Windows 10 Fall update 1709 Security Feature 3: Exploit Guard Protection Settings

Posted by Ahmed Nabil
Exploit Guard, as you may have noticed, is a very exciting security feature in Windows 10 1709: it is a set of host/endpoint intrusion prevention tools that defend against malicious macro, email and script based threats.

Those familiar with Microsoft's free EMET (Enhanced Mitigation Experience Toolkit) will find that Exploit Guard is the natural successor to EMET: it is used to limit and block attacks at the application level using memory mitigation techniques as well as other options.

It should be noted that EMET end of support is July 31, 2018. You can easily convert and import your EMET configuration and settings into Exploit Guard. For a detailed comparison between EMET and Exploit Guard, see the link below:

https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard

To import an older EMET configuration into Exploit Guard you first need to convert it and then import it. Both conversion and import are done using PowerShell commands as follows:


  1. Conversion: ConvertTo-ProcessMitigationPolicy -EMETFilePath emetFile.xml -OutputFilePath filename.xml
  2. Importing your converted file into Exploit Guard: Set-ProcessMitigation -PolicyFilePath filename.xml
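The two-step conversion and import above, carried through as an added example (not code from the original post): it converts a placeholder EMET export, imports it, and then reads back what is now applied. The file paths are placeholders, and the loop assumes the converted XML uses the Exploit Guard layout MitigationPolicy/AppConfig with an Executable attribute. Run it in an elevated PowerShell session on Windows 10 1709 or later.

```powershell
# Added example, not from the original post. Placeholder paths: replace with your own.
$emetFile      = 'C:\EMET\emet-export.xml'        # placeholder: EMET XML export
$convertedFile = 'C:\ExploitGuard\converted.xml'  # placeholder: converted output

# Step 1: convert the EMET configuration into the Exploit Guard policy format.
ConvertTo-ProcessMitigationPolicy -EMETFilePath $emetFile -OutputFilePath $convertedFile

# Step 2: import the converted policy. This applies both the system-wide
# mitigations and the per-program entries that were in the EMET profile.
Set-ProcessMitigation -PolicyFilePath $convertedFile

# Verification: first the system-wide mitigations now in effect ...
Get-ProcessMitigation -System

# ... then each program the converted file covers. Assumption: the XML layout is
# MitigationPolicy/AppConfig[@Executable]; the leaf name is used because EMET
# profiles often store full paths while Exploit Guard entries are keyed by name.
[xml]$policy = Get-Content -Path $convertedFile
foreach ($app in $policy.MitigationPolicy.AppConfig) {
    $exe = Split-Path -Path $app.Executable -Leaf
    Write-Host "Mitigations applied to $exe after import:"
    Get-ProcessMitigation -Name $exe
}
```

Compare the read-back output with the original EMET profile before rolling the converted file out; a mitigation EMET offered but Exploit Guard does not will simply be absent here rather than raising an error.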


Exploit Guard is a family of tools that fall under pre-breach threat resistance; there are mainly three tools under Exploit Guard, as follows:


  1. Attack Surface Reduction: protects entry vectors such as macros, i.e. Office files with macros that download and execute content (Office rules, script rules and mail rules). This will be discussed in my next blog post.
  2. Controlled Folder Access: protects the files in the critical folders on your system (ransomware). Check my earlier post http://itcalls.blogspot.com.eg/2017/10/windows-10-fall-update-1709-security_25.html
  3. Network Protection: the part of Exploit Guard that protects against internet based attacks (building on the earlier browser SmartScreen protection, etc.)

In this article I am mainly discussing the Exploit Protection settings for both the system and applications (mitigations similar to the former EMET tool).



Configuring Exploit Protection settings on Standalone machine:

You can open the Exploit Protection settings from the Windows Defender Security Center: App and Browser Control, then scroll down and click on Exploit Protection.


There are two main things to note. The first is the export settings option at the end of the page, which is very useful: once you have well tested and appropriate settings for your Windows 10 machines, you can export all of them and deploy them via group policy to all other clients in your organization.

The second is that Exploit Protection includes both System settings and Program settings. In the system area you will mostly find memory mitigation settings similar to the ones we used to have in EMET; in the program settings you see the programs already protected, and you can add other programs by name or path to be protected, as shown below.
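The same standalone workflow done from PowerShell instead of the Security Center UI, as an added example (not code from the original post): set the system-wide defaults, add per-program mitigations for one application, read back what is effective, and export the whole configuration to the XML file that group policy later consumes. The program name and paths are placeholders; run it elevated on Windows 10 1709 or later.

```powershell
# Added example, not from the original post. Placeholders: replace with your own.
$program    = 'notepad.exe'                            # placeholder: app under test
$exportFile = 'C:\ExploitGuard\ExploitProtection.xml'  # placeholder: export target

# System settings: the memory mitigations the post compares to EMET
# (DEP, bottom-up and high-entropy ASLR, SEHOP, Control Flow Guard), enabled system-wide.
Set-ProcessMitigation -System -Enable DEP,BottomUp,HighEntropy,SEHOP,CFG

# Program settings: add one program by name and enable mitigations for it only.
# ForceRelocateImages is mandatory ASLR; BlockRemoteImageLoads refuses images loaded
# from remote shares. Use -Disable instead to opt a legacy app out of a system default.
Set-ProcessMitigation -Name $program -Enable ForceRelocateImages,BlockRemoteImageLoads

# Read back the effective per-program settings before trusting the profile;
# test the application itself afterwards, since mandatory ASLR can break old binaries.
Get-ProcessMitigation -Name $program

# Export every system and program setting to XML. This is the file the
# group policy Exploit Protection setting points at for domain-wide deployment.
Get-ProcessMitigation -RegistryConfigFilePath $exportFile

# Sanity check on the export: list the programs it covers.
# Assumption: the exported XML uses the MitigationPolicy/AppConfig[@Executable] layout.
[xml]$exported = Get-Content -Path $exportFile
$exported.MitigationPolicy.AppConfig | ForEach-Object { $_.Executable }
```

Keep the exported XML under version control alongside the test notes for each application; a later edit in the UI on the reference machine is otherwise easy to lose.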







Configuring Exploit Protection settings on domain machines using group policy:

As discussed earlier under the standalone configuration, you will normally start by configuring one client and testing all applications and mitigation techniques; once satisfied, you export the settings and deploy them to all the computers in your enterprise running Windows 10 1709 or later.

This is where group policy kicks in: create a new GPO, link it to your Windows 10 1709 computers, and navigate to Computer Configuration - Policies - Administrative Templates - Windows Components - Windows Defender Exploit Guard - Exploit Protection.




There is only one setting available here, where you point to the settings file (exported from any tested standalone machine).


That's it for now; see you in my next post, on Exploit Guard Attack Surface Reduction.




3 comments:

rohan rj Says:

It looks very spectacular. And article gives me a lot of information .be thankful, I truly discovered very awesome and exclusive concepts. So this might be useful to everybody... Thanks for creating this interesting blog. security guards

Security Services Australia Says:

Safehands Security Services have been founded with a motive to provide highly specialised security services in the entire Adelaide, Australia within budget.



Amazing Quotes Says:

Very Nice And Interesting Post, thank you for sharing
