EMET best practice

I just started to configure the EMET settings in GPO; however, I don't know how those settings will affect the software behaviour and how users will be affected.

Can somebody give some ideas how to start and what setting does what?

I.e. what happens when ASLR is set to "application opt-in", or when deep hooks, anti detours, banned functions, exploit action is set to enabled?
John, Business Consultant (Owner), commented:
It depends on the environment (operating system and programs) and you will have to do some testing. Use EMET V4.1 at this point for production machines and not the V5 Tech Preview.

I use the following settings in the Apps setup: Default (ON) except for:

EAF:  OFF for Acrobat Standard, IE11 (32-bit and 64-bit), Skype Desktop, and Windows Media Player.

Null Page: OFF for Java V8.

SEHOP: OFF for IE11 32-bit and 64-bit, Skype Desktop.

DEP: OFF for IE11 32-bit and 64-bit.

These exceptions arise from searching Reliability Monitor for "stopped working" entries for the above software.

I use EMET V4.1 with Symantec Endpoint Protection V12.1.4a and have no issues.

I have fewer exceptions with Windows 7 and I have EMET V4 and V4.1 installed on client machines.

I always have Deep Hooks, Anti Detours, Banned Functions set ON as is default.

EMET works well and should be used. The concepts are very technical and the document you can download has the information you need.
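John's exceptions come from matching "stopped working" entries to the applications EMET protects, and his later note that SEHOP, DEP and EAF are the mitigations most often adjusted. The script below is an added example (not from this thread, from Microsoft or from EMET itself) that automates that triage over Application-log style records. The event records are constructed sample data: the "Faulting application name" wording is the real Application Error event 1000 format, while the EMET event wording, the EMET.DLL / EMET64.DLL module names and the source name "EMET" are assumptions used only as sample input.

```python
import re
from collections import defaultdict

# Constructed sample events as (time, source, event id, message); not real telemetry.
# Event 1000 lines use the real "Faulting application name:" wording; the EMET
# lines use an ASSUMED wording for EMET's own notification event.
SAMPLE_EVENTS = [
    ("2014-05-02 09:14", "Application Error", 1000,
     "Faulting application name: iexplore.exe, version: 11.0.9600.17105, time stamp: 0x5367e3d6\n"
     "Faulting module name: EMET.DLL, version: 4.1.5227.0, time stamp: 0x52d8e6c1"),
    ("2014-05-02 10:02", "EMET", 2,
     "EMET detected SEHOP mitigation and will close the application: iexplore.exe"),
    ("2014-05-02 11:40", "Application Error", 1000,
     "Faulting application name: payroll.exe, version: 3.2.0.0, time stamp: 0x51234567\n"
     "Faulting module name: ntdll.dll, version: 6.1.7601.18247, time stamp: 0x521ea8e7"),
    ("2014-05-03 08:05", "EMET", 2,
     "EMET detected EAF mitigation and will close the application: AcroRd32.exe"),
    ("2014-05-03 08:06", "EMET", 2,
     "EMET detected EAF mitigation and will close the application: AcroRd32.exe"),
]

# The mitigations the thread reports as the most common ones to adjust.
COMMON_EXCEPTIONS = ("SEHOP", "DEP", "EAF")
# Names of EMET's injected DLLs (assumed here; confirm against your EMET build).
EMET_MODULES = ("emet.dll", "emet64.dll")

FAULT_RE = re.compile(
    r"Faulting application name: (?P<app>[^,]+),.*?Faulting module name: (?P<module>[^,]+),", re.S)
EMET_RE = re.compile(r"EMET detected (?P<mitigation>\w+) mitigation.*?: (?P<app>\S+)$")


def triage(events):
    """Group crash evidence per application so each app gets one decision."""
    findings = defaultdict(lambda: {"emet_mitigations": set(),
                                    "crashes_in_emet_dll": 0,
                                    "other_crashes": 0})
    for _when, source, event_id, message in events:
        if source == "EMET":
            m = EMET_RE.search(message)
            if m:
                findings[m["app"].lower()]["emet_mitigations"].add(m["mitigation"].upper())
        elif source == "Application Error" and event_id == 1000:
            m = FAULT_RE.search(message)
            if m:
                app = m["app"].strip().lower()
                if m["module"].strip().lower() in EMET_MODULES:
                    findings[app]["crashes_in_emet_dll"] += 1
                else:
                    findings[app]["other_crashes"] += 1
    return dict(findings)


def recommendations(findings):
    """Turn the evidence into the narrowest EMET change worth testing per app."""
    out = {}
    for app, f in findings.items():
        if f["emet_mitigations"]:
            # EMET named the mitigation itself: opt out only that one, for this app.
            out[app] = "test with " + ", ".join(sorted(f["emet_mitigations"])) + " opted out for this app"
        elif f["crashes_in_emet_dll"]:
            # Crash inside EMET's injected code but no named mitigation: bisect the usual suspects.
            out[app] = "crash inside EMET's DLL; opt out " + ", ".join(COMMON_EXCEPTIONS) + " one at a time"
        else:
            # No EMET evidence at all: do not loosen EMET for this app.
            out[app] = "no EMET evidence; investigate the application itself before changing EMET"
    return out


if __name__ == "__main__":
    for app, advice in sorted(recommendations(triage(SAMPLE_EVENTS)).items()):
        print(f"{app}: {advice}")
```

The point of the three-way split is that only the first two branches justify touching EMET: a crash with no EMET event and a non-EMET faulting module (payroll.exe above) is not evidence against the mitigation settings, and opting it out would reduce protection for nothing.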
Rich Rumble, Security Samurai, commented:
EMET is also aware of some compatibility issues on its own, and sets a conservative setting for some items.
(screenshot: EMET defaults)
Those are some of the defaults EMET uses for different programs; there are others, but that is the basic idea. I would start with the defaults, then read the PDF that accompanies EMET for more details on each mitigation. OPT-IN is best to start with. You can also see how M$ has chosen other, more advanced defaults too, like the forbidding of Flash and ActiveX in Office documents:
(screenshot: EMET Excel forbidden modules)
DukewillNukem (Author) commented:
OK, thanks. I got that far already; now I'll have to start with more 3rd-party tools, and, even tougher, with self-coded apps.
Is there a list that M$ has published of what's supported?
John, Business Consultant (Owner), commented:
There are too many applications to list. EMET supports most things. Enable the application and test it. You may have to adjust the settings. SEHOP, DEP and EAF are the most common to adjust.

If the application is not internet facing or used very much, there is no need to include it in EMET.
DukewillNukem (Author) commented:
What are the typical internet-facing applications?
John, Business Consultant (Owner), commented:
IE, Outlook, Skype and others are examples of internet-facing applications. These are applications that connect to the internet to browse, chat, download and so on.

Here is an example of stuff I include in EMET.

I have been using EMET for over 3 years now and it does work quite well.

DukewillNukem (Author) commented:
OK, thank you. We do have a lot of "self-coded" applications, which I'm not sure how they will behave once imported into EMET.
I assume you would start with the recommended settings first?
Rich Rumble, Security Samurai, commented:
It's more trial and error, but you don't have to expect problems; EMET is made so that it hopefully won't interfere. The techniques in EMET happen around the executable, not to it. You can enable 2 protections without EMET: DEP and ASLR can be set by using the program peflags, and they add two tags inside the exe (EMET does not do this), and the OS will read them and apply DEP and ASLR. That is a more obtrusive way to enable some of the protections, but it will follow the exe to every OS. The others would have to be compiled into your EXEs' logic and execution trees. EMET allows you to get that advanced functionality without having to recode. EMET also allows you to opt out, and if you have issues after enabling it, you have to start to opt out of certain protections.
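The "two tags inside the exe" Rich describes are the DYNAMIC_BASE and NX_COMPAT bits in the PE optional header's DllCharacteristics field, and they are exactly what the original question's "application opt-in" setting keys on: under opt-in, the OS randomizes only images that set DYNAMIC_BASE and (for 32-bit processes) applies DEP only to images that set NX_COMPAT, so a self-coded app built without those flags gets neither until EMET or an "always on" policy forces it. The script below is an added example, not code from this thread, from Microsoft or from EMET, that reads those bits so you can see in advance which of your own binaries opt in. It builds a constructed header-only PE image for demonstration; the field offsets follow the PE/COFF specification, and the `opt_in_report` / `build_sample_image` names are the example's own.

```python
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",       # 64-bit image can use the full address space for ASLR
    0x0040: "DYNAMIC_BASE",          # image can be relocated: eligible for ASLR under opt-in
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",             # image declares DEP compatibility: gets DEP under opt-in
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
PE32, PE32_PLUS = 0x10B, 0x20B


def read_pe_headers(image: bytes):
    """Return (optional-header magic, DllCharacteristics); raise ValueError on bad input."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)   # offset of "PE\0\0"
    coff = e_lfanew + 4                                   # 20-byte COFF file header
    opt = coff + 20                                       # optional header
    if opt + 72 > len(image):                             # DllCharacteristics is at opt+70
        raise ValueError("truncated PE headers")
    if image[e_lfanew:coff] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (size_of_optional,) = struct.unpack_from("<H", image, coff + 16)
    if size_of_optional < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (PE32, PE32_PLUS):
        raise ValueError(f"unexpected optional header magic 0x{magic:x}")
    # DllCharacteristics sits at offset 70 of the optional header for both PE32 and PE32+.
    (dll_characteristics,) = struct.unpack_from("<H", image, opt + 70)
    return magic, dll_characteristics


def flag_names(dll_characteristics: int):
    return [name for bit, name in sorted(DLL_CHARACTERISTICS.items()) if dll_characteristics & bit]


def opt_in_report(image: bytes):
    """What an 'application opt-in' DEP/ASLR policy would grant this image on its flags alone."""
    magic, dc = read_pe_headers(image)
    return {
        "pe32_plus": magic == PE32_PLUS,
        "aslr_under_opt_in": bool(dc & 0x0040),
        "high_entropy_aslr": magic == PE32_PLUS and bool(dc & 0x0020) and bool(dc & 0x0040),
        "dep_under_opt_in": bool(dc & 0x0100),
        "flags": flag_names(dc),
    }


def safe_report(image: bytes):
    """Same as opt_in_report but returns None for anything that is not a PE image."""
    try:
        return opt_in_report(image)
    except ValueError:
        return None


def build_sample_image(dll_characteristics: int, pe32_plus: bool = False) -> bytes:
    """Constructed header-only PE image for demonstration; it is not loadable."""
    size_opt = 240 if pe32_plus else 224
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew: PE signature right after DOS header
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32_plus else 0x14C, 0, 0, 0, 0, size_opt, 0x0002)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, PE32_PLUS if pe32_plus else PE32)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Usage: python pe_optin.py app1.exe app2.exe ...
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, safe_report(f.read()))
```

Two caveats when reading the output: `dep_under_opt_in` reports the flag only, and 64-bit processes receive DEP regardless of it; and a missing DYNAMIC_BASE is precisely the case EMET's mandatory ASLR setting exists for, which is why the thread's advice to start with opt-in and then tighten per application is the safe order.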
John, Business Consultant (Owner), commented:
Unless your hard-coded applications have deeply embedded networking, you probably won't have to do much.

You need to install EMET and test it. That is what most of us have done. We have given you the outline here, so you just need to start.

Try EMET with recommended settings and see how it works. If that works well with adjustments, then stick with that approach.

John, Business Consultant (Owner), commented:
@DukewillNukem - Good luck with EMET. It is new and it is good. I have every confidence it will improve. EMET 5 is in Tech Preview. I have tried it and I am waiting until the production version comes out.