GRCWatch
Sign inStart free trial

CIS Control 10.5: Enable Anti-Exploitation Features

Anti-exploitation features are critical defenses that prevent attackers from exploiting memory vulnerabilities and executing arbitrary code on your systems. CIS Control 10.5 requires organizations to enable built-in protections like Data Execution Prevention (DEP), Windows Defender Exploit Guard, and Apple System Integrity Protection across enterprise assets. This control significantly reduces your attack surface and strengthens endpoint security posture.

What this means

CIS Control 10.5 requires enabling operating system and application-level exploit mitigation features to protect against code injection and memory-based attacks. These protections include Data Execution Prevention (DEP) on Windows systems, Windows Defender Exploit Guard (WDEG) for advanced threat prevention, and Apple System Integrity Protection (SIP) and Gatekeeper on macOS devices. When enabled, these features prevent malicious code execution, restrict unsigned application installation, and block exploitation techniques that bypass traditional security controls.

How to comply

  1. 1.Inventory all enterprise assets (Windows, macOS, Linux) and document current anti-exploitation feature status
  2. 2.Enable Data Execution Prevention (DEP) on Windows systems through Control Panel or Group Policy
  3. 3.Activate Windows Defender Exploit Guard (WDEG) and configure exploit protection rules on Windows 10/11
  4. 4.Enable System Integrity Protection (SIP) on macOS by restricting kernel extensions and code injection
  5. 5.Configure Gatekeeper on macOS to allow only signed applications to run
  6. 6.Test exploit protection configurations in your environment before full rollout
  7. 7.Document enabled features, configuration settings, and any exceptions by asset
  8. 8.Implement monitoring and alerting for exploit guard events and bypasses
  9. 9.Establish a quarterly review schedule to verify anti-exploitation features remain enabled

Evidence auditors look for

  • Windows Group Policy screenshots showing DEP and WDEG enforcement across domain-joined devices
  • Windows Defender Exploit Guard policy configuration reports with enabled protections
  • macOS System Preferences documentation showing System Integrity Protection status enabled
  • Gatekeeper configuration verification and signed application installation logs
  • Asset inventory spreadsheet with anti-exploitation feature status by device
  • Endpoint security tool reports confirming exploit protection policies are active
  • Change logs documenting when anti-exploitation features were enabled
  • Incident response logs showing blocked exploitation attempts

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates the inventory and continuous monitoring of anti-exploitation feature status across all Windows and macOS endpoints, generating audit-ready evidence for CIS 10.5 compliance without manual scripting.

See how GRCWatch handles this control automatically

Start free trial

Related controls

CIS Control 2.1 - Address Unauthorized SoftwareCIS Control 4.1 - Establish and Maintain a Secure Configuration Management ProcessCIS Control 10.1 - Deploy and Maintain Endpoint ProtectionCIS Control 10.2 - Configure Endpoint Protection Tools