Lock Down Windows 10/11: Configure Exploit Protection (DEP/ASLR) Per-App

Lock Down Windows 10/11: Configure Exploit Protection (DEP/ASLR) Per-App​

Difficulty: Intermediate | Time Required: 20 minutes
Windows 10 and Windows 11 include a built-in hardening feature called Exploit protection. It lets you enforce (or relax) mitigations like DEP and ASLR on a per-application basis—useful when you want to lock down higher-risk apps (browsers, document viewers, launchers) without breaking older software system-wide.
This tutorial shows how to review your current settings and then configure DEP/ASLR per app using Windows Security. You’ll also learn what to do if an app starts crashing after you tighten protections.

---

Prerequisites​

• Windows 10 (1903+) or Windows 11 (any supported release).
  Exploit protection exists earlier, but the UI and behavior are most consistent on 1903+ and Windows 11.
• An account with Administrator rights (recommended).
• The full path to the app’s executable (.exe) you want to harden (optional but helpful).

Note: Exploit protection settings apply system-wide, but you can override them per app. That’s the safest way to experiment.

---

Step-by-step: Configure Exploit Protection (DEP/ASLR) per app​

Step 1) Open Exploit protection settings​

1. Press Start and type Windows Security, then open it.
2. Select App & browser control.
3. Scroll down and click Exploit protection settings.

You’ll see two sections:

• System settings (global defaults)
• Program settings (per-app overrides)

---

Step 2) Understand the mitigations we’re changing (quick primer)​

In Program settings, you can override specific protections. Two of the most common are:

• DEP (Data Execution Prevention)
  Helps prevent code from running in memory regions that should contain data only.
• ASLR (Address Space Layout Randomization)
  Randomizes memory locations to make exploitation harder.

You may also see options like:

• Force randomization for images (Mandatory ASLR)
• Randomize memory allocations (Bottom-up ASLR)

Tip: If you’re hardening an app you don’t fully trust, start with ASLR-related settings first. DEP is widely compatible, but some older/oddly-packaged apps can still react badly.

---

Step 3) Add the app you want to protect​

1. Under Program settings, click Add program to customize.
2. Choose one of:
   • Add by program name (e.g., app.exe)
   • Choose exact file path (recommended for accuracy)
3. If choosing exact path, browse to the executable, for example:
   • C:\Program Files\AppName\app.exe
   • C:\Program Files (x86)\AppName\app.exe
4. Click Open (or confirm the program name).

Windows will create a per-app entry you can edit.

Warning: “Add by program name” can match multiple copies of an executable name. If you have multiple versions (portable + installed), prefer exact file path.

---

Step 4) Configure DEP for that app​

1. Click the app entry you added in Program settings.
2. Click Edit.
3. Scroll until you find Data Execution Prevention (DEP).
4. Set it to:
   • On by default (uses system default), or
   • On (forces DEP for this app), or
   • Off (not recommended unless troubleshooting)

Recommended approach:

• Set DEP = On for higher-risk apps (browsers, PDF readers, mail clients).
• If an app misbehaves, revert to On by default first before turning it Off.

1. Click Apply.

Note (compatibility): Most modern apps and all major browsers should run fine with DEP enforced. Problems are more likely with very old software, custom launchers, or legacy plugins.

---

Step 5) Configure ASLR for that app (Bottom-up + Mandatory)​

ASLR-related settings may appear as separate toggles. Common ones include:

• Randomize memory allocations (Bottom-up ASLR)
• Force randomization for images (Mandatory ASLR)

To configure:

1. In the same Edit window for the app, find ASLR options.
2. For a stronger posture, try:
   • Bottom-up ASLR = On
   • Mandatory ASLR = On (more aggressive; can impact compatibility)
3. Click Apply.

Suggested starting point (balanced):

• Turn Bottom-up ASLR = On first.
• Turn Mandatory ASLR = On only if the app continues to run normally after testing.

Warning: Mandatory ASLR can break apps that load modules not built with modern relocation support. If an app starts failing to launch after enabling it, disable Mandatory ASLR for that app and retest.

---

Step 6) Test the app and confirm stability​

1. Close and reopen the target app.
2. Perform typical tasks (open files, sign in, run common workflows).
3. If the app is a background service or launcher, restart the PC to be sure everything loads cleanly.

Tip: Change one mitigation at a time, test, then move to the next. That makes it much easier to identify what caused an issue.

---

Step 7) Export your Exploit protection configuration (backup)​

Before you harden lots of apps, export your configuration so you can quickly restore it.

1. In Exploit protection settings, locate Export settings (usually near the bottom).
2. Save the .xml file somewhere safe (e.g., Documents, or a backup drive).

To restore later, use Import settings from the same page.

Note: This is especially useful if you’re experimenting across many apps and want a “known good” baseline.

---

Tips, best practices, and troubleshooting​

Tip: Target “high-risk” apps first​

Good candidates for per-app hardening include:

• Web browsers and browser-based apps
• PDF readers
• Email clients
• Office apps and document viewers
• Chat/voice apps that process links and attachments
• Game launchers and mod managers (often update frequently and handle external content)

Tip: Don’t over-tighten everything at once​

Exploit protection is powerful, but some mitigations are aggressive. Per-app tuning avoids the most common pitfall: system-wide breakage.

Troubleshooting: The app crashes or won’t launch​

If your app starts crashing after enabling DEP/ASLR:

1. Return to Windows Security → App & browser control → Exploit protection settings.
2. Under Program settings, select the app → Edit.
3. Revert changes in this order:
   1. Set Mandatory ASLR back to Off or On by default
   2. Set Bottom-up ASLR back to On by default
   3. Set DEP back to On by default (avoid turning DEP off unless necessary)
4. Click Apply, then retest.

Note: If the app is critical and you can’t get it stable, keep protections at On by default and consider updating/reinstalling the app. Modern builds are usually more compatible with ASLR/DEP.

Troubleshooting: Settings don’t seem to “stick”​

• Make sure you clicked Apply.
• If using Add by program name, switch to exact file path to avoid matching the wrong executable.
• Some apps auto-update and replace the executable in a new location. Re-check the path after major updates.

Best practice: Keep Windows and Defender up to date​

Exploit protection is one layer. You’ll get the best results when combined with:

• Current Windows updates
• Microsoft Defender (or another reputable AV)
• SmartScreen/Reputation-based protection (in Windows Security)

---

Conclusion​

Configuring Exploit protection per app is one of the best “built-in” ways to harden Windows 10/11 without installing extra security tools. By selectively enforcing DEP and ASLR on the programs most likely to encounter untrusted content, you reduce exploit reliability and raise the bar for attackers—while keeping compatibility manageable through per-app overrides and easy export/import backups.
Key Takeaways:

• Exploit protection lets you enforce DEP/ASLR per application, avoiding risky system-wide changes.
• Start with Bottom-up ASLR and DEP, then test before enabling Mandatory ASLR.
• If an app breaks, revert mitigations in a controlled order and keep an exported backup of your settings.

---

This tutorial was generated to help WindowsForum.com users get the most out of their Windows experience.