Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Beefing up Windows End Station Security with EMET - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Beefing up Windows End Station Security with EMET

After my post last week on things a System Administrator can do to protect against zero days in your browser, operating systems and applications, one of the biggies for Windows is to deploy EMET - Microsoft's Enhanced Mitigation Experience Toolkit.  EMET implements advanced security controls that are not native to the operating system.  Using EMET, you can take advantage of security features from Windows 8, even if you are running Windows 7 or even to some extent on XPSP3.  Or you can beef up what's in Windows 8 with features that aren't anywhere but in EMET yet.

I've been running EMET for some time on my "production" laptop, and haven't had it cause an issue - ever.  However, I don't run any "corporate applications", and lots of the dedicated security tools I use are either in VMs or are deployed on different machines.  In a corporate environment, I'd still suggest that EMET is a great way to go, but you'll want to test this tool on a small but representative user group, then deply in stages.  If you've got a reasonably complex environment with apps that have been around since the 90's, then you are like most shops, and you can expect EMET to break things here or there - you'll really want to test this thoroughly before you roll it out en masse.

But there's the rub - how do you deploy EMET to a 20. 200, 2,000 or 20,000 desk environment, without going to every desk?  

And once it's there, how do you manage settings?

A really simple deploy can be done from the login script.  Something like works in lots of cases:

if exist "C:\Program Files (x86)\EMET 4.1\EMET_GUI.exe" goto EMETISOK
msiexec /i "\\uncpath\EMET Setup.msi" /qn /norestart
:EMETISOK

This assumes you're allowing users to install applications (which I'm hoping you don't do!)

At the other end of the spectrum, Microsoft documents rolling EMET out using SCCM in the EMET User's Guide.

However, if you want something between these two extremes - something more reliable than the login script, but you don't have SCCM in your environment, Carlos Perez has a great "How to deploy EMET using WSUS" doc, found here:
http://www.darkoperator.com/blog/2013/8/28/deploying-emet-40-in-small-to-medium-environments-using-wsus.html

OK, now it's installed, how do you manage all the dials and knobs that make up the dozens of options within EMET? 

You can go a long way down this road with Group Policy.  There are two files you need - EMET.adml and EMET.admx, located in the EMET directory: Deployment\Group Policy Files.  On the host you'll be building your Group Policies (usually on one or more of your Domain Controllers) copy EMET.adml to \Windows\PolicyDefinitions\en-US.  Copy EMET.admx to \Windows\PolicyDefinitions.  Once this is done, you'll have access to many of the EMET settings in Group Policy.

Computer Settings:

 

And User Settings:

You can also manage EMET from the CLI - you can export your EMET settings to an XML file once it's tuned (Microsoft includes 3 XML files with the tool), and you can import settings stored in  XML from the CLI.  If you have a group of stations or users with settings that are complex enough that Group Policy won't do the trick for you, you can can work out procedures using XML files for these users, either using a login script or a centralized script that might use psexec from Microsoft's sysinternals.

This is a really high level description of how you'd deploy EMET in a typical Windows shop.  Where I've done this, it really has been this simple - this is one of those tools that just works.  But if you've found a "gotcha", or a slick way of getting someting done in EMET, please add to the conversation in our comment form.

===============
Rob VandenBrink
Metafore

Rob VandenBrink

516 Posts
ISC Handler
XP and Vista cannot reliably validate Authenticode signatures of recent EMET distributions and installed executables. Symptoms are "missing signature timestamps" or simply "bad signature". Windows 7 (both 32 and 64) have no such problems.

Tests have shown that both XP and Vista are able to parse all involved certificates. Also, processing SHA256 based digital signatures seems to work. However, either XP and Vista do not support SHA256 signed timestamps, or have problems with some other change in Authenticode structures.

Note that this issue is not restricted to EMET, Microsoft is gradually abandoning SHA-1.
Erik van Straten

122 Posts
Using EMET on my system broke my apps enough times that I had to disable it for IE, Firefox, and Adobe Reader.
It was causing app crashes with no logs and no evidence that it was the culprit but disabling it or disabling most of its protections (like DeepHooks) fixed the issues.
Jasey

93 Posts
I actually deployed in a corporate environment to over 1000 machines and had no problems.
Interesting enough, we did run into issues during testing with some apps crashing. This just required finding the offending mitigation and disabling it.
Overall great tool.
And by the way, we followed a very similar approach to what is recommended here, such as pilot groups...
Jasey
4 Posts
1) This article might be helpful when trying to decide whether to use GPO or XML export/import for deployment:
http://blogs.technet.com/b/kfalde/archive/2014/04/30/configuring-emet-via-gpo-gpp-w-o-using-the-admx-files.aspx

2) Another thing to note for deployment is that EMET has an "Audit Only" option. This allows for deploying EMET without potentially causing unforeseen application crashes and angry users, and allows IT to monitor event logs in order to get a more realistic view of the impact of EMET on users and to fine-tune the settings for applications prior to switching the mode to "Stop On Exploit". (In the GPO, this is under "Default Action and Mitigation Settings").
T

31 Posts
Thank you for this post! I started using EMET at home a couple weeks ago with default settings and no issues. I asked our Microsoft premier support rep if he had any good info on deploying EMET in an enterprise and he gave me a PDF describing their 8-week engagement to deploy it (to a pilot group) and also setup Enterprise Reporting Service (to have a centralized reporting dashboard). Has anyone heard of or used this ERS?
KeizerBill

5 Posts
Hi All,
Could you please let me know whether there is any impact of EMET 4.1 on windows xp SP3 workstations.whether all the setting pushed through EMEt GPO will be inherit by EMEt client.Also what are the negative impact of EMEt 4.1 on Windows xp SP3 workstations.
KeizerBill
1 Posts
I'm still debating things on our end... I have to disable a large chunk (not all) of the protections on IE and all the Office components or our AV security suite kills them because it detects EMET's hooks and decides that these programs are being tampered with.
Eric

12 Posts
Quoting Eric:I'm still debating things on our end... I have to disable a large chunk (not all) of the protections on IE and all the Office components or our AV security suite kills them because it detects EMET's hooks and decides that these programs are being tampered with.


Can you add EMET as an exclusion to the AV suite?
T

31 Posts
Quoting KeizerBill:Thank you for this post! I started using EMET at home a couple weeks ago with default settings and no issues. I asked our Microsoft premier support rep if he had any good info on deploying EMET in an enterprise and he gave me a PDF describing their 8-week engagement to deploy it (to a pilot group) and also setup Enterprise Reporting Service (to have a centralized reporting dashboard). Has anyone heard of or used this ERS?


I've never heard of ERS. I wonder if they mean SSRS (SQL Server Reporting Services)?

In any case, EMET events would usually be logged to the Application eventlog with eventsource=EMET. So, one could use SCOM/SCE or other eventlog tool to capture these event for alerts and/or reporting.

Since it was a pilot, it might be they chose to use LogParser (http://technet.microsoft.com/en-us/scriptcenter/dd919274.aspx) to read the events, store them in a SQL DB, and then use SSRS for the reporting. Just a guess.
T

31 Posts
They could mean Microsoft Dynamics - which would report to a dash.
MarkZ

4 Posts
MS and CIS recommend using EMET for Server 2012 hardening. Does anyone have any experience and/or thoughts surrounding installing it in a server environment? This would be for servers that have internet access.

Thanks!
MarkZ
1 Posts

Sign Up for Free or Log In to start participating in the conversation!