Learn Editor: Update enable-exploit-protection.md

YongRhee-MSFT · YongRhee-MSFT · commit 7e9a84fe81d5 · 2024-11-15T09:47:31.000-08:00
diff --git a/defender-endpoint/enable-exploit-protection.md b/defender-endpoint/enable-exploit-protection.md
@@ -35,6 +35,31 @@ search.appverid: met150
 
 Many features from the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection.
 
+## Pre-requisites
+
+Below are recommendations for you to be successful on deploying Exploit Protection.
+
+- Setup monitoring for application crashes ([Event ID 1000 and/or Event ID 1001](/troubleshoot/windows-server/performance/troubleshoot-application-service-crashing-behavior)) and/or hangs (Event ID 1002)
+
+- Enable [full user mode dump](/windows/win32/wer/collecting-user-mode-dumps) collection
+
+- Check to see which applications are already compiled with "[Control Flow Guard](/windows/win32/secbp/control-flow-guard)" (CFG) which primarily focus on mitigating memory corruption vulnerabilities.  Use dumpbin tool to see if it is compiled w/ [CFG](/windows/win32/secbp/control-flow-guard).  For these applications, you could skip enabling enforcement for DEP, ASRL, SEHOP, and ACG.
+
+- Go thru safe deployment practices (sdp)
+
+> [!WARNING]
+> If you do not test and do not go thru safe deployment practices, you could contribute to end-user productivity outages.
+
+### Safe deployment practices
+
+Safe deployment practices (SDP): Safe deployment processes and procedures define how to safely make and deploy changes to your workload.  Implementing SDP requires you to think about deployments through the lens of managing risk.  You can minimize the risk of end-user productivity outages in your deployments and limit the effects of problematic deployments on your users by implementing SDP.
+
+Start out with a small set (e.g. 10 to 50) of Windows devices and use that as your test environment to see which of the 21 mitigations, are incompatible with Exploit Protection.  Remove the mitigations that are not compatible with the application.  Reiterate with the applications that you are targeting. Once you feel that the policy is ready for production.
+
+Start out by pushing first to User Acceptance Testing (UAT) usually comprised of the IT administrators, Security administrators and help desk personnel.  Then to 1%, 5%, 10%, 25%, 50%, 75%, and finally to 100% of your environment.
+
+## Enabling Exploit Protection mitigations
+
 You can enable each mitigation separately by using any of these methods:
 
 - [Windows Security app](#windows-security-app)
@@ -245,26 +270,30 @@ The following table lists the individual **Mitigations** (and **Audits**, when a
 |Disable extension points|App-level only|`ExtensionPoint`|Audit not available|
 |Disable Win32k system calls|App-level only|`DisableWin32kSystemCalls`|`AuditSystemCall`|
 |Don't allow child processes|App-level only|`DisallowChildProcessCreation`|`AuditChildProcess`|
-|Export address filtering (EAF)|App-level only|`EnableExportAddressFilterPlus`, `EnableExportAddressFilter` <a href="#r1" id="t1">\[1\]</a>|Audit not available <a href="#r2" id="t2">\[2\]</a>|
-|Import address filtering (IAF)|App-level only|`EnableImportAddressFilter`|Audit not available <a href="#r2" id="t2">\[2\]</a>|
-|Simulate execution (SimExec)|App-level only|`EnableRopSimExec`|Audit not available <a href="#r2" id="t2">\[2\]</a>|
-|Validate API invocation (CallerCheck)|App-level only|`EnableRopCallerCheck`|Audit not available <a href="#r2" id="t2">\[2\]</a>|
+|Export address filtering (EAF)|App-level only|`EnableExportAddressFilterPlus`, `EnableExportAddressFilter` <a href="#r1" id="t1">[1]</a>|Audit not available <a href="#r2" id="t2">[2]</a>|
+|Import address filtering (IAF)|App-level only|`EnableImportAddressFilter`|Audit not available <a href="#r2" id="t2">[2]</a>|
+|Simulate execution (SimExec)|App-level only|`EnableRopSimExec`|Audit not available <a href="#r2" id="t2">[2]</a>|
+|Validate API invocation (CallerCheck)|App-level only|`EnableRopCallerCheck`|Audit not available <a href="#r2" id="t2">[2]</a>|
 |Validate handle usage|App-level only|`StrictHandle`|Audit not available|
 |Validate image dependency integrity|App-level only|`EnforceModuleDepencySigning`|Audit not available|
-|Validate stack integrity (StackPivot)|App-level only|`EnableRopStackPivot`|Audit not available <a href="#r2" id="t2">\[2\]</a>|
+|Validate stack integrity (StackPivot)|App-level only|`EnableRopStackPivot`|Audit not available <a href="#r2" id="t2">[2]</a>|
 
-<a href="#t1" id="r1">\[1\]</a>: Use the following format to enable EAF modules for DLLs for a process:
+<a href="#t1" id="r1">[1]</a>: Use the following format to enable EAF modules for DLLs for a process:
 
 ```PowerShell
 Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll
 ```
 
-<a href="#t2" id="r2">\[2\]</a>: Audit for this mitigation isn't available via PowerShell cmdlets.
+<a href="#t2" id="r2">[2]</a>: Audit for this mitigation isn't available via PowerShell cmdlets.
 
 ## Customize the notification
 
 For information about customizing the notification when a rule is triggered and an app or file is blocked, see [Windows Security](/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center).
 
+## Removing the exploit protection mitigations
+
+To reset (undo or remove) the exploit protection mitigations, please review the [Exploit protection reference](/defender-endpoint/exploit-protection-reference).
+
 ## See also
 
 - [Evaluate exploit protection](evaluate-exploit-protection.md)
