Solved

EMET best practice

Posted on 2014-07-21
Last Modified: 2014-07-30
I just started to configure the EMET settings in GPO; however, I don't know how those settings will affect the software behaviour and how users will be affected.

Can somebody give some ideas on how to start and what setting does what?

i.e. what happens when ASLR is set to "application opt-in", or when deep hooks, anti detours, banned functions, or exploit action is set to enabled?
Question by:DukewillNukem
10 Comments
 

Assisted Solution

by:John Hurst
John Hurst earned 2000 total points
ID: 40208679
It depends on the environment (operating system and programs) and you will have to do some testing.  Use EMET V4.1 at this point for production machines and not the V5 Tech Preview.

I use the following settings in the Apps setup: Default (ON) except for:

EAF:  OFF for Acrobat Standard, IE11 (32-bit and 64-bit), Skype Desktop, and Windows Media Player.

Null Page: OFF for Java V8.

SEHOP: OFF for IE11 32-bit and 64-bit, Skype Desktop.

DEP: OFF for IE11 32-bit and 64-bit.

These exceptions arise from searching for issues with the above software sections "stopped working" in Reliability Monitor.

I use EMET V4.1 with Symantec Endpoint Protection V12.1.4a and have no issues.

I have fewer exceptions with Windows 7 and I have EMET V4 and V4.1 installed on client machines.

I always have Deep Hooks, Anti Detours, Banned Functions set ON as is default.

EMET works well and should be used. The concepts are very technical and the document you can download has the information you need.
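John's exception list comes from looking for repeated "stopped working" entries per application and working out which mitigation caused them. The script below is an added example (not from the original answer or from Microsoft) that does the same triage over EMET Application-log messages; the sample lines are constructed, and the "EMET detected <mitigation> mitigation in <process>" message shape is an assumption. Pairs that fire repeatedly on a trusted application during normal use are compatibility candidates; a single hit should be investigated before any exception is added.

```python
import re
from collections import Counter

# Constructed sample of EMET Application-log messages (not captured from a real host).
# The "EMET detected <MITIGATION> mitigation in <PROCESS>" shape is assumed here.
SAMPLE_EVENTS = [
    "2014-07-21 09:12:03 Error EMET detected EAF mitigation in iexplore.exe",
    "2014-07-21 09:12:40 Error EMET detected EAF mitigation in iexplore.exe",
    "2014-07-21 09:15:11 Error EMET detected SEHOP mitigation in Skype.exe",
    "2014-07-21 10:01:59 Error EMET detected EAF mitigation in iexplore.exe",
    "2014-07-21 10:30:27 Error EMET detected NullPage mitigation in javaw.exe",
    "2014-07-21 11:02:13 Information EMET version 4.1 started",
]

EVENT_RE = re.compile(
    r"EMET detected (?P<mitigation>\w+) mitigation in (?P<process>\S+)"
)


def count_mitigation_hits(lines):
    """Count how often each (process, mitigation) pair fired; non-matching lines are ignored."""
    counts = Counter()
    for line in lines:
        m = EVENT_RE.search(line)
        if m:
            counts[(m["process"].lower(), m["mitigation"])] += 1
    return counts


def triage(lines, threshold=2):
    """Split hits into compatibility candidates (>= threshold) and single hits to investigate.

    Returns (candidates, investigate), both sorted lists of (process, mitigation) pairs.
    A pair that trips repeatedly under normal use looks like an EMET false positive;
    a one-off hit may be a real exploit attempt and should not become an exception.
    """
    counts = count_mitigation_hits(lines)
    candidates = sorted(pair for pair, n in counts.items() if n >= threshold)
    investigate = sorted(pair for pair, n in counts.items() if n < threshold)
    return candidates, investigate


if __name__ == "__main__":
    cands, look = triage(SAMPLE_EVENTS)
    print("exception candidates:", cands)
    print("investigate first:", look)
```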
 

Expert Comment

by:Rich Rumble
ID: 40208877
EMET is also aware of some compatibility issues on its own, and sets a conservative setting for some items.
(screenshot: EMET defaults) Those are some of the defaults EMET uses for different programs, there are others, but that is the basic idea. I would start with the defaults, then read the PDF that accompanies EMET for more details inside each mitigation. OPT-IN is best to start with, you can see also how M$ has chosen other more advanced defaults too, like the forbidding of flash and active-x in office documents:
(screenshot: EMET Excel forbidden modules)
-rich
 

Author Comment

by:DukewillNukem
ID: 40218737
OK, thanks. I got that far already; now I'll have to start with more 3rd party tools, and even tougher, with self-coded apps.
Is there a list that M$ has published of what's supported?

 

Expert Comment

by:John Hurst
ID: 40219190
There are too many applications to list. EMET supports most things. Enable the application and test it.  You may have to adjust the settings. SEHOP, DEP and EAF are the most common to adjust.

If the application is not internet facing or used very much, there is no need to include it in EMET.
 

Author Comment

by:DukewillNukem
ID: 40219262
What are the typical internet facing applications?
 

Assisted Solution

by:John Hurst
John Hurst earned 2000 total points
ID: 40219308
IE, Outlook, Skype and others are examples of internet facing applications. These are applications that connect to the internet to browse, chat, download and so on.

Here is an example of stuff I include in EMET.

I have been using EMET for over 3 years now and it does work quite well.

EMET-4.1-Settings.
 

Author Comment

by:DukewillNukem
ID: 40228819
OK, thank you. We do have a lot of "self-coded" applications, which I'm not sure about regarding how they will behave once imported in EMET.
I assume you would start with the recommended settings first?
 

Expert Comment

by:Rich Rumble
ID: 40228848
It's more trial and error, but you don't have to expect problems, EMET is made so that it hopefully won't interfere. The techniques in EMET happen around the executable, not to it. You can enable 2 protections without EMET, the DEP and ASLR can be set by using the program peflags, and they add two tags inside the exe (EMET does not do this), and the OS will read them and apply DEP and ASLR. That is a more obtrusive way to enable some of the protections, but it will follow the exe to every OS. The others would have to be compiled into your EXEs' logic and execution trees. EMET allows you to get that advanced functionality without having to recode. EMET also allows you to opt-out, and if you have issues after enabling it, you have to start to opt-out of certain protections.
-rich
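The "two tags inside the exe" Rich mentions are the NX_COMPAT and DYNAMIC_BASE bits of the PE optional header's DllCharacteristics field, which Windows reads to decide whether to apply DEP and ASLR to an image without EMET. The checker below is an added example (not from the original comment, not an EMET or Microsoft tool) that reads those bits from a PE file so you can audit your self-coded executables before deciding what EMET still needs to cover; the `build_stub` helper fabricates minimal, non-runnable PE headers purely so the check can be exercised offline.

```python
import struct

# DllCharacteristics bits from the PE/COFF specification (winnt.h).
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # ASLR opt-in (linker /DYNAMICBASE)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # DEP opt-in (linker /NXCOMPAT)


def pe_dll_characteristics(data: bytes) -> int:
    """Return the DllCharacteristics field of a PE image; ValueError on malformed input."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                       # 20-byte COFF file header
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                           # optional header follows COFF header
    if size_of_optional < 72 or len(data) < opt + size_of_optional:
        raise ValueError("optional header truncated")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):           # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    return struct.unpack_from("<H", data, opt + 70)[0]


def opted_in(data: bytes) -> dict:
    """Report whether the image opts into DEP and ASLR via its header flags."""
    flags = pe_dll_characteristics(data)
    return {"DEP": bool(flags & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
            "ASLR": bool(flags & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)}


def check_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return opted_in(fh.read())


def build_stub(dll_characteristics: int, pe32plus: bool = True) -> bytes:
    """Constructed minimal PE header (not a runnable program) for offline testing."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x0022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return dos + b"PE\0\0" + coff + bytes(opt)
```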
 

Accepted Solution

by:John Hurst
John Hurst earned 2000 total points
ID: 40228885
Unless your hard coded applications have deeply embedded networking, you probably won't have to do much.

You need to install EMET and test it. That is what most of us have done. We have given you the outline here, so you just need to start.

Try EMET with recommended settings and see how it works. If that works well with adjustments, then stick with that approach.
 

Expert Comment

by:John Hurst
ID: 40229246
@DukewillNukem  - Good luck with EMET. It is new and it is good. I have every confidence it will improve. EMET 5 is in Tech Preview. I have tried it and I am waiting until the production version comes out.

Question has a verified solution.