Solved

EMET best practice

Posted on 2014-07-21
10
761 Views
Last Modified: 2014-07-30
I just started to configure the EMET settings in GPO; however, I don't know how those settings will affect the software behaviour and how users will be affected.

Can somebody give some ideas on how to start and what setting does what?

I.e. what happens when ASLR is set to "application opt-in", or when

deep hooks, anti detours, banned functions, exploit action are set to enabled?
0
Comment
Question by:DukewillNukem
10 Comments
 
LVL 96

Assisted Solution

by:Experienced Member
Experienced Member earned 500 total points
ID: 40208679
It depends on the environment (operating system and programs) and you will have to do some testing.  Use EMET V4.1 at this point for production machines and not the V5 Tech Preview.

I use the following settings in the Apps setup: Default (ON) except for:

EAF:  OFF for Acrobat Standard, IE11 (32-bit and 64-bit), Skype Desktop, and Windows Media Player.

Null Page: OFF for Java V8.

SEHOP: OFF for IE11 32-bit and 64-bit, Skype Desktop.

DEP: OFF for IE11 32-bit and 64-bit.

These exceptions arise from searching for issues with the above software sections "stopped working" in Reliability Monitor.

I use EMET V4.1 with Symantec Endpoint Protection V12.1.4a and have no issues.

I have fewer exceptions with Windows 7 and I have EMET V4 and V4.1 installed on client machines.

I always have Deep Hooks, Anti Detours, Banned Functions set ON as is default.

EMET works well and should be used. The concepts are very technical and the document you can download has the information you need.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 40208877
EMET is also aware of some compatibility issues on its own, and sets a conservative setting for some items.
[screenshot: EMET defaults]
Those are some of the defaults EMET uses for different programs, there are others, but that is the basic idea. I would start with the defaults, then read the PDF that accompanies EMET for more details inside each mitigation. OPT-IN is best to start with, you can see also how M$ has chosen other more advanced defaults too, like the forbidding of flash and active-x in office documents:
[screenshot: EMET Excel forbidden modules]
-rich
0
 

Author Comment

by:DukewillNukem
ID: 40218737
OK, thanks. I got that far already; now I'll have to start with more 3rd-party tools and, even tougher, with self-coded apps.
Is there a list that M$ has published of what's supported?
0

 
LVL 96

Expert Comment

by:Experienced Member
ID: 40219190
There are too many applications to list. EMET supports most things. Enable the application and test it.  You may have to adjust the settings. SEHOP, DEP and EAF are the most common to adjust.

If the application is not internet facing or used very much, there is no need to include it in EMET.
0
 

Author Comment

by:DukewillNukem
ID: 40219262
What are the typical internet-facing applications?
0
 
LVL 96

Assisted Solution

by:Experienced Member
Experienced Member earned 500 total points
ID: 40219308
IE, Outlook, Skype and others are examples of internet facing applications. These are applications that connect to the internet to browse, chat, download and so on.

Here is an example of stuff I include in EMET.

I have been using EMET for over 3 years now and it does work quite well.

[attachment: EMET-4.1-Settings]
0
 

Author Comment

by:DukewillNukem
ID: 40228819
OK, thank you. We do have a lot of "self-coded" applications, and I'm not sure how they will behave once imported into EMET.
I assume you would start with the recommended settings first?
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 40228848
It's more trial and error, but you don't have to expect problems; EMET is made so that it hopefully won't interfere. The techniques in EMET happen around the executable, not to it. You can enable 2 protections without EMET: DEP and ASLR can be set by using the program peflags, and they add two tags inside the exe (EMET does not do this), and the OS will read them and apply DEP and ASLR. That is a more obtrusive way to enable some of the protections, but it will follow the exe to every OS. The others would have to be compiled into your EXEs' logic and execution trees. EMET allows you to get that advanced functionality without having to recode. EMET also allows you to opt out, and if you have issues after enabling it, you have to start to opt out of certain protections.
-rich
0
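Rich's "two tags inside the exe" are the /NXCOMPAT and /DYNAMICBASE bits in the DllCharacteristics field of the PE optional header, which the Windows loader reads to apply DEP and ASLR. The following is an added example, not code from this thread or from EMET: it reads those bits straight from a PE image so you can see which self-coded apps already opt in and which would rely on EMET to supply DEP/ASLR; `build_header` only constructs a minimal header in memory for demonstration and is not a loadable executable.

```python
import struct

# DllCharacteristics bits in the PE optional header (offset 70 for PE32 and PE32+)
DYNAMIC_BASE = 0x0040     # /DYNAMICBASE: image may be rebased, i.e. ASLR opt-in
NX_COMPAT = 0x0100        # /NXCOMPAT: image is DEP-compatible
HIGH_ENTROPY_VA = 0x0020  # 64-bit high-entropy ASLR (PE32+ only)
NO_SEH = 0x0400           # image declares it uses no structured exception handlers

def pe_mitigation_flags(data: bytes) -> dict:
    """Return the DEP/ASLR opt-in bits that the loader reads from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # COFF file header, 20 bytes
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                           # optional header starts here
    if size_opt < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):           # PE32 / PE32+
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "pe32plus": magic == 0x20B,
        "dll_characteristics": dllchar,
        "dep_nxcompat": bool(dllchar & NX_COMPAT),
        "aslr_dynamicbase": bool(dllchar & DYNAMIC_BASE),
        "high_entropy_va": bool(dllchar & HIGH_ENTROPY_VA),
        "no_seh": bool(dllchar & NO_SEH),
    }

def needs_emet_for(data: bytes) -> list:
    """Name the mitigations EMET would have to supply because the image does not opt in."""
    f = pe_mitigation_flags(data)
    return [m for m, ok in (("DEP", f["dep_nxcompat"]), ("ASLR", f["aslr_dynamicbase"])) if not ok]

def build_header(dllchar: int, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header for demonstration; not a loadable executable."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dllchar)
    return dos + b"PE\0\0" + coff + bytes(opt)
```

On a real system, pass `open(path, "rb").read()` of each in-house exe to `needs_emet_for` to list what the binary itself does not opt into.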
 
LVL 96

Accepted Solution

by:Experienced Member
Experienced Member earned 500 total points
ID: 40228885
Unless your hard coded applications have deeply embedded networking, you probably won't have to do much.

You need to install EMET and test it. That is what most of us have done. We have given you the outline here, so you just need to start.

Try EMET with recommended settings and see how it works. If that works well with adjustments, then stick with that approach.
0
 
LVL 96

Expert Comment

by:Experienced Member
ID: 40229246
@DukewillNukem  - Good luck with EMET. It is new and it is good. I have every confidence it will improve. EMET 5 is in Tech Preview. I have tried it and I am waiting until the production version comes out.
0
