Implement Exploit Protection
Exploit Protection helps to protect your users’ devices against malware that uses exploits to spread through your organization. Exploit Protection consists of a number of specific mitigations that you must enable and configure separately.
By default, Exploit Protection already enables several mitigations that apply to the operating system and to specific apps. However, if you want to configure these and other mitigations, use the following procedure:
- Open the Windows Security app.
- Select the App & Browser Control tab.
- Scroll down and select the Exploit Protection Settings link.
- On the Exploit protection page, shown in Figure 3-3, configure the required settings. You can configure System settings and also specific Program settings. Review Table 3-2 for an overview of available settings.

Figure 3-3 Configuring exploit protection settings
TABLE 3-2 Exploit Protection mitigations
| Mitigation | Explanation |
| --- | --- |
| Control Flow Guard (CFG) | Control Flow Guard combats memory corruption vulnerabilities. |
| Data Execution Prevention (DEP) | Helps to prevent executable code from being run from pages that contain data. |
| Force Randomization For Images (Mandatory ASLR) | Helps prevent attacks by putting processes into memory at random locations. |
| Randomize Memory Allocations (Bottom-Up ASLR) | Helps prevent attacks by putting processes into memory at random locations. |
| High-Entropy ASLR | Helps prevent attacks by increasing variability when using Randomize Memory Allocations. |
| Validate Exception Chains (SEHOP) | Helps prevent the use of a structured exception-handler attack. |
| Validate Heap Integrity | Helps prevent attacks that seek to use memory corruption. |
| Arbitrary Code Guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). |
| Block Low Integrity Images | Prevents the loading of images marked with Low Integrity. |
| Block Remote Images | Prevents the loading of images from remote devices. |
| Block Untrusted Fonts | Prevents loading any Graphics Device Interface (GDI)-based fonts not installed in the system fonts directory, notably fonts from the web. |
| Code Integrity Guard | Restricts loading of images signed by Microsoft, Windows Hardware Quality Labs (WHQL), or higher. Can optionally allow Microsoft Store–signed images. |
| Disable Extension Points | Disables various extensibility mechanisms that allow dynamic-link library (DLL) injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. |
| Disable Win32k System Calls | Prevents an app from using the Win32k system call table. |
| Do Not Allow Child Processes | Prevents an app from creating child processes. |
| Export Address Filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. |
| Import Address Filtering (IAF) | Detects dangerous operations being resolved by malicious code. |
| Simulate Execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG. |
| Validate API Invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG. |
| Validate Handle Usage | Causes an exception to be raised on any invalid handle references. |
| Validate Image Dependency Integrity | Enforces code signing for Windows image dependency loading. |
| Validate Stack Integrity (StackPivot) | Ensures that the stack has not been redirected for sensitive APIs. Not compatible with ACG. |
- Select the Export settings link to export the settings to an XML file.
- Distribute the XML file to other devices by using Group Policy Objects (GPOs).
Exam Tip
You can also enable mitigations in audit mode; doing so allows you to determine the effect of enabling a specific mitigation without affecting the user’s device usage.
In addition to using the Windows Security app to configure Exploit Protection, you can use Windows PowerShell cmdlets: Get-ProcessMitigation reads the current configuration and Set-ProcessMitigation changes it. For example, to enable the Data Execution Prevention (DEP) mitigation for the MyLOB.exe program located in the C:\Apps\LOB folder and to prevent that executable from creating child processes, run the following PowerShell command:
```powershell
Set-ProcessMitigation -Name C:\Apps\LOB\MyLOB.exe -Enable DEP, EmulateAtlThunks, DisallowChildProcessCreation
```
Exam Tip
To review further details about enabling and configuring Exploit Protection, refer to the Microsoft website at https://docs.microsoft.com/microsoft-365/security/defender-endpoint/customize-exploit-protection.
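The following script, added here as an illustration and not taken from the book, walks the same workflow end to end with PowerShell: it enables mitigations for the MyLOB.exe program in audit mode first (as the exam tip suggests), reads the configuration back, checks the audit log, switches to enforcement, and then exports the XML and copies it to the UNC share that the GPO procedure below references. The C:\Temp export path, the \\fileserver share and the event log name are assumptions.

```powershell
# Added example, not from the book: stage Exploit Protection for a line-of-business app
# in audit mode, review the result, then export the configuration for GPO distribution.
# Assumptions: C:\Temp and the \\fileserver share are placeholders; run in an elevated
# session on a Windows 10/11 device with Microsoft Defender present.
#Requires -RunAsAdministrator

$App        = 'C:\Apps\LOB\MyLOB.exe'                                  # same program as in the text
$ExportPath = 'C:\Temp\ExploitProtection.xml'                          # local export (placeholder)
$SharePath  = '\\fileserver\ExploitProtection\ExploitProtection.xml'   # UNC path used by the GPO (placeholder)

# 1. Audit before you enforce: Audit* values log would-be blocks instead of blocking,
#    so a mitigation that would break the app shows up in the event log, not as a crash.
Set-ProcessMitigation -Name $App -Enable AuditDynamicCode, AuditChildProcess

# 2. Mitigations that rarely break well-behaved apps can be enforced straight away.
Set-ProcessMitigation -Name $App -Enable DEP, EmulateAtlThunks, BottomUp, HighEntropy

# 3. Read back the per-program configuration (Get-ProcessMitigation takes the image name).
Get-ProcessMitigation -Name (Split-Path $App -Leaf) | Format-List

# 4. After the app has been exercised by users, look for audit events for this image.
#    (Log name is an assumption; adjust if your build records these events elsewhere.)
Get-WinEvent -FilterHashtable @{ LogName   = 'Microsoft-Windows-Security-Mitigations/UserMode'
                                 StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*MyLOB.exe*' } |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap

# 5. Once the audit log shows no unexpected hits, turn the audited mitigations into enforcement.
Set-ProcessMitigation -Name $App -Disable AuditDynamicCode, AuditChildProcess
Set-ProcessMitigation -Name $App -Enable BlockDynamicCode, DisallowChildProcessCreation

# 6. Export the current registry configuration to XML (the PowerShell equivalent of the
#    Export settings link) and place it on the share referenced by the GPO.
Get-ProcessMitigation -RegistryConfigFilePath $ExportPath
Copy-Item -Path $ExportPath -Destination $SharePath

# 7. A device outside Group Policy can apply the same XML directly.
Set-ProcessMitigation -PolicyFilePath $ExportPath
```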
To use GPOs to distribute the exported settings, use the following procedure:
- On a domain controller, open the appropriate GPO for editing.
- In the Group Policy Management Editor, navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Defender Exploit Guard > Exploit Protection.
- Select Use a common set of exploit protection settings.
- Select Enabled, as displayed in Figure 3-4, and then enter a valid UNC path to the XML file that contains the necessary settings.

Figure 3-4 Configuring a common set of exploit protection settings using GPOs
- Select OK, and then close the Group Policy Management Editor.