Beefing up Windows End Station Security with EMET
After my post last week on things a System Administrator can do to protect against zero days in your browser, operating systems and applications, one of the biggies for Windows is to deploy EMET - Microsoft's Enhanced Mitigation Experience Toolkit. EMET implements advanced security controls that are not native to the operating system. Using EMET, you can take advantage of security features from Windows 8, even if you are running Windows 7 or even to some extent on XPSP3. Or you can beef up what's in Windows 8 with features that aren't anywhere but in EMET yet.
I've been running EMET for some time on my "production" laptop, and haven't had it cause an issue - ever. However, I don't run any "corporate applications", and lots of the dedicated security tools I use are either in VMs or are deployed on different machines. In a corporate environment, I'd still suggest that EMET is a great way to go, but you'll want to test this tool on a small but representative user group, then deply in stages. If you've got a reasonably complex environment with apps that have been around since the 90's, then you are like most shops, and you can expect EMET to break things here or there - you'll really want to test this thoroughly before you roll it out en masse.
But there's the rub - how do you deploy EMET to a 20. 200, 2,000 or 20,000 desk environment, without going to every desk?
And once it's there, how do you manage settings?
A really simple deploy can be done from the login script. Something like works in lots of cases:
if exist "C:\Program Files (x86)\EMET 4.1\EMET_GUI.exe" goto EMETISOK
msiexec /i "\\uncpath\EMET Setup.msi" /qn /norestart
:EMETISOK
This assumes you're allowing users to install applications (which I'm hoping you don't do!)
At the other end of the spectrum, Microsoft documents rolling EMET out using SCCM in the EMET User's Guide.
However, if you want something between these two extremes - something more reliable than the login script, but you don't have SCCM in your environment, Carlos Perez has a great "How to deploy EMET using WSUS" doc, found here:
http://www.darkoperator.com/blog/2013/8/28/deploying-emet-40-in-small-to-medium-environments-using-wsus.html
OK, now it's installed, how do you manage all the dials and knobs that make up the dozens of options within EMET?
You can go a long way down this road with Group Policy. There are two files you need - EMET.adml and EMET.admx, located in the EMET directory: Deployment\Group Policy Files. On the host you'll be building your Group Policies (usually on one or more of your Domain Controllers) copy EMET.adml to \Windows\PolicyDefinitions\en-US. Copy EMET.admx to \Windows\PolicyDefinitions. Once this is done, you'll have access to many of the EMET settings in Group Policy.
Computer Settings:


And User Settings:

You can also manage EMET from the CLI - you can export your EMET settings to an XML file once it's tuned (Microsoft includes 3 XML files with the tool), and you can import settings stored in XML from the CLI. If you have a group of stations or users with settings that are complex enough that Group Policy won't do the trick for you, you can can work out procedures using XML files for these users, either using a login script or a centralized script that might use psexec from Microsoft's sysinternals.
This is a really high level description of how you'd deploy EMET in a typical Windows shop. Where I've done this, it really has been this simple - this is one of those tools that just works. But if you've found a "gotcha", or a slick way of getting someting done in EMET, please add to the conversation in our comment form.
===============
Rob VandenBrink
Metafore
 
              
Comments
Tests have shown that both XP and Vista are able to parse all involved certificates. Also, processing SHA256 based digital signatures seems to work. However, either XP and Vista do not support SHA256 signed timestamps, or have problems with some other change in Authenticode structures.
Note that this issue is not restricted to EMET, Microsoft is gradually abandoning SHA-1.
Anonymous
May 12th 2014
1 decade ago
It was causing app crashes with no logs and no evidence that it was the culprit but disabling it or disabling most of its protections (like DeepHooks) fixed the issues.
Anonymous
May 12th 2014
1 decade ago
Interesting enough, we did run into issues during testing with some apps crashing. This just required finding the offending mitigation and disabling it.
Overall great tool.
And by the way, we followed a very similar approach to what is recommended here, such as pilot groups...
Anonymous
May 12th 2014
1 decade ago
http://blogs.technet.com/b/kfalde/archive/2014/04/30/configuring-emet-via-gpo-gpp-w-o-using-the-admx-files.aspx
2) Another thing to note for deployment is that EMET has an "Audit Only" option. This allows for deploying EMET without potentially causing unforeseen application crashes and angry users, and allows IT to monitor event logs in order to get a more realistic view of the impact of EMET on users and to fine-tune the settings for applications prior to switching the mode to "Stop On Exploit". (In the GPO, this is under "Default Action and Mitigation Settings").
Anonymous
May 12th 2014
1 decade ago
Anonymous
May 13th 2014
1 decade ago
Could you please let me know whether there is any impact of EMET 4.1 on windows xp SP3 workstations.whether all the setting pushed through EMEt GPO will be inherit by EMEt client.Also what are the negative impact of EMEt 4.1 on Windows xp SP3 workstations.
Anonymous
May 13th 2014
1 decade ago
Anonymous
May 13th 2014
1 decade ago
Can you add EMET as an exclusion to the AV suite?
Anonymous
May 13th 2014
1 decade ago
I've never heard of ERS. I wonder if they mean SSRS (SQL Server Reporting Services)?
In any case, EMET events would usually be logged to the Application eventlog with eventsource=EMET. So, one could use SCOM/SCE or other eventlog tool to capture these event for alerts and/or reporting.
Since it was a pilot, it might be they chose to use LogParser (http://technet.microsoft.com/en-us/scriptcenter/dd919274.aspx) to read the events, store them in a SQL DB, and then use SSRS for the reporting. Just a guess.
Anonymous
May 13th 2014
1 decade ago
Anonymous
May 13th 2014
1 decade ago