Windows 10 Fall update 1709 Security Feature 4: Exploit Guard Attack Surface Reduction

Posted by Ahmed Nabil
Another useful feature of the Exploit Guard intrusion prevention toolset, available starting with Windows 10 1709, is Attack Surface Reduction (ASR). ASR is a key component of Exploit Guard, and as I mentioned earlier, Exploit Guard is a key component of the Windows 10 defensive stack: it is concerned mainly with the pre-breach phase, and its main goal is to prevent the attack from occurring in the first place.

Most recent attacks, especially ransomware, start with a malicious Office file or an email sent to the user. When the user opens it, the malicious payload is downloaded and run on the local computer, or it connects back to a command and control (C&C) server to download further files; the end result is an infected computer or encrypted files with a ransom demand.

Attack Surface Reduction mainly applies the rule groups below to protect your entry points (the attack surface):

  1. Office rules: prevent Office apps from creating executable content, launching child processes, injecting into other processes, etc.
  2. Script rules: block malicious scripts, obfuscated macro code and others.
  3. Mail rules: block running executable content from your mail client and webmail.

For more details please check this link

ASR ships with a fixed set of rules, and each rule has a unique GUID; to enable a rule you simply reference it by its GUID (check the image below).

So, for example, if you would like to block executable content from your mail client and webmail, you activate the rule with GUID BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 (the first rule).

How to implement ASR on Standalone Machine:

I would highly recommend implementing ASR first on a standalone machine and testing the rules and their effect on your applications and daily work processes. PowerShell (admin elevated) will be used to enable ASR. For example, let us enable the first rule (blocking executable content from mail and webmail).

PowerShell Command

Set-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -AttackSurfaceReductionRules_Actions AuditMode

This turns on the first rule (blocking executable content in mail) in audit mode. The action parameter of this command accepts three values: Enabled, Disabled and AuditMode. I would recommend turning a rule on first in AuditMode so you can check your logs and Event Viewer for ASR events without interrupting your business.

How to check the ASR events in Event Viewer:

  1. Download the Exploit Guard Evaluation Package and extract the ZIP file.
  2. Open Event Viewer - Import Custom View - pick the asr-events file.
  3. All events can be checked from this custom view, which is very beneficial especially in the AuditMode phase while ASR is under test.
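The same enable-then-audit loop can be scripted so the rule state and the resulting events are checked together. The block below is an added example, not code from the original post: it enables the post's first rule in audit mode with Add-MpPreference (which appends to the rule list rather than replacing it), reads back the effective action from Get-MpPreference, and queries the Windows Defender operational log for ASR events. Get-MpPreference reports actions numerically with the same meaning as the Group Policy values the post describes later (0 = Off, 1 = Block, 2 = Audit); the event IDs 1121 (block) and 1122 (audit) are the ones Windows Defender writes for ASR. Run it from an elevated PowerShell prompt on Windows 10 1709 or later.

```powershell
# Added example (not from the original post): enable one ASR rule in audit mode,
# confirm the effective setting, and pull the resulting ASR events from the
# Windows Defender operational log. Run from an elevated PowerShell prompt.
# Assumption: Windows 10 1709 or later with Windows Defender Antivirus active.

# Rule GUID from the post: block executable content from email client and webmail.
$RuleId = 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'

# Add-MpPreference appends to the configured rule list, so rules already set
# on the machine are left untouched.
Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                 -AttackSurfaceReductionRules_Actions AuditMode

# Get-MpPreference reports actions numerically; the numbers match the
# Group Policy values: 0 = Off, 1 = Block, 2 = Audit.
$ActionName = @{ 0 = 'Off'; 1 = 'Block'; 2 = 'Audit' }

function Get-AsrRuleState {
    $pref = Get-MpPreference
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        [pscustomobject]@{
            RuleId = $pref.AttackSurfaceReductionRules_Ids[$i]
            Action = $ActionName[[int]$pref.AttackSurfaceReductionRules_Actions[$i]]
        }
    }
}

Get-AsrRuleState | Format-Table -AutoSize

# ASR writes to Microsoft-Windows-Windows Defender/Operational:
#   1121 = rule fired in block mode, 1122 = rule fired in audit mode.
# Filtering on the rule GUID keeps the output to the rule under test.
function Get-AsrEvents {
    param([string]$RuleId, [int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $RuleId } |
    Select-Object TimeCreated, Id,
        @{ n = 'Mode'; e = { if ($_.Id -eq 1122) { 'Audit' } else { 'Block' } } },
        Message
}

Get-AsrEvents -RuleId $RuleId | Format-List
```

Leave the rule in AuditMode for a realistic period before reading the events; an empty result only means nothing triggered the rule in the window queried, not that the rule is safe to switch to Block.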

How to Simulate and Demo the Attack Surface Reduction:

In the same Exploit Guard Evaluation Package you can find a file named Exploit Guard ASR test tool (for 32 bit and 64 bit OS). Running this file displays the ASR rules and their status on your machine (whether blocked, enabled or in AuditMode), and you can run a simulation to ensure a rule is working. For example, I will run the simulation for the first rule (executable content in mail and webmail), which tries to launch notepad.exe and gets it blocked. It is a very handy test tool that you should play around with.

How to enable ASR for Enterprise/Domain computers:

After you are fully satisfied with the test results, you can start rolling it out to all client computers using Group Policy. The Group Policy location is as follows:

Computer Configuration - Administrative Templates - Windows Components - Windows Defender Antivirus - Windows Defender Exploit Guard - Attack Surface Reduction

You need to add the rule ID and a value (0, 1 or 2). It is a little confusing, but 0 = Off (nothing happens, the rule is disabled), 1 = Block (which means enabling the rule) and 2 = AuditMode.

So, another exciting feature, and I would encourage everyone on Windows 10 1709 to give it a try.

Windows 10 Fall update 1709 Security Feature 3: Exploit Guard Protection Settings

Posted by Ahmed Nabil
Exploit Guard, as you may have noticed, is a very exciting security feature in Windows 10 1709: a set of host/endpoint intrusion prevention tools defending against malicious macro, email and script based threats.

Those familiar with Microsoft's free EMET (Enhanced Mitigation Experience Toolkit) will find that Exploit Guard is its natural successor: it is used to limit and block attacks at the application level using memory mitigation techniques as well as other options.

It should be noted that EMET end of support is July 31, 2018. You can easily convert and import your EMET configuration and settings into Exploit Guard. For a detailed comparison between EMET and Exploit Guard, check the link below.

To import an older EMET configuration into Exploit Guard you first need to convert it and then import it. Both conversion and import are done using PowerShell commands as follows:

  1. Conversion: ConvertTo-ProcessMitigationPolicy -EMETFilePath emetFile.xml -OutputFilePath filename.xml
  2. Importing the converted file into Exploit Guard: Set-ProcessMitigation -PolicyFilePath filename.xml

Exploit Guard is a family of tools that fall under pre-breach threat resistance. There are mainly three tools under Exploit Guard, as follows:

  1. Attack Surface Reduction: protects entry vectors such as macros (Office files with macros that download and execute content) through Office rules, script rules and mail rules. This will be discussed in my next blog post.
  2. Controlled Folder Access: protects the files in critical folders on your system (ransomware). Check my earlier post.
  3. Network Protection: protects against internet based attacks, building on the earlier browser SmartScreen protection, etc.

In this article I am mainly discussing the Exploit Protection settings for both the system and applications (mitigations similar to the former EMET tool).

Configuring Exploit Protection settings on Standalone machine:

You can open the Exploit Protection settings from Windows Defender Security Center - App and browser control - scroll down and click on Exploit protection.

Two main things to note. First, the export settings option at the end of the page, which is very beneficial: once you have well tested and appropriate settings for your Windows 10 machine, you export them and deploy them via Group Policy to all other clients in your organization.

Second, Exploit Protection includes both System settings and Program settings. In the system area you will find mostly memory mitigation settings similar to the ones we used to have in EMET; in the program settings you have your protected programs and can add other programs by name or path to be protected, as shown below.
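The conversion and import steps listed earlier and the export step mentioned above fit together into one workflow. The block below is an added example, not code from the original post: it converts a legacy EMET policy, imports it, reads back the system-wide and per-program mitigations so they can be reviewed before rollout, and exports the tested configuration with Get-ProcessMitigation -RegistryConfigFilePath, which is the PowerShell counterpart of the Security Center export button. The file paths and the notepad.exe program name are placeholders; the XML element names used in the final sanity check (MitigationPolicy, AppConfig) are my assumption about the export format.

```powershell
# Added example (not from the original post): convert a legacy EMET policy,
# import it into Exploit Protection, verify the resulting mitigations, and
# export the final settings file for Group Policy deployment.
# Assumptions: elevated PowerShell on Windows 10 1709+; paths are placeholders.
$EmetPolicy    = 'C:\EMET\emetFile.xml'                  # legacy EMET export (placeholder)
$ConvertedFile = 'C:\EMET\converted.xml'                 # Exploit Protection format
$ExportForGpo  = 'C:\EMET\ExploitProtection-Deploy.xml'  # file the GPO setting points to

if (-not (Test-Path $EmetPolicy)) { throw "EMET policy not found: $EmetPolicy" }

# Step 1: convert. The cmdlet rewrites EMET's schema into the Exploit Protection one.
ConvertTo-ProcessMitigationPolicy -EMETFilePath $EmetPolicy -OutputFilePath $ConvertedFile

# Step 2: import. This applies both the system defaults and per-program settings.
Set-ProcessMitigation -PolicyFilePath $ConvertedFile

# Step 3: verify. -System shows the system-wide defaults; -Name shows the
# effective settings for one program. Review these before rolling out: an old
# EMET policy may carry mitigations that break an application.
Get-ProcessMitigation -System
Get-ProcessMitigation -Name 'notepad.exe'   # placeholder program name

# Step 4: export the tested configuration for the Exploit Protection GPO setting.
Get-ProcessMitigation -RegistryConfigFilePath $ExportForGpo

# Sanity check on the export. Element names are an assumption about the format.
[xml]$exported = Get-Content -Path $ExportForGpo
$appCount = @($exported.MitigationPolicy.AppConfig).Count
"Programs with explicit mitigation settings in export: $appCount"
```

Keep the exported file on a share that every targeted client can read, since the Group Policy setting only stores the path, not the content.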

Configuring Exploit Protection settings on domain machines using group policy:

As discussed earlier for the standalone configuration, you will normally start by configuring one client and testing all applications and mitigation techniques; once satisfied, you export the settings and deploy them to all the computers in your enterprise running Windows 10 1709 or later.

This is where Group Policy kicks in: you create a new GPO, link it to your Windows 10 1709 computers, and navigate to Computer Configuration - Policies - Administrative Templates - Windows Components - Windows Defender Exploit Guard - Exploit Protection

There is only one setting available, where you point to the settings file (exported from any tested standalone machine).

That's it for now; see you in my next post on Exploit Guard Attack Surface Reduction.

Windows 10 Fall update 1709 Security Feature 2: Exploit Guard - Controlled Folder Access

Posted by Ahmed Nabil
Today we will discuss another new security feature released in Windows 10 fall update 1709: Controlled Folder Access. This feature was introduced mainly as a step to stop or contain ransomware attacks on endpoint clients by protecting specific folders from unauthorized access by malicious apps or processes.

This protection is real time: it blocks such malicious activity instantly and gives you an immediate warning in your desktop notifications.

When you enable Controlled Folder Access it protects specific folders by default, such as your Desktop, Documents, Favorites, Pictures and Videos; however, you can add any other folder to be protected as well.

If you receive a notification that an app was blocked from accessing one of your protected folders, you can allow this app if you are aware of its usage and are sure it is a legitimate business app.

How to enable Controlled Folder Access:

  1. From Windows Defender Security Center, open Virus and threat protection settings (check the screenshots below).
  2. After clicking on Virus and threat protection settings, scroll down to Controlled folder access and enable it.
  3. Click on Protected folders to list the current default protected folders, or click Allow an app through Controlled folder access to allow a legitimate app that might not be known to Microsoft and is getting blocked.

Configuring Group Policy to enable Controlled Folder Access:

  1. You can use PowerShell as usual to enable Controlled Folder Access; for enterprise users, Group Policy can be used by editing Computer Configuration - Policies - Administrative Templates - Windows Components - Windows Defender Antivirus - Windows Defender Exploit Guard - Controlled Folder Access
  2. Please remember to extend your AD Group Policy templates with the new 1709 templates, as mentioned in part 1 of this series.
  3. To enable it you need to edit the "Configure Controlled Folder Access" setting as shown below, either to enable it or to keep it in Audit mode (changes to protected folders are allowed but audited, which means you can view these changes in the event logs).
  4. The other two settings are to add protected folders other than the default ones and to allow specific apps to access the protected folders.

How to view Controlled Folder Access Events:

  1. Download the Exploit Guard Evaluation Package (a ZIP folder that needs to be extracted).
  2. Open Event Viewer - Action - Import Custom View
  3. Open the downloaded Evaluation Package and pick cfa-events.xml
  4. Confirm the selection and add it to the custom views.
  5. It will appear under the Event Viewer custom views as shown below.
  6. Upon checking some logs, I noticed that Controlled Folder Access blocked Adobe from making a change to a file on my desktop, and here comes the value of Audit mode. Adobe is a legitimate application and I have PDF files that need to be edited on the desktop. If Audit mode were set, the change/edit would be done, but I would be notified in the logs so I could later add Adobe as an approved app in the Controlled Folder Access app list.
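The audit-first workflow from step 6 (run in Audit mode, see which legitimate app would have been blocked, then allow it) can be done entirely from PowerShell. The block below is an added example, not code from the original post: it puts Controlled Folder Access in AuditMode with Set-MpPreference, adds an extra protected folder, summarises the CFA events from the Windows Defender operational log (event 1123 is a block, 1124 an audit entry), and then allows one application by path before switching to Enabled. The folder and application paths are placeholders, and the regular expression that pulls the process name from the event message is my assumption about the message wording.

```powershell
# Added example (not from the original post): run Controlled Folder Access in
# audit mode, review which applications would have been blocked, allow a
# verified business application, then enforce. Elevated PowerShell, Win10 1709+.
# Assumptions: paths below are placeholders; replace them with your own.

# Audit mode first: changes to protected folders are allowed but logged.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# Add a folder beyond the defaults. Add-MpPreference appends to the list.
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance\Reports'   # placeholder

# CFA events in Microsoft-Windows-Windows Defender/Operational:
#   1123 = access blocked (Enabled), 1124 = access audited (AuditMode).
function Get-CfaAuditSummary {
    param([int]$Days = 7)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1123, 1124
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue

    # The message carries a "Process Name:" field; the regex is an assumption
    # about that wording, so unparsed messages are flagged rather than dropped.
    $events | ForEach-Object {
        $proc = if ($_.Message -match 'Process Name:\s*(\S+)') { $Matches[1] } else { '<unparsed>' }
        [pscustomobject]@{
            Process = $proc
            Mode    = if ($_.Id -eq 1124) { 'Audit' } else { 'Block' }
        }
    } | Group-Object Process, Mode | Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Process'; e = { $_.Group[0].Process } },
        @{ n = 'Mode';    e = { $_.Group[0].Mode } }
}

Get-CfaAuditSummary | Format-Table -AutoSize

# After confirming the process is legitimate (the post's Adobe example), allow it
# by full path, then switch CFA from audit to enforcement.
Add-MpPreference -ControlledFolderAccessAllowedApplications `
    'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe'   # placeholder path
Set-MpPreference -EnableControlledFolderAccess Enabled

# Confirm the effective state (1 = Enabled, 2 = AuditMode, 0 = Disabled).
Get-MpPreference | Select-Object EnableControlledFolderAccess,
    ControlledFolderAccessProtectedFolders, ControlledFolderAccessAllowedApplications
```

Allow applications by their full path rather than by name only: the allow list matches the executable path, and a broad entry would exempt anything that can write to that location.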

Controlled Folder Access (CFA) is another useful tool introduced in Windows 10 1709, tackling mainly the ransomware problem. Hope you enjoyed this post; see you on the next feature.

For more information on the first blog post please check the below Link

Windows 10 Fall update 1709 Security Feature 1: Windows Defender Application Guard

Posted by Ahmed Nabil
Microsoft celebrated my birthday and released the new Windows 10 fall update on October 17, 2017, with many new exciting features and updates, especially in the security field, which will be our main concern in this series of articles. My intent is to go through each new security feature targeted at endpoint users (Windows 10 users) one by one, each in a separate blog post, and we will start today with Windows Defender Application Guard.

What is the Windows Defender Application Guard ?

Windows Defender Application Guard is a new security feature in Windows 10 1709 that is integrated into the Edge browser (only Edge for now) and allows you and your organization's users to browse suspicious/untrusted sites and check them without exposing your operating system to any harm.

This works through the beauty of virtual machines (Windows Hyper-V): opening Edge in Application Guard mode simply opens the browser in an isolated virtual machine, which completely isolates the site or sites opened in Application Guard mode from your operating system's core components as well as your files and data. Once the Edge browser is closed (virtual machine turned off), all the site data opened in the browser is deleted and completely wiped.

What are the modes of Defender Application Guard ?

Windows Defender Application Guard comes in two flavors:

  1. Standalone: the user manually starts Edge in Application Guard mode when they feel suspicious about opening a specific website and would like to test it in secure mode. There are no policies (organization enforced Group Policies) governing this; it is purely the user's decision.
  2. Enterprise: the organization sets rules and policies to identify trusted and untrusted sites. When users try to open one of the untrusted sites, these URLs are loaded in Application Guard Edge mode (isolated virtual machine).

How to Install Application Guard ?

In general, Application Guard requires a computer capable of running virtualization; remember that Application Guard leverages virtual machine technology to isolate your suspicious URLs. Machines need to be 64 bit with virtualization extension support and enough RAM for the virtual machine (Microsoft's recommendation is a system with at least 8 GB RAM).

Application Guard is disabled by default, and you need to enable it from Control Panel - Turn Windows features on or off.

After enabling the feature, it gets installed and requires a reboot.

You can also install it using PowerShell, and link it to Group Policy if needed for mass distribution.
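For the PowerShell route mentioned above, the prerequisite check and the feature installation can be combined. The block below is an added example, not code from the original post: it reads the machine facts with Get-ComputerInfo (OS architecture, firmware virtualization support and total RAM), compares them against the requirements the post lists, and only then enables the Windows-Defender-ApplicationGuard optional feature with Enable-WindowsOptionalFeature, the same feature that the Control Panel checkbox toggles. Note that the Hyper-V requirement properties in Get-ComputerInfo come back empty on a machine where a hypervisor is already running, which this check treats as a failure; on such a machine the feature can still be enabled since virtualization is clearly available.

```powershell
# Added example (not from the original post): check the Application Guard
# prerequisites the post lists (64-bit OS, virtualization extensions, at least
# 8 GB RAM) and enable the Windows feature. Elevated PowerShell on Windows 10 1709+.
function Test-AppGuardPrerequisites {
    $ci = Get-ComputerInfo
    # Hyper-V requirement properties are empty when a hypervisor is already
    # running; [bool] turns that into $false, so review the output on such hosts.
    $checks = [ordered]@{
        'OS is 64-bit'                       = $ci.OsArchitecture -like '64*'
        'Virtualization enabled in firmware' = [bool]$ci.HyperVRequirementVirtualizationFirmwareEnabled
        'VM monitor mode extensions'         = [bool]$ci.HyperVRequirementVMMonitorModeExtensions
        'At least 8 GB RAM'                  = $ci.CsTotalPhysicalMemory -ge 8GB
    }
    foreach ($name in $checks.Keys) {
        $status = if ($checks[$name]) { 'OK' } else { 'MISSING' }
        Write-Host ('{0,-40} {1}' -f $name, $status)
    }
    # Write-Host keeps the report out of the return value, so callers get one bool.
    return -not ($checks.Values -contains $false)
}

if (Test-AppGuardPrerequisites) {
    # Same feature as Control Panel - Turn Windows features on or off.
    $result = Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard -NoRestart
    if ($result.RestartNeeded) {
        Write-Host 'Reboot required to finish installing Application Guard.'
    }
} else {
    Write-Host 'Machine does not meet the Application Guard requirements; not enabling.'
}

# Verify the feature state afterwards (Enabled, Disabled or EnablePending).
(Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard).State
```

For mass distribution the same Enable-WindowsOptionalFeature call can be dropped into a Group Policy startup script, as the post suggests.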

For more info check the below article 

How will the user open Edge Application Guard (Standalone) ?

As agreed before, in standalone mode the user manually opens Edge in Application Guard mode to examine any suspicious URL.

  1. The user opens the normal Edge browser - Settings - New Application Guard window.
  2. It takes a few minutes the first time, as Edge prepares the environment and loads the isolated virtual machine. Later, when you open another URL, it works faster since the environment is already set up and the VM is up and running.
  3. A new Edge browser is loaded with Application Guard enabled (shown top left).

How to apply the Application Guard for Enterprise Users ?

So this is the second mode we discussed: applying the Application Guard settings for the enterprise using Group Policy.

  1. Install Application Guard as discussed earlier by enabling the respective Windows feature.
  2. For enterprise users we will be controlling the settings using Group Policy, and for this reason we need to download the latest Windows 10 1709 Group Policy administrative templates (ADMX and ADML) and copy them to the domain controllers' central store.
  3. To download the latest 1709 administrative templates, please check the link below.
  4. By default the files will be installed under C:\Program Files (x86)\Microsoft Group Policy\Windows 10 Fall Creators Update (1709)\PolicyDefinitions.
  5. Copy the ADMX files from the local PolicyDefinitions folder (mentioned in step 4) to the central store PolicyDefinitions folder (I hope everyone is using a central store) under \\\SYSVOL\\Policies\PolicyDefinitions
  6. Repeat the same for the ADML files, from the local folder mentioned in step 4 under PolicyDefinitions\en-US to \\\SYSVOL\\Policies\PolicyDefinitions\en-US. This ensures your domain controllers have the latest templates needed for the Network Isolation Group Policies.
  7. Next we need to set the Network Isolation policies for the computers. Create a new Group Policy for the computers OU - Edit Policy - Computer Configuration - Policies - Administrative Templates - Network - Network Isolation
  8. There are two main settings that you need to configure, as shown in the image above. Enterprise resource domains hosted in the cloud: these are enterprise approved cloud resource domain URLs that will be opened in normal Edge, for example * or/and *. Domains categorized as both work and personal: you can add a list of your internal or external work domains as well as personal domains used by users, to be safely opened by the normal Edge browser.
  9. The next step is to enable Application Guard for Enterprise mode using the Group Policy settings under Administrative Templates - Windows Components - Windows Defender Application Guard
  10. Other settings in the same location (step 9) allow you to set the behavior of copying and pasting between sites opened in Application Guard and other components on the desktop, as well as print settings. You can enable or disable copying from this virtualized container to other systems.
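Steps 4 to 6 above are a manual file copy that is easy to get slightly wrong (ADML files landing in the root instead of the language folder is a common slip). The block below is an added example, not code from the original post: it copies the ADMX files from the default 1709 template folder the post names into the SYSVOL central store and the en-US ADML files into its language subfolder, then confirms that the templates the later steps depend on are present. The central store path is built from the domain of the current machine (an assumption; adjust it if your layout differs), and the three template file names in the final check (NetworkIsolation.admx for the Network Isolation policies, AppHVSI.admx for Application Guard, WindowsDefender.admx for the Defender settings) are my assumption about which files carry those policies.

```powershell
# Added example (not from the original post): copy the 1709 ADMX/ADML templates
# from the local PolicyDefinitions folder into the SYSVOL central store, which
# the post's steps 4-6 describe doing by hand. Run as a domain administrator.
# Assumption: the domain name is read from the current machine; adjust if needed.
$Source  = 'C:\Program Files (x86)\Microsoft Group Policy\Windows 10 Fall Creators Update (1709)\PolicyDefinitions'
$Domain  = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain
$Central = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
$Lang    = 'en-US'

if (-not (Test-Path $Source))  { throw "Template source not found: $Source" }
if (-not (Test-Path $Central)) { throw "Central store not found: $Central (create it first)" }

# ADMX files sit at the root of the store; ADML files sit under a language folder.
New-Item -ItemType Directory -Path (Join-Path $Central $Lang) -Force | Out-Null
Copy-Item -Path (Join-Path $Source '*.admx')       -Destination $Central                  -Force
Copy-Item -Path (Join-Path $Source "$Lang\*.adml") -Destination (Join-Path $Central $Lang) -Force

# Confirm the templates the rest of the post relies on arrived. File names are
# an assumption about which ADMX carries each policy area.
foreach ($file in 'NetworkIsolation.admx', 'AppHVSI.admx', 'WindowsDefender.admx') {
    $present = Test-Path (Join-Path $Central $file)
    '{0,-25} {1}' -f $file, $(if ($present) { 'copied' } else { 'MISSING' })
}
```

Because the central store is replicated to every domain controller through SYSVOL, run this once from a single machine and wait for replication rather than copying to each DC individually.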

So this concludes the first blog post in our new Windows 10 version 1709 security features series. Hopefully you are getting excited; see you in our next episode.


LepideAuditor Suite Review

Posted by Ahmed Nabil
Securing the infrastructure and company domain is one step, and auditing is another step that works side by side with it to close any gap. Unfortunately, some system or security admins invest time, effort and money in several solutions and devices to protect their network under the assumption that these devices or software work out of the box, with no need to continuously monitor and audit them.

Most of your domain infrastructure, such as Active Directory, Exchange, file servers, SQL, etc., generates a lot of log files, and we as administrators tend to turn on logging for everything. The question is whether you periodically check these intense, detailed, deep logs, and the answer is that only a few admins check them periodically, while the rest only check the logs when a problem occurs, such as a user lockout or file deletion.

Auditing is crucial, and it needs to be done periodically and not after the fact. You need a system that fully audits your infrastructure, generates easy to use reports and provides the capability to customize your reports for your domain. This helps draw a baseline of your environment and alerts you to any abnormal behavior. Being proactive and fully visualizing your environment will surely pay off more than being reactive.

During the last week I have been reviewing the LepideAuditor Suite, and I thought of sharing my feedback on this audit tool, starting from the setup and configuration through to the reporting phase.

Setup and Installation:

  1. The full auditor suite can be downloaded from the Lepide website; the trial version runs for 15 days with all needed features.
  2. The suite was installed on a Windows 10 (1703) machine.
  3. SQL 2016 Express was installed and a DB for Lepide was created (SQL Management Studio installed).
  4. The Group Policy Management console needs to be installed to collect Group Policy data.
  5. After downloading the LepideAuditor Suite, you get a ZIP folder with 4 files as shown below.
  6. I picked the LepideAuditor Suite and installed the EXE in this folder.
  7. It took me another 3 or 4 clicks (Next) and the suite was installed. The overall process takes around 7-8 minutes.


  1. After installation, opening the Lepide icon prompts you to either use the logged in account or another account.
  2. The next screen is to start adding the components that you would like to audit.
  3. For the trial I picked the AD, Exchange, GP, etc. components, which give you great detail and deep auditing on your domain, Exchange, usernames, etc., since everything is tied to Active Directory. For the configuration type you get the Express option and the Advanced option; as the name implies, Express is the quicker way to set up your domain configuration with default values, and you have the flexibility to change it later from the Lepide settings. I picked the Express option to get my system up and running in a few clicks.
  4. Enter your domain credentials and pick the option of auditing with or without an agent. I tried both and I can't see a major difference in the audit data. For large organizations with huge data activity, the agent option can be the better option for data compression and reporting.
  5. I picked all options on the next configuration screen; the wizard had already listed all domain controllers, Exchange servers in the environment and Group Policy servers, with health monitoring and change auditing enabled.
  6. The next step is to configure the SQL DB. I had already installed SQL Express on my PC and created a DB named Lepide using SQL Management Studio. I entered my local machine details and picked the DB I created earlier.
  7. Finish, and that's it: you have a running auditing system for your AD, Exchange, Group Policy and user modifications in 5 clicks. LepideAuditor Suite restarts and you get the dashboard/360 view, and it starts pulling data within a few minutes.

Example of Auditing report:

I started to make several changes and check whether they were reflected in the LepideAuditor Suite. One of the changes was moving a mailbox from one Exchange DB to another Exchange DB (this is a common task for Exchange admins, to provide the user with better mailbox storage or even move them to the cloud).

I moved the user mailbox, and after the batch move was done I checked Lepide Audit Reports - Domain - Exchange Modification Reports - MS Exchange Modification Reports - Mailbox Modifications - Mailbox Moved, and it was logged as shown below.

The change also appears in the Exchange changes on the main dashboard.

Active Directory has several detailed reports including computer, user, printers, containers, OUs and many other reports.

File Server Audit Setup/Installation:

The next thing I planned to do during my Lepide test was auditing the file share server, and the installation was straightforward, as shown below:

  1. Go to Settings - Component Management and add a component (File Server).
  2. In the File Server console settings, click on the + icon to add the Windows file server.
  3. You need to enter the server IP, domain and user credentials.
  4. Enter the SQL settings. You can use an existing DB or create a new one to host your file server audit change tracking.
  5. The wizard installs the agent, then Finish.
  6. The File Server reports in the Audit Reports are very detailed, including file modifications, deletions, permissions, etc.
  7. The first test of the file server audit was to delete a test file from one of the shares and check the Audit Reports (File and Folder Deletion) for the file server; it was clearly shown with all details on which file was deleted, by whom, when, etc.

Compliance Reports:

One very nice feature that might be required by several organizations is the compliance reports. The LepideAuditor Suite provides a detailed list of reports for several regulations.

Reports in Lepide can generally be grouped and filtered easily, much like working with a native SQL reporting system but with enhanced GUI options, and you can save all these reports to PDF or CSV.

Health Monitoring:

This is a nice feature added to the Auditor Suite which monitors the health of your servers (Active Directory, Exchange, etc.) and lists the general health (processors and RAM), service status, AD DB performance, replication status, LDAP status, NTDS counters and many other indicators. This option is not present in several other audit tools, and I find it very beneficial.


Auditing is critical and should be thoroughly considered by all organisations, since we all depend on our systems and use them in our day to day operations. I have seen several issues that were remediated at an early stage thanks to a correct audit and alerting rule. LepideAuditor Suite provides an easy to use tool with a very simple installation and setup to audit your environment. The reporting provides a huge amount of data, and the nice thing is that you can customize a lot of your audit and reporting settings.

For more Information on LepideAuditor Suite -

To download LepideAuditor Suite -