Solved

EMET best practice

Posted on 2014-07-21
Last Modified: 2014-07-30
I just started to configure the EMET settings in GPO; however, I don't know how those settings will affect the software behaviour and how users will be affected.

Can somebody give some ideas on how to start and what setting does what?

i.e. what happens when ASLR is set to "application opt-in", or when deep hooks, anti detours, banned functions, exploit action is set to enabled?
Question by:DukewillNukem
10 Comments

Assisted Solution

by:John Hurst
John Hurst earned 500 total points
It depends on the environment (operating system and programs) and you will have to do some testing.  Use EMET V4.1 at this point for production machines and not the V5 Tech Preview.

I use the following settings in the Apps setup: Default (ON) except for:

EAF:  OFF for Acrobat Standard, IE11 (32-bit and 64-bit), Skype Desktop, and Windows Media Player.

Null Page: OFF for Java V8.

SEHOP: OFF for IE11 32-bit and 64-bit, Skype Desktop.

DEP: OFF for IE11 32-bit and 64-bit.

These exceptions arise from searching for issues with the above software sections "stopped working" in Reliability Monitor.

I use EMET V4.1 with Symantec Endpoint Protection V12.1.4a and have no issues.

I have fewer exceptions with Windows 7 and I have EMET V4 and V4.1 installed on client machines.

I always have Deep Hooks, Anti Detours, Banned Functions set ON as is default.

EMET works well and should be used. The concepts are very technical and the document you can download has the information you need.

Expert Comment

by:Rich Rumble
EMET is also aware of some compatibility issues on its own, and sets a conservative setting for some items.

[screenshot: EMET defaults]

Those are some of the defaults EMET uses for different programs; there are others, but that is the basic idea. I would start with the defaults, then read the PDF that accompanies EMET for more details inside each mitigation. OPT-IN is best to start with. You can see also how M$ has chosen other more advanced defaults too, like the forbidding of Flash and ActiveX in Office documents:

[screenshot: EMET Excel forbidden modules]

-rich
Author Comment

by:DukewillNukem
OK, thanks. I got that far already; now I'll have to start with more 3rd-party tools, and even tougher, with self-coded apps.
Is there a list that M$ has published of what's supported?

Expert Comment

by:John Hurst
There are too many applications to list. EMET supports most things. Enable the application and test it.  You may have to adjust the settings. SEHOP, DEP and EAF are the most common to adjust.

If the application is not internet-facing or used very much, there is no need to include it in EMET.
Author Comment

by:DukewillNukem
What are the typical internet-facing applications?

Assisted Solution

by:John Hurst
John Hurst earned 500 total points
IE, Outlook, Skype and others are examples of internet facing applications. These are applications that connect to the internet to browse, chat, download and so on.

Here is an example of stuff I include in EMET.

I have been using EMET for over 3 years now and it does work quite well.

[attachment: EMET-4.1-Settings]
Author Comment

by:DukewillNukem
OK, thank you. We do have a lot of "self-coded" applications, which I'm not sure about how they will behave once imported into EMET.
I assume you would start with the recommended settings first?
Expert Comment

by:Rich Rumble
It's more trial and error, but you don't have to expect problems; EMET is made so that it hopefully won't interfere. The techniques in EMET happen around the executable, not to it. You can enable 2 protections without EMET: DEP and ASLR can be set by using the program peflags, which adds two tags inside the exe (EMET does not do this), and the OS will read them and apply DEP and ASLR. That is a more obtrusive way to enable some of the protections, but it will follow the exe to every OS. The others would have to be compiled into your EXEs' logic and execution trees. EMET allows you to get that advanced functionality without having to recode. EMET also allows you to opt out, and if you have issues after enabling it, you have to start to opt out of certain protections.
-rich
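The comment above distinguishes mitigations EMET applies from the outside from the two (DEP and ASLR) that a binary can opt in to itself through bits in its own PE header. The script below is an added example written for this thread, not code from EMET, peflags, or any of the posters: it parses the PE optional header and reports whether the `NX_COMPAT` (DEP) and `DYNAMIC_BASE` (ASLR) bits are set, which is the header-level check an administrator can run over self-coded executables before deciding which ones need EMET's app-level coverage. The bit values and offsets come from the PE/COFF format; the `build_minimal_pe` helper constructs a synthetic header purely as test input and is not a real program. Note that EMET-only mitigations such as EAF or SEHOP leave no trace in the header, so a clean result here only tells you about the two OS-native opt-ins.

```python
import struct
import sys

# Bits in the optional header's DllCharacteristics field (PE/COFF specification).
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020  # 64-bit high-entropy ASLR
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040     # image may be relocated: ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100        # image is DEP-compatible: DEP opt-in

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def pe_mitigation_flags(data: bytes) -> dict:
    """Return which OS-applied mitigations a PE image opts in to via its header.

    Only the headers are inspected, so the raw bytes of an .exe/.dll read from
    disk can be passed directly. Raises ValueError for anything that is not a
    well-formed PE header.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    size_of_optional_header = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if size_of_optional_header < 72 or len(data) < opt + size_of_optional_header:
        raise ValueError("optional header truncated")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 of the optional header for both PE32
    # and PE32+: PE32+ drops BaseOfData (4 bytes) but widens ImageBase by 4.
    dll_characteristics = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "dep_nxcompat": bool(dll_characteristics & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "aslr_dynamic_base": bool(dll_characteristics & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "high_entropy_va": bool(dll_characteristics & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
    }


def missing_mitigations(flags: dict) -> list:
    """Names of the header opt-ins a binary lacks; candidates for EMET coverage."""
    missing = []
    if not flags["dep_nxcompat"]:
        missing.append("DEP (NX_COMPAT)")
    if not flags["aslr_dynamic_base"]:
        missing.append("ASLR (DYNAMIC_BASE)")
    if flags["pe32plus"] and flags["aslr_dynamic_base"] and not flags["high_entropy_va"]:
        missing.append("64-bit high-entropy ASLR (HIGH_ENTROPY_VA)")
    return missing


def audit_file(path: str) -> dict:
    """Read a PE from disk and return its mitigation flags."""
    with open(path, "rb") as f:
        return pe_mitigation_flags(f.read())


def build_minimal_pe(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Constructed test input: just enough header bytes to be parsed above.

    This is not a runnable program, only a DOS stub, PE signature, COFF header
    and an optional header carrying the requested DllCharacteristics value.
    """
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 240 if pe32plus else 224          # standard sizes incl. 16 data directories
    machine = 0x8664 if pe32plus else 0x14C      # AMD64 or i386
    # COFF: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    #       NumberOfSymbols, SizeOfOptionalHeader, Characteristics (EXECUTABLE_IMAGE)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 68, 2)                   # Subsystem: WINDOWS_GUI
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for path in sys.argv[1:]:
        try:
            flags = audit_file(path)
        except (OSError, ValueError) as exc:
            print("%s: %s" % (path, exc))
            continue
        gaps = missing_mitigations(flags)
        print("%s: %s" % (path, "all header opt-ins set" if not gaps else "missing " + ", ".join(gaps)))
```

Run it as `python pe_flags.py app1.exe app2.dll` against the self-coded binaries; anything reported as missing DEP or ASLR is exactly the case where a relink with the opt-in bits, or coverage by EMET, makes the difference, and the remaining EMET mitigations still need the trial-and-error testing described in the thread.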
Accepted Solution

by:John Hurst
John Hurst earned 500 total points
Unless your hard coded applications have deeply embedded networking, you probably won't have to do much.

You need to install EMET and test it. That is what most of us have done. We have given you the outline here, so you just need to start.

Try EMET with recommended settings and see how it works. If that works well with adjustments, then stick with that approach.
Expert Comment

by:John Hurst
@DukewillNukem  - Good luck with EMET. It is new and it is good. I have every confidence it will improve. EMET 5 is in Tech Preview. I have tried it and I am waiting until the production version comes out.