Deploying EMET via group policy.

On September 20, 2012, in Security, by

First off,  I think we’re acting like Chicken Littles a bit.  Once we patch for the latest zero day, there’s nothing preventing another one popping up the next day.  On any browser.  On any platform.  So I think we need to step back and bit and think about how we’re protecting machines.

Are they still XP?  This one is being targeted to XP machines.

Are they still local admin?

Are we just relying on patching?

How about we investigate this EMET thing they keep talking about.

Using EMET mitigations

We also observed that the Enhanced Mitigation Experience Toolkit offers a good set of additional mitigations for Internet Explorer that can thwart many of the attacks in the wild. Enabling HeapSpray, MandatoryASLR and EAF mitigations for Internet Explorer will make reliable exploitation of this vulnerability more complicated. Users testing EMET 3.5 Tech Preview can use also the new set of mitigations able to break ROP-based exploits, which is also a recommended setting in the current situation.”

Firstly we need to install the EMET 3.5 tech preview as that’s the one that works to protect in this instance. 

Once we’ve installed it on one machine – there’s an EMET user guide document … it says “EMET 3.0 comes with group policy support. When you install EMET, EMET.admx and EMET.adml files are also installed to the “Deployment\Group Policy Files” folder. These files can then be copied onto \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US folders respectively. Once this is done, EMET system and application mitigation settings can be configured via Group Policy.”

There are three sets of policies that EMET exposes. Below is a description of each. More information can be found at the policy editor for each policy.

1. System Mitigations: Named ASLR, DEP and SEHOP, these policies are used to configure system mitigations. Please note that modifying system mitigation settings may require a reboot to be effective.

2. Default Protection Profiles: There are three: Internet Explorer, Office applications and other popular software. Protection Profiles are pre-configured EMET settings that cover common home and enterprise software. Apply these policies to enable them.

3. Application Settings: This leads to a freeform editor where you can configure any additional applications not part of the default protection profiles. The syntax is application executable name followed by an optional list of mitigations you don’t want to enable. If you don’t specify any mitigation, all seven EMET application mitigations will be enabled.

Once you enable EMET Group Policies, they will be written out to the registry at HKLM \SOFTWARE\Policies\Microsoft\EMET. To make them effective in EMET, you have to run the following command using the EMET Command Line Tool.

EMET_Conf –refresh

Please note that when you apply a Group Policy in Windows, there is often a short delay before Group Policy writes them out to the registry.

You can run this command separately, at startup or at logon time according to your deployment strategy.

To view the Group Policy controlled EMET settings, run the following command using the EMET Command Line Tool.

EMET_Conf –list

There’s also a forum –

Okay so the first thing of note — I still see that you’ll need to install this somehow to all of your machines.  All the group policy does is control the settings as I see it.

Hang loose while I figure this out.


Comments are closed.