- Exploit Protection and the mitigations built into Windows 11 drastically reduce the attack surface against exploits and ransomware.
- The combination of centralized policies, PowerShell, and event monitoring allows for fine-tuning security without breaking critical applications.
- Additional features such as SmartScreen, controlled folder access, sandboxing, VBS and HVCI strengthen protection against advanced attacks.
- Rapid updates, application control, firewall, and backups complete a robust hardening strategy in Windows 11.

The good news is that Windows 11 includes an arsenal of advanced security features (many inherited from and improved on the old EMET) which, combined with a good hardening strategy, greatly reduce the attack surface and can stop even zero-day exploits. In the following lines you will see, step by step, how to prevent exploits in Windows 11 by making the most of Exploit Protection, Microsoft Defender, access controls, sandboxing, system hardening and good management practices.
What is Exploit Protection in Windows 11 and why does it matter?
In Windows 11, the so-called Exploit Protection is a set of mitigations applied both to the operating system itself and to specific programs. Its objective is to make it as difficult as possible for malware to exploit security flaws, corrupt memory, or inject code into legitimate processes.
Many of the capabilities previously offered by EMET are now natively integrated into Windows, so it is no longer necessary to install external tools to activate high-level mitigations. Furthermore, they can be combined with solutions such as Microsoft Defender for Endpoint to provide detailed visibility into the events, blocks, and audits generated by these defenses.
Exploit Protection can be configured in two main areas: system-level mitigations (which affect all processes that do not have a specific configuration) and per-application mitigations (fine-tuned configurations for specific executables). Furthermore, many of these mitigations support audit mode, ideal for testing aggressive policies without disrupting the production environment.
Prerequisites and best practices for deploying mitigations
Before you start activating mitigations haphazardly, it's crucial to prepare your environment properly. A poor configuration can lead to crashes, incompatibilities, or loss of productivity, so it's advisable to treat the deployment of Exploit Protection as a risk management project.
The first step is to enable robust monitoring: configure event logging with auditpol and wevtutil so that you can collect application errors (event IDs 1000 and 1001) and system crashes (ID 1002). This will help you determine whether any mitigation change is causing problems in specific programs.
It is also very useful to enable the collection of full user-mode memory dumps. These dumps allow security or support teams to analyze in detail why a process crashes after a specific mitigation is activated and, in many cases, to rely on tools such as Process Hacker for the investigation.
Another smart step is to review which critical applications are already compiled with modern technologies such as Control Flow Guard (CFG), which is focused on preventing exploits that corrupt memory. You can use the dumpbin tool to check whether a binary includes CFG. For many of these apps it will not be necessary to enforce additional mitigations such as DEP, ASLR, SEHOP, or ACG, because they already ship with standard protections.
All of this is part of what Microsoft calls Secure Deployment Practices (SDP). The idea is to implement security changes in stages, testing first on a small group of machines to minimize the risk of massive outages.
How to deploy Exploit Protection without breaking the environment
A recommended approach is to choose between 10 and 50 representative Windows devices and use them as a laboratory. On these systems you test the 21 available mitigations, identify which one breaks which application, and refine the policy for your organization or your own workflow.
Mitigations that prove incompatible with a critical app can be disabled only for that specific executable, keeping them active for the rest of the system. You then repeat the process with the key applications (browsers, office suite, business software, etc.) until you have a stable set of rules.
When the policy is mature, it is first deployed to a User Acceptance Testing (UAT) environment made up of IT administrators, security, and support staff. If everything goes as planned, you can begin ramping up: 1%, 5%, 10%, 25%, 50%, 75%, and finally 100% of the machines.
If you manage many devices, it doesn't make sense to configure each one manually. Windows 11 lets you export the Exploit Protection configuration to an XML file and apply it centrally using Intune, Microsoft Configuration Manager, MDM, or Group Policy.
Configure Exploit Protection from the Windows Security app
For an individual machine or for testing, the most direct way to work with Exploit Protection is through the Windows Security app. From there you can adjust mitigations at the system and application level, as well as export the XML profile.
To access it, simply open the shield icon in the system tray or search for “Windows Security” in the Start menu. Once inside, go to App & browser control and look for the Exploit protection / Exploit protection settings link.
The section is divided into two blocks: System settings, where you adjust global measures, and Program settings, where you fine-tune per executable. The typical options for each mitigation are:
- Enabled by default: applies to all apps that do not have their own entry.
- Disabled by default: not applied unless it is explicitly enabled for a specific app.
- Use default value: respects the value Windows 11 ships with from the factory (Enabled or Disabled, indicated in brackets).
Some mitigations accept a special Audit mode. In that case, the system logs events as if the mitigation were active, but it doesn't actually block the operation. It's perfect for seeing what an aggressive policy would break before enforcing it.
If you want to adjust a specific application, in Program settings you can select one from the list or use the Add program to customize option, either by executable name (affects any process with that name, optionally limited by path) or by selecting the exact file path with the Windows Explorer dialog.
Once you've selected the app, you'll see all the mitigations available for it. You can enable them, disable them, or put them into audit mode. If you check the “Override system settings” box for a specific mitigation, the program configuration always wins, even if the system configuration says otherwise.
Practical examples of combining mitigation
The way system and program options combine can be a little confusing. The general behavior is that program-level settings take precedence over system-level settings in case of conflict, and if nothing is defined, the value “Use default value” applies.
Imagine that someone configures Data Execution Prevention (DEP) at the system level as “Disabled by default”. If you then add test.exe in Program settings, check the option to override system settings, and set DEP to “Enabled”, the actual effect is that only test.exe will run with DEP, while the rest of the applications will not have it applied.
In a slightly more complex scenario, imagine an administrator who leaves DEP disabled by default on the system, creates a program entry for test.exe with DEP enabled and overriding the global policy, and another for miles.exe that only activates Control Flow Guard (CFG) without touching DEP. The practical result is that test.exe will have DEP active, miles.exe will have CFG but no DEP, and the rest of the system will continue without DEP.
This model allows you to fine-tune the protection of critical applications without forcing the same level of hardening on legacy or particularly sensitive programs.
Available mitigations and how they help against exploits
Exploit Protection includes a very broad set of mitigations, many of them inherited from EMET but integrated and optimized in Windows 10/11. Some can be applied to both the entire system and individual applications; others only at the application level.
Among the most important for preventing exploits in Windows 11 are:
- Control Flow Guard (CFG): ensures that indirect calls follow planned routes, preventing malicious deviations from the execution flow.
- Data Execution Prevention (DEP): prevents code from being executed in memory regions marked as data only (heaps, stacks).
- ASLR and variants: forces image relocation (ForceRelocateImages) and randomizes memory allocations (BottomUp, HighEntropy), complicating exploits based on static addresses.
- SEHOP: validates the integrity of exception handler chains, cutting off a classic exploitation technique.
- ACG (Arbitrary Code Guard): prevents the introduction of executable code that does not come from legitimate images and blocks modifications to code pages.
- Blocking remote or low-integrity images: prevents loading binaries from network shares or with a low integrity label, a method commonly used by malware.
- Code integrity guard: restricts image loading to binaries signed by Microsoft, WHQL or trusted sources, with the option to include the Microsoft Store.
- Disable Win32k system calls: isolates certain applications from the Win32k call table, mitigating attacks that target that subsystem.
- DisallowChildProcessCreation: prevents an app from creating child processes, ideal for containing macros or viewers that shouldn't launch anything else.
- EAF and IAF (Export/Import Address Filtering): detect suspicious access to exported/imported function tables, typical of complex ROP chains.
Many of these mitigations can also be put into audit mode, logging what they would have blocked without actually interfering. Others, like CFG or DEP, only work in enforced mode.
In current versions of Windows 11, older EMET mitigations such as NullPage or heap spray protection are already integrated directly into the kernel, so they are considered always active and do not require additional configuration.
Centralized management: Intune, MDM, Configuration Manager, and GPO
In corporate environments, exploit protection is typically managed centrally. This involves starting with a “master” machine where mitigations are configured using Windows Security, and then exporting the configuration to an XML file.
With Microsoft Intune, go to the Device configuration profiles section, create a new profile for Windows 10 and later, choose the Endpoint protection template, and then upload the XML file with the Exploit Protection options. After that, assign the profile to all users and devices or to specific groups.
If you work with a generic MDM configuration service provider, you can use the CSP ./Vendor/MSFT/Policy/Config/ExploitGuard/ExploitProtectionSettings to apply or disable mitigations, as well as to activate audit mode.
There are two approaches in Microsoft Configuration Manager. Under Endpoint security → Attack surface reduction you can create an “Exploit Protection” policy, select the XML file, and distribute it. From Assets and Compliance → Endpoint Protection → Windows Defender Exploit Guard you can also upload the XML, review the configuration, and deploy the resulting policy.
Group Policy remains another widely used method: open the GPO management console, edit the desired object, and navigate to Computer Configuration → Administrative Templates → Windows Components → Windows Defender → Exploit Protection. There you will find the option to use a common set of exploit protection settings and point to the path where the XML resides.
PowerShell to view and precisely adjust mitigations
In addition to the graphical interface, Windows 11 offers a very powerful pair of cmdlets for managing these defenses: Get-ProcessMitigation / Set-ProcessMitigation. With them you can inspect and modify the status of each mitigation at the system or application level.
If you want to see the mitigations that affect a specific process, simply run a command like: Get-ProcessMitigation -Name processName.exe. To change settings, the general syntax is:
General syntax: Set-ProcessMitigation -<scope> <target> -<action> <mitigation, options>
Where the scope can be -Name (for a specific app) or -System (for the entire system); the action can be -Enable or -Disable; and the mitigations are keywords such as DEP, CFG, BottomUp, DynamicCode, DisallowChildProcessCreation, etc.
For example, if you want to enable DEP with ATL thunk emulation and block child processes for C:\Apps\LOB\tests\testing.exe, you could use something like Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable DEP, EmulateAtlThunks, DisallowChildProcessCreation. To force system-wide DEP, you would use Set-ProcessMitigation -System -Enable DEP.
If you need to revert a mitigation to the system default after having modified it for an app, combine -Remove with the action and the mitigation, for example: Set-ProcessMitigation -Name test.exe -Remove -Disable DEP.
Mitigations that accept audit mode use specific parameters, such as AuditDynamicCode, AuditImageLoad, AuditFont, AuditChildProcess, etc. To activate them, include them in the -Enable list; to deactivate them, pass them to -Disable with the same syntax.
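The following script is an added example, not code from the original article: it puts the staged workflow described above into practice for one lab executable (system baseline, per-app entry with the riskier mitigations in audit mode, read-back of the effective settings, and XML export for central deployment). The executable path, the export path and the chosen mitigation set are assumptions for illustration.

```powershell
# Added example (not from the original article). Run from an elevated
# PowerShell session; the paths and mitigation choices are assumptions.
#Requires -RunAsAdministrator
$app       = 'C:\Apps\LOB\tests\testing.exe'      # assumed lab binary
$exportXml = 'C:\Temp\ExploitProtection-lab.xml'  # assumed export location

# Step 1: system-wide baseline. DEP, SEHOP and bottom-up ASLR are the
# low-risk mitigations that rarely break applications.
Set-ProcessMitigation -System -Enable DEP, SEHOP, BottomUp

# Step 2: per-app entry for the lab binary. DEP with ATL thunk emulation is
# enforced; dynamic code, child-process and EAF checks go into AUDIT mode
# first, so the Security-Mitigations log shows what they would block
# without actually interfering with the application.
Set-ProcessMitigation -Name $app -Enable DEP, EmulateAtlThunks, `
    AuditDynamicCode, AuditChildProcess, AuditEnableExportAddressFilter

# Step 3: read back the effective per-app configuration. Get-ProcessMitigation
# returns one nested object per mitigation family (Dep, Aslr, ChildProcess,
# ...) whose members hold ON / OFF / NOTSET; list only what is ON.
function Get-EnabledMitigations {
    param([string]$Path)
    $cfg = Get-ProcessMitigation -Name $Path
    foreach ($family in $cfg.PSObject.Properties) {
        if ($null -eq $family.Value -or $family.Value -is [string]) { continue }
        foreach ($setting in $family.Value.PSObject.Properties) {
            if ("$($setting.Value)" -eq 'ON') {
                [pscustomobject]@{ Family = $family.Name; Setting = $setting.Name }
            }
        }
    }
}
Get-EnabledMitigations -Path $app | Format-Table -AutoSize

# Step 4: export the whole current configuration (system + per-app entries)
# to XML. This is the file you hand to Intune, Configuration Manager or the
# GPO setting described in the centralized-management section.
Get-ProcessMitigation -RegistryConfigFilePath $exportXml
Write-Host "Exported Exploit Protection policy to $exportXml"

# To apply the same XML on another machine (or on the lab machine after a
# reset), import it with:
#   Set-ProcessMitigation -PolicyFilePath $exportXml
# Once audit events show the app is unaffected, switch a mitigation from
# audit to enforcement, e.g.:
#   Set-ProcessMitigation -Name $app -Disable AuditChildProcess -Enable DisallowChildProcessCreation
# To drop the per-app entry entirely and fall back to the system defaults:
#   Set-ProcessMitigation -Name $app -Remove
```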
Monitoring Exploit Protection events in Defender and Event Viewer
A crucial part of exploit prevention is monitoring what is really happening. If you use Microsoft Defender for Endpoint, you can use advanced hunting to see all events related to Exploit Guard (which includes Exploit Protection).
A basic query might be something like: DeviceEvents | where ActionType startswith 'ExploitGuard' and ActionType !contains 'NetworkProtection'. This returns the audited or blocked violations related to mitigations such as ACG, EAF, IAF, child process blocking, code integrity guard, etc.
Each mitigation has specific associated ActionTypes, for example ExploitGuardAcgEnforced/ExploitGuardAcgAudited for ACG, ExploitGuardChildProcessBlocked for child process blocking, ExploitGuardRopExploitBlocked for ROP detections (SimExec, CallerCheck, StackPivot), or ExploitGuardWin32SystemCallBlocked for denied Win32k calls.
If you don't have Defender for Endpoint, you can always fall back on the Windows Event Viewer. In the Application log, the “Security Mitigations” provider generates a multitude of IDs (1-24) for audit and enforcement events for ACG, child process, remote images, untrusted sources, EAF, IAF, ROP, etc.
In addition, components such as WER (Diagnostics) emit IDs related to CFG blocks, and Win32K can log specific events when it detects untrusted sources. This telemetry is invaluable for refining policies and understanding the true impact of your hardening rules.
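As an added example (not part of the original article), the script below correlates Security-Mitigations audit/block events with the application crash events (IDs 1000 and 1001) mentioned in the prerequisites section, so that a mitigation that breaks a program shows up as "mitigation hits for X followed by crashes of X". The channel names, the 24-hour window and the regex used to pull the process name out of the event message are assumptions to adapt to your environment.

```powershell
# Added example (not from the original article). Channel names and the time
# window are assumptions; run in an elevated session so both logs are readable.
$since = (Get-Date).AddHours(-24)

# 1. Security-Mitigations events from the user-mode and kernel-mode channels
#    (assumed channel names). -ErrorAction hides the "no events found" error.
$mitigationEvents = foreach ($log in 'Microsoft-Windows-Security-Mitigations/UserMode',
                                      'Microsoft-Windows-Security-Mitigations/KernelMode') {
    Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } -ErrorAction SilentlyContinue
}

# 2. Application crash (1000) and WER (1001) events from the Application log.
$crashEvents = Get-WinEvent -FilterHashtable @{
    LogName = 'Application'; Id = 1000, 1001; StartTime = $since } -ErrorAction SilentlyContinue

function Get-ProcessNameFromEvent {
    param($Event)
    # Both event families carry the process path in the message text; take the
    # first drive-rooted *.exe token (assumption: paths without spaces).
    if ($Event.Message -match '([A-Za-z]:\\[^\s"]+?\.exe)') {
        return (Split-Path $Matches[1] -Leaf).ToLower()
    }
    return 'unknown'
}

# 3. Tally mitigation hits and crashes per process name.
$summary = @{}
foreach ($e in $mitigationEvents) {
    $p = Get-ProcessNameFromEvent $e
    if (-not $summary[$p]) { $summary[$p] = [ordered]@{ Mitigation = 0; Crashes = 0; Ids = @() } }
    $summary[$p].Mitigation++
    $summary[$p].Ids += $e.Id
}
foreach ($e in $crashEvents) {
    $p = Get-ProcessNameFromEvent $e
    if (-not $summary[$p]) { $summary[$p] = [ordered]@{ Mitigation = 0; Crashes = 0; Ids = @() } }
    $summary[$p].Crashes++
}

# 4. Processes with BOTH mitigation events and crashes are the candidates to
#    move back to audit mode or to exclude from that mitigation in the policy.
$summary.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{
        Process        = $_.Key
        MitigationHits = $_.Value.Mitigation
        EventIds       = ($_.Value.Ids | Sort-Object -Unique) -join ','
        Crashes        = $_.Value.Crashes
        Suspect        = ($_.Value.Mitigation -gt 0 -and $_.Value.Crashes -gt 0)
    }
} | Sort-Object Suspect, MitigationHits -Descending | Format-Table -AutoSize
```

The EventIds column tells you which Security-Mitigations ID (and therefore which mitigation) fired for a suspect process, which is what you need when deciding which per-app entry to relax.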
Additional hardening in Windows 11 against exploits and ransomware
Exploit Protection is just one piece of the puzzle. Windows 11 incorporates other security features that, when combined effectively, make a big difference when it comes to stopping exploits, ransomware, and browser attacks.
One of the most important is Controlled folder access. This defense is specifically designed to block suspicious changes to critical directories, protecting against ransomware and data theft. It works with an allow list of trusted applications that are permitted to modify certain paths (Documents, Pictures, working folders, etc.).
To configure it, go to Settings → Privacy and security → Windows Security → Virus and threat protection and, under “Ransomware protection”, manage controlled folder access and the protected folders. This way you ensure that only legitimate programs can encrypt or alter your sensitive files.
Another key piece is SmartScreen, within “App & browser control”. This component analyzes in real time the downloads, executables, and pages you visit, comparing them against cloud reputation to nip many phishing or malware download attempts in the bud.
It's advisable to enable options like "Check apps and files", "SmartScreen for Microsoft Edge", and "Phishing protection", thus maintaining a fairly aggressive filter that stops exploits arriving via browser or email.
For riskier scenarios, Windows Sandbox is a lifesaver. It works as an ultra-lightweight virtual machine integrated into the system (in Pro/Enterprise editions), ideal for opening suspicious attachments, testing unknown software, or visiting dubious websites. Everything that happens inside is destroyed when the window is closed, without touching your main installation.
Core isolation, VBS, HVCI and Secure Boot
Windows 11 invests heavily in hardware-based isolation. Options like Core isolation and Memory integrity isolate critical processes so that they cannot be manipulated by arbitrary code in memory, which greatly complicates exploits that target the kernel or vulnerable drivers.
These functions rely on technologies such as Virtualization-Based Security (VBS) and Hypervisor-Protected Code Integrity (HVCI), which place sensitive components in a separate environment (Virtual Secure Mode) and enforce strict code signing policies.
For all of this to work you need to enable hardware virtualization in the BIOS/UEFI and make sure the computer meets the Windows 11 requirements, including TPM 2.0. It's also a good idea to activate Secure Boot, which ensures that only signed and trusted components are loaded during startup.
Combining Secure Boot, TPM, VBS, and HVCI provides a very solid foundation for preventing attacks that load rootkits, modify the firmware, or attempt to inject themselves into the kernel. While nothing is foolproof, these layers ensure that exploiting low-level vulnerabilities is much more costly and complex.
If you want to learn more about how this isolation works and is configured, see the article on kernel isolation in Windows 11.
Other recommended hardening measures for Windows 11
Beyond specific mitigations, there are several general practices that greatly help to prevent exploits and limit their impact if they do succeed:
Keeping Microsoft Defender Antivirus (or Microsoft Defender for Endpoint) active and updated is essential. Real-time protection, up-to-date signatures, and regular scans detect many exploitation attempts before they can successfully chain the vulnerability.
Windows and third-party application updates remain the first line of defense. Critical flaws like CVE-2023-28252 (a privilege escalation vulnerability in the CLFS file system, exploited to deploy Nokoyawa ransomware) demonstrate that criminals do not hesitate to use zero-days against medium and large enterprises; review your Windows update policies to balance speed and stability.
When Microsoft releases patches for these problems, it's vital to apply them as soon as possible, especially on servers and machines with sensitive data. Leaving systems unpatched opens the door for publicly available or black market exploits to be used against your organization.
At the network level, implementing strict rules in the Windows firewall helps reduce the exposed surface, allowing only the incoming/outgoing traffic that is truly needed; also check how to detect open network ports to limit exposure. Activating "stealth" or silent mode on public networks also makes it harder for an attacker to detect you.
In professional environments, it is worth considering more advanced solutions such as EDR, Managed Detection and Response and Threat Intelligence platforms. These services allow for the detection of anomalous activity, in-depth investigation of incidents, and a response before an attack encrypts or exfiltrates information.
Backups, application control, and minimal services
No matter how well your mitigations are configured, there's always some residual risk. That's why it's critical to combine exploit prevention with a robust backup policy, ideally following the 3-2-1 rule (three copies, on two different media, one outside the main location).
Perform regular backups of documents, configurations, and critical data, test restores from time to time, and store at least one offline copy. This makes the difference between a scare and a total disaster when something goes wrong; also include registry backups (see how to make a registry backup) as part of your plan.
Another very effective layer is application control. In professional editions, you can use AppLocker or equivalent policies to define which binaries, scripts, and installers are authorized to run; support these policies with permission auditing tools, for example AccessChk. This minimizes the possibility of an exploit downloading and launching an arbitrary payload.
Finally, turning off services and features you don't use helps further reduce the attack surface. The fewer exposed services and enabled components, the fewer opportunities an attacker will have to find vulnerabilities. For procedures and practical guides on this, see how to modify services in Windows 11. However, it's important to document changes thoroughly and periodically review what is active and what is not.
By sensibly combining Exploit Protection, advanced Windows 11 security features, fast updates, modern antivirus, system hardening, application control, and good backups, you make it increasingly difficult for exploits to compromise your machine or organization, even when it comes to zero-day vulnerabilities or particularly sophisticated ransomware campaigns.