exploit-protection-policy

May 22, 2024 · 1 min read
project

Exploit-Protection-policy provides a production-hardened Exploit Protection (EP) policy tailored for Windows 10 and Windows 11 systems. It combines multiple industry-standard security baselines with advanced restrictions to maximize security without breaking compatibility with everyday applications.

This policy has been tested in air-gapped systems to protect endpoints from advanced threat vectors while maintaining productivity.

Merged Security Baselines

  • DISA STIG Exploit Protection v3.
  • Microsoft Security Baseline Exploit Protection policy (specifically aligned for enterprise systems).
  • milgradesec’s custom Exploit Protection rule configurations.

Key Protections Enforced

  • System-Wide Mitigations: Enforces fundamental protections such as Control Flow Guard (CFG), Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and Heap Protection by default.
  • Advanced Payload Controls: Restricts execution vectors using Export Address Filtering (EAF/EAF+), Import Address Filtering (IAF), and Return-Oriented Programming (ROP) mitigations.
  • Image & Code Integrity Restrictions: Blocks loading of low-integrity or remote images, preventing malicious library injection.
  • Application-Specific Tuning: Includes pre-configured exceptions and application rules to balance high-security containment with software compatibility.
Florian Stosse
Authors
Cybersecurity engineer
Cybersecurity engineer at the European Space Agency, specializing in space systems security, embedded platform hardening, and software security defenses.