exploit-protection-policy

May 22, 2024 · 1 min read
project

Exploit-Protection-policy provides a production-hardened Exploit Protection (EP) policy tailored for Windows 10 and Windows 11 systems. It combines multiple industry-standard security baselines with advanced restrictions to maximize security without breaking compatibility with everyday applications.

This policy has been tested in air-gapped systems to protect endpoints from advanced threat vectors while maintaining productivity.

Merged Security Baselines

  • DISA STIG Exploit Protection v3.
  • Microsoft Security Baseline Exploit Protection policy (specifically aligned for enterprise systems).
  • milgradesec’s custom Exploit Protection rule configurations.

Key Protections Enforced

  • System-Wide Mitigations: Enforces fundamental protections such as Control Flow Guard (CFG), Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and Heap Protection by default.
  • Advanced Payload Controls: Restricts execution vectors using Export Address Filtering (EAF/EAF+), Import Address Filtering (IAF), and Return-Oriented Programming (ROP) mitigations.
  • Image & Code Integrity Restrictions: Blocks loading of low-integrity or remote images, preventing malicious library injection.
  • Application-Specific Tuning: Includes pre-configured exceptions and application rules to balance high-security containment with software compatibility.
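
As an added example (not part of the project's own repository), the PowerShell a defender would run to import the policy XML and confirm that the system-wide mitigations listed above are actually in force; the policy path is a placeholder and the property names read from `Get-ProcessMitigation -System` are assumed to match current Windows 10/11 builds.

```powershell
# Added example, not the project's own code. Imports an Exploit Protection
# policy XML system-wide and verifies the baseline mitigations named above.
# Run from an elevated PowerShell session on Windows 10/11.
param(
    # Placeholder: path to the project's exported EP policy XML.
    [string]$PolicyPath = 'C:\path\to\exploit-protection-policy.xml'
)

# Apply both the system-wide and per-application settings from the XML.
Set-ProcessMitigation -PolicyFilePath $PolicyPath

# Read back the effective system-wide configuration.
$sys = Get-ProcessMitigation -System

# Mitigation label -> state reported by the cmdlet (assumed property names).
$expected = @{
    'DEP'                     = $sys.Dep.Enable
    'CFG'                     = $sys.Cfg.Enable
    'ASLR (bottom-up)'        = $sys.Aslr.BottomUp
    'ASLR (high entropy)'     = $sys.Aslr.HighEntropy
    'ASLR (force relocate)'   = $sys.Aslr.ForceRelocateImages
    'Heap terminate-on-error' = $sys.Heap.TerminateOnError
}

$failed = @()
foreach ($name in $expected.Keys) {
    $state = $expected[$name]
    # States are ON / OFF / NOTSET / DEFER; anything other than ON is a finding.
    if ("$state" -ne 'ON') { $failed += "$name is $state" }
}

if ($failed.Count -eq 0) {
    Write-Output 'All checked system-wide mitigations are ON.'
} else {
    $failed | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Per-application rules from the XML can be audited the same way with `Get-ProcessMitigation -Name <exe>` in place of `-System`.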

Author: Florian Stosse, cybersecurity engineer

About Me

Hi, I’m Florian Stosse, just another information security engineer!

Current work

I currently work at the European Space Agency, as a cybersecurity engineer for the Galileo programme, specifically for the Galileo Mission Segment (GMS).

Experience summary

I previously worked at Safran Data Systems, in the Space & Communications business unit. I focused on hardening and securing our embedded Windows 7 and 10/11 platforms (Cortex family of TT&C and high data rate receivers), among other cool things :)

Before that, in October 2018, I started a PhD thesis at CEA-List and ANSSI to work on formal methods applied to software security. More specifically, I was working on software defenses and hardening against hardware vulnerabilities, such as Spectre and Meltdown, using sound static analysis tools (Frama-C in particular).

My thesis was under the supervision of Julien Signoles (CEA), and my advisors were Patricia Mouy (ANSSI) and Florent Kirchner (CEA).

Unfortunately, we had to put a stop to the thesis, but hey, that’s life!

Education summary

I graduated with an M.Sc. in Computer Science (major in cybersecurity, minor in embedded systems) from ESIEA Paris (a top French engineering school, part of the “Grandes écoles”) in August 2018. During my graduate studies, I was an apprentice at Bureau Veritas’ R&D center in La Défense, Paris.

I worked in the RAMS department, and my main areas of work were:

  • software security (e.g. static analysis, SDLC),
  • connected/autonomous vehicles security (e.g. ISO 21434 for automotive security engineering),
  • and industrial systems security (e.g. ISO 62443 certification).

Do not hesitate to get in touch if you want to chat about these topics (or anything else, really)!