Introduction to Exploit Protection

Exploit Protection is a Windows Defender feature in Windows Server 2019 that applies exploit mitigation techniques to operating system processes and individual applications. It is the successor to Enhanced Mitigation Experience Toolkit (EMET) and provides a comprehensive set of memory protection, code execution prevention, and anti-exploit technologies. Exploit Protection mitigations make it significantly harder for attackers to exploit software vulnerabilities—even zero-day vulnerabilities—by disrupting the techniques that exploit code relies on, such as heap spraying, ROP chain construction, and code injection. This tutorial covers configuring both system-level and per-application Exploit Protection settings on Windows Server 2019.

Exploit Protection Mitigation Types

Exploit Protection provides the following mitigation categories:

- Control Flow Guard (CFG): validates indirect call targets to prevent ROP attacks
- Data Execution Prevention (DEP): prevents code from executing in non-executable memory regions
- Mandatory ASLR: forces Address Space Layout Randomization for all modules
- Bottom-up ASLR: randomizes stack and heap base addresses
- High-Entropy ASLR: uses 64-bit entropy for ASLR on 64-bit processes
- Force Randomize Images: forces ASLR even for modules not compiled with ASLR support
- Heap Integrity Validation: detects heap corruption
- Stack Pivot Protection: detects stack pointer manipulation
- Caller Check: validates that call instructions use proper return addresses

Accessing Exploit Protection Settings

Configure Exploit Protection through Windows Security Center GUI, PowerShell, or Group Policy. Open Windows Security and navigate to App & browser control > Exploit protection settings. This shows both system settings and individual program settings.

# Open Windows Security to Exploit Protection
Start-Process "windowsdefender://exploitprotection"

# Or via PowerShell - view all current process mitigations
Get-ProcessMitigation -System

Viewing Current System Mitigation Settings

Use Get-ProcessMitigation to view the current state of all system-wide mitigation settings. Each mitigation shows its state: ON (enabled), OFF (disabled), NOTSET (inherits from system default), or OVERRIDE (application-specific setting).

Get-ProcessMitigation -System | Format-List

View mitigations for a specific process by name or PID:

Get-ProcessMitigation -Name "lsass.exe"
Get-ProcessMitigation -Name "explorer.exe"

Configuring System-Level Mitigations

Set system-wide mitigation defaults using Set-ProcessMitigation. These apply to all processes unless overridden by per-application settings. Enable DEP, ASLR, and CFG system-wide.

# Enable DEP system-wide
Set-ProcessMitigation -System -Enable DEP

# Enable mandatory ASLR (force randomization for all modules)
Set-ProcessMitigation -System -Enable ForceRelocateImages

# Enable high-entropy ASLR (64-bit entropy on 64-bit systems)
Set-ProcessMitigation -System -Enable HighEntropy

# Enable bottom-up ASLR (randomize heap and stack)
Set-ProcessMitigation -System -Enable BottomUp

# Enable SEHOP (Structured Exception Handler Overwrite Protection)
Set-ProcessMitigation -System -Enable SEHOP

# Block dynamic code generation (Arbitrary Code Guard). System-wide this also
# affects JIT-based applications such as browsers and .NET, so audit first.
Set-ProcessMitigation -System -Enable BlockDynamicCode
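Once the baseline above is set, it is worth verifying that it is actually in force and catching later drift. The following check is an added example, not part of the original tutorial; the property paths on the Get-ProcessMitigation -System object (DEP.Enable, ASLR.ForceRelocateImages and so on) are assumed from the cmdlet's default output.

```powershell
# Added example (not from the original tutorial): compare the live system-wide
# mitigation state against the baseline configured in this section.
# Assumption: Get-ProcessMitigation -System exposes sections such as DEP, ASLR,
# SEHOP, CFG and DynamicCode, each with the properties named below.
function Test-SystemMitigationBaseline {
    [CmdletBinding()]
    param(
        # Expected state per mitigation, keyed "<Section>.<Property>".
        # Reported values are ON, OFF or NOTSET.
        [hashtable]$Baseline = @{
            'DEP.Enable'                   = 'ON'
            'ASLR.ForceRelocateImages'     = 'ON'
            'ASLR.HighEntropy'             = 'ON'
            'ASLR.BottomUp'                = 'ON'
            'SEHOP.Enable'                 = 'ON'
            'CFG.Enable'                   = 'ON'
            'DynamicCode.BlockDynamicCode' = 'ON'
        }
    )
    $current = Get-ProcessMitigation -System
    foreach ($key in ($Baseline.Keys | Sort-Object)) {
        $section, $property = $key -split '\.', 2
        $node = $current.$section
        # NOTSET means no explicit policy, so the Windows default applies; that is
        # not the same as OFF, which is why the baseline asks for an explicit ON.
        $actual = if ($null -ne $node) { "$($node.$property)" } else { 'MISSING' }
        [pscustomobject]@{
            Mitigation = $key
            Expected   = $Baseline[$key]
            Actual     = $actual
            Compliant  = ($actual -eq $Baseline[$key])
        }
    }
}

# Report only the settings that deviate from the baseline
$drift = Test-SystemMitigationBaseline | Where-Object { -not $_.Compliant }
if ($drift) {
    Write-Warning 'System mitigation baseline drift detected:'
    $drift | Format-Table -AutoSize
} else {
    'System mitigation baseline is compliant.'
}
```

Pass a different -Baseline hashtable to check a stricter or looser profile; a MISSING value means the section name does not exist on this build's output object.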

Configuring Per-Application Mitigations

Apply stricter mitigations to specific high-risk applications like web browsers, email clients, and any application that processes untrusted content. Configure application-specific overrides that supplement or replace the system defaults.

# Enable strict CFG for Internet Explorer
Set-ProcessMitigation -Name "iexplore.exe" -Enable CFG, StrictCFG, DEP, ForceRelocateImages

# Configure LSASS with enhanced protections
Set-ProcessMitigation -Name "lsass.exe" `
    -Enable DEP, CFG, ForceRelocateImages, HighEntropy, BottomUp, SEHOP, `
             BlockDynamicCode, BlockRemoteImageLoads

# Configure werfault.exe (Windows Error Reporting - can be exploited)
Set-ProcessMitigation -Name "werfault.exe" -Enable DEP, ForceRelocateImages, CFG

Exporting Exploit Protection Configuration

Export the current Exploit Protection configuration to an XML file for backup, documentation, or deployment to other systems via Group Policy.

# Export the live configuration (system settings plus every per-application
# override stored under Image File Execution Options) to an XML policy file
Get-ProcessMitigation -RegistryConfigFilePath "C:\ExploitProtection\EPConfig.xml"

# ConvertTo-ProcessMitigationPolicy is the cmdlet for converting an existing
# EMET XML export into the Exploit Protection format, not for exporting:
ConvertTo-ProcessMitigationPolicy -EMETFilePath "C:\ExploitProtection\EMETConfig.xml" `
    -OutputFilePath "C:\ExploitProtection\EPConfig.xml"

Import a saved configuration on another system:

Set-ProcessMitigation -PolicyFilePath "C:\ExploitProtection\EPConfig.xml"

Deploying Exploit Protection via Group Policy

Deploy Exploit Protection configuration across the domain using Group Policy. Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Defender Exploit Guard > Exploit Protection. Set “Use a common set of exploit protection settings” to Enabled and specify the UNC path to the exported XML configuration file.

gpmc.msc

Place the EPConfig.xml file on a file share accessible to all computers, for example \\fileserver\ExploitProtection\EPConfig.xml, and reference this UNC path in the Group Policy setting.
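Before publishing an exported policy file to the share, it helps to list exactly what it would apply, per executable, so that an accidental override (or an explicit "false" that disables a system default for one program) is caught before it reaches every domain member. The script below is an added example, not part of the original tutorial; the element and attribute layout of the sample document (MitigationPolicy, SystemConfig, AppConfig with an Executable attribute) is assumed, and the parser only walks elements and attributes, so it tolerates mitigation names it does not know.

```powershell
# Added example (not from the original tutorial): enumerate the settings an
# Exploit Protection XML policy file would apply, per scope.
# The sample document below is constructed for this example; the element and
# attribute names are an assumption about the exported format.
$SampleEpConfig = @'
<?xml version="1.0" encoding="UTF-8"?>
<MitigationPolicy>
  <SystemConfig>
    <DEP Enable="true" />
    <ASLR ForceRelocateImages="true" BottomUp="true" HighEntropy="true" />
    <SEHOP Enable="true" />
  </SystemConfig>
  <AppConfig Executable="iexplore.exe">
    <DEP Enable="true" />
    <ControlFlowGuard Enable="true" StrictControlFlowGuard="true" />
  </AppConfig>
  <AppConfig Executable="legacyapp.exe">
    <ASLR ForceRelocateImages="false" />
  </AppConfig>
</MitigationPolicy>
'@

function Get-EpPolicySetting {
    param([Parameter(Mandatory)][xml]$Policy)
    # "System" covers <SystemConfig>; every <AppConfig> is keyed by its Executable
    $scopes = @([pscustomobject]@{ Scope = 'System'; Node = $Policy.MitigationPolicy.SystemConfig })
    foreach ($app in $Policy.MitigationPolicy.AppConfig) {
        $scopes += [pscustomobject]@{ Scope = $app.Executable; Node = $app }
    }
    foreach ($s in $scopes) {
        if ($null -eq $s.Node) { continue }
        foreach ($mitigation in $s.Node.ChildNodes) {
            foreach ($attr in $mitigation.Attributes) {
                [pscustomobject]@{
                    Scope      = $s.Scope
                    Mitigation = $mitigation.Name
                    Setting    = $attr.Name
                    Value      = $attr.Value
                }
            }
        }
    }
}

# Use the constructed sample, or replace it with a real export:
# [xml](Get-Content 'C:\ExploitProtection\EPConfig.xml' -Raw)
$settings = Get-EpPolicySetting -Policy ([xml]$SampleEpConfig)
$settings | Sort-Object Scope, Mitigation | Format-Table -AutoSize
# Per-application "false" values weaken a system default for that program; review each one
$settings | Where-Object { $_.Scope -ne 'System' -and $_.Value -eq 'false' }
```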

Enabling Audit Mode for Mitigations

Some mitigations can cause application compatibility issues. Use audit mode to log potential violations without blocking, allowing you to identify compatibility problems before full enforcement.

# Audit mode is selected per mitigation by enabling its Audit* variant rather
# than the enforcing name (for example AuditDynamicCode instead of
# BlockDynamicCode, AuditChildProcess instead of DisallowChildProcessCreation).
# Not every mitigation has an audit variant; CFG, for instance, does not.
Set-ProcessMitigation -Name "myapp.exe" -Enable AuditDynamicCode, AuditChildProcess

# View audit events for Exploit Protection
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Security-Mitigations/UserMode'
    StartTime = (Get-Date).AddDays(-7)
} | Select-Object TimeCreated, Id, Message | Format-List

Protecting Against Specific Exploit Techniques

Configure additional mitigations targeting specific exploit techniques used in modern attacks:

# Block child process creation (prevents malware from launching child processes).
# Microsoft Word's image name is winword.exe, so that is the name the override must use.
Set-ProcessMitigation -Name "winword.exe" -Enable DisallowChildProcessCreation

# Block low-integrity image loading (blocks DLLs carrying a low integrity label,
# such as files written by a sandboxed, low-integrity process)
Set-ProcessMitigation -Name "outlook.exe" -Enable BlockLowLabelImageLoads

# Disable extension points (blocks legacy extensibility mechanisms such as
# AppInit DLLs, window hooks, and Input Method Editors)
Set-ProcessMitigation -Name "explorer.exe" -Enable ExtensionPointDisable

# Simulate execution (SimExec): simulates the instructions after a return to
# detect return-oriented programming; the mitigation name is EnableRopSimExec
Set-ProcessMitigation -Name "powershell.exe" -Enable EnableRopSimExec

Monitoring Exploit Protection Events

Exploit Protection writes events to the Windows event log. Check the Security-Mitigations log for any triggered mitigations that indicate actual exploitation attempts.

Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Security-Mitigations/KernelMode'
    StartTime = (Get-Date).AddDays(-30)
} | Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-List
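The two queries above (the audit-mode review and the monitoring query) return raw events. The script below is an added example, not part of the original tutorial: it reads both Security-Mitigations channels, translates each event ID into the mitigation that fired and whether it was an audit or a block, and groups the results per process so audit findings can be assessed before a mitigation is switched to enforcement. The ID table is Microsoft's documented mapping for the Security-Mitigations provider; the regex that pulls the image path out of the message text is an assumption about the message format.

```powershell
# Added example (not from the original tutorial): summarise Exploit Protection
# events by process, mitigation and action across both channels.
# Documented Security-Mitigations IDs: odd = audit, even = matching block.
# CFG blocks are logged separately as WER-Diagnostics event 5 and are not covered here.
$MitigationByAuditId = @{
     1 = 'Arbitrary code guard (BlockDynamicCode)'
     3 = 'Do not allow child processes'
     5 = 'Block low integrity images'
     7 = 'Block remote images'
     9 = 'Disable Win32k system calls'
    11 = 'Code integrity guard'
    13 = 'Export address filtering (EAF)'
    15 = 'Export address filtering plus (EAF+)'
    17 = 'Import address filtering (IAF)'
    19 = 'Validate stack integrity (StackPivot)'
    21 = 'Validate API invocation (CallerCheck)'
    23 = 'Simulate execution (SimExec)'
}

function Get-ExploitProtectionEvent {
    param([int]$Days = 7)
    foreach ($channel in 'UserMode', 'KernelMode') {
        # SilentlyContinue: Get-WinEvent raises an error when a channel has no matching events
        $events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName   = "Microsoft-Windows-Security-Mitigations/$channel"
            StartTime = (Get-Date).AddDays(-$Days)
        }
        foreach ($e in $events) {
            $auditId = if ($e.Id % 2 -eq 1) { $e.Id } else { $e.Id - 1 }
            # Assumption: the message quotes the image path of the affected process
            $process = if ($e.Message -match "'([^']+)'") { $Matches[1] } else { "PID $($e.ProcessId)" }
            [pscustomobject]@{
                TimeCreated = $e.TimeCreated
                Channel     = $channel
                Process     = $process
                Mitigation  = if ($MitigationByAuditId.ContainsKey($auditId)) { $MitigationByAuditId[$auditId] } else { "Unknown (ID $($e.Id))" }
                Action      = if ($e.Id % 2 -eq 1) { 'Audit' } else { 'Block' }
            }
        }
    }
}

# A process that repeatedly audits the same mitigation during normal use needs
# an exception or a different mitigation, not enforcement. A Block on a process
# that was never put through audit mode deserves incident-response attention.
Get-ExploitProtectionEvent -Days 30 |
    Group-Object Process, Mitigation, Action |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```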

Conclusion

Exploit Protection on Windows Server 2019 provides a comprehensive set of memory protection technologies that increase the cost and complexity of successful exploitation. DEP, CFG, and ASLR form the foundational triad that disrupts the vast majority of memory corruption exploits. Per-application settings allow you to apply the strictest protections to the highest-risk processes—browsers, email clients, document processors, and LSASS. Combine Exploit Protection with Attack Surface Reduction Rules, Windows Defender Antivirus, and network protection for a layered defense-in-depth strategy.