Part 2: Improve your endpoint security /w Windows Defender ATP & Microsoft Intune: Exploit Guard & SmartScreen
In my previous blog I highlighted the Security Analytics dashboard of Windows Defender Advanced Threat Protection and how to improve your organization's security, covering two improvement areas: Windows Defender Antivirus and Windows Defender Application Guard.
In this blog I'll cover two other improvement areas: Windows Defender Exploit Guard and SmartScreen.
Windows Defender Exploit Guard
Windows Defender Exploit Guard (Windows Defender EG) is a new set of host intrusion prevention capabilities for Windows 10, allowing you to manage and reduce the attack surface of apps used by your employees.
There are four features in Windows Defender Exploit Guard:
- Exploit Protection can apply exploit mitigation techniques to apps your organization uses, both individually and to all apps
- Attack Surface Reduction rules can reduce the attack surface of your applications with intelligent rules that stop the vectors used by Office-, script- and mail-based malware
- Network Protection extends the malware and social engineering protection offered by Windows Defender SmartScreen in Edge to cover network traffic and connectivity on your organization’s devices
- Controlled Folder Access helps protect files in key system folders from changes made by malicious and suspicious apps, including file-encrypting ransomware malware
The score of Windows Defender Exploit Guard is measured against the below improvement areas including cloud-based protection.
The configuration of Windows Defender Exploit Guard is currently documented for PowerShell and Group Policy. However, there is a Windows 10 Configuration Service Provider (CSP) for Windows Defender Exploit Guard which makes it possible to configure Exploit Guard using Microsoft Intune (or other MDM solutions).
Note: At the time of writing there is no Windows Defender Exploit Guard profile available in either Configuration Manager or Microsoft Intune. I expect this will become available soon, as Windows 10 Fall Creators Update is generally available now. Windows Defender Exploit Guard works with Windows 10 Fall Creators Update (1709), and Windows Defender Antivirus real-time protection must be enabled.
Attack Surface Reduction (ASR) rules
Attack Surface Reduction helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
The feature is comprised of a number of rules, each of which targets specific behaviors that are typically used by malware and malicious apps to infect machines, such as:
- Executable files and scripts used in Office apps or web mail that attempt to download or run files
- Scripts that are obfuscated or otherwise suspicious
- Behaviors that apps undertake that are not usually initiated during normal day-to-day work
The following sections describe what each rule does. Each rule is identified by a rule GUID, as in the following table:
Rule name | GUID |
Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 |
Block Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A |
Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899 |
Block Office applications from injecting into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 |
Impede JavaScript and VBScript to launch executables | D3E037E1-3EB8-44C8-A917-57927947596D |
Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC |
Block Win32 imports from Macro code in Office | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B |
The Exploit Guard Attack Surface Reduction rules are configured using the Defender node of the Policy CSP.
CSP Node | Description | Value |
Defender/AttackSurfaceReductionRules | This policy setting sets the state (Block/Audit/Off) for each Attack Surface Reduction (ASR) rule. The ASR rule ID and state are added under the Options for this setting as name/value pairs: the name is a valid ASR rule ID (the GUID from the table above) and the value is the status ID of the rule (0 = Off, 1 = Block, 2 = Audit). Pairs are separated by a pipe character. Value type is integer. | {ASR GUID}=<0,1,2>|{ASR GUID}=<0,1,2> |
Controlled Folder Access
Controlled Folder Access helps you protect valuable data from malicious apps and threats, such as ransomware.
The protected folders include common system folders, and you can add additional folders. You can also allow or whitelist apps to give them access to the protected folders.
CSP Node | Description | Value |
Defender/EnableControlledFolderAccess | This policy enables setting the state (On/Off/Audit) for the guard my folders feature. The guard my folders feature removes modify and delete permissions from untrusted applications to certain folders such as My Documents. Value type is integer and the range is 0 – 2. | 0 (default) – Disabled; 1 – Enabled; 2 – Audit Mode |
Defender/ControlledFolderAccessProtectedFolders | This policy setting allows adding user-specified folder locations to the guard my folders feature. These folders complement the system-defined folders such as My Documents and My Pictures. The list of system folders is displayed in the user interface and cannot be changed. Value type is string. | <folder>|<folder> |
Defender/ControlledFolderAccessAllowedApplications | This policy setting allows user-specified applications through the guard my folders feature. Adding an allowed application means the guard my folders feature will allow the application to modify or delete content in certain folders such as My Documents. In most cases it will not be necessary to add entries: Windows Defender Antivirus automatically detects and dynamically adds applications that are friendly. Value type is string. Use the Unicode as the substring separator. | <folder\application>|<folder\application> |
Network Protection
Network Protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
It expands the scope of Windows Defender SmartScreen to block all outbound HTTP(S) traffic that attempts to connect to low-reputation sources (based on the domain or hostname).
CSP Node | Description | Value |
Defender/EnableNetworkProtection | This policy allows you to turn network protection on (block/audit) or off in Windows Defender Exploit Guard. Network protection is a feature of Windows Defender Exploit Guard that protects employees using any app from accessing phishing scams, exploit-hosting sites, and malicious content on the Internet. This includes preventing third-party browsers from connecting to dangerous sites. Value type is integer. | 0 (default) – Disabled; 1 – Enabled (block mode); 2 – Enabled (audit mode) |
In order to enable Windows Defender Exploit Guard using Microsoft Intune, we created a custom profile (OMA-URI) which contains the required settings to improve our organization's security score.
Remark! In order for your improvement to be reflected in the security score of the Windows Defender ATP Security Analytics dashboard, take the following into account:
- You have to configure all Exploit Guard features in block mode (1) in order to improve your security score;
- You have to configure all Attack Surface Reduction rules in order to improve your security score.
Note: The rule Block Office applications from injecting into other processes, with GUID 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84, is excluded from the baseline. Consider enabling this rule in Audit or Block mode for better protection.
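The following script is an added example and not part of the original post: it builds the three OMA-URI values for the custom Intune profile described above (all ASR rules from the table, Controlled Folder Access and Network Protection, all in block mode) and then audits a local Windows 10 1709 device with Get-MpPreference to report whether the same baseline is already in effect. The function name Test-ExploitGuardBaseline and the assumed ordering of the Get-MpPreference ASR arrays (Ids[i] paired with Actions[i]) are my assumptions; the cmdlets and parameters are from the built-in Defender module.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on
# Windows 10 1709+ with the Defender module (Get-MpPreference) available.

# ASR rules from the post's table. Defender CSP state values: 0 = Off, 1 = Block, 2 = Audit.
$AsrRules = [ordered]@{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting into other processes'  # excluded from the ATP baseline, included here as the post suggests
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Impede JavaScript and VBScript to launch executables'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 imports from Macro code in Office'
}
$Block = 1

# Value for Defender/AttackSurfaceReductionRules: "{GUID}=<state>" pairs joined with '|'.
$AsrValue = ($AsrRules.Keys | ForEach-Object { '{0}={1}' -f $_, $Block }) -join '|'

# Rows to paste into the custom profile (OMA-URI = value). Integer type for the last two.
$OmaUri = [ordered]@{
    './Device/Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules'  = $AsrValue
    './Device/Vendor/MSFT/Policy/Config/Defender/EnableControlledFolderAccess' = 1   # 1 = Enabled
    './Device/Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection'      = 1   # 1 = Enabled (block mode)
}
Write-Output '--- Custom profile rows ---'
$OmaUri.GetEnumerator() | ForEach-Object { Write-Output ('{0} = {1}' -f $_.Key, $_.Value) }

# Assumed helper name: audit the local device against the same baseline.
function Test-ExploitGuardBaseline {
    $Pref    = Get-MpPreference
    $Ids     = @($Pref.AttackSurfaceReductionRules_Ids)
    $Actions = @($Pref.AttackSurfaceReductionRules_Actions)   # 0 = Disabled, 1 = Enabled, 2 = AuditMode
    $Label   = @{ 0 = 'Off'; 1 = 'Block'; 2 = 'Audit' }

    foreach ($Id in $AsrRules.Keys) {
        $State = 0                                              # not configured counts as Off
        for ($i = 0; $i -lt $Ids.Count; $i++) {
            if ($Ids[$i] -eq $Id) { $State = [int]$Actions[$i]; break }   # -eq is case-insensitive
        }
        [pscustomobject]@{
            Feature   = 'ASR: ' + $AsrRules[$Id]
            State     = $Label[$State]
            Compliant = ($State -eq $Block)
        }
    }
    [pscustomobject]@{
        Feature   = 'Controlled Folder Access'
        State     = $Label[[int]$Pref.EnableControlledFolderAccess]
        Compliant = ([int]$Pref.EnableControlledFolderAccess -eq $Block)
    }
    [pscustomobject]@{
        Feature   = 'Network Protection'
        State     = $Label[[int]$Pref.EnableNetworkProtection]
        Compliant = ([int]$Pref.EnableNetworkProtection -eq $Block)
    }
}

Write-Output '--- Local device state ---'
Test-ExploitGuardBaseline | Format-Table -AutoSize
```

Non-compliant rows on a test device can be corrected locally with the documented PowerShell path the post refers to (Add-MpPreference -AttackSurfaceReductionRules_Ids <GUID> -AttackSurfaceReductionRules_Actions Enabled, Set-MpPreference -EnableControlledFolderAccess Enabled, Set-MpPreference -EnableNetworkProtection Enabled), but once the Intune profile applies, the MDM policy should be the source of truth and the script is only a verification step.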
SmartScreen
Windows Defender SmartScreen helps to protect your employees if they try to visit sites previously reported as phishing or malware websites, or if an employee tries to download potentially malicious files.
SmartScreen determines whether a site is potentially malicious by:
- Analyzing visited webpages looking for indications of suspicious behavior. If it finds suspicious pages, SmartScreen shows a warning page, advising caution.
- Checking the visited sites against a dynamic list of reported phishing sites and malicious software sites. If it finds a match, SmartScreen shows a warning to let the user know that the site might be malicious.
SmartScreen determines whether a downloaded app or app installer is potentially malicious by:
- Checking downloaded files against a list of reported malicious software sites and programs known to be unsafe. If it finds a match, SmartScreen shows a warning to let the user know that the site might be malicious.
- Checking downloaded files against a list of files that are well known and downloaded by many Windows users. If the file isn’t on that list, SmartScreen shows a warning, advising caution.
You can take the following actions to increase the overall security score of your organization:
- Set Check app and files to Warn or Block
- Set SmartScreen for Microsoft Edge to Warn or Block
- Set SmartScreen for Microsoft store apps to Warn or Off
SmartScreen can be configured using the Microsoft Intune UI or by configuring a custom profile (OMA-URI). The SmartScreen UI section is split into a browser part and a system part, found under:
- Windows 10 Device Restrictions\Windows Defender SmartScreen
- Endpoint protection\Windows Defender SmartScreen
If you manage your policies using Microsoft Intune, you’ll want to use these MDM policy settings. All settings support both desktop computers (running Windows 10 Pro or Windows 10 Enterprise, enrolled with Microsoft Intune) and Windows 10 Mobile devices.
Setting | Supported versions |
AllowSmartScreen | Windows 10 |
EnableAppInstallControl | Windows 10, version 1703 |
EnableSmartScreenInShell | Windows 10, version 1703 |
PreventOverrideForFilesInShell | Windows 10, version 1703 |
PreventSmartScreenPromptOverride | Windows 10, version 1511 and later |
PreventSmartScreenPromptOverrideForFiles | Windows 10, version 1511 and later |
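As an added example (not part of the original post), the script below lists the OMA-URIs for the six MDM settings in the table, so they can be deployed in the same custom profile as the Exploit Guard settings, and then checks a local device against the post's recommendation of setting "Check apps and files" and SmartScreen for Microsoft Edge to Warn or Block. The registry locations used for the check are my assumption based on the Group Policy backing of these settings (EnableSmartScreen and ShellSmartScreenLevel under HKLM:\SOFTWARE\Policies\Microsoft\Windows\System, and the PhishingFilter key for Microsoft Edge); verify them against the policy documentation for your build. The function name Test-SmartScreenBaseline is hypothetical.

```powershell
# Added example, not from the original post. Read-only; run on a Windows 10 1709 device.

# OMA-URI paths for the MDM settings listed in the table (Policy CSP areas Browser and SmartScreen).
$SmartScreenOmaUri = @(
    './Device/Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen'                          # 1 = allowed
    './Device/Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverride'          # 1 = no site override
    './Device/Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles'  # 1 = no download override
    './Device/Vendor/MSFT/Policy/Config/SmartScreen/EnableSmartScreenInShell'              # 1 = Check apps and files on
    './Device/Vendor/MSFT/Policy/Config/SmartScreen/PreventOverrideForFilesInShell'        # 1 = Block instead of Warn
    './Device/Vendor/MSFT/Policy/Config/SmartScreen/EnableAppInstallControl'               # 1 = app install control on
)
Write-Output '--- OMA-URIs for the custom profile (integer value 1 enables each) ---'
$SmartScreenOmaUri | ForEach-Object { Write-Output $_ }

# Assumed registry backing for the policy settings (label: assumption, see lead-in).
$ShellKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$EdgeKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter'

# Read one DWORD/string value, returning $null when the key or value is absent.
function Get-PolicyValue([string]$Key, [string]$Name) {
    $Item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $Item) { return $null }
    return $Item.$Name
}

# Hypothetical helper: translate the raw policy values into the post's Warn/Block/Off vocabulary.
function Test-SmartScreenBaseline {
    # "Check apps and files": EnableSmartScreen = 1 turns it on; ShellSmartScreenLevel is 'Warn' or 'Block'.
    $Enabled = Get-PolicyValue $ShellKey 'EnableSmartScreen'
    $Level   = Get-PolicyValue $ShellKey 'ShellSmartScreenLevel'
    $Shell   = if ($Enabled -eq 1 -and $Level) { $Level } elseif ($Enabled -eq 1) { 'Warn' } else { 'Off or not configured' }
    [pscustomobject]@{
        Setting   = 'Check apps and files'
        State     = $Shell
        Compliant = ($Shell -in @('Warn', 'Block'))
    }

    # SmartScreen for Microsoft Edge: EnabledV9 = 1 turns it on; PreventOverride = 1 makes it Block.
    $EdgeOn   = Get-PolicyValue $EdgeKey 'EnabledV9'
    $EdgeHard = Get-PolicyValue $EdgeKey 'PreventOverride'
    $Edge     = if ($EdgeOn -eq 1 -and $EdgeHard -eq 1) { 'Block' } elseif ($EdgeOn -eq 1) { 'Warn' } else { 'Off or not configured' }
    [pscustomobject]@{
        Setting   = 'SmartScreen for Microsoft Edge'
        State     = $Edge
        Compliant = ($Edge -in @('Warn', 'Block'))
    }
}

Write-Output '--- Local device state ---'
Test-SmartScreenBaseline | Format-Table -AutoSize
```

A device that shows "Off or not configured" for either row is the one the Security Analytics dashboard will count against the SmartScreen improvement area; after the Intune profile has applied (check the device's sync status first), rerunning the script should show Warn or Block on both rows.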
The Results…
Now that we have configured the device restriction profiles in Microsoft Intune for both Windows Defender Exploit Guard and Windows Defender SmartScreen, let's have a look at the improvement areas.
Now that we have configured and enabled Exploit Guard in block mode, we see a significant improvement over time for this improvement area.
In my previous blog we reported a score of 35,8 for Exploit Guard; after applying the security baseline configuration we have a new score of 66,7, which almost doubles the score.
Recap
The Security Analytics dashboard provides organizations with valuable insights into their endpoint security and enables them to easily enhance and maximize their security potential. Where Windows Defender Advanced Threat Protection gives organizations continuous, valuable insight into their current security operations and analytics performance, Microsoft Intune enables you to translate those insights into enforceable measures. Special thanks to Ran Mitelman (MSFT) for providing valuable insights.
Sources
Reduce attack surfaces with Windows Defender Exploit Guard
Windows Defender Exploit Guard
Protect your network with Windows Defender Exploit Guard
Protect important folders with Controlled Folder Access
Windows Defender SmartScreen
Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings