Small Business Susan

EMET part two – setting up the group policy files

So we’ve installed EMET on one computer.  We then take the EMET files from the following subdirectory

And we place them in the following directory up on our server


The EMET.admx file goes in the c:\Windows\PolicyDefinitions folder.



The EMET.adml file goes in c:\windows\policydefinitions\en-us.



Now we go into the Group Policy console and find our EMET settings.


Launch Group Policy Management.  Go to the top of the group policy structure, right-click the domain name and click “Create a GPO in this domain, and link it here”.  Call the GPO EMET so you know what it is.  Click OK.  Right-click the new EMET GPO in your group policy listing and click Edit.


Drill down under Computer Configuration.

On my setup at home I specifically added the iexplore.exe application to EMET protection.



System wide I opted into DEP, SEHOP and ASLR.



So let’s see if we can do likewise via group policy.


The first group policy setting is ASLR.


Let’s set it to enabled and application opt in.



Let’s skip over the application settings for a moment and hop over to DEP.


Let’s set that to DEP always on.



Let’s hop over to SEHOP.



Let’s set that to application opt out.


Now let’s choose the default protection for Internet Explorer.



Now the next step is to deploy the EMET package to all the workstations you want covered by this.


Because it’s an MSI download, you can follow this guide: http://www.advancedinstaller.com/user-guide/tutorial-gpo.html


The final step, to make the settings I just set up take effect, is to run the EMET command line tool and type in EMET_Conf --refresh.


You can run this command at startup or logon time.
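As an added example (not code from the original post), here are the two file placements above and the refresh step as a Windows PowerShell script: one function stages EMET.admx and EMET.adml into the PolicyDefinitions folders the post names, the other registers a boot-time scheduled task that runs EMET_Conf --refresh as SYSTEM, which is one way to run the command at startup without a logon script. The source folder, the EMET_Conf.exe path and the use of Windows PowerShell 5.1 are assumptions, not facts from the post.

```powershell
# Added example, not from the original post. Assumptions: $EmetSource is the
# folder holding the ADMX/ADML files from part one (placeholder path below),
# $EmetConf is where the EMET MSI put EMET_Conf.exe, and this runs under
# Windows PowerShell 5.1 (later PowerShell versions quote native args differently).

# Run on the server where Group Policy Management is used.
function Install-EmetPolicyDefinitions {
    param([string]$EmetSource = 'C:\PLACEHOLDER\EMET-GroupPolicyFiles')
    $admxDir = Join-Path $env:SystemRoot 'PolicyDefinitions'   # EMET.admx, as in the post
    $admlDir = Join-Path $admxDir 'en-us'                      # EMET.adml, as in the post
    $files = @{ 'EMET.admx' = $admxDir; 'EMET.adml' = $admlDir }
    foreach ($name in $files.Keys) {
        $dest = $files[$name]
        $src  = Join-Path $EmetSource $name
        if (-not (Test-Path $src)) { throw "Missing $src" }
        if (-not (Test-Path $dest)) { New-Item -ItemType Directory -Path $dest | Out-Null }
        Copy-Item -Path $src -Destination $dest -Force
        # Confirm the copy landed, otherwise the EMET node never shows up in the GPO editor.
        if (-not (Test-Path (Join-Path $dest $name))) { throw "Copy failed for $name" }
        Write-Host "Staged $name -> $dest"
    }
}

# Run (elevated) on each workstation after the EMET MSI is installed: registers a
# task that runs EMET_Conf --refresh at boot as SYSTEM, so the settings delivered
# by the EMET GPO are applied without a logon script.
function Register-EmetRefreshTask {
    param([string]$EmetConf = 'C:\Program Files (x86)\EMET\EMET_Conf.exe')
    if (-not (Test-Path $EmetConf)) { throw "EMET_Conf.exe not found at $EmetConf" }
    # schtasks.exe rather than Register-ScheduledTask so this also works on
    # Windows 7 / Server 2008 R2. The \" escapes keep the quoted path intact
    # when PowerShell hands the argument to the native command line.
    $action = "\`"$EmetConf\`" --refresh"
    schtasks.exe /Create /F /TN 'EMET Refresh' /SC ONSTART /RU SYSTEM /TR $action
    if ($LASTEXITCODE -ne 0) { throw "schtasks failed with exit code $LASTEXITCODE" }
    Write-Host "Registered startup task 'EMET Refresh' -> $action"
}

# Usage: Install-EmetPolicyDefinitions -EmetSource '<folder from part one>'   (on the server)
#        Register-EmetRefreshTask                                              (on each workstation)
```

After a reboot, `schtasks /Query /TN "EMET Refresh" /V` shows the last run time and result, which is the quickest way to confirm the refresh actually ran.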


Hmmmm, okay, is there a better way to do that other than a logon script, which I really don’t want to do in the Vista and later era?


Hang on for part three of EMET via group policy.

1 comment so far

Aleksiv95 on 09.23.12 at 8:27 am

    Please let us know if you find a good way to automatically refresh EMET configurations (=automatically run emet_conf.exe --refresh when user logs on or computer is restarted). You could make a section “for dummies: how to auto-refresh” cause I can’t even make a logon script to refresh configurations :D

    Thank you! :)))