Exploit Protection mitigations in Windows 10 must be configured for VISIO.EXE.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-77255	WN10-EP-000260	SV-91951r1_rule		Medium

Description
Exploit protection in Windows 10 provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows 10 may be subject to various exploits.

STIG	Date
Windows 10 Security Technical Implementation Guide	2017-12-01

Details

Check Text ( C-77425r5_chk )
This is NA prior to v1709 of Windows 10. Run "Windows PowerShell" with elevated privileges (run as administrator). Enter "Get-ProcessMitigation -Name VISIO.EXE". (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) If the following mitigations do not have a status of "ON", this is a finding: DEP: Enable: ON ASLR: ForceRelocateImages: ON Payload: EnableExportAddressFilter: ON EnableExportAddressFilterPlus: ON EnableImportAddressFilter: ON EnableRopStackPivot: ON EnableRopCallerCheck: ON EnableRopSimExec: ON The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here.

Check Text ( C-77425r5_chk )

This is NA prior to v1709 of Windows 10.

Run "Windows PowerShell" with elevated privileges (run as administrator).

Enter "Get-ProcessMitigation -Name VISIO.EXE".
(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)

If the following mitigations do not have a status of "ON", this is a finding:

DEP:
Enable: ON

ASLR:
ForceRelocateImages: ON

Payload:
EnableExportAddressFilter: ON
EnableExportAddressFilterPlus: ON
EnableImportAddressFilter: ON
EnableRopStackPivot: ON
EnableRopCallerCheck: ON
EnableRopSimExec: ON

The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here.

Fix Text (F-84507r4_fix)
Ensure the following mitigations are turned "ON" for VISIO.EXE: DEP: Enable: ON ASLR: ForceRelocateImages: ON Payload: EnableExportAddressFilter: ON EnableExportAddressFilterPlus: ON EnableImportAddressFilter: ON EnableRopStackPivot: ON EnableRopCallerCheck: ON EnableRopSimExec: ON Application mitigations defined in the STIG are configured by a DoD EP XML file included with the Windows 10 STIG package in the "Supporting Files" folder. The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location.

Fix Text (F-84507r4_fix)

Ensure the following mitigations are turned "ON" for VISIO.EXE:

DEP:
Enable: ON

ASLR:
ForceRelocateImages: ON

Payload:
EnableExportAddressFilter: ON
EnableExportAddressFilterPlus: ON
EnableImportAddressFilter: ON
EnableRopStackPivot: ON
EnableRopCallerCheck: ON
EnableRopSimExec: ON

Application mitigations defined in the STIG are configured by a DoD EP XML file included with the Windows 10 STIG package in the "Supporting Files" folder.

The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location.