If you read the computer security news feeds, you’ve probably heard about the recent Java 7 and IE 6-9 exploits. The problem is that these exploits are discovered before there are any patches or reasonable workarounds for them. Fortunately, there is something that can be done to provide some additional protection that doesn’t involve an anti-virus company. Earlier this year, Microsoft released the Enhanced Mitigation Experience Toolkit (or EMET) version 3. The goal of EMET is to make exploitation of Windows applications difficult or impossible using the common attack techniques we see today. It’s not a silver bullet and won’t protect against every type of attack. But it does add additional layers of protection to your system by enforcing DEP, ASLR, Heap Spray Protection and more.
Standalone Installation
The EMET installation is just an MSI file, so go download it from Microsoft to get started. Before EMET can do anything, you have to tell it which applications to protect. If you don’t configure it, EMET won’t do anything. After EMET is installed, go to Start -> Programs -> Enhanced Mitigation Experience Toolkit -> EMET 3.0. In EMET, click on the Configure Apps button in the lower left-hand corner.
EMET 3 Configure Apps
The Application Configuration window should now be displayed. You can manually add and remove applications with the Add and Remove buttons, but there is an easier way. Microsoft has provided configurations for most common applications like IE, Java, Adobe Reader, Firefox, WinZip, Office, and more. These configurations are contained in 3 XML files (All, IE, or Office) within the EMET installation folder. To apply these settings go to File-> Import from the Application Configuration window. Navigate to the following location:
C:\Program Files (x86)\EMET\Deployment\Protection Profiles
To apply one of the configurations, select one of the XML files.
EMET Protection Profiles
Some programs might need to be restarted before they are protected by EMET.
Enterprise Installation
The good news is that EMET is pretty easy to deploy and manage in an enterprise environment. Because EMET is just one MSI file, it is easily handled by any software deployment mechanism.
Management is handled through the use of ADMX templates. These can be found in the “EMET\Deployment\Group Policy Files” folder of the EMET installation. Once they are imported into AD, EMET configuration is found in Computer Policy -> Policies -> Administrative Templates -> Windows Components -> EMET.
EMET Group Policy
From the Group Policy template, you can enable the same protections that were available with the 3 XML files. The “Application Settings” option allows you to add custom applications.
After the Group Policy is applied to a machine, the EMET configuration might need to be refreshed to pick up the new configuration. This is done with the command line tool EMET_conf.exe with the –refresh option.
EMET_Conf –refresh
Conclusion
I’m actually pretty excited about EMET v3. It’s a low resource, low impact tool that provides additional layers of protection against newly found and 0-day exploits.