sunhux
asked on
EMET deprecated but CIS Win 2019 benchmark still recommends enabling it
CIS hardening benchmarks for Win 2016 (pg 534) & 2019 (pg 463 & 690)
both indicated to enable EMET: attached.
However, the link below indicates it's been EOL, so does it
still make sense to install/enable EMET, or is there a newer
version of EMET?
https://support.microsoft.com/en-sg/help/2458544/the-enhanced-mitigation-experience-toolkit
Are ASLR & DEP also deprecated as well?
CIS_Microsoft_Windows_Server_2016_RT.pdf
CIS_Microsoft_Windows_Server_2019_RT.pdf
ASKER
> what is your hardening baseline
In our case, 2 teams of Ernst Young auditors practise
differently: one audits based on our organization's baseline
doc while the other team persisted in using CIS, as the
2nd team felt we 'simplified' our baseline (so that we have
fewer settings to comply with).
So to opt for something deterministic, we install EMET?
So to say, we should still adopt CIS Win 2019's benchmark
of enabling EMET, DEP, SEHOP, ASLR and, for crown jewels
like AD/DC, go for the 'high' settings that BTan suggested?
For low-criticality servers, opt for the 'low' settings?
ASKER
Are there any settings in Win2019, or does MS have articles for this?
We have Win2019 AD/DC servers.