Device Protection With Microsoft Endpoint Manager and Microsoft Defender For Endpoint - Module 08 - Exploit Guard and Application Guard

Exploit Guard is a security feature in Windows 10 that includes Attack Surface Reduction rules, Controlled Folder Access, and Network Protection. Attack Surface Reduction contains configurable rules that can block potentially malicious actions. Controlled Folder Access only allows trusted apps to access protected folders. Network Protection blocks outbound requests to low reputation sources to reduce the attack surface from internet-based events.


Device Protection with Microsoft Endpoint Manager and Microsoft Defender for Endpoint
Module 08: Exploit Guard and Application Guard
Microsoft Services
V04.21-2010
Module 8.1 - Exploit Guard
• What is Exploit Guard?
• Exploit Guard Components
• Exploit Guard Requirements
• Lab 08.1: Exploit Guard
• Additional Resources
Module 08: Exploit Guard and Application Guard
Exploit Guard
Microsoft Confidential

What is Exploit Guard?

• Exploit Guard is a new security feature introduced in the 2017 Fall Creators Update to Windows 10.
• Exploit Guard is integrated into the Windows Security UI and can be enabled/configured through several different methods.
• The features of Exploit Guard introduce several new scanning capabilities that increase protection against malware and suspicious apps.
Exploit Guard components

Legend: CFA = Controlled Folder Access; EP = Exploit Protection; ASR = Attack Surface Reduction; NP = Network Protection

End to End Protection

PRE-BREACH, off machine:
• O365 (Email): reducing email attack vector; advanced sandbox detonation

PRE-BREACH, on machine:
• Locked Down Devices: Windows 10S; Device Guard; Credential Guard; VSM
• Microsoft Edge (Browser): browser hardening; reduce script based attack surface; app container hardening; reputation based blocking for downloads; SmartScreen
• Application Control (Whitelisting)
• App Guard (Virtualized Security): app isolation
• Microsoft Defender Exploit Guard (HIPS):
  • Attack Surface Reduction: set of rules to customize the attack surface
  • Controlled Folder Access: protecting data against access by untrusted processes
  • Exploit Protection: mitigations against memory based exploits
  • Network Protection: blocking outbound traffic to low reputation sources
• Microsoft Defender Antivirus (AV): improved ML and heuristic protection; instantly protected with the cloud; enhanced exploit kit detections
• Microsoft Defender Antivirus Behavioral Engine (Behavior Analysis): enhanced behavioral and machine learning detection; memory scanning capabilities

POST-BREACH, off machine:
• Microsoft Defender for Endpoint (Endpoint Protection): process tree visualizations; artifact searching; machine isolation and quarantine
• OneDrive (Cloud Storage): reliable versioned file storage in the cloud; point in time file recovery
Exploit Guard UI

Exploit Guard: Attack Surface Reduction Rules
• Contains over a dozen configurable rules that can enable or disable specific behaviors
• Prevents actions and apps that are commonly used by malware, such as:
  • Launching executables from email
  • Scripts or applications that launch child processes
• Most rules can be set to Audit to monitor activity prior to being set to Block
• Some rules support exclusions based on file or folder names
• Attack surface reduction supports environment variables and wildcards.
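As an added PowerShell example (not part of the course deck), the session below walks through the audit-then-block workflow the slide describes for two ASR rules using the Defender cmdlets. The rule GUIDs are the public identifiers from Microsoft's ASR rule reference and should be verified against the current list before deployment; the exclusion path is a constructed placeholder.

```powershell
# Added example (not from the course deck): stage two ASR rules in Audit mode,
# review what they would have blocked, then promote them to Block.
# GUIDs: public identifiers from Microsoft's ASR rule reference (verify before use).
$rules = @{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
}

# 1. Audit mode: events are logged but nothing is blocked.
#    Add-MpPreference adds or updates a rule without overwriting the rest of the list.
foreach ($id in $rules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                     -AttackSurfaceReductionRules_Actions AuditMode
}

# 2. Exclude a known-good tool; ASR exclusion paths accept environment variables and wildcards.
Add-MpPreference -AttackSurfaceReductionOnlyExclusions '%ProgramFiles%\LineOfBusinessApp\*'   # constructed path

# 3. Review audit hits in the Defender operational log.
#    Event ID 1122 = ASR rule fired in audit mode, 1121 = ASR rule blocked.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ Name = 'Detail'; Expression = { ($_.Message -split "`r?`n" | Select-Object -First 3) -join ' | ' } } |
    Format-List

# 4. After the audit period, switch one rule to Block (Enabled); the other stays in audit.
Add-MpPreference -AttackSurfaceReductionRules_Ids 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' `
                 -AttackSurfaceReductionRules_Actions Enabled

# 5. Confirm the resulting state (0 = Disabled, 1 = Block, 2 = AuditMode, 6 = Warn).
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id = $pref.AttackSurfaceReductionRules_Ids[$i]
    '{0}  {1,-8}  {2}' -f $id, $pref.AttackSurfaceReductionRules_Actions[$i], $rules[$id]
}
```

Run it from an elevated PowerShell session. Set-MpPreference would replace the whole rule list with whatever you pass, so Add-MpPreference is the safer verb both for staging a rule and for changing its mode later.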
Intelligent Attack Surface Reduction Rules: Office Files Example
Smart-ASR control provides the ability to block behavior that balances security and productivity. Smart controls provided by WD Exploit Guard, from broadest to narrowest:
• Office files (e.g. docx, docm, pptx, pptm, etc): blocking Office files severely impacts productivity (as there are way more good files than malicious files).
• Office files w/ macros: blocking Office files w/ macros still impacts productivity (as there might be the occasional use for a legit macro).
• Office files w/ macros that execute content: blocking Office files w/ macros that execute content is far less impactful on legit productivity, while dramatically improving security.
• Office files w/ macros that download & execute content: blocking Office files w/ macros that download and execute content is almost exclusively the behavior of bad files, thus negligible impact on productivity, with dramatic security benefit.
Diagram legend: good files vs. malicious files.
Exploit Guard: Controlled Folder Access
• CFA helps you protect valuable data from malicious apps and threats, such as ransomware. It protects your data by checking against a list of known, trusted apps.
• CFA works by only allowing apps to access protected folders if the app is included on a list of trusted software. If an app isn't on the list, CFA will block it from making changes to files inside protected folders.
• Apps are added to the trusted list based upon their prevalence and reputation. Apps that are highly prevalent throughout your organization, and that have never displayed any malicious behavior, are deemed trustworthy and automatically added to the list. Apps can also be manually added to the trusted list via Configuration Manager and Intune.
Controlled Folder Access
Simplified Approach:
• Protect default known folders
• Smart application whitelisting
• Highly Compatible
Designed to slow down Ransomware
Exploit Guard: Network Protection
• Reduces the attack surface of your devices from Internet-based events
• Expands the scope of Windows Defender SmartScreen by blocking all outbound requests to low reputation sources (based on the domain or hostname).
• When network protection blocks a connection, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.
• Can be configured for audit mode to test prior to blocking
Network Protection: Supported browsers
Network Protection takes Windows Defender SmartScreen's industry-leading protection and makes it available to all browsers and processes.
Network Protection: How it works
1. On the host device, look at outbound connections (HTTP, HTTPS).
2. Check URL reputation in the local cache (fast lookup).
3. Check URL reputation in the cloud (Cloud Intelligence, via the Windows service) and update the local cache.
4. The network filter / TCP driver blocks outgoing connections to low reputation sites, by destination IP or hostname.
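The two audit-first rollouts described on the Controlled Folder Access and Network Protection slides share one reporting step, so the added PowerShell example below (not from the course deck) covers both: it stages CFA and Network Protection in audit mode, summarises the Defender operational-log events for every Exploit Guard component, and then enforces. The protected folder and application paths are constructed placeholders; the event IDs (1121/1122 ASR, 1123/1124 CFA, 1125/1126 Network Protection) are the documented Microsoft Defender Antivirus operational-log IDs, and the per-event detail line assumes the "Process Name:" / "Path:" layout of those event messages.

```powershell
# Added example (not part of the course deck): roll out Controlled Folder Access
# and Network Protection in audit mode, summarise what each would have blocked,
# then enforce. Paths below are constructed placeholders.

# Defender operational-log event IDs for the Exploit Guard components (documented IDs).
$ExploitGuardEvents = @{
    1121 = 'ASR block'; 1122 = 'ASR audit'
    1123 = 'CFA block'; 1124 = 'CFA audit'
    1125 = 'NP audit';  1126 = 'NP block'
}

function Get-ExploitGuardAuditSummary {
    # Counts Exploit Guard events per component/mode since $Since, newest timestamp included.
    param([datetime]$Since = (Get-Date).AddDays(-7))
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = [int[]]$ExploitGuardEvents.Keys
        StartTime = $Since
    } -ErrorAction SilentlyContinue
    $events | Group-Object Id | ForEach-Object {
        [pscustomobject]@{
            Component = $ExploitGuardEvents[[int]$_.Name]
            Count     = $_.Count
            Latest    = ($_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
        }
    } | Sort-Object Component
}

# 1. Controlled Folder Access: audit first, extend the default known folders,
#    and pre-trust an app that is not prevalent enough to be auto-allowed.
Set-MpPreference -EnableControlledFolderAccess AuditMode
Add-MpPreference -ControlledFolderAccessProtectedFolders    'D:\Finance\Reports'                  # constructed path
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\LobApp\lobapp.exe'  # constructed path

# 2. Network Protection: audit mode (requires Defender AV real-time protection to be on).
Set-MpPreference -EnableNetworkProtection AuditMode

# 3. After the audit window, review what would have been blocked.
Get-ExploitGuardAuditSummary | Format-Table -AutoSize

#    Per-event detail for CFA audit hits: which process touched which protected path.
#    (Assumes the 'Process Name:' / 'Path:' lines present in event 1124 messages.)
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1124 } `
             -MaxEvents 20 -ErrorAction SilentlyContinue |
    ForEach-Object {
        ($_.Message -split "`r?`n" | Where-Object { $_ -match '^\s*(Process Name|Path):' }) -join ' | '
    }

# 4. Enforce once the allow list is settled.
Set-MpPreference -EnableControlledFolderAccess Enabled
Set-MpPreference -EnableNetworkProtection     Enabled

# 5. Confirm (0 = Disabled, 1 = Enabled/Block, 2 = AuditMode).
Get-MpPreference | Select-Object EnableControlledFolderAccess, EnableNetworkProtection
```

The summary function is the piece worth keeping: run it on a schedule during the audit window and the Count column tells you directly how much user-visible blocking each component would introduce, which is the decision the slides ask you to make before flipping to Block.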
Exploit Guard: Exploit Protection, then… (screenshot)
Exploit Guard: Exploit Protection, now… (screenshot)
Exploit Protection: Settings
• Vast amount of mitigation settings, trying to address common programming mistakes / attack vectors
• Some settings are system / app level; some app-level only
• Auditing available for some of the settings
• Full list on the next slide
Exploit Protection Settings – System and App Level
Mitigation Can be applied to Audit
Control flow guard (CFG) System and app-level Audit not available
Data Execution Prevention (DEP) System and app-level Audit not available
Force randomization for images (Mandatory ASLR) System and app-level Audit not available
Randomize memory allocations (Bottom-Up ASLR) System and app-level Audit not available
Validate exception chains (SEHOP) System and app-level Audit not available
Validate heap integrity System and app-level Audit not available
Arbitrary code guard (ACG) App-level only AuditDynamicCode
Block low integrity images App-level only AuditImageLoad
Block remote images App-level only Audit not available
Block untrusted fonts App-level only AuditFont, FontAuditOnly
Code integrity guard App-level only AuditMicrosoftSigned, AuditStoreSigned
Disable extension points App-level only Audit not available
Disable Win32k system calls App-level only AuditSystemCall
Do not allow child processes App-level only AuditChildProcess
Export address filtering (EAF) App-level only Audit not available
Import address filtering (IAF) App-level only Audit not available
Simulate execution (SimExec) App-level only Audit not available
Validate API invocation (CallerCheck) App-level only Audit not available
Validate handle usage App-level only Audit not available
Validate image dependency integrity App-level only Audit not available
Validate stack integrity (StackPivot) App-level only Audit not available
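As an added PowerShell example (not from the course deck), the following applies the system-level and app-level mitigations from the table above with the Set-ProcessMitigation cmdlet, starting with the audit variants the table lists where one exists, then exports the configuration as XML for distribution. The process name and XML path are constructed placeholders; the mitigation names are those documented for Set-ProcessMitigation and should be checked against Get-ProcessMitigation output on your build, and the Security-Mitigations event log names are assumed from the Exploit Protection documentation.

```powershell
# Added example (not from the course deck): configure Exploit Protection mitigations
# per the table, audit first where the table offers an audit option, then enforce.
$app = 'LobViewer.exe'   # constructed process name

# System-level baseline (no audit option exists for these per the table):
# DEP, Mandatory ASLR (ForceRelocateImages), Bottom-Up ASLR (BottomUp), CFG.
Set-ProcessMitigation -System -Enable DEP, ForceRelocateImages, BottomUp, CFG

# App-level: start with the audit variants from the table
# (Arbitrary code guard -> AuditDynamicCode, Do not allow child processes -> AuditChildProcess).
Set-ProcessMitigation -Name $app -Enable AuditDynamicCode, AuditChildProcess

# Inspect what is now configured for the app and for the system defaults.
Get-ProcessMitigation -Name $app
Get-ProcessMitigation -System

# Audit hits land in the Security-Mitigations logs (assumed log names); review before enforcing.
Get-WinEvent -LogName 'Microsoft-Windows-Security-Mitigations/UserMode' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ Name = 'First'; Expression = { ($_.Message -split "`r?`n")[0] } }

# Enforce: drop the audit flags and enable the blocking versions.
Set-ProcessMitigation -Name $app -Disable AuditDynamicCode, AuditChildProcess
Set-ProcessMitigation -Name $app -Enable  BlockDynamicCode, DisallowChildProcessCreation

# Export the whole configuration to XML (constructed path) for Intune/GPO, and
# re-import it on another device with -PolicyFilePath.
$xml = 'C:\Temp\ExploitProtection.xml'
Get-ProcessMitigation -RegistryConfigFilePath $xml
Set-ProcessMitigation -PolicyFilePath $xml
```

Note that the table's "Audit not available" rows (DEP, ASLR, SEHOP, EAF/IAF, the ROP checks) can only be tested by enabling them on a pilot group and watching for application crashes, which is why the audit-capable app-level settings are the ones to stage first.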
Exploit Protection: Demo (video)
Exploit Guard Requirements
• Features must be explicitly enabled.
• Configuration methods:
  • Windows Security User Interface
  • Group Policy
  • PowerShell
  • Configuration Service Provider (CSP) such as System Center Configuration Manager.
• Exploit Guard works best when paired with Microsoft Defender for Endpoint, which provides advanced reporting, monitoring, and mitigation capabilities.
Lab 08.1: Exploit Guard
• Exercise 1: Create Exploit Guard Policy
• Exercise 2: Verify Exploit Guard Policy
Knowledge Measure
1. Which Exploit Guard component protects against
browser exploits?
2. What Exploit Guard component helps stop against the
spread of encrypting files inside specific folders?
3. What methods can be used to enable/configure Exploit
Guard?
Additional Resources
Exploit Guard Documentation: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection
Windows Defender Testground: http://demo.wd.microsoft.com
Microsoft Defender for Endpoint: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection
Module 8.2 - Application Guard
• Overview and System Requirements
• Prepare and Install
• Configure Application Guard
• Lab 08.2: Application Guard
• Knowledge Measure
Application Guard: Overview and System Requirements
What is Application Guard?
• Hardware Isolation leveraging a Hyper-V enabled container
• Administrator defines trusted sites through GPOs, Configuration Manager, or Intune
• Untrusted sites launch in the isolated Hyper-V container
• Intended for:
  • Enterprise Desktops and Laptops - Domain-joined and managed by your organization.
  • Bring your own device - Personally-owned laptops are not domain-joined, but are managed by your organization through tools, such as Microsoft Intune.
  • Personal devices - Personally-owned desktops or mobile laptops are not domain-joined or managed by an organization. The user is an admin on the device and uses a high-bandwidth wireless personal network while at home or a comparable public network while outside.
So what's changed? Why do we need to isolate our browser?
Traditional platform stack (diagram): Apps → Windows Platform Services → Kernel → Device Hardware
So what's changed? Why do we need to isolate our browser?
Windows 10 hardware-based isolation (diagram): the Hypervisor runs directly on Device Hardware; the Windows Platform Services and Kernel run alongside isolated Credential Guard and Device Guard trustlets and a System Guard Container with its own kernel.
Microsoft Edge with Application Guard (diagram): Apps and Critical System Processes run on the host Windows Platform Services and Kernel, while Microsoft Edge runs in a System Container with its own Platform Services and Kernel; both sit on the Hypervisor (Hyper-V) over Device Hardware.
• Moves browser sessions to an isolated, virtualized environment
• Provides significantly increased protection and hardens attacker favorite entry-point
Application Guard and the Anatomy of an Attack
Application Guard: Anatomy of an Attack
Attack chain (diagram): USER → PHISHING → DEVICE (Browser or Doc Exploit Execution) → PASS-THE-HASH → NETWORK → ENDGAME
1. User receives a suspicious email; unwittingly the user clicks the link.
2. A new browser window appears, with window decoration and notification that the site the user wants to open is not an enterprise site and needs to open in a container.
3. A new browser window appears, with window decoration and notification, as the user lands on an untrusted website. The user clicks to allow the malware to run and the container is infected.
4. The user closes the Microsoft Edge window and the session is discarded when the user logs off.
5. Back on the host, all is good. The malware was not able to jump out of the container; it's isolated to the container.
(Site shown in the screenshots: Natoint.com)
Protection for Google Chrome and Mozilla Firefox
• Security Goals
  • Extend Application Guard protection to other widely used browsers
• Audience
  • Win 10 Pro, Ent, Edu SKU with Application Guard enabled
• Extensions can be enterprise managed
• Untrusted sites open in Application Guard for Microsoft Edge
• Trusted sites continue to open in Chrome or Firefox
• Release for Production: Version 1803 (RS4) and later
Integration with Microsoft Defender for Endpoint (diagram)
• Cloud: SecOps Console; Windows Security Center Console; Microsoft Defender for Endpoint Integration
• Host: Host SENSE Agent; Windows 10 Service Agents; telemetry collected: files, registry data, network packet data, events
• Encrypted Container: Container Processes; SENSE Agent
Office Threat Landscape – Adding in Office Application Guard
Office documents are a popular vector for attacks
• Office as a vector
  • Abusing extensibility points (e.g. macros)
  • Targeting vulnerable components (e.g. Flash) from Office
  • Social engineering end users to achieve exploitation is common
• Office as a target
  • Exploiting code vulnerabilities in Office (e.g. CVE-2017-11882)
  • Attackers having increasing success breaking out of user mode sandboxes
Data from Office 365 ATP
Application Guard for Office Configuration
Office (Group Policy, Cloud Policy):
• Use App Guard: Enable / Disable
• Copy-Paste*: Enable / Disable (*only text and images are allowed)
• Printers: PDF, XPS; Local\Network Printers
• Allow vGPU rendering: Enable / Disable
• File Trust Setting: Allow / Deny
Windows (Group Policy, MDM):
• Turn On/Off Windows Defender Application Guard
Application Guard for Office – Security, User Experience
Enhanced Security: HV isolation offers enhanced security providing the strongest possible isolation for Office threats (Office has the strongest sandbox on Windows)
1. Contain existing and Office 0-day exploits (including kernel)
2. Dispose threats by recycling the container
3. Leverage state of the art Windows isolation technology
Improved User Experience: Users can securely interact with untrusted Office files, removing the need for UI friction (a richer experience than Protected View)
1. Provide the full Office experience for trusted documents outside the container
2. Provide beyond read-only experience by allowing users to edit and save untrusted documents from within the container
Microsoft O365/ATP: WDAG for Office provides deep integrated value for enterprise (integration with Office/Defender for Endpoint and other M365 services)
1. Provide on-client detonation capability from any source
2. Leverage ATP to identify safe documents before promotion outside of container and auditing for SecOps visibility
Advanced threat isolation with Application Guard (diagram)
Application Guard Container – Untrusted Document (Office, Windows Platform Services, Kernel):
TLDR: same as Protected View
1. Document downloaded from an untrusted site
2. Attachment from someone outside your tenant
3. Documents opened from another tenant
4. Document opened from someone else's OneDrive (Consumer)
5. Document from local network shares
Host – Trusted Document (Office, Windows Platform Services, Kernel):
1. Document downloaded from a trusted site
2. Attachment from someone inside your tenant
3. Documents opened from your tenant
4. Documents opened from your OneDrive (Consumer)
Brokered between container and host: Copy/Paste, Save, Print, Access
Both run on the Hypervisor (Hyper-V) over Device hardware
Trusted Productivity
Deliver security without compromising productivity
• SAFE ATTACHMENTS (1): Protect users from malicious email attachments before they reach the inbox
• SAFE DOCUMENTS (2): Test files against the Intelligent Security Graph before leaving safety of Protected View or Application Guard
• SENSITIVITY LABELS and POLICY TIPS (3): Share files (and emails) with confidence, identifying, labeling, and setting custom protection settings
• APPLICATION GUARD (2): Open untrusted files in a secure micro-VM container, leveraging Windows 10 to protect even against never-before-seen attacks and exploits
• SAFE LINKS and URL DETONATION (3): Test links within both trusted and untrusted files, protecting users even if external sites are exploited
• ADVANCED REPORTING (4): Complete tracking, alerts, and audit capabilities including specific files, users, events, and outcomes
NOTES: (1) Requires O365/M365 Security; (2) Must be using ProPlus, requires M365 Security; (3) Must be using ProPlus, requires O365/M365 Security; (4) Reporting varies by offering
Trusted Productivity: Deliver security without compromising productivity
Safe Documents
Desktop users can verify external documents are safe no matter the source
• Bring Microsoft Threat Protection to the desktop and verify docs are safe at the endpoint itself
• Verify documents are safe before leaving Protected View or Application Guard
• Enables minimal trust practices, removing critical security decisions from users and allowing them to focus on the work
Scenario:
• Untrusted documents in Protected View (or AG) are verified against MDATP
• MDATP determines if docs are safe and allowed to open outside a container
• Docs verified by MDATP + found safe no longer open in a sandbox
Trusted Productivity: Deliver security without compromising productivity
Application Guard
Users stay protected and productive with container-based isolation
• Protect users against zero-day exploits and advanced attacks
• Deploy with the change of a setting and manage with existing tools
• Microsoft Secure Graph gets stronger with every malicious attack contained, benefiting everyone
• First truly Microsoft 365 experience that combines the best of Windows 10 + Office 365 ProPlus + MD ATP
Scenario:
• Untrusted documents opened in an isolated but functional virtualized container
• Even if fully compromised, user data and internal enterprise network unaffected
• Container is sufficiently functional to keep the users from exiting early
Today (timeline): Safe Documents; App Guard; Microsoft Defender for Endpoint Integration
System Requirements – Hardware
• 64-bit CPU: A 64-bit computer with minimum 4 cores is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see Hyper-V on Windows Server 2016 or Introduction to Hyper-V on Windows 10. For more info about hypervisor, see Hypervisor Specifications.
• CPU virtualization: Extended page tables, also called Second Level Address Translation (SLAT), AND one of the following virtualization extensions for VBS: VT-x (Intel) OR AMD-V
• Hardware Memory: Microsoft recommends 8GB RAM for optimal performance.
• Hard Disk: 5 GB free space, solid state disk (SSD) recommended.
• Input/Output Memory Management Unit (IOMMU) support: Not required, but strongly recommended.
System Requirements – Software
• Operating system: Windows 10 Enterprise edition, version 1709
• Browser: Microsoft Edge and Internet Explorer
• Management system: Microsoft Intune OR System Center Configuration Manager OR Group Policy OR your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.
Prepare and Install
Choose Implementation Method:
• Standalone Mode
• Enterprise Mode
• MBAM is only supported in Domain Environment (not in workgroup)
Installation Options:
• Enable via "Turn Windows Features on or off".
• Via PowerShell command:
  Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard
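As an added PowerShell example (not from the course deck), the script below checks a device against the hardware and software requirement tables from the earlier slides before running the Enable-WindowsOptionalFeature command shown above. It relies on the documented Get-ComputerInfo properties; the check list and its labels are constructed for this example, and the 4-core, 8 GB and 5 GB thresholds are the figures from the requirement slides.

```powershell
# Added example (not from the course deck): verify Application Guard prerequisites
# from the requirements tables, then enable the optional feature.
$ci = Get-ComputerInfo
$sysDrive = Get-PSDrive -Name $env:SystemDrive.TrimEnd(':')

# Each entry maps a requirement from the slides to a boolean check (constructed list).
$checks = [ordered]@{
    '64-bit OS'                            = $ci.OsArchitecture -eq '64-bit'
    'Minimum 4 cores (logical processors)' = $ci.CsNumberOfLogicalProcessors -ge 4
    '8 GB RAM recommended'                 = $ci.CsTotalPhysicalMemory -ge 8GB
    '5 GB free disk space'                 = $sysDrive.Free -ge 5GB
    'SLAT / Extended page tables'          = $ci.HyperVRequirementSecondLevelAddressTranslation -eq $true
    'VT-x / AMD-V enabled in firmware'     = $ci.HyperVRequirementVirtualizationFirmwareEnabled -eq $true
    'Windows 10 Enterprise edition'        = $ci.OsName -like '*Enterprise*'
}

$missing = @()
foreach ($entry in $checks.GetEnumerator()) {
    $status = if ($entry.Value) { 'OK' } else { 'MISSING'; $missing += $entry.Key }
    '{0,-40} {1}' -f $entry.Key, $status
}

# When a hypervisor is already running (e.g. VBS/Credential Guard enabled), the
# HyperVRequirement* properties report $null rather than $true; treat that as satisfied.
if ($ci.HyperVisorPresent) {
    'Hypervisor already present: SLAT/VT-x checks are satisfied by the running hypervisor.'
    $missing = $missing | Where-Object { $_ -notmatch 'SLAT|VT-x' }
}

if ($missing.Count -gt 0) {
    "Not enabling Application Guard; unmet requirements: $($missing -join ', ')"
    return
}

# Enable the feature only if it is not already on; a restart completes the install.
$feature = Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard
if ($feature.State -ne 'Enabled') {
    Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard -NoRestart
    'Windows-Defender-ApplicationGuard enabled; restart the device to finish.'
} else {
    'Windows-Defender-ApplicationGuard is already enabled.'
}
```

Run it elevated. The IOMMU recommendation from the hardware table is deliberately left out of the check list because Get-ComputerInfo does not expose it; confirm it in firmware or with msinfo32 instead.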
Configure Application Guard - Intune
Create a new Device Configuration Profile: Create Profile -> Win10, Endpoint Protection -> Windows Defender Application Guard -> Enable, Configure all settings

Configure Application Guard - SCCM
Create a new Endpoint Protection/Windows Defender Application Guard policy: Assets and Compliance -> Endpoint Protection -> Windows Defender Application Guard

Lab 08.2: Application Guard
• Exercise 1: Create a Custom Application Guard Policy
Knowledge Measure
• How much RAM is recommended to enable Application Guard?

• What are three methods you can use to configure Application Guard?

• What browsers support Application Guard?

• What type of profile is configured in Intune to enable App Guard?


Module Summary
• Microsoft Defender Application Guard is designed from the ground up using next generation Hyper-V client containers
• Completely isolates Microsoft Edge from the host PC using hardware-based isolation, with IE11 integration
• Integrated with Microsoft Defender for Endpoint for threat detection
• Supports Enterprise and Standalone modes
• Application Guard will change the attacker playbook
• Available in Windows 10 Enterprise Edition
  • Windows 10 Fall Creators Update
• Supported in the new Microsoft Edge Chromium Browser!
© 2015 Microsoft Corporation. All rights reserved.
