Deploying EMET 4.1

Author by Rob Plank

In this blog post we are going to cover how to deploy and configure EMET with Configuration Manager and Group Policy. EMET provides 10 mitigations that are not part of operating system or adds additional features to mitigations that are part of the operating system. EMET allows you to log attempted attacks to the event log that you can monitor for with Operations Manager or a central logging solution. EMET has the following mitigations to protect your computers from attackers. · Structured Exception Handler Overwrite Protection (SEHOP) · Data Execution Prevention (DEP) · Heap spray Allocations · Null page allocation · Mandatory Address Space Layout Randomization (ASLR) · Export Address Table Access Filtering (EAF) · Bottom-up randomization · ROP mitigations · Attack Surface Reduction · Advanced Mitigations for ROP and EAF I’m not going to dive into these in this blog post but you can get a summary of the mitigations in the user guide or search Bing.com for more information. Deploying EMET to your workstations with Configuration Manager is fairly straight forward, create a new Application in ConfigMgr and point to the msi. You will need to make a few small changes to the application set up in ConfigMgr. The installation program string should be msiexec /I “EMET Setup.msi” /qn /norestart and the install behavior should be install for system clip_image002 If you didn’t read the EMET User guide you may think that EMET is now protecting your systems after you have deployed via ConfigMgr. I am going to cover most of the major settings but strongly suggest that you read the guide for yourself. You will need to create a collection of machines you want to deploy the configuration package too. My suggestion is to start with a few test machines or deploy to a lab. Here is the WQL query I used for my lab. select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_ADD_REMOVE_PROGRAMS on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceId = SMS_R_System.ResourceId where SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName = "EMET 4.1" Next create a package in ConfigMgr to configure EMET - copy the following files to a source directory. · EMET_Config.exe · HelperLib.dll · MitigationInterface.dll · PKIPinningSubsystem.dll · Popular Software.xml · SdbHelper.dll These files can be found in C:\Program files(x86)\EMET4.1 or C:\Program files(x86)\EMET4.1\Deployment\Protection Profiles directory. Here is the steps to create the package to configure EMET clip_image004 clip_image006 Next deploy the package to the Collection we created earlier clip_image008 This is what the EMET applications look like before the configuration has been run clip_image010 And the Main EMET Window clip_image012 Post configuration screen shots clip_image014 Main EMET Window after Configuration has been run, notice running applications that have EMET mitigations enabled have a green checkbox now. clip_image016 EMET Application configuration after the configuration has been run on a machine. You can also configure these setting with the EMET GPO policies – you will need to copy the ADMX and ADML files to your central repository for GPOs \\\sysvol\\Policies\PolicyDefinitions the EMET GPO policy files can be found in C:\Program Files (x86)\EMET 4.1\Deployment\Group Policy Files. These are the options you have to configure via the GPO clip_image017 There is one important setting that I have not found a way to set via the command line or with the GPO. clip_image018 There is a known way to bypass EMET if the Deep Hooks setting is not enabled. Enabling this setting is important (see the user guide for details of what additional protections this adds). You can enable deep hooks by setting the following Registry setting HKLM\Software\Microsoft\EMET\DeepHooks(Dword) set to a value of 1. See this TechNet article if you need to know how to set a registry value via a GPO. This setting is enabled by default in the upcoming EMET version 5 that should be relased later this year. If you want to test out the preview you can get the documentation and the link to the connect site here.
Author

Rob Plank

Systems Engineer