EMET: Enhanced Mitigation Experience Toolkit

EMET is a free tool from Microsoft that applies exploit mitigations such as DEP, SEHOP, ASLR and several others to the applications you choose, so that a memory-corruption bug in one of them is much harder to turn into code execution. It works at a different layer from User Account Control: UAC limits what a process is allowed to do, while EMET hardens the process itself against being hijacked. It is used mainly to shield browsers, browser plugins, document readers and other software that is a known vector for infecting computers. When set up properly, it adds another level of protection to devices. Reference materials and downloads can be found here: https://support.microsoft.com/kb/2458544.

Risks

The first thing to understand is that there are risks to using EMET. In theory, a bad rule can make a computer unusable. EMET can also introduce application-compatibility problems, because some applications rely on behaviour that EMET prohibits (executing code from data pages, for example, which DEP blocks).

Fortunately, EMET rules are granular enough (per executable, per mitigation) that administrators can usually write a rule that still protects a device while allowing the application to run. The most important thing to remember when deploying EMET is to test your rules in a test environment before deploying them to production.
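During a pilot, the place where compatibility problems surface is EMET's own event log: a legitimate program that keeps tripping the same mitigation needs that one mitigation exempted for that one executable, not EMET switched off. The script below is an added example, not code from the original post, that summarises those events from a pilot machine. It assumes EMET logs to the Application log under the provider name "EMET" and that its messages read "EMET detected <mitigation> mitigation in <process>"; any message that does not match that assumed layout is kept verbatim rather than dropped.

```powershell
# Added example (not from the original post). Summarise EMET mitigation events from a pilot
# machine so that repeated hits on trusted applications stand out.
# Assumptions: provider name "EMET" in the Application log, and the message layout
# "EMET detected <mitigation> mitigation in <process>". Unparsed messages are kept as-is.

function Get-EmetMitigationSummary {
    param(
        [int]$Days = 7,
        [string]$ComputerName = $env:COMPUTERNAME   # a remote pilot machine needs event-log access over RPC
    )

    $filter = @{ LogName = 'Application'; ProviderName = 'EMET'; StartTime = (Get-Date).AddDays(-$Days) }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
    if (-not $events) {
        Write-Host "No EMET events on $ComputerName in the last $Days day(s)."
        return
    }

    # Assumed message layout; anything else is reported verbatim under "(unparsed)".
    $pattern = 'EMET detected (?<mitigation>\S+) mitigation.*?in (?<process>\S+)'
    $rows = foreach ($e in $events) {
        if ($e.Message -match $pattern) {
            [pscustomobject]@{ Time = $e.TimeCreated; Mitigation = $Matches.mitigation; Process = $Matches.process }
        } else {
            [pscustomobject]@{ Time = $e.TimeCreated; Mitigation = '(unparsed)'; Process = ($e.Message -split "`r?`n")[0] }
        }
    }

    # Rank process/mitigation pairs by how often they fired. Repeated hits on a trusted
    # application point to a compatibility rule to write; a one-off hit on a browser plugin
    # is exactly what EMET is there for.
    $rows | Group-Object Process, Mitigation | Sort-Object Count -Descending | ForEach-Object {
        [pscustomobject]@{
            Count      = $_.Count
            Process    = $_.Group[0].Process
            Mitigation = $_.Group[0].Mitigation
            LastSeen   = ($_.Group | Sort-Object Time -Descending)[0].Time
        }
    }
}

Get-EmetMitigationSummary -Days 7 | Format-Table -AutoSize
```

Once a problem pair is identified, untick only that mitigation for that executable in the Apps view (or in the Group Policy application settings), leave the rest of the protections in place, and re-run the pilot.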

Installation

Installation is straightforward. Download the installer from the link above. It is a plain MSI, so it can be deployed fairly easily with either a GPO or SCCM. An ADMX template is included with the install: install EMET on one machine, then look under Program Files for the EMET “Deployment” folder, where the ADMX (and its ADML language file) will be. Import these into Group Policy, ideally into the PolicyDefinitions central store in SYSVOL, and the EMET settings can be deployed to all machines. This gives administrators a central way of managing policies.

“Popular Software” Template

The installation of EMET comes with three built-in templates. We will focus on the “Popular Software” template, which includes rules for programs such as Internet Explorer, 7-Zip, Adobe Reader, Firefox, Chrome, and Office, pre-configured with Microsoft-recommended settings. To import it, open the EMET console and click “Import” in the ribbon. The dialog should open in the templates directory; select “Popular Software.xml” and import it. I also recommend setting “Data Execution Prevention” and “Structured Exception Handler Overwrite Protection” to “Always On”. This is the strongest system-wide setting: with Always On no application can opt out of DEP or SEHOP, whereas Opt In only covers programs that ask for it. One important note: setting DEP to Always On changes the boot configuration data (BCD) of the device. BitLocker treats that as a change to the boot environment, so if BitLocker is enabled you will be prompted for your recovery key on the next boot unless you suspend BitLocker before making the change.


I also have my “Quick Profile Name” set to “Maximum security settings”. This is optional, and probably not recommended for users who must make a lot of system changes or run software that requires system-level access.

Application Rules

To see the application rules, click the “Apps” button in the ribbon. This presents the list of applications being protected and the mitigations enabled for each. You can add applications here by clicking “Add Application” and navigating to the executable, and you can untick an individual mitigation for a single application when that one mitigation breaks it. I have personally added all SCCM processes and PowerShell to see what happens. As far as I can tell, these processes run fine when guarded by EMET.
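The installation, template and application-rule steps above can be strung together unattended for a pilot group or an SCCM package. The script below is an added example, not code from the original post or from Microsoft. It assumes the MSI has already been downloaded to the path in $MsiPath, that EMET 5.5 installs to the path in $EmetDir with its command-line tool EMET_Conf.exe and its templates under Deployment\Protection Profiles, that the domain has a PolicyDefinitions central store at the path in $CentralStore, and that the EMET_Conf flag syntax matches the EMET 5.x user guide (confirm with EMET_Conf --help on your build). The BitLocker step is the practical answer to the caveat in the template section: suspending protection for one reboot lets the TPM reseal to the changed BCD instead of prompting for the recovery key.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post or from Microsoft. Unattended EMET install and
# configuration following the post's steps. Assumptions (adjust for your environment): the MSI is
# already at $MsiPath, EMET 5.5 installs to $EmetDir, the CLI is EMET_Conf.exe, templates live
# under Deployment\Protection Profiles, the central store is at $CentralStore, and the EMET_Conf
# flag syntax is that of the EMET 5.x user guide.

$MsiPath      = 'C:\Temp\EMET Setup.msi'
$EmetDir      = 'C:\Program Files (x86)\EMET 5.5'
$CentralStore = '\\contoso.local\SYSVOL\contoso.local\Policies\PolicyDefinitions'
$ExtraApps    = @(                              # executables added on top of "Popular Software"
    'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe',
    'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
)

# 1. Silent install. msiexec exits 0 on success and 3010 when a reboot is still pending.
$msi = Start-Process -FilePath msiexec.exe -ArgumentList "/i `"$MsiPath`" /qn /norestart" -Wait -PassThru
if ($msi.ExitCode -notin 0, 3010) { throw "EMET install failed, msiexec exit code $($msi.ExitCode)" }
$conf = Join-Path $EmetDir 'EMET_Conf.exe'
if (-not (Test-Path $conf)) { throw "EMET_Conf.exe not found under $EmetDir; check the install path" }

# 2. Publish the ADMX (policy definitions) and ADML (display strings) to the central store so the
#    EMET settings appear in GPMC on every admin workstation, not only on this machine.
Get-ChildItem -Path (Join-Path $EmetDir 'Deployment') -Recurse -Include *.admx, *.adml | ForEach-Object {
    $dest = if ($_.Extension -eq '.adml') { Join-Path $CentralStore 'en-US' } else { $CentralStore }
    Copy-Item -Path $_.FullName -Destination $dest -Force
}

# 3. DEP=AlwaysOn rewrites the BCD, which BitLocker treats as a boot-environment change. Suspend
#    protection for one reboot so the TPM reseals instead of asking for the recovery key.
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    $bl = Get-BitLockerVolume -MountPoint 'C:'
    if ($bl.ProtectionStatus -eq 'On') { Suspend-BitLocker -MountPoint 'C:' -RebootCount 1 | Out-Null }
}

# 4. Import the "Popular Software" profile, then apply the system-wide settings from the post
#    (DEP and SEHOP Always On; ASLR left at its default of Application Opt In).
& $conf --import (Join-Path $EmetDir 'Deployment\Protection Profiles\Popular Software.xml')
& $conf --system DEP=AlwaysOn SEHOP=AlwaysOn ASLR=ApplicationOptIn

# 5. Add further executables with the default mitigation set, as "Add Application" does in the GUI.
foreach ($app in $ExtraApps) {
    if (Test-Path $app) { & $conf --set $app } else { Write-Warning "Skipping missing executable $app" }
}

# 6. Verify: list the protected applications, and confirm the boot setting (expect "nx AlwaysOn").
& $conf --list
bcdedit /enum '{current}' | Select-String -Pattern '^\s*nx\s'
```

The system-wide settings only take effect after a reboot, which is also when the suspended BitLocker protection resumes. Run the script on a pilot machine first and review EMET's event log before rolling the same settings out through Group Policy.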

Group Policy Configuration

By using Group Policy, administrators can control the EMET policies centrally for all devices. Options can be set to automatically enable DEP, SEHOP, and ASLR, and application settings can be specified here as well. This ensures that all devices run exactly the same configuration.

Summary

EMET is a great tool for adding another level of security to your devices. Like anything, though, test it carefully before deploying it to all devices. Note that Microsoft ended support for EMET on July 31, 2018; on Windows 10 and later the same class of mitigations is built in as Exploit Protection, and the ConvertTo-ProcessMitigationPolicy cmdlet converts an EMET XML profile into the Exploit Protection format, so the rules you build and test here carry forward.

Disclaimer

All content provided on this blog is for information purposes only. Windows Management Experts, Inc makes no representation as to the accuracy or completeness of any information on this site. Windows Management Experts, Inc will not be liable for any errors or omissions in this information nor for the availability of this information. It is highly recommended that you consult one of our technical consultants, should you need any further assistance.
