Friday, August 14, 2015

EMET and You

So first thing’s first. A little explanation of the Enhanced Mitigation Experience Toolkit (EMET) from Microsoft straight from their website:

What is the Enhanced Mitigation Experience Toolkit?
The Enhanced Mitigation Experience Toolkit (EMET) is a utility that helps prevent vulnerabilities in software from being successfully exploited. EMET achieves this goal by using security mitigation technologies. These technologies function as special protections and obstacles that an exploit author must defeat to exploit software vulnerabilities. These security mitigation technologies do not guarantee that vulnerabilities cannot be exploited. However, they work to make exploitation as difficult as possible to perform.

EMET also provides a configurable SSL/TLS certificate pinning feature that is called Certificate Trust. This feature is intended to detect (and stop, with EMET 5.0) man-in-the-middle attacks that are leveraging the public key infrastructure (PKI).


EMET is free, it’s a great tool from Microsoft, and you can go the manual route for installation, or head over to the TrustedSec blog for a post on how to automate it: https://www.trustedsec.com/november-2014/emet-5-1-installation-guide/


A great team member and friend of mine worked closely with me when implementing this technology across approximately 1,500 end devices including Windows 2008 and above, and Windows XP and above. Due to the sensitive nature of our applications, many of which were not stable or secure builds, we opted to perform the installs on our server platforms manually. We worked through a list of about 300 servers performing anywhere from 5-10 installs daily. As we were going through a PC refresh and upgrading everything to Windows 7 at the time we decided to install EMET on our base images after having our application team test the end user software.

From our experiences we encountered few issues, which were easily solved by adding exceptions into our Group Policy.





Here is a list of some of the issues that we had encountered. While obviously not a comprehensive one, it will give you an idea of some of the more common pieces of software that we had seen issues with.


  • EMET with EAF battles Adobe Reader (All versions)
  • There is a known issue with EMET’s caller mitigation in Chromium since v34 (http://www.chromium.org/Home/chromium-security/chromium-and-emet).  Microsoft and the devs both say that there is no benefit to leaving EMET Caller mitigation turned on for chrome.exe.  They also recommend turning off SEHOP mitigation for chrome.
  • Msaccess.exe has to be allowed in both DEP and Caller.
  • Photoshop.exe has to be allowed in DEP.


With this tool the benefits greatly outweigh the administrative overhead. With a well thought out deployment and the Group Policy to control it. EMET is the icing on your security cake.