EMET: Enhanced Mitigation Experience Toolkit

EMET is a product from Microsoft that further restricts access to system-level files, folders, and processes. It is like a step above User Account Control (UAC). It can be used to restrict access and keep a computer safe. Users primarily use it to mitigate risks associated with browser plugins, which are known vectors for infecting computers. When set up properly, it adds another layer of protection to devices. Reference materials and downloads can be found here: https://support.microsoft.com/kb/2458544.

Risks

The first thing to understand is that there are risks to using EMET. Theoretically, you can make a computer unusable if you implement a bad rule. Using EMET can also produce application-compatibility problems, because some applications rely on behavior that EMET prohibits.

Fortunately, EMET rules can be created with such granularity that administrators can usually write a rule that protects a device while still allowing applications to run. The most important thing to remember when deploying EMET is to test your rules in a test environment before deploying them to production.

Installation

Installation is pretty straightforward. You can download the installer from the link above. It is a simple MSI, so it can be deployed fairly easily with either a GPO or SCCM. An ADMX template is included with the install: install EMET on a machine, then look in Program Files for a “Deployment” folder; the ADMX template is in there. It can be imported into Group Policy and deployed to all machines, which gives administrators a central way of managing policies.
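The installation and ADMX steps above, scripted as an added PowerShell example (not code from the original post or from Microsoft). It installs the MSI silently with a verbose log, finds the “Deployment” folder under Program Files by searching for the ADMX rather than hard-coding a version path, and copies the ADMX/ADML pair into the Group Policy central store. The MSI path and the central-store UNC path are placeholders you must replace; run it as an administrator.

```powershell
# Added example (not from the original post): silent EMET install plus
# publishing the bundled ADMX/ADML template to the Group Policy central store.
# Assumptions: $MsiPath and $CentralStore are placeholders for your environment.
param(
    [string]$MsiPath      = 'C:\Deploy\EMET Setup.msi',   # assumed location of the downloaded MSI
    [string]$CentralStore = '\\example.local\SYSVOL\example.local\Policies\PolicyDefinitions'  # assumed central store
)

$logPath = Join-Path $env:TEMP 'EMET-install.log'

# 1. Install quietly, with a verbose MSI log so a failed pilot install can be diagnosed.
$msiArgs = @('/i', "`"$MsiPath`"", '/qn', '/norestart', "/l*v `"$logPath`"")
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
if ($proc.ExitCode -notin 0, 3010) {   # 3010 = success, reboot required
    throw "EMET install failed with msiexec exit code $($proc.ExitCode); see $logPath"
}

# 2. Locate the Deployment folder the installer creates under Program Files
#    (32- or 64-bit) by looking for a folder of that name that contains an ADMX.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$deployDir = Get-ChildItem -Path $roots -Directory -Recurse -Depth 2 -ErrorAction SilentlyContinue |
             Where-Object { $_.Name -eq 'Deployment' -and (Get-ChildItem $_.FullName -Recurse -Filter '*.admx') } |
             Select-Object -First 1
if (-not $deployDir) { throw 'EMET Deployment folder containing an ADMX template was not found' }

# 3. Copy the ADMX and its language file (ADML) into the central store so the
#    EMET policy settings appear in GPMC for every administrator in the domain.
$admx = Get-ChildItem $deployDir.FullName -Recurse -Filter '*.admx'
$adml = Get-ChildItem $deployDir.FullName -Recurse -Filter '*.adml'
$langDir = Join-Path $CentralStore 'en-US'      # assumes an en-US ADML; adjust for other locales
New-Item -ItemType Directory -Path $langDir -Force | Out-Null
Copy-Item $admx.FullName -Destination $CentralStore -Force
Copy-Item $adml.FullName -Destination $langDir -Force
Write-Host "Installed EMET and published $($admx.Name) to $CentralStore"
```

Deploying the same MSI through a GPO software-installation policy or an SCCM application uses the identical silent switches, so the log path is worth keeping in whichever tool you choose.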

“Popular Software” Template

The installation of EMET comes with three built-in templates. We will focus on the “Popular Software” template. This template includes rules for programs such as Internet Explorer, 7-Zip, Adobe Reader, Firefox, Chrome, and Office, and it is pre-configured with Microsoft-recommended settings. To import it, open the EMET console and click “Import” in the ribbon. It should open to the templates directory. Select “Popular Software.xml” and import it. I also recommend setting “Data Execution Prevention” (DEP) and “Structured Exception Handler Overwrite Protection” (SEHOP) to “Always On”. This provides the maximum amount of protection for your device. One important note: activating DEP changes the boot configuration for your device. If you have BitLocker enabled, you will have to input your BitLocker key.

I also have my “Quick Profile Name” set to “Maximum security settings”. This is optional, and probably not recommended for users who must make a lot of system changes or run software that requires system-level access.
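Because the DEP change rewrites the boot configuration and can trigger the BitLocker prompt, here is an added PowerShell example (not from the original post) that performs that pre-flight check and then imports the “Popular Software” template from the command line. It reads the current system-wide DEP value from the BCD, warns if BitLocker protects the system drive, and locates EMET_Conf.exe and the template by name under the install directory. Assumptions: EMET is already installed; the `--import` switch of EMET_Conf.exe is as documented in the EMET User’s Guide; the BitLocker cmdlets are available (Windows 8 / Server 2012 or later).

```powershell
# Added example (not from the original post): pre-flight checks before setting
# DEP/SEHOP to "Always On", followed by importing the "Popular Software" template.
# Assumptions: EMET installed under Program Files; EMET_Conf.exe --import per the
# EMET User's Guide; Get-BitLockerVolume available. Run as an administrator.

function Get-DepBootSetting {
    # System-wide DEP is the "nx" element of the running OS entry in the BCD.
    # Possible values: OptIn, OptOut, AlwaysOn, AlwaysOff. When the element is
    # absent, Windows client editions default to OptIn.
    $nx = 'OptIn'
    foreach ($line in (bcdedit /enum '{current}')) {
        if ($line -match '^\s*nx\s+(\S+)\s*$') { $nx = $Matches[1] }
    }
    return $nx
}

function Test-BitLockerOnSystemDrive {
    # A BCD change while BitLocker protects the OS volume causes the recovery
    # prompt at next boot, which is the situation the post warns about.
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
        return ($vol.ProtectionStatus -eq 'On')
    }
    Write-Warning 'BitLocker cmdlets unavailable; check "manage-bde -status" manually'
    return $false
}

function Import-EmetTemplate {
    param([string]$TemplateName = 'Popular Software.xml')

    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    $emetConf = Get-ChildItem -Path $roots -Recurse -Depth 1 -Filter 'EMET_Conf.exe' -ErrorAction SilentlyContinue |
                Select-Object -First 1
    if (-not $emetConf) { throw 'EMET_Conf.exe not found; is EMET installed?' }

    # Search for the template by file name instead of hard-coding the folder.
    $template = Get-ChildItem -Path $emetConf.DirectoryName -Recurse -Filter $TemplateName -ErrorAction SilentlyContinue |
                Select-Object -First 1
    if (-not $template) { throw "$TemplateName not found under $($emetConf.DirectoryName)" }

    & $emetConf.FullName --import $template.FullName
    if ($LASTEXITCODE -ne 0) { throw "EMET_Conf --import failed with exit code $LASTEXITCODE" }
}

# --- pre-flight report, then import ---
$dep = Get-DepBootSetting
Write-Host "Current system-wide DEP (BCD nx) setting: $dep"
if ($dep -ne 'AlwaysOn') {
    Write-Host 'Setting DEP to "Always On" in the EMET console will rewrite the BCD.'
    if (Test-BitLockerOnSystemDrive) {
        Write-Warning "BitLocker is ON for $env:SystemDrive; have the recovery key at hand before changing DEP."
    }
}
Import-EmetTemplate
```

Run the pre-flight part on a pilot machine first: if it reports `OptIn` with BitLocker on, schedule the DEP change for a maintenance window where the recovery key is available.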

Application Rules

To see the application rules, click the “Apps” button in the ribbon. This presents the list of applications that are being protected. You can add applications here by clicking “Add Application” and navigating to the executable. I have personally added all SCCM processes and PowerShell to see what happens. As far as I can tell, these processes run fine when guarded by EMET.
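“Runs fine” is easier to defend with evidence from the pilot machine’s event log. The following added PowerShell example (not from the original post) summarises EMET events from the Application log for the last few days, groups them by the process named in each message, and flags any event for the processes you added by hand. Assumptions: EMET writes to the Application log under the provider name “EMET” (the source shown in Event Viewer); the watched names (ccmexec.exe for the SCCM client, powershell.exe) are illustrative; the regex that extracts the executable name is a generic `*.exe` match, not a parser of EMET’s exact message format.

```powershell
# Added example (not from the original post): summarise EMET mitigation events
# on a pilot machine so a rule that fires silently is noticed before rollout.
# Assumptions: provider name "EMET" in the Application log; watched process
# names are illustrative; "*.exe" extraction is a generic match on the message.
param(
    [int]$Days = 7,
    [string[]]$Watch = @('ccmexec.exe', 'powershell.exe')
)

function Get-EmetEventSummary {
    param([int]$Days)

    $filter = @{ LogName = 'Application'; ProviderName = 'EMET'; StartTime = (Get-Date).AddDays(-$Days) }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    # Pull the executable name out of each message so events can be grouped
    # by the application the rule applied to.
    $rows = foreach ($e in $events) {
        $proc = if ($e.Message -match '([\w\-]+\.exe)') { $Matches[1].ToLower() } else { 'unknown' }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Id      = $e.Id
            Process = $proc
            Summary = ($e.Message -split "`r?`n")[0]   # first line of the message only
        }
    }
    return $rows
}

$rows = @(Get-EmetEventSummary -Days $Days)
if ($rows.Count -eq 0) {
    Write-Host "No EMET events in the last $Days day(s)."
    exit 0
}

# Per-process counts, most active first.
$rows | Group-Object Process | Sort-Object Count -Descending |
    Select-Object @{ n = 'Process'; e = { $_.Name } }, Count | Format-Table -AutoSize

# Any event for a watched process means a mitigation fired for an application
# you added yourself; that rule (or the application) needs review before production.
$hits = @($rows | Where-Object { $Watch -contains $_.Process })
foreach ($h in $hits) {
    Write-Warning ("{0:u} {1} event {2}: {3}" -f $h.Time, $h.Process, $h.Id, $h.Summary)
}
if ($hits.Count -gt 0) { exit 1 }
```

The non-zero exit code lets the script act as a gate in a pilot: run it on each test machine at the end of the test period and hold the production deployment if any watched process produced events.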

Group Policy Configuration

By using Group Policy, administrators can control the EMET policies centrally across all devices. Options can be set to automatically enable DEP, SEHOP, and ASLR. Application settings can also be specified here. This ensures that all devices are running exactly the same configuration.

Summary

EMET is a great tool for adding another level of security to your devices. Like anything though, test it carefully before deploying to all devices.

Disclaimer

All content provided on this blog is for information purposes only. Windows Management Experts, Inc makes no representation as to the accuracy or completeness of any information on this site. Windows Management Experts, Inc will not be liable for any errors or omissions in this information nor for the availability of this information. It is highly recommended that you consult one of our technical consultants, should you need any further assistance.

Matt Tinney

Professional IT executive & business leader having decades of experience with Microsoft technologies delivering modern-day cloud & security solutions.
