EMET 2.1 Deployment


If you have not used Microsoft EMET and you're in charge of managing or securing Windows PCs, then you need to start looking at it. In short, EMET applies a number of mitigations (DEP, ASLR, heap-spray prevention, etc.) to a process to make it much harder to exploit a vulnerability in that application. The latest version lets you import and export an XML file, which makes it easy to deploy. There is still no direct management from GPO, but this update makes scripted deployment straightforward.

(UPDATE) The scripts have been posted to Dropbox because of weirdness in the WordPress rendering (formatting changes and partially omitted lines). You can get them here: config.xml and emet_network.vbs.


Step 1 Testing your applications for Compatibility

While EMET does some clever tricks to prevent exploitation of applications, it can cause stability issues. I've been running it for a while and have not had any issues with applications. You will want to add any application through which the user directly interacts with untrusted networks, or that opens files received from untrusted networks (browsers, Office, PDF readers, media players). Adding an application to be protected can be done from the GUI or from the command line. Start the GUI and select Configure Apps.

Then select Add and browse to the executable you want to protect.

Once you have selected the application, you can change which mitigations are applied to it. The default is to enable all of them, and I would leave it that way unless you run into issues. To troubleshoot, clear all the mitigations for the app and re-enable them one at a time until the application crashes. Leave that one mitigation unselected and keep the rest.

Step 2 Export your Settings

By default EMET is installed at C:\Program Files (x86)\EMET\. You will need to run the command-line version of the tool (as Administrator) to export your settings.

Select Start -> Accessories, right-click Command Prompt and select "Run as administrator".

>cd "C:\Program Files (x86)\EMET\"
>EMET_Conf.exe --export config.xml

I have included a version of an EMET config below (available to download because of WordPress issues posting the code). It lists both the 32-bit and 64-bit versions of Office 12 and 14, Firefox, IE, iTunes and others.

Step 3 Copy Emet to Network drive

EMET does come as an MSI file, but you do not need to run the installer on every computer to push these configuration changes. Just copy the entire C:\Program Files (x86)\EMET\ folder, along with your config file, to a network share that all users can read. Make that share read-only for users: every workstation will execute EMET_Conf.exe and import the XML from it at logon, so anyone who can write to the share could swap in a different binary or a weakened configuration for the whole fleet.

Step 4 Deploy Script

I wrote a script (available to download because of WordPress issues posting the code) to import the settings, because I wanted to add Google Chrome to the protected list. Chrome installs under each user's profile directory, so its path has to be generated dynamically for the import to work (the current version of EMET does not expand environment variables in application paths). If you are not using Chrome, you can reduce the script to a single import from the network config file. The script only needs to be run once for each user, and then again only when you update the config file. A typical deployment would run the script at logon via GPO or from a scheduled task for the user.

To get the script to work in your environment you will need to make changes to the variables at the top of the script.

The basics steps of the script are:

  1. Copy the XML file from the share to a local temp folder.
  2. Add Google Chrome, with the current user's path, to the XML.
  3. Run EMET_Conf.exe from the network share to import the local XML file.
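The same three steps as a PowerShell logon script, added here as an example; this is not the author's emet_network.vbs and nothing in it is from the original post. It assumes a share path of \\fileserver\emet, that the exported EMET 2.1 config lists each protected program as an <App Path="..."> element whose children hold that program's mitigation settings (check this against your own export before relying on it), and that EMET_Conf.exe returns a non-zero exit code when an import fails. It also adds two checks the VBScript version does not describe: it refuses to run EMET_Conf.exe from the share unless its Authenticode signature is valid, and it logs and stops when the import fails.

```powershell
# Added example, not the original post's script. Assumed paths and XML layout are
# marked below; verify them against your own config.xml before deploying.

$Share     = '\\fileserver\emet'                 # assumed share, read-only for users
$EmetConf  = Join-Path $Share 'EMET_Conf.exe'
$ShareXml  = Join-Path $Share 'config.xml'
$LocalXml  = Join-Path $env:TEMP 'emet_config.xml'
$ChromeExe = Join-Path $env:LOCALAPPDATA 'Google\Chrome\Application\chrome.exe'
$Log       = Join-Path $env:TEMP 'emet_deploy.log'

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $Log -Append
}

# Every user executes this binary from the network at logon, so do not run it
# unless it still carries a valid publisher signature.
$sig = Get-AuthenticodeSignature -FilePath $EmetConf
if ($sig.Status -ne 'Valid') {
    Write-Log "Refusing to run $EmetConf (signature status: $($sig.Status))"
    exit 1
}

# Step 1: work on a local copy so the shared master file is never modified.
Copy-Item -Path $ShareXml -Destination $LocalXml -Force

# Step 2: add this user's Chrome. Assumed layout: protected programs are
# <App Path="..."> elements. Cloning an existing entry gives Chrome the same
# mitigation settings as the template application.
[xml]$cfg = Get-Content -Path $LocalXml
$apps = $cfg.SelectNodes('//App[@Path]')
if ($apps.Count -eq 0) {
    Write-Log 'No <App Path="..."> entries found; the export layout differs from the assumption'
    exit 1
}
if (Test-Path -Path $ChromeExe) {
    $present = $apps | Where-Object { $_.Path -ieq $ChromeExe }
    if (-not $present) {
        $template = $apps.Item(0)
        $chrome   = $template.CloneNode($true)
        $chrome.SetAttribute('Path', $ChromeExe)
        [void]$template.ParentNode.AppendChild($chrome)
        $cfg.Save($LocalXml)
        Write-Log "Added $ChromeExe to the protected application list"
    }
} else {
    Write-Log 'Chrome is not installed for this user; importing the base config only'
}

# Step 3: import the local file with the tool on the share, and stop on failure.
& $EmetConf --import $LocalXml 2>&1 | Out-File -FilePath $Log -Append
if ($LASTEXITCODE -ne 0) {
    Write-Log "EMET_Conf.exe --import failed with exit code $LASTEXITCODE"
    exit $LASTEXITCODE
}

# Record what EMET now reports as protected; Chrome should appear in this list.
& $EmetConf --list 2>&1 | Out-File -FilePath $Log -Append
Remove-Item -Path $LocalXml -Force
Write-Log 'EMET configuration imported'
```

Run it once as a test user and read the log in %TEMP% before assigning it through GPO. If the import reports an access-denied error for a standard user, the account running the script does not have the rights EMET needs to write its configuration; in that case run it from a scheduled task with elevated rights rather than from the user's logon script.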


2 thoughts on "EMET 2.1 Deployment"

    Stephen Reese said:
    May 27, 2011 at 11:39 am

    Tom, I saw this come through the PDC list. Thanks for publishing this.

      twsecblog said:
      May 27, 2011 at 2:50 pm

      Thanks for the comment. I’ve been playing around this and figured a lot of other people would benefit.
