Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-77217 | WN10-EP-000140 | SV-91913r1_rule | | Medium |
Description |
---|
Exploit protection in Windows 10 provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows 10 may be subject to various exploits. |
STIG | Date |
---|---|
Windows 10 Security Technical Implementation Guide | 2017-12-01 |
Check Text ( C-77265r6_chk ) |
---|
This is NA prior to v1709 of Windows 10.

Run "Windows PowerShell" with elevated privileges (run as administrator).

Enter "Get-ProcessMitigation -Name iexplore.exe".
(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)

If the following mitigations do not have a status of "ON", this is a finding:

DEP:
  Enable: ON

ASLR:
  BottomUp: ON
  ForceRelocateImages: ON

Payload:
  EnableExportAddressFilter: ON
  EnableExportAddressFilterPlus: ON
  EnableImportAddressFilter: ON
  EnableRopStackPivot: ON
  EnableRopCallerCheck: ON
  EnableRopSimExec: ON

The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here. |
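The manual check above can be scripted. The following PowerShell is an added example written for this page, not part of the STIG or its supporting files; it reads the configured mitigations for iexplore.exe and reports a finding if any of the nine required settings is not ON. The property paths (Dep, Aslr, Payload) are the categories on the object returned by Get-ProcessMitigation; the build-number test for v1709 (build 16299) is the author's way of encoding the "NA prior to v1709" condition.

```powershell
#Requires -RunAsAdministrator
# Added example (not STIG text): evaluates WN10-EP-000140 for iexplore.exe.
# Get-ProcessMitigation ships with Windows 10 v1709 and later.

$Target = 'iexplore.exe'

# Mitigations the STIG requires to be ON, as <category>.<setting> paths on the
# object returned by Get-ProcessMitigation -Name.
$Required = @(
    'Dep.Enable',
    'Aslr.BottomUp',
    'Aslr.ForceRelocateImages',
    'Payload.EnableExportAddressFilter',
    'Payload.EnableExportAddressFilterPlus',
    'Payload.EnableImportAddressFilter',
    'Payload.EnableRopStackPivot',
    'Payload.EnableRopCallerCheck',
    'Payload.EnableRopSimExec'
)

# The check is NA before v1709; v1709 is build 16299 (assumption: build number is
# a reliable proxy for the release in this environment).
$cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [int]$cv.CurrentBuildNumber
if ($build -lt 16299) {
    Write-Output "Windows 10 build $build is prior to v1709: WN10-EP-000140 is Not Applicable."
    return
}

# -Name reads the mitigation configuration stored for the image name (registry),
# not the live state of a running process; use -Id for a running process.
$m = Get-ProcessMitigation -Name $Target

$results = foreach ($path in $Required) {
    $category, $setting = $path.Split('.')
    $status = $m.$category.$setting          # NOTSET, ON or OFF
    [pscustomobject]@{
        Mitigation = $path
        Status     = "$status"
        Compliant  = ("$status" -eq 'ON')
    }
}

$results | Format-Table -AutoSize

if ($results.Compliant -contains $false) {
    Write-Output "FINDING: one or more required mitigations for $Target are not ON."
} else {
    Write-Output "Compliant: all required mitigations for $Target are ON."
}
```

A NOTSET status is still a finding: the STIG requires an explicit ON, and NOTSET means the process simply inherits the system default, which the DoD XML does not rely on.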
Fix Text (F-84347r4_fix) |
---|
Ensure the following mitigations are turned "ON" for iexplore.exe:

DEP:
  Enable: ON

ASLR:
  BottomUp: ON
  ForceRelocateImages: ON

Payload:
  EnableExportAddressFilter: ON
  EnableExportAddressFilterPlus: ON
  EnableImportAddressFilter: ON
  EnableRopStackPivot: ON
  EnableRopCallerCheck: ON
  EnableRopSimExec: ON

Application mitigations defined in the STIG are configured by a DoD EP XML file included with the Windows 10 STIG package in the "Supporting Files" folder. The XML file is applied with the group policy setting Computer Configuration >> Administrative Templates >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled", with the file name and location entered under "Options:". It is recommended the file be placed in a read-only network location so that clients cannot alter the policy they consume. |
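For a standalone host, or to test the settings before rolling out the XML by policy, the same nine mitigations can be set directly with Set-ProcessMitigation. This is an added example, not the STIG's fix procedure: the STIG's method is the GPO-delivered DoD EP XML, and on a domain-joined system that policy is authoritative. The UNC path in the commented PolicyFilePath line is a placeholder assumption, not the real name or location of the DoD file.

```powershell
#Requires -RunAsAdministrator
# Added example (not STIG text): enable the WN10-EP-000140 mitigations for
# iexplore.exe with Set-ProcessMitigation, then read them back.

$Target = 'iexplore.exe'

# Set-ProcessMitigation -Enable values matching the STIG's required ON settings.
$Enable = @(
    'DEP',                            # DEP: Enable
    'BottomUp',                       # ASLR: BottomUp
    'ForceRelocateImages',            # ASLR: ForceRelocateImages
    'EnableExportAddressFilter',      # Payload: EnableExportAddressFilter
    'EnableExportAddressFilterPlus',  # Payload: EnableExportAddressFilterPlus
    'EnableImportAddressFilter',      # Payload: EnableImportAddressFilter
    'EnableRopStackPivot',            # Payload: EnableRopStackPivot
    'EnableRopCallerCheck',           # Payload: EnableRopCallerCheck
    'EnableRopSimExec'                # Payload: EnableRopSimExec
)

# Writes the per-image configuration; the policy-delivered XML, where present,
# takes precedence over local settings.
Set-ProcessMitigation -Name $Target -Enable $Enable

# Equivalent for the STIG package's XML, applied locally rather than by GPO
# (path is a placeholder assumption, not the real file name):
# Set-ProcessMitigation -PolicyFilePath '\\fileserver\ReadOnlyShare\DoD_EP.xml'

# Read back only the three categories the STIG cares about.
$m = Get-ProcessMitigation -Name $Target
$m.Dep     | Format-List Enable
$m.Aslr    | Format-List BottomUp, ForceRelocateImages
$m.Payload | Format-List EnableExportAddressFilter, EnableExportAddressFilterPlus,
                         EnableImportAddressFilter, EnableRopStackPivot,
                         EnableRopCallerCheck, EnableRopSimExec
```

Changes made this way take effect for new iexplore.exe processes, not ones already running, so restart the browser before re-running the check. EAF, EAF+ and IAF are known to break some legacy plug-ins, which is why the STIG scopes them to iexplore.exe rather than system-wide.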