For those familiar with Microsoft's free EMET (Enhanced Mitigation Experience Toolkit) tool, Exploit Guard is the natural successor to EMET: it is used to limit and block attacks at the application level using memory mitigation techniques as well as other options.
It should be noted that EMET end of support is July 31, 2018. You can easily import and convert your EMET configuration and settings to Exploit Guard. For a detailed comparison between EMET and Exploit Guard check the link below:
https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard
To import an older EMET configuration into Exploit Guard you first need to convert it and then import it. Both the conversion and the import are done using PowerShell commands as follows:
- Conversion: ConvertTo-ProcessMitigationPolicy -EMETFilePath emetFile.xml -OutputFilePath filename.xml
- Importing your converted file to Exploit Guard: Set-ProcessMitigation -PolicyFilePath filename.xml
Exploit Guard is a family of tools that fall under pre-breach threat resistance. There are mainly three tools under Exploit Guard, as follows:
- Attack Surface Reduction: protects entry vectors such as macros (Office files with macros that download and execute content) through Office rules, script rules and mail rules. This will be discussed in my next blog post.
- Controlled Folder Access: protects the files in your critical folders on your system (against ransomware). Check my earlier post http://itcalls.blogspot.com.eg/2017/10/windows-10-fall-update-1709-security_25.html
- Network Protection: the part of Exploit Guard that protects against internet-based attacks (building on the earlier browser SmartScreen protection, etc.)
In this article I am mainly discussing the Exploit Protection settings for both the system and applications (mitigations similar to those of the former EMET tool).
Configuring Exploit Protection settings on Standalone machine:
You can open the Exploit Protection settings from the Windows Defender Security Center - App and Browser Control - scroll down and click on Exploit Protection.
Two main things to note. First, the export settings option at the end of the page is very beneficial: once you have well-tested and appropriate settings for your Windows 10 machines, you can export all settings and deploy them via Group Policy to all other clients in your organization.
Second, Exploit Protection includes both System settings and Program settings. In the system area you will find mostly memory mitigation settings similar to the ones we used to have in EMET, and in the program settings you have your protected programs, where you can add other programs by name or path to be protected, as shown below.
Configuring Exploit Protection settings on domain machines using group policy:
As discussed earlier for the standalone configuration, normally you will start by configuring one client and testing all applications and mitigation techniques; once satisfied you will export the settings and deploy them to all the computers in your enterprise running Windows 10 1709 or later.
This is where Group Policy kicks in: create a new GPO, link it to your Windows 10 1709 computers, and navigate to Computer Configuration - Policies - Administrative Templates - Windows Components - Windows Defender Exploit Guard - Exploit Protection.
There is only one setting available, where you point to the settings file (exported from any tested standalone machine).
That's it for now; see you in my next post on Exploit Guard Attack Surface Reduction.
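Putting the two procedures above together (convert and import the EMET policy, then export the tested machine's settings for Group Policy), here is an added example script that is not part of the original post. The file paths, the share name and the idea of listing the covered programs from the converted XML are my assumptions; the cmdlets themselves are the ones named in this post plus Get-ProcessMitigation for review and export.

```powershell
# Added example, not from the original post. Assumed paths: an EMET export at
# $EmetExport, a local working file at $Converted and a share ($ShareTarget) that
# the Group Policy setting will later point at. Run elevated on Windows 10 1709+.
$EmetExport  = 'C:\EMET\emet-settings.xml'                                 # assumed
$Converted   = 'C:\ExploitGuard\converted.xml'                             # assumed
$ShareTarget = '\\fileserver\ExploitGuard\ExploitProtectionSettings.xml'  # assumed

# 1. Convert the legacy EMET policy into the Exploit Protection XML format.
ConvertTo-ProcessMitigationPolicy -EMETFilePath $EmetExport `
    -OutputFilePath $Converted -ErrorAction Stop

# 2. List the executables the converted policy covers, so each one is tested
#    before anything is pushed out. The converted XML has a <MitigationPolicy>
#    root with one <AppConfig Executable="..."> element per protected program.
[xml]$policy = Get-Content -Path $Converted -ErrorAction Stop
$apps = @($policy.MitigationPolicy.AppConfig | ForEach-Object { $_.Executable })
Write-Output "Converted policy covers $($apps.Count) program(s):"
$apps | ForEach-Object { Write-Output "  $_" }

# 3. Apply the converted policy on the reference (standalone) machine.
Set-ProcessMitigation -PolicyFilePath $Converted -ErrorAction Stop

# 4. Show the effective per-program mitigations for review; test each program
#    for compatibility problems before going further.
foreach ($app in $apps) {
    Write-Output "---- $app ----"
    Get-ProcessMitigation -Name $app | Out-String | Write-Output
}

# 5. Once testing is done, export the machine's full configuration (system and
#    program settings) to the file the GPO "Exploit Protection" setting references.
Get-ProcessMitigation -RegistryConfigFilePath $ShareTarget
```

Step 5 is the same export you get from the "Export settings" link in the Security Center; doing it from PowerShell just makes it repeatable when the reference machine's settings change.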