nsacyber/Windows-Secure-Host-Baseline

SEHOP not enforced

mlosapio opened this issue · 2 comments

This STIG doesn't appear to be applied anywhere.

https://www.stigviewer.com/stig/windows_10/2016-11-03/finding/V-68849

It does flag on the compliance report:

FAILED WN10-00-000150: Structured Exception Handling Overwrite Protection (SEHOP) must be turned on.

Clarifying on this issue:

When attempting to use the SHB and subsequent compliance checks on a v1709 host, it returns a finding as listed above. This is due to the deprecation of EMET on v1709 and higher builds of W10.

The correct COA here would be to port over the EMET ruleset into Exploit Guard as a separate LGPO pack that can be applied to more modern versions of W10.

Ultimately this will be resolved once we post materials for when the next SHB is out (soon).
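
An added example, not part of the issue thread or the SHB project's own code: a PowerShell check that reports SEHOP state from the kernel registry value and from the Exploit Guard system-level setting, so a host can be audited on builds before and after v1709. It assumes the WN10-00-000150 check reads the DisableExceptionChainValidation registry value and that the Exploit Guard setting is read with Get-ProcessMitigation; the function name Get-SehopState is hypothetical.

```powershell
# Added example (not SHB project code). Get-SehopState is a hypothetical name.
function Get-SehopState {
    [CmdletBinding()]
    param()

    # Assumption: the STIG check for WN10-00-000150 reads this value.
    $keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'
    $valueName = 'DisableExceptionChainValidation'

    # Registry setting: 0 means SEHOP is enforced, a missing value means OS default.
    $regValue = $null
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -ne $item) { $regValue = $item.$valueName }

    # Exploit Guard system-level setting; the cmdlet only exists on v1709 and later.
    $epState = 'cmdlet not available'
    if (Get-Command -Name Get-ProcessMitigation -ErrorAction SilentlyContinue) {
        # Enable is reported as ON, OFF or NOTSET.
        $epState = [string](Get-ProcessMitigation -System).SEHOP.Enable
    }

    # Windows 10 release id (for example 1709), to show which mechanism applies.
    $releaseId = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').ReleaseId

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        ReleaseId           = $releaseId
        RegistryValue       = if ($null -eq $regValue) { 'not set' } else { $regValue }
        RegistryCompliant   = ($regValue -eq 0)
        ExploitGuardSehop   = $epState
        ExploitGuardSehopOn = ($epState -eq 'ON')
    }
}

Get-SehopState | Format-List
```

A host where RegistryCompliant is False and ExploitGuardSehop is NOTSET has SEHOP configured by neither mechanism, which matches the finding reported in this issue.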