EMET Security Tool

EMET - The Hidden Gem in Security Tools

Microsoft's Enhanced Mitigation Experience Toolkit, or EMET, is a free security tool that has been around for some time, but outside of a few circles, it hasn't received the attention it deserves. Microsoft recently released version 5.0 of this tool, so it's a great time to get acquainted if you are unfamiliar.

Understanding EMET and Its Functionality

EMET is a system tool from Microsoft that helps prevent vulnerabilities in software from being exploited.

As Microsoft Windows has matured through XP, Vista, 7, and 8, many security enhancements have been added to the underlying operating system, such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). ASLR randomly arranges the positions of key data areas of a program in memory, making it hard to know the memory position of an exploited function. DEP prevents code from being executed from a memory location that has been designated for data only.

Role of EMET with Legacy Applications

Many older applications don't take advantage of these enhancements unless they are rewritten to do so. EMET forces applications to use the built in security mechanisms in the OS, even if that application wasn't written to use these enhancements.

A Step-by-Step Guide to Configuring EMET

When you install EMET, there is a configuration wizard. Accept the recommended settings:

Emet-1

Out of the box, EMET will help protect popular applications from Microsoft (Internet Explorer, Microsoft Office, etc.), as well as Adobe (Reader and Flash), and Oracle (Java) - without you having to configure anything!

On EMET's main screen, a list of all running processes will show you which ones are protected by EMET. You can also toggle global settings. By default, DEP, ASLR, and SEHOP are"Opt In". These can be set to Disabled, Application Opt In, Application Opt Out, and Always On. 10-D Security recommends experimenting with these settings in your environment. You will likely find that"Opt In" for DEP, SEHOP and ASLR will work best.

Emet-2

Adding Popular Software to EMET

When configuring EMET, Microsoft provides a profile that includes other popular software such as Firefox and iTunes (and more!), and we recommend you use it. You can add these applications by clicking Import and selecting"Popular Software". You will need to restart your machine for the changes to take effect.

Emet-3

Addressing Application Compatibility with EMET

EMET should work with most applications, but be aware that some won't work without tweaking, and some may not work at all. When you manually add an application, EMET will automatically add all protections for that application, and this is where you may run into issues. For example, the first time I ran Google Chrome after adding it to EMET, Chrome griped that it"can't run shockwave flash plugin". Some quick Internet searching led to a post describing that SEHOP may need to be disabled for Chrome to work properly. Your mileage may vary.

Emet-4

Enhanced Security with EMET: Certificate Trust Pinning

Beginning in version 4.1 of EMET is Certificate Trust Pinning, which can help mitigate man-in-the-middle attacks that take advantage of revoked certificates. This EMET feature only applies to users of Internet Explorer.

Interacting with EMET: User Experience

EMET is generally unobtrusive, and only makes itself known if there is an issue.

When EMET detects a process attempting to operate outside of normal boundries, it will terminate that process, pop up an alert, and create an event log entry.

Emet-5