November 11, 2014
EMET - The Ultimate Installation and Deployment Guide
Written by
David Kennedy
Penetration Testing
Security Testing & Analysis
The Enhanced Mitigation Experience Toolkit (EMET) is a free tool from Microsoft that adds protection against the exploitation techniques attackers use to compromise systems. If you are new to this, aren't super tech savvy, and are looking to install EMET for your home or personal use (don't worry! it's easy!!!), skip down to the "Installing EMET Step-by-Step" tutorial located just a little bit further down in this article.
Otherwise, keep reading on!
Common protection mechanisms such as Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP), and Safe Structured Exception Handling (SafeSEH) are protections built into Microsoft's newer operating systems. These protections provide a base level of security against known exploit methods. Hackers have gradually increased the sophistication of exploit development and have found ways of circumventing a large portion of these mitigation techniques.
EMET works by injecting EMET.dll into running executables to provide memory-level protections and mitigations against common exploit techniques. Nothing is perfect: several individuals have demonstrated how to circumvent EMET. However, exploitation does become much more difficult, and the bypass has to be built into the exploit itself. EMET 5.1, Microsoft's latest iteration of the tool, was released yesterday (November 10, 2014). The folks over at Microsoft continue to move the product forward by including fixes and enhancements with each release, making it both more compatible with several different products and more difficult to circumvent and bypass.
EMET 5.1 includes a number of fixes and enhancements which include:
• Several application compatibility issues between Internet Explorer, Adobe Reader, Adobe Flash, and Mozilla Firefox and some of the EMET mitigations have been solved.
• Certain mitigations have been improved and hardened to make them more resilient to attacks and bypasses.
• Added a “Local Telemetry” feature that allows locally saving memory dumps when a mitigation is triggered.
For individuals new to EMET, the way it works is that you first deploy EMET, baseline your applications, and create a template of the types of applications you want to cover within EMET. The big misconception in large organizations is that deploying EMET will break everything. The truth of the matter is that EMET only protects what is specified, tested, and configured within your configuration profile (XML). You actually have to specify which applications you want to protect under EMET (there are common templates that include basic applications). TrustedSec has done a number of large-scale implementations for enterprise customers with tens of thousands of assets; as long as the deployment is appropriately tested, EMET is relatively trivial and easy to deploy.
Then select the MSI to download.
Run the MSI file, select next.
Use the default installation path. For added security against automated attacks, you can change this directory, since some attackers look for the hardcoded EMET.dll path. Note that most memory-oriented attacks will simply check whether EMET.dll is loaded, not the path EMET was installed to.
Select "I Agree" and hit next.
This is where the installation takes place, select next to begin the installation phase.
Select "Use Recommended Settings" - we will be changing this shortly.
Select Finish to complete the installation.
Once the installation is complete, you should notice an icon on the bottom right hand side that looks like a lock.
Double click the lock icon, and you will get the default interface for EMET 5.1.
A couple of items for explanation: the lower "Running Processes" section lists the applications that are currently protected by EMET. Notice that in this screenshot we have not configured anything to be protected by EMET. By default, EMET protects common applications such as Java, Adobe, and Internet Explorer; it does not protect anything you do not specify beyond those common applications. Since we previously selected "Use Recommended Settings", it will select the default applications just mentioned (Java/Adobe/Internet Explorer). We will want to change this shortly. Note that a protected application has a green check mark under "Running EMET" on the lower right-hand side.
Since EMET works by injecting a DLL into the executable's memory space, whenever we configure a new process to be protected by EMET, we must close and restart that application (or service). It does not require a full reboot, just a restart of the services or applications themselves.
In the "System Status" section of EMET, ensure that DEP is set to "Always On", SEHOP to "Always On", and ASLR to "Application Opt In". The next setting is certificate trust pinning, which checks certificate security. This setting can be troublesome when deployed to common workstations and endpoints because certificate management across most of the Internet is extremely messed up. This typically triggers alerts for the end user and causes confusion. For endpoints, TrustedSec recommends potentially disabling this feature.
On the top middle there is a "Quick Profile Name:" field. We recommend setting this to "Maximum Security Settings". While we will be making some additional changes here shortly, the maximum security settings incorporate additional, more stringent security policies and protections.
Next, select the "Apps" button on the top middle left to open the application window:
On the top left section, ensure that "Deep Hooks", "Anti Detours", and "Banned Functions" are selected. These should all be highlighted, as they are default configurations of EMET 5.x. Also ensure "Stop on exploit" is selected. The only time you may want to deploy "Audit only" is during initial testing when you are experiencing application crashes. In audit mode, EMET notifies you when it would traditionally have blocked something instead of actually stopping it, so you can fine-tune EMET's protections and disable a specific mitigation that interferes with normal application functionality.
We should now see the application fully protected under "Running EMET" on the right hand side, indicated by a green check mark.
That's it! You are now protected. Walk through each of the processes and applications that you want protected to create your baseline.
Next, select a name (in this case we use "EMET Update"), navigate to the EMET 5.1 program files directory, and select the "EMET_Conf.exe" executable. For arguments, use the --import flag, which will import the XML file for us, and point it at our domain controller to pull the group policy from. In this case we use the example "serverdc1" and provide the path to the new policy we created in group policy, pointing at the XML we recently copied over, "EMET_Endpoint_Profile.xml".
We can also specify when to run this task: upon logon, daily, hourly, weekly, whatever your personal preferences are.
That's it! Phew. You should now have a scheduled task, and whenever you replace the XML file located in that group policy, it will automatically refresh across your user population without the need to deploy additional packages company-wide through something like SCCM.
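As an added example (not from the original article or from TrustedSec), here is a PowerShell wrapper the scheduled task above could run instead of calling EMET_Conf.exe directly: it checks the central profile against the System Status and Apps settings recommended earlier, then imports it. The share path, the EMET 5.1 install path, and the element and attribute names under <Settings> are assumptions based on the layout EMET 5 exports; adjust them to match your own exported XML.

```powershell
# Added example, not part of the original article. Validates an EMET profile
# against the recommended settings before importing it, so a mis-edited XML is
# not pushed to every endpoint by the scheduled task.
param(
    # Assumed UNC path on the domain controller (serverdc1 is the article's example).
    [string]$ProfilePath = '\\serverdc1\SYSVOL\EXAMPLE.LOCAL\Policies\EMET\EMET_Endpoint_Profile.xml',
    # Assumed install location; use "${env:ProgramFiles(x86)}" on 64-bit hosts if needed.
    [string]$EmetConf    = "$env:ProgramFiles\EMET 5.1\EMET_Conf.exe"
)

if (-not (Test-Path $EmetConf))    { throw "EMET_Conf.exe not found at $EmetConf" }
if (-not (Test-Path $ProfilePath)) { throw "Profile not found at $ProfilePath" }

# Values recommended in the article, keyed as "<Element>:<Attribute>" under <Settings>.
# Element and attribute names are an assumption based on EMET 5's exported XML.
$expected = @{
    'SystemSettings:DEP'               = 'AlwaysOn'
    'SystemSettings:SEHOP'             = 'AlwaysOn'
    'SystemSettings:ASLR'              = 'ApplicationOptIn'
    'ExploitAction:Value'              = 'StopProgram'   # "Stop on exploit", not "Audit only"
    'AdvancedSettings:DeepHooks'       = 'True'
    'AdvancedSettings:AntiDetours'     = 'True'
    'AdvancedSettings:BannedFunctions' = 'True'
}

[xml]$cfg = Get-Content -Path $ProfilePath -Raw
$settings = $cfg.EMET.Settings

# Collect every mismatch instead of stopping at the first one.
$problems = foreach ($key in $expected.Keys) {
    $element, $attr = $key.Split(':')
    $actual = $settings.$element.$attr
    if ($actual -ne $expected[$key]) {
        "$element/$attr is '$actual', expected '$($expected[$key])'"
    }
}
if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "Profile does not match the recommended settings; import aborted."
}

# Report how many applications the profile covers (EMET_Apps/AppConfig is assumed).
$appCount = @($cfg.EMET.EMET_Apps.AppConfig).Count
Write-Output "Profile OK: $appCount application entries, importing..."

& $EmetConf --import $ProfilePath
if ($LASTEXITCODE -ne 0) { throw "EMET_Conf --import failed with exit code $LASTEXITCODE" }
Write-Output "Import complete; protected applications must be restarted to pick up the change."
```

Schedule this script as the task's action; a profile that drifts from the recommended settings is then refused on every endpoint and logged as a warning rather than silently applied.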