Using EMET.

Hello,

We are being advised by our security vendor to install EMET on all of our production servers.

I have never heard of EMET before.  I know it comes from Microsoft.  If someone has used it, please share your experience as to whether there are any side effects on servers, especially on SQL, Exchange and Active Directory domain controller servers.

We already have antivirus software running on each server.  I have not seen the advantage of running this additional tool yet and am not sure if it will cause any issues.

Please advise.  

Thanks.
nav2567 asked:
John (Business Consultant, Owner) commented:
EMET 5.5 is a security add-in to Windows and is no longer being developed. Windows 10 Defender V1709 includes the necessary elements of EMET.

So I would suggest you do not need to use it at this point. Use your own AV and keep your Windows Servers fully patched.

Here is information on the EMET Toolkit.

https://support.microsoft.com/en-us/help/2458544/the-enhanced-mitigation-experience-toolkit
btan (Exec Consultant) commented:
EMET is not an AV and supposedly is MS's way to augment other AV for free. It has evolved, and its latest version, 5.5, will EoL by July 31, 2018. MS has no intent to extend or further enhance it. Anyway, EMET is not that bad if you want an extra check on the machine, and using its best-practice template to protect against malware exploiting common vulnerable software (MS Office, Adobe, IE, etc.) can help.

But note that it is not of Enterprise calibre, as it does not provide any centralised management capability; it is still standalone for individual users. See this feedback:
First, many of EMET’s features were not developed as robust security solutions. As such, while they blocked techniques that exploits used in the past, they were not designed to offer real durable protection against exploits over time. Not surprisingly, one can find well-publicized, often trivial bypasses, readily available online to circumvent EMET.

Second, to accomplish its tasks, EMET hooks into low-level areas of the operating system in ways they weren’t originally designed. This has caused serious side-effects in both performance and reliability of the system and the applications running on it. And this presents an ongoing problem for customers since every OS or application update can trigger performance and reliability issues due to incompatibility with EMET.

Finally, while the OS has evolved beneath it, EMET hasn’t kept pace. While EMET 5.5x was verified to run on Windows 10, its effectiveness against modern exploit kits has not been demonstrated, especially in comparison to the many security innovations built-in to Windows 10.
https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/
But if you are into this kind of defence from MS, you should check out their ATP. Recently it was reported detecting spy tools used by LE too.
https://www.securityweek.com/windows-defender-atp-detects-spyware-used-law-enforcement-microsoft

bbao (IT Consultant) commented:
To be honest, I am wondering if your security vendor really understands what EMET is...
Shaun Vermaak (Technical Specialist) commented:
CIS Microsoft Windows Server 2012 R2 Benchmark v1.1.0 still contained EMET. It has been removed since CIS Microsoft Windows Server 2012 R2 Benchmark v2.1.0. It was a valid security recommendation at the time.
nav2567 (Author) commented:
Thanks All.  

Is there a guideline as to how to use GPO to configure EMET globally?
John (Business Consultant, Owner) commented:
You can use this management guide for EMET and adapt it to V5. Remember that it is not supported, so documents are not necessarily kept up to date.

https://cloudblogs.microsoft.com/enterprisemobility/2012/05/15/deploying-and-configuring-the-enhanced-mitigation-experience-toolkit-emet-3-0-with-system-center-configuration-manager/
btan (Exec Consultant) commented:
Here is another guide:
If you have deployed EMET in an enterprise setting you have probably realized there are basically 2 different ways to push a configuration to the clients.  One is to use the .admx/.adml files that are under the deployment folder when you install EMET, and the other method is to export a configuration from a client and import it on another client via the emet_conf --export / --import command line tool.
https://blogs.technet.microsoft.com/kfalde/2014/04/29/configuring-emet-via-gpogpp-wo-using-the-admx-files/
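As an added example (not code from the thread or from either guide), the second method above scripted end to end: export the configuration from the tuned reference server the script runs on, push it to other servers with EMET_Conf.exe --import, list what applied, and pull recent EMET events as the reliability check the asker was worried about for SQL and Exchange hosts. The host names, the default EMET 5.5 install path, the use of `--list` and the "EMET" Application-log provider name are assumptions.

```powershell
# Added example, not code from the thread: export a tuned EMET 5.x configuration from
# the machine this runs on and push it to other servers with EMET_Conf.exe --import,
# then list what applied and check for EMET events (the side-effect signal).
# Assumptions: EMET 5.5 is installed on every machine at the default path, PowerShell
# remoting (5.0+) is enabled, and EMET logs to the Application log as provider "EMET".
param(
    [string[]] $Targets  = @('sql01', 'exch01'),          # constructed placeholder hosts
    [string]   $LocalXml = "$env:TEMP\emet_baseline.xml"
)

$emetConf  = Join-Path ${env:ProgramFiles(x86)} 'EMET 5.5\EMET_Conf.exe'
$remoteXml = 'C:\Windows\Temp\emet_baseline.xml'

# 1. Export the configuration from this (already tuned) reference server.
& $emetConf --export $LocalXml
if (-not (Test-Path $LocalXml)) { throw "export failed: $LocalXml not written" }

foreach ($t in $Targets) {
    $s = New-PSSession -ComputerName $t
    try {
        # 2. Copy through the session so the target never needs share credentials.
        Copy-Item -Path $LocalXml -Destination $remoteXml -ToSession $s

        Invoke-Command -Session $s -ScriptBlock {
            param($exe, $cfg)
            if (-not (Test-Path $exe)) {
                Write-Warning "$env:COMPUTERNAME: EMET_Conf.exe not found, skipping"
                return
            }
            & $exe --import $cfg | Out-Null
            # 3. Show the per-application mitigation table as EMET now holds it.
            & $exe --list

            # 4. Reliability check: an EMET event on a server process (SQL, Exchange,
            #    lsass) usually means a mitigation fired on legitimate code.
            Get-WinEvent -FilterHashtable @{
                LogName      = 'Application'
                ProviderName = 'EMET'
                StartTime    = (Get-Date).AddDays(-1)
            } -ErrorAction SilentlyContinue |
                Select-Object TimeCreated, Id, Message
        } -ArgumentList $emetConf, $remoteXml
    }
    finally {
        Remove-PSSession $s
    }
}
```

Run it on the reference server after the configuration has been tested there; any EMET events it returns from the targets are the first place to look before rolling the same template to further servers.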