Advanced Windows security using EMET
Solid Defense
Using Microsoft's Enhanced Mitigation Experience Toolkit (EMET) [1], you can prevent attackers from exploiting security gaps in the software installed on your Windows computers. The mitigation technologies EMET applies cannot eliminate security risks completely, but they are a meaningful complement to other security measures.
Such measures include installing the latest security updates, using Windows Firewall with Advanced Security, and using User Account Control (UAC). Additionally, EMET provides a configurable function for determining the trustworthiness of SSL certificates; this function aims to detect and prevent man-in-the-middle attacks.
Installing EMET
You can download EMET for free from Microsoft's website [2]. For use in companies, you have the option of distributing EMET using System Center Configuration Manager (SCCM) or the software distribution functions of Active Directory group policies (more on that later). The configuration of EMET can be automated using group policies and administrative templates (ADMX files). EMET supports all current Windows versions. For clients, these are:
- Vista SP2
- 7 SP1
- 8
- 8.1
The tool supports the following versions on the Windows Server side:
- 2003 SP2
- 2008 SP2
- 2008 R2 SP1
- 2012
- 2012 R2
On Windows Server 2003, a few limitations apply; they are described in the release notes and the EMET user guide, both of which are part of the EMET download. Read the user guide before using EMET, because it expands on the important configuration steps and provides an overview of the EMET protection technologies.
Centralized Rollout
For large-scale distribution of EMET, you can use SCCM, group policies, or any other method that is capable of distributing MSI packages. The steps for distributing the EMET application using SCCM are:
- Create an application in the SCCM management console based on the MSI file from the EMET download (Figure 1).
- Create an SCCM package and program.
- Assign the package to an SCCM device collection or create a new device collection.
The EMET user guide and the TechNet websites provide detailed information about distributing EMET using SCCM. Microsoft KB article 816102 [3] provides further information if you want to distribute EMET using group policies.
Once you have successfully distributed EMET in your network, you can centralize its configuration using group policies and administrative template files. Copy the files EMET.ADMX and EMET.ADML from the installation directory into the PolicyDefinitions directory on a domain controller or on a workstation with the Remote Server Administration Tools (RSAT) installed. To use the Central Store for group policies instead, copy the ADMX and ADML files into the PolicyDefinitions directory of the Active Directory domain's SYSVOL share.
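The Central Store copy described above, scripted in PowerShell as an added example (not part of the original article or of the EMET download). It assumes the EMET templates sit in the hypothetical path passed as EmetDir, that the caller has write access to SYSVOL, and it places the ADML file in a language subfolder (en-US by default), which is where Group Policy looks for ADML files.

```powershell
function Publish-EmetTemplates {
    param(
        [Parameter(Mandatory)] [string]$EmetDir,        # folder holding EMET.admx/EMET.adml (assumed)
        [string]$Language = 'en-US',                    # ADML files live in a per-language subfolder
        [string]$Domain   = $env:USERDNSDOMAIN          # DNS name of the AD domain
    )
    $admx = Join-Path $EmetDir 'EMET.admx'
    $adml = Join-Path $EmetDir 'EMET.adml'
    foreach ($f in @($admx, $adml)) {
        if (-not (Test-Path $f)) { throw "Template file not found: $f" }
    }

    # The Central Store in SYSVOL is read by every GPMC console in the domain.
    $store = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
    if (-not (Test-Path $store)) {
        # Without a Central Store, GPMC falls back to the local PolicyDefinitions folder.
        Write-Warning "No Central Store at $store; using the local PolicyDefinitions folder."
        $store = Join-Path $env:SystemRoot 'PolicyDefinitions'
    }

    $langDir = Join-Path $store $Language
    New-Item -ItemType Directory -Path $langDir -Force | Out-Null
    Copy-Item -Path $admx -Destination $store   -Force
    Copy-Item -Path $adml -Destination $langDir -Force

    # Confirm both files landed where Group Policy expects them.
    $result = [pscustomobject]@{
        Store = $store
        Admx  = Join-Path $store   'EMET.admx'
        Adml  = Join-Path $langDir 'EMET.adml'
    }
    foreach ($p in @($result.Admx, $result.Adml)) {
        if (-not (Test-Path $p)) { throw "Copy failed: $p" }
    }
    return $result
}

# Hypothetical installation path; adjust to where your EMET setup placed the templates.
Publish-EmetTemplates -EmetDir 'C:\Program Files (x86)\EMET\Deployment\Group Policy Files'
```

After the copy, the EMET settings appear in the Group Policy Management Editor under the administrative templates, from where they can be assigned to the device collections that received the MSI package.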
EMET on the Command Line
The EMET_Conf.exe tool is available to administrators wanting to configure EMET on the command line. This approach does not, however, offer the full scope of the EMET GUI. Running EMET_Conf.exe without any configuration switches lists all available command-line options. You can determine which protection function should be active for an application in the application settings (Figure 2).