asked on
EMET deprecated but CIS Win 2019 benchmark still recommends enabling it
CIS hardening benchmarks for Win 2016 (pg 534) & 2019 (pg 463 & 690)
both indicated to enable EMET : attached.
However, link below indicates it's been EOL so does it
still make sense to install/enable EMET or there's a newer
version of EMET?
https://support.microsoft.com/en-sg/help/2458544/the-enhanced-mitigation-experience-toolkit
Is ASLR & DEP also deprecated as well?
CIS_Microsoft_Windows_Server_2016_RT.pdf
CIS_Microsoft_Windows_Server_2019_RT.pdf
both indicated to enable EMET : attached.
However, link below indicates it's been EOL so does it
still make sense to install/enable EMET or there's a newer
version of EMET?
https://support.microsoft.com/en-sg/help/2458544/the-enhanced-mitigation-experience-toolkit
Is ASLR & DEP also deprecated as well?
CIS_Microsoft_Windows_Server_2016_RT.pdf
CIS_Microsoft_Windows_Server_2019_RT.pdf
Windows OSSecurity
Last Comment
btan
SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
> what is your hardening baseline
In our case, 2 teams of Ernst Young auditors practise
differently: one audit based on our organization's baseline
doc while the other team persisted on using CIS as the
2nd team felt we 'simplified' our baseline (so that we have
less settings to comply to).
So to opt for something deterministic, we install EMET?
So to say, we should still adopt CIS Win 2019's benchmark
of enabling EMET, DEP, SEHOP, ASLR and for crown jewel
like AD/DC, go for the 'high' settings that BTan suggested?
For low-criticality servers, opt for the 'low' settings?
In our case, 2 teams of Ernst Young auditors practise
differently: one audit based on our organization's baseline
doc while the other team persisted on using CIS as the
2nd team felt we 'simplified' our baseline (so that we have
less settings to comply to).
So to opt for something deterministic, we install EMET?
So to say, we should still adopt CIS Win 2019's benchmark
of enabling EMET, DEP, SEHOP, ASLR and for crown jewel
like AD/DC, go for the 'high' settings that BTan suggested?
For low-criticality servers, opt for the 'low' settings?
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
Any settings in Win2019 or MS has articles for this?
We have Win2019 AD/DC servers.