Solved

EMET best practice

Posted on 2014-07-21
Last Modified: 2014-07-30
I just started to configure the EMET settings in GPO; however, I don't know how those settings will affect the software behaviour and how users will be affected.

Can somebody give some ideas how to start and what setting does what?

i.e. what happens when ASLR is set to "application opt-in", or when deep hooks, anti detours, banned functions, exploit action is set to enabled?
Question by:DukewillNukem
10 Comments
 
LVL 94

Assisted Solution

by:John Hurst
John Hurst earned 500 total points
ID: 40208679
It depends on the environment (operating system and programs) and you will have to do some testing.  Use EMET V4.1 at this point for production machines and not the V5 Tech Preview.

I use the following settings in the Apps setup: Default (ON) except for:

EAF:  OFF for Acrobat Standard, IE11 (32-bit and 64-bit), Skype Desktop, and Windows Media Player.

Null Page: OFF for Java V8.

SEHOP: OFF for IE11 32-bit and 64-bit, Skype Desktop.

DEP: OFF for IE11 32-bit and 64-bit.

These exceptions arise from searching for issues with the above software sections "stopped working" in Reliability Monitor.

I use EMET V4.1 with Symantec Endpoint Protection V12.1.4a and have no issues.

I have fewer exceptions with Windows 7 and I have EMET V4 and V4.1 installed on client machines.

I always have Deep Hooks, Anti Detours, Banned Functions set ON as is default.

EMET works well and should be used. The concepts are very technical and the document you can download has the information you need.
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 40208877
EMET is also aware of some compatibility issues on its own, and sets a conservative setting for some items.
[screenshot: EMET defaults]
Those are some of the defaults EMET uses for different programs; there are others, but that is the basic idea. I would start with the defaults, then read the PDF that accompanies EMET for more details inside each mitigation. OPT-IN is best to start with. You can also see how M$ has chosen other more advanced defaults too, like the forbidding of Flash and ActiveX in Office documents:
[screenshot: EMET Excel forbidden modules]
-rich
 

Author Comment

by:DukewillNukem
ID: 40218737
OK, thanks. I got that far already; now I'll have to start with more 3rd-party tools, and even tougher, with self-coded apps.
Is there a list that M$ has published of what's supported?
 
LVL 94

Expert Comment

by:John Hurst
ID: 40219190
There are too many applications to list. EMET supports most things. Enable the application and test it.  You may have to adjust the settings. SEHOP, DEP and EAF are the most common to adjust.

If the application is not internet facing or used very much, there is no need to include it in EMET.
 

Author Comment

by:DukewillNukem
ID: 40219262
what are the typical internet facing applications?
 
LVL 94

Assisted Solution

by:John Hurst
John Hurst earned 500 total points
ID: 40219308
IE, Outlook, Skype and others are examples of internet facing applications. These are applications that connect to the internet to browse, chat, download and so on.

Here is an example of stuff I include in EMET.

I have been using EMET for over 3 years now and it does work quite well.

EMET-4.1-Settings.
 

Author Comment

by:DukewillNukem
ID: 40228819
OK, thank you. We do have a lot of "self-coded" applications, which I'm not sure about how they will behave once imported in EMET.
I assume you would start with the recommended settings first?
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 40228848
It's more trial and error, but you don't have to expect problems; EMET is made so that it hopefully won't interfere. The techniques in EMET happen around the executable, not to it. You can enable 2 protections without EMET: DEP and ASLR can be set by using the program peflags, and they add two tags inside the exe (EMET does not do this), and the OS will read them and apply DEP and ASLR. That is a more obtrusive way to enable some of the protections, but it will follow the exe to every OS. The others would have to be compiled into your EXEs' logic and execution trees. EMET allows you to get that advanced functionality without having to recode. EMET also allows you to opt out, and if you have issues after enabling it, you have to start to opt out of certain protections.
-rich
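The DEP and ASLR "tags" Rich describes live in the executable's own PE optional header, so you can inventory your self-coded apps for them before deciding what EMET still has to cover. The script below is an added example, not code from the thread or from EMET or peflags: it reads the DllCharacteristics field and reports the NX_COMPAT (DEP) and DYNAMIC_BASE (ASLR) bits; the stub PE header it builds is constructed for the demo, and the optional file-path argument is an assumption.

```python
# Added example (not from the thread): read the DEP/ASLR opt-in bits that
# peflags-style tools set in a PE optional header and the Windows loader honours.
import struct

DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",  # 64-bit high-entropy ASLR
    0x0040: "DYNAMIC_BASE",     # ASLR: image may be relocated
    0x0100: "NX_COMPAT",        # DEP compatible
    0x0400: "NO_SEH",
    0x4000: "GUARD_CF",
}

def read_dll_characteristics(data: bytes) -> int:
    """Return the DllCharacteristics field of a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20  # skip PE signature and 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ layouts.
    (chars,) = struct.unpack_from("<H", data, opt + 70)
    return chars

def mitigation_report(data: bytes) -> dict:
    """Summarise which loader-enforced mitigations the image opts into."""
    chars = read_dll_characteristics(data)
    names = [n for bit, n in DLL_CHARACTERISTICS.items() if chars & bit]
    return {"dep": bool(chars & 0x0100), "aslr": bool(chars & 0x0040),
            "flags": sorted(names)}

def make_stub_pe(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header (headers only, not runnable) for the demo."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       1, 0, 0, 0, opt_size, 0)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return dos + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    import sys  # pass a real .exe/.dll path to audit it; otherwise use the stub
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_stub_pe(0x0140)
    print(mitigation_report(blob))
```

An image with neither bit set will still be covered by EMET's own DEP/ASLR mitigations when added to its application list; the header only tells you what the OS applies by itself.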
 
LVL 94

Accepted Solution

by:
John Hurst earned 500 total points
ID: 40228885
Unless your hard coded applications have deeply embedded networking, you probably won't have to do much.

You need to install EMET and test it. That is what most of us have done. We have given you the outline here, so you just need to start.

Try EMET with recommended settings and see how it works. If that works well with adjustments, then stick with that approach.
 
LVL 94

Expert Comment

by:John Hurst
ID: 40229246
@DukewillNukem  - Good luck with EMET. It is new and it is good. I have every confidence it will improve. EMET 5 is in Tech Preview. I have tried it and I am waiting until the production version comes out.