PingSentry   |   Blog   |   System32   |   GitHub   |   Free tools

Exploit Protection: system-level mitigation, Validate exception chains (SEHOP) must be on

3f0d630e-d744-450e-8e8a-6478118649fb

Exploit protection enables mitigations against potential threats at the system and application level. Several mitigations, including "Validate exception chains (SEHOP)", are enabled by default at the system level. SEHOP (structured exception handling overwrite protection) ensures the integrity of an exception chain during exception dispatch. If this is turned off, Windows may be subject to various exploits.

Remediation

Ensure Exploit Protection system-level mitigation, "Validate exception chains (SEHOP)", is turned on. The default configuration in Exploit Protection is "On by default" which meets this requirement.

Open "Windows Defender Security Center"
|_ Select "App & browser control".
|_ Select "Exploit protection settings".
|_ Under "System settings", configure "Validate exception chains (SEHOP)" to "On by default" or "Use default ()".

STIG:
https://www.stigviewer.com/stig/windows_server_2019/2020-06-15/finding/V-93317

NIST 800-53: SI-18
CSCv7: 8.3
Shared Assessments SIG 2022: P.10, P.10.3, P.10.3.1, P.10.3.2



Tags

stig-medium-desktop stig-medium-server nist800-53-desktop nist800-53-server desktop server sig-desktop sig-server