp/control-flow-guard)" (CFG) which primarily focus on mitigating memory corruption vulnerabilities. Use dumpbin tool to see if it's compiled w/ [CFG](/windows/win32/secbp/control-flow-guard). For these applications, you could skip enabling enforcement for DEP, ASRL, SEHOP, and ACG.
+
+- Use safe deployment practices.
+
+> [!WARNING]
+> If you do not test and do not go thru safe deployment practices, you could contribute to end-user productivity outages.
+
+### Safe deployment practices
+
+Safe deployment practices (SDP): Safe deployment processes and procedures define how to safely make and deploy changes to your workload. Implementing SDP requires you to think about deployments through the lens of managing risk. You can minimize the risk of end-user productivity outages in your deployments and limit the effects of problematic deployments on your users by implementing SDP.
+
+Start out with a small set (for example, 10 to 50) of Windows devices and use that as your test environment to see which of the 21 mitigations, are incompatible with exploit protection. Remove the mitigations that aren't compatible with the application. Reiterate with the applications that you're targeting. Once you feel that the policy is ready for production.
+
+Start out by pushing first to User Acceptance Testing (UAT) comprised of the IT administrators, Security administrators and help desk personnel. Then to 1%, 5%, 10%, 25%, 50%, 75%, and finally to 100% of your environment.
+
+## Enabling exploit protection mitigations
+
 You can enable each mitigation separately by using any of these methods:
 
 - [Windows Security app](#windows-security-app)
@@ -55,23 +80,25 @@ You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Au
 2. Select the **App & browser control** tile (or the app icon on the left menu bar) and then select **Exploit protection settings**.
 
 3. Go to **Program settings** and choose the app you want to apply mitigations to.
-    - If the app you want to configure is already listed, select it, and then select **Edit**.
-    - If the app isn't listed, at the top of the list select **Add program to customize** and then choose how you want to add the app.
-    - Use **Add by program name** to have the mitigation applied to any running process with that name. Specify a file with its extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
-    - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
 
-4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You're notified if you need to restart the process or app, or if you need to restart Windows.
+   - If the app you want to configure is already listed, select it, and then select **Edit**.
+   - If the app isn't listed, at the top of the list select **Add program to customize** and then choose how you want to add the app.
+   - Use **Add by program name** to have the mitigation applied to any running process with that name. Specify a file with its extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
+   - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
+
+4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** applies the mitigation in audit mode only. You're notified if you need to restart the process or app, or if you need to restart Windows.
 
 5. Repeat steps 3-4 for all the apps and mitigations you want to configure.
 
 6. Under the **System settings** section, find the mitigation you want to configure and then specify one of the following settings. Apps that aren't configured individually in the **Program settings** section use the settings that are configured here.
-    - **On by default**: The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
-    - **Off by default**: The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
-    - **Use default**: The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 or Windows 11 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation
+
+   - **On by default**: The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
+   - **Off by default**: The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
+   - **Use default**: The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 or Windows 11 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation
 
 7. Repeat step 6 for all the system-level mitigations you want to configure. Select **Apply** when you're done setting up your configuration.
 
-If you add an app to the **Program settings** section and configure individual mitigation settings there, they'll be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work:
+If you add an app to the **Program settings** section and configure individual mitigation settings there, they are honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work:
 
 |Enabled in **Program settings**|Enabled in **System settings**|Behavior|
 |:---|:---|:---|
@@ -98,13 +125,14 @@ The result is that DEP is enabled for *test.exe*. DEP won't be enabled for any o
 
 2. Select the **App & browser control** tile (or the app icon on the left menu bar) and then select **Exploit protection**.
 
-3. Go to **Program settings** and choose the app you want to apply mitigations to.<br/>
-    - If the app you want to configure is already listed, select it, and then select **Edit**.
-    - If the app isn't listed, at the top of the list select **Add program to customize** and then choose how you want to add the app.<br/>
+3. Go to **Program settings** and choose the app you want to apply mitigations to.
+
+   - If the app you want to configure is already listed, select it, and then select **Edit**.
+   - If the app isn't listed, at the top of the list select **Add program to customize** and then choose how you want to add the app.<br/>
       - Use **Add by program name** to have the mitigation applied to any running process with that name. Specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
       - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
 
-4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You'll be notified if you need to restart the process or app, or if you need to restart Windows.
+4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** applies the mitigation in audit mode only. You're notified if you need to restart the process or app, or if you need to restart Windows.
 
 5. Repeat steps 3-4 for all the apps and mitigations you want to configure. Select **Apply** when you're done setting up your configuration.
 
@@ -164,7 +192,7 @@ Use the [./Vendor/MSFT/Policy/Config/ExploitGuard/ExploitProtectionSettings](/wi
 
 ## Group Policy
 
-1. On your Group Policy management device, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management device, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)). Right-click the Group Policy Object you want to configure and select **Edit**.
 
 2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**.
 
@@ -174,15 +202,14 @@ Use the [./Vendor/MSFT/Policy/Config/ExploitGuard/ExploitProtectionSettings](/wi
 
 ## PowerShell
 
-You can use the PowerShell verb `Get` or `Set` with the cmdlet `ProcessMitigation`. Using `Get` will list the current configuration status of any mitigations that have been enabled on the device - add the `-Name` cmdlet and app exe to see mitigations for just that app:
+You can use the PowerShell verb `Get` or `Set` with the cmdlet `ProcessMitigation`. Using `Get` lists the current configuration status of any mitigations that are enabled on the device. Add the `-Name` cmdlet and app exe to see mitigations for just that app:
 
 ```PowerShell
 Get-ProcessMitigation -Name processName.exe
 ```
 
 > [!IMPORTANT]
 > System-level mitigations that have not been configured will show a status of `NOTSET`.
->
 > - For system-level settings, `NOTSET` indicates the default setting for that mitigation has been applied.
 > - For app-level settings, `NOTSET` indicates the system-level setting for the mitigation will be applied.
 > The default setting for each system-level mitigation can be seen in the Windows Security.
@@ -245,29 +272,34 @@ The following table lists the individual **Mitigations** (and **Audits**, when a
 |Disable extension points|App-level only|`ExtensionPoint`|Audit not available|
 |Disable Win32k system calls|App-level only|`DisableWin32kSystemCalls`|`AuditSystemCall`|
 |Don't allow child processes|App-level only|`DisallowChildProcessCreation`|`AuditChildProcess`|
-|Export address filtering (EAF)|App-level only|`EnableExportAddressFilterPlus`, `EnableExportAddressFilter` <a href="#r1" id="t1">\[1\]</a>|Audit not available <a href="#r2" id="t2">\[2\]</a>|
-|Import address filtering (IAF)|App-level only|`EnableImportAddressFilter`|Audit not available <a href="#r2" id="t2">\[2\]</a>|
-|Simulate execution (SimExec)|App-level only|`EnableRopSimExec`|Audit not available <a href="#r2" id="t2">\[2\]</a>|
-|Validate API invocation (CallerCheck)|App-level only|`EnableRopCallerCheck`|Audit not available <a href="#r2" id="t2">\[2\]</a>|
+|Export address filtering (EAF)|App-level only|`EnableExportAddressFilterPlus`, `EnableExportAddressFilter` <a href="#r1" id="t1">[1]</a>|Audit not available <a href="#r2" id="t2">[2]</a>|
+|Import address filtering (IAF)|App-level only|`EnableImportAddressFilter`|Audit not available <a href="#r2" id="t2">[2]</a>|
+|Simulate execution (SimExec)|App-level only|`EnableRopSimExec`|Audit not available <a href="#r2" id="t2">[2]</a>|
+|Validate API invocation (CallerCheck)|App-level only|`EnableRopCallerCheck`|Audit not available <a href="#r2" id="t2">[2]</a>|
 |Validate handle usage|App-level only|`StrictHandle`|Audit not available|
 |Validate image dependency integrity|App-level only|`EnforceModuleDepencySigning`|Audit not available|
-|Validate stack integrity (StackPivot)|App-level only|`EnableRopStackPivot`|Audit not available <a href="#r2" id="t2">\[2\]</a>|
+|Validate stack integrity (StackPivot)|App-level only|`EnableRopStackPivot`|Audit not available <a href="#r2" id="t2">[2]</a>|
 
-<a href="#t1" id="r1">\[1\]</a>: Use the following format to enable EAF modules for DLLs for a process:
+<a href="#t1" id="r1">[1]</a>: Use the following format to enable EAF modules for DLLs for a process:
 
 ```PowerShell
 Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll
 ```
 
-<a href="#t2" id="r2">\[2\]</a>: Audit for this mitigation isn't available via PowerShell cmdlets.
+<a href="#t2" id="r2">[2]</a>: Audit for this mitigation isn't available via PowerShell cmdlets.
 
 ## Customize the notification
 
 For information about customizing the notification when a rule is triggered and an app or file is blocked, see [Windows Security](/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center).
 
+## Removing the exploit protection mitigations
+
+To reset (undo or remove) the exploit protection mitigations, see the [Exploit protection reference](/defender-endpoint/exploit-protection-reference).
+
 ## See also
 
 - [Evaluate exploit protection](evaluate-exploit-protection.md)
 - [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
 - [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md)
+
 [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]
