ExploitProtectionSettings.xml is my Windows 10/11 Exploit Protection settings. They are based on a mixture of Microsoft recommendations, requirements from DoD STIGs, and customizations for my own use case.
This repository exists to get my exploit mitigations under version control and consistent across my endpoints. You're free to use these settings, but they are likely to break a lot of programs: I have them set as strict as possible for my use case and add exceptions only where I encounter issues. If you find a compatibility issue with common software, please submit an issue with the mitigation settings required to get it working.
## Applying these settings on an endpoint
You can download and run Update-ExploitProtectionSettings.ps1 in PowerShell as an admin to automatically apply this policy. Run it again at any time to update the policy with any new changes posted here -- no need to install Git on the endpoint. To manually apply the settings, see the following section.
## Applying exploit protection policies
The settings XML files found here can be applied via PowerShell with the following commands (as admin):
Note that applying settings using this method will not remove existing settings. However, existing settings that conflict with the applied settings will be overwritten.
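As an added example (not a script from this repository), the following elevated PowerShell session backs up the endpoint's current mitigations, applies the XML policy, and reads the result back. Because `Set-ProcessMitigation -PolicyFilePath` merges rather than replaces, the backup is the only way to recover settings that the policy file never mentions. `$Target` is a placeholder for any executable named in the policy.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the repository. Assumes the policy XML is in the
# current directory and that $Target is an executable the policy covers.
$Policy = Join-Path $PWD 'ExploitProtectionSettings.xml'
$Target = 'notepad.exe'   # placeholder: any executable covered by the policy

# Export the current state first. Applying a policy file merges: entries that
# are absent from the XML stay exactly as they are on the endpoint, so this
# backup is what you re-apply if a change needs to be rolled back.
$Backup = Join-Path $PWD ("ExploitProtection-backup-{0}.xml" -f (Get-Date -Format 'yyyyMMdd-HHmmss'))
Get-ProcessMitigation -RegistryConfigFilePath $Backup

# Apply the policy (conflicting existing settings are overwritten)
Set-ProcessMitigation -PolicyFilePath $Policy

# Read back the effective per-process mitigations and the system defaults
# to confirm the policy landed as intended.
Get-ProcessMitigation -Name $Target
Get-ProcessMitigation -System
```

To clear everything for one executable before re-applying (for instance, to drop an exception that is no longer needed), `Set-ProcessMitigation -Name <executable> -Remove` removes that program's entry; the policy file on its own will not do that.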
## Formatting XML files
I find it easier to read and maintain the XML files in the current format, but Get-ProcessMitigation writes the XML with all attributes on the same line. The following are ways you can put attributes on their own line in the XML files.
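One way to do this, as an added example rather than the repository's own tooling, is to reload the exported file and write it back through a .NET `XmlWriter` with `NewLineOnAttributes` enabled. The function name and paths are my own; only the layout changes, never the attribute values or their order.

```powershell
# Added example, not part of the repository: rewrite an Exploit Protection XML
# file so that each attribute sits on its own line. Function name is mine.
function Format-MitigationXml {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $OutPath = $Path      # rewrite in place by default
    )

    # Resolve through the PowerShell provider so relative paths work even
    # though .NET's current directory may differ from the shell's.
    $inFile  = (Resolve-Path -LiteralPath $Path).ProviderPath
    $outFile = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($OutPath)

    # Load the whole document into memory first, so writing back to the same
    # file is safe. Whitespace-only text nodes are dropped on load, which lets
    # the writer re-indent cleanly.
    $doc = New-Object System.Xml.XmlDocument
    $doc.Load($inFile)

    $settings = New-Object System.Xml.XmlWriterSettings
    $settings.Indent = $true
    $settings.IndentChars = '  '
    $settings.NewLineOnAttributes = $true                               # one attribute per line
    $settings.Encoding = New-Object System.Text.UTF8Encoding($false)    # UTF-8 without BOM

    $writer = [System.Xml.XmlWriter]::Create($outFile, $settings)
    try     { $doc.Save($writer) }
    finally { $writer.Dispose() }
}

# Typical flow: export the live settings, then reformat before committing.
# Get-ProcessMitigation -RegistryConfigFilePath .\ExploitProtectionSettings.xml
Format-MitigationXml -Path .\ExploitProtectionSettings.xml
```

Because the rewrite is purely cosmetic, a diff of the file before and after should show only whitespace changes; if it shows anything else, the export was not loaded correctly and should not be committed.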
The table below provides a glossary of Process Mitigation-related terms and how they relate to each other throughout the different shells and interfaces.

| Component | XML / PowerShell Name | Exploit Protection App Name | Description |
|---|---|---|---|
| ASLR | BottomUp | Randomize memory allocations (Bottom-up ASLR) | Randomize locations for virtual memory allocations. |
| ASLR | HighEntropy | Don't use high entropy | |
| ASLR | ForceRelocateImages | Force randomization for images (Mandatory ASLR) | Force relocation of images not compiled with /DYNAMICBASE. |
| ASLR | RequireInfo | Do not allow stripped images | |
| BinarySignature | MicrosoftSignedOnly | Code integrity guard | Only allow the loading of images signed by Microsoft. |
| BinarySignature | AllowStoreSignedBinaries | Also allow loading of images signed by Microsoft Store | |
| BinarySignature | EnforceModuleDependencySigning | Validate image dependency integrity | Enforces code signing for Windows image dependency loading. |
| CFG | Enable | Control flow guard (CFG) | Ensures control flow integrity for indirect calls. |
| CFG | StrictControlFlowGuard | Use strict CFG | |
| CFG | SuppressExports | (not visible) | |
| Child Process | DisallowChildProcessCreation | Do not allow child processes | Prevents programs from creating child processes. |
| DEP | EmulateAtlThunks | Enable ATL thunk emulation | |
| DEP | Enable | Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages. |
| DynamicCode (ACG) | AllowThreadsToOptOut | Allow thread opt-out | |
| DynamicCode (ACG) | BlockDynamicCode | Arbitrary code guard (ACG) | Prevents non-image-backed code and code page modifications. |
| ExtensionPoint | DisableExtensionPoints | Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as Windows hooks. |
| FontDisable | DisableNonSystemFonts | Block untrusted fonts | Prevents loading any GDI-based fonts not installed in the system Fonts directory. |
| Heap | TerminateOnError | Validate heap integrity | Terminates a process when heap corruption is detected. |
| ImageLoad | BlockLowLabelImageLoads | Block low integrity images | Prevents loading of images marked with low integrity. |
| ImageLoad | PreferSystem32 | (not visible) | |
| ImageLoad | BlockRemoteImageLoads | Block remote images | Prevents loading of images from remote devices. |
| Payload | EnableExportAddressFilter | Export address filtering (EAF) | Detects dangerous exported functions being resolved by malicious code. |
| Payload | EnableExportAddressFilterPlus | Validate access for modules that are commonly abused by exploits | |
| Payload | EnableImportAddressFilter | Import address filtering (IAF) | Detects dangerous imported functions being resolved by malicious code. |
| Payload | EnableRopCallerCheck | Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. |
| Payload | EnableRopSimExec | Simulate Execution (SimExec) | Ensures that calls to sensitive functions return to legitimate callers. |
| Payload | EnableRopStackPivot | Validate stack integrity (StackPivot) | Ensures that the stack has not been redirected for sensitive functions. |
| SEHOP | Enable | Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during dispatch. |
| SEHOP | TelemetryOnly | (not visible) | |
| StrictHandle | Enable | Validate handle usage | Raises an exception on any invalid handle references. |
| System Call | DisableWin32kSystemCalls | Disable Win32k system calls | Stop programs from using the Win32k system call table. |
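The XML names in the table are the attribute names that appear in the exported policy file. As an added example (my own, not the repository's), the function below walks such a file and lists every `Component.XmlName` value per executable, which is a quick way to review the compatibility exceptions (the entries set to `false`) before applying the policy. The sample document is constructed for the demonstration, and the element layout it assumes (`MitigationPolicy/AppConfig[@Executable]` with one child element per component) is taken from what `Get-ProcessMitigation` exports; check it against your own export.

```powershell
# Added example, not part of the repository. Summarises which mitigations an
# Exploit Protection XML sets per executable, keyed as <Component>.<XML Name>.
# Assumes the MitigationPolicy/AppConfig[@Executable] layout of an exported file.
function Get-MitigationMatrix {
    param([Parameter(Mandatory)] [xml] $Policy)

    foreach ($app in $Policy.MitigationPolicy.AppConfig) {
        foreach ($component in $app.ChildNodes) {
            # Skip comments and whitespace; only element nodes carry settings
            if ($component.NodeType -ne 'Element') { continue }
            foreach ($attr in $component.Attributes) {
                [pscustomobject]@{
                    Executable = $app.Executable
                    Mitigation = '{0}.{1}' -f $component.LocalName, $attr.LocalName
                    Value      = $attr.Value
                }
            }
        }
    }
}

# Constructed sample input, not the repository's real policy file.
$sample = [xml]@"
<MitigationPolicy>
  <AppConfig Executable="example-a.exe">
    <DEP Enable="true" EmulateAtlThunks="false" />
    <ASLR ForceRelocateImages="true" RequireInfo="false" BottomUp="true" HighEntropy="true" />
    <CFG Enable="true" StrictControlFlowGuard="true" />
  </AppConfig>
  <AppConfig Executable="example-b.exe">
    <DEP Enable="true" />
    <Payload EnableExportAddressFilter="true" EnableRopStackPivot="true" />
  </AppConfig>
</MitigationPolicy>
"@

# Entries set to false are usually the compatibility exceptions, so list
# those first for review.
Get-MitigationMatrix -Policy $sample |
    Sort-Object Value, Executable, Mitigation |
    Format-Table -AutoSize

# To run against the real file instead:
# Get-MitigationMatrix -Policy ([xml](Get-Content .\ExploitProtectionSettings.xml -Raw))
```

Piping the output to `Where-Object Value -eq 'false'` gives the exception list on its own, which is the part worth re-checking each time a new exception is added for a program that broke.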