Justin Hall 2019-04-01 16:37:39 -07:00
Parent 97524989d1
Commit 785ae8483d
1 changed file: 3 additions and 18 deletions


@ -8,14 +8,9 @@ is anticipated to be slightly longer than the process in SECCON 5.
| Feature Set | Feature | Description |
|-------------------------------------------------------------|-------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Windows Defender | Enforce memory protection for OS-level controls: | Exploit protection applies helps protect devices from malware that use exploits to spread and infect. It consists of several mitigations that can be applied at either the operating system level, or at the individual app level. There is a risk to application compatibility, as some applications may rely on blocked behavior (e.g. dynamically generating code without marking memory as executable). Microsoft recommends gradually deploying this configuration using the Rings methodology. |
| Exploit Guard | | |
| Exploit Protection | | |
| Windows Defender | Configure and Enforce Attack Surface Reduction Rules: | Attack surface reduction controls help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. There is a risk to application compatibility, as some applications may rely on blocked behavior (e.g. an Office application spawning a child process). Each control has an Audit mode, and as such, Microsoft recommends the Audit / Enforce Methodology (repeated here): |
| Exploit Guard | | |
| Attack Surface Reduction (ASR) | | |
| Windows Defender | Configure and enforce Network Protection | Network protection helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. It expands the scope of Windows Defender SmartScreen to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname). There is a risk to application compatibility, as a result of false positives in flagged sites. Microsoft recommends deploying using the Audit / Enforce Methodology. |
| Exploit Guard | | |
| [Exploit protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard) | Enforce memory protection for OS-level controls: | Exploit protection helps protect devices from malware that use exploits to spread and infect to other devices. It consists of several mitigations that can be applied at either the operating system level, or at the individual app level. There is a risk to application compatibility, as some applications may rely on blocked behavior (e.g. dynamically generating code without marking memory as executable). Microsoft recommends gradually deploying this configuration using the Rings methodology. | |
| [Attack Surface Reduction (ASR)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard) | Configure and Enforce Attack Surface Reduction Rules: | Attack surface reduction controls help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. There is a risk to application compatibility, as some applications may rely on blocked behavior (e.g. an Office application spawning a child process). Each control has an Audit mode, and as such, Microsoft recommends the Audit / Enforce Methodology (repeated here):<br>1) Audit – enable the controls in audit mode, and gather audit data in a centralized location<br>2) Review – review the audit data to assess potential impact (both positive and negative) and configure any exemptions from the security control you need to configure<br>3) Enforce – Deploy the configuration of any exemptions and convert the control to enforce mode |
| [Network protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard) | Configure and enforce Network Protection | Network protection helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. It expands the scope of Windows Defender SmartScreen to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname). There is a risk to application compatibility, as a result of false positives in flagged sites. Microsoft recommends deploying using the Audit / Enforce Methodology. |
| Network Protection | | |
- Control flow guard (CFG)
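Review bot: the new Exploit protection row (the line beginning `| [Exploit protection](https://docs.microsoft.com/...`) ends with an extra empty cell (`| |`), so it has four cells where the header row `| Feature Set | Feature | Description |` has three; drop the trailing `|` so it renders like the ASR and Network protection rows that follow it. In the same row, "spread and infect to other devices" reads awkwardly; "spread to and infect other devices" keeps the meaning. Otherwise collapsing the three split rows (Windows Defender / Exploit Guard / feature name) into one linked row per feature is an improvement, and it fixes the "applies helps protect" typo in the old Exploit protection text.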
@ -61,13 +56,3 @@ is anticipated to be slightly longer than the process in SECCON 5.
- Block Office communication applications from creating child processes
- Block Adobe Reader from creating child processes
1. Audit – enable the controls in audit mode, and gather audit data in a
centralized location
2. Review – review the audit data to assess potential impact (both positive and
negative) and configure any exemptions from the security control you need to
configure
3. Enforce – Deploy the configuration of any exemptions and convert the control
to enforce mode
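Review bot: removing the numbered steps `1. Audit – …` through `3. Enforce – … to enforce mode` leaves the Audit / Enforce Methodology spelled out only inside the ASR table cell (joined with `<br>`), while the Network protection row still says "Microsoft recommends deploying using the Audit / Enforce Methodology" with nothing pointing the reader to those steps; consider keeping a short standalone list or referencing the ASR row from the Network protection row so the three steps stay discoverable. The ASR cell's "(repeated here)" wording also no longer matches, since the steps now appear only once in this file.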