Hardening MS Office with Windows Defender Exploit Guard

Windows Defender Exploit Guard bundles the protections needed to keep intrusion attempts at bay. Its characteristic feature is ‘Exploit Protection’, which automatically applies many exploit mitigation techniques. You can inspect this capability in the Windows Defender Security Center under App & browser control > Exploit protection. From the Exploit protection settings you can control both system-wide settings and program-specific overrides. Let us look at how to configure and manage Windows system and application exploit mitigations using Windows Defender Exploit Guard (WDEG).

Windows Defender Exploit Guard

Exploit Guard can be found in the Security Analytics dashboard of the Windows Defender ATP console. Its primary function is to let enterprises see how the feature is configured across their devices and to drive compliance with recommendations based on best-practice security configurations.

You can configure Windows Exploit Guard for:

  • Attack surface reduction
  • Exploit Protection
  • Network Protection
  • Controlled Folder Access

All the Windows Defender Exploit Guard components can be readily managed by:

  • Group Policy (GP)
  • System Center Configuration Manager (SCCM)
  • Mobile Device Management (MDM) such as Microsoft Intune.

These components can run in either Audit or Block mode. In Audit mode an event that matches a rule is only logged; in Block mode, Windows Defender Exploit Guard stops the malicious behavior from occurring in real time as soon as it is observed.

I think the new Microsoft features are good and they can definitely help keep an end-point secure; there's no doubt about that, as long as they are used correctly and all work properly. I've not tested them all, of course, but I've experimented with a few anti-exploit features in Windows 10.

Features & Benefits

  • Exploit Guard per-application mitigations for Word, PowerPoint and Excel.
  • Block remote images – prevents loading of images (DLLs and executables) from remote devices such as UNC shares.
  • Code integrity guard – restricts loading of images to those signed by Microsoft, WHQL or higher. Can optionally allow Microsoft Store signed images.
  • Disable extension points – disables extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks and Winsock service providers.
  • Do not allow child processes – prevents an app from creating child processes (the usual way a malicious macro launches cmd.exe or PowerShell). This one is easier to set through the GUI than through the clunky .ps1 script.

    Attack surface reduction (ASR) rules can be enabled with a PowerShell script. Run PowerShell as administrator and paste these lines; each rule is identified by its GUID, and the same commands with -AttackSurfaceReductionRules_Actions AuditMode put a rule into Audit mode first.

    # Block Office applications from injecting code into other processes
    Add-MpPreference -AttackSurfaceReductionRules_Ids 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -AttackSurfaceReductionRules_Actions Enabled

    # Block Office applications from creating executable content
    Add-MpPreference -AttackSurfaceReductionRules_Ids 3B576869-A4EC-4529-8536-B80A7769E899 -AttackSurfaceReductionRules_Actions Enabled

    # Block JavaScript or VBScript from launching downloaded executable content
    Add-MpPreference -AttackSurfaceReductionRules_Ids D3E037E1-3EB8-44C8-A917-57927947596D -AttackSurfaceReductionRules_Actions Enabled

    # Block execution of potentially obfuscated scripts
    Add-MpPreference -AttackSurfaceReductionRules_Ids 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -AttackSurfaceReductionRules_Actions Enabled

    # Block executable content from email client and webmail
    Add-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -AttackSurfaceReductionRules_Actions Enabled

    # Block Win32 API calls from Office macro
    Add-MpPreference -AttackSurfaceReductionRules_Ids 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -AttackSurfaceReductionRules_Actions Enabled

Windows Registry Editor Version 5.00

; Block wscript.exe from creating child processes (Image File Execution Options mitigation).
; Straight quotes are required: curly quotes make regedit reject the file.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe]
"MitigationOptions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,10,00,00,00
"MitigationAuditOptions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,20,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe]
"MitigationOptions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,10,00,00,00
"MitigationAuditOptions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,20,00,00,00
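An added verification-and-apply script, not part of the original post: it reports the current state of the six ASR rules from the script above and applies the per-application mitigations listed under Features & Benefits with the ProcessMitigations module's Set-ProcessMitigation cmdlet, which is the PowerShell route to the same settings the GUI and the wscript.exe .reg file configure. It assumes Windows 10 1709 or later, an elevated session, and that Get-ProcessMitigation exposes the mitigation groups under the property names used below.

```powershell
# Added example (not from the original post). Requires Windows 10 1709+ and an elevated shell.
#Requires -RunAsAdministrator

# ASR rule GUIDs exactly as used in the Add-MpPreference script above.
$AsrRules = [ordered]@{
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Office apps injecting code into other processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Office apps creating executable content'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'JS/VBScript launching downloaded executables'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Potentially obfuscated scripts'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Executable content from email/webmail'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Win32 API calls from Office macros'
}
# Get-MpPreference reports the configured action numerically.
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToUpper() })
    foreach ($id in $AsrRules.Keys) {
        $idx = [array]::IndexOf($ids, $id.ToUpper())
        $state = if ($idx -ge 0) { $ActionNames[[int]$pref.AttackSurfaceReductionRules_Actions[$idx]] }
                 else { 'Not configured' }
        [pscustomobject]@{ Rule = $AsrRules[$id]; Id = $id; State = $state }
    }
}

# Per-application mitigations from the Features & Benefits list, by their Set-ProcessMitigation names.
$OfficeApps  = 'winword.exe', 'excel.exe', 'powerpnt.exe'
$Mitigations = 'BlockRemoteImageLoads', 'MicrosoftSignedOnly', 'AllowStoreSignedBinaries',
               'DisableExtensionPoints', 'DisallowChildProcessCreation'

function Set-OfficeMitigations {
    foreach ($app in $OfficeApps) { Set-ProcessMitigation -Name $app -Enable $Mitigations }
    # Same child-process restriction the .reg file above writes for wscript.exe.
    Set-ProcessMitigation -Name 'wscript.exe' -Enable DisallowChildProcessCreation
}

function Test-OfficeMitigations {
    # Property paths below are assumed from Get-ProcessMitigation's grouped output (ON / OFF / NOTSET).
    foreach ($app in ($OfficeApps + 'wscript.exe')) {
        $m = Get-ProcessMitigation -Name $app
        [pscustomobject]@{
            Process        = $app
            NoChildProcess = $m.ChildProcess.DisallowChildProcessCreation
            NoRemoteImages = $m.ImageLoad.BlockRemoteImageLoads
            SignedOnly     = $m.SignedBinaries.MicrosoftSignedOnly
            NoExtensionPts = $m.ExtensionPoints.DisableExtensionPoints
        }
    }
}

Get-AsrRuleState | Format-Table -AutoSize     # before: which rules are in Block, Audit or unset
Set-OfficeMitigations
Test-OfficeMitigations | Format-Table -AutoSize
```

Run Get-AsrRuleState again after a pilot period in Audit mode and compare against Event Viewer entries under Microsoft-Windows-Windows Defender/Operational before switching rules to Block.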
