Information Security Blog

August 8, 2014

EMET, the security tool you haven’t heard about.

Microsoft’s Enhanced Mitigation Experience Toolkit, or EMET, is a free security tool that has been around for some time, but outside of a few circles, it hasn’t received the attention it deserves. Microsoft recently released version 5.0 of this tool, so it’s a great time to get acquainted if you are unfamiliar.

What is EMET?

EMET is a system tool from Microsoft that helps prevent vulnerabilities in software from being exploited.

As Microsoft Windows has matured through XP, Vista, 7, and 8, many security enhancements have been added to the underlying operating system, such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). ASLR randomly arranges the positions of key data areas of a program in memory, making it hard to know the memory position of an exploited function. DEP prevents code from being executed from a memory location that has been designated for data only.

Many older applications don’t take advantage of these enhancements unless they are rewritten to do so. EMET forces applications to use the built in security mechanisms in the OS, even if that application wasn’t written to use these enhancements.

Configuring EMET

When you install EMET, there is a configuration wizard. Accept the recommended settings:

Emet Image

Out of the box, EMET will help protect popular applications from Microsoft (Internet Explorer, Microsoft Office, etc.), as well as Adobe (Reader and Flash), and Oracle (Java) - without you having to configure anything!

On EMET’s main screen, a list of all running processes will show you which ones are protected by EMET. You can also toggle global settings. By default, DEP, ASLR, and SEHOP are “Opt In”. These can be set to Disabled, Application Opt In, Application Opt Out, and Always On. 10-D Security recommends experimenting with these settings in your environment. You will likely find that “Opt In” for DEP, SEHOP and ASLR will work best.

Emet Image

When configuring EMET, Microsoft provides a profile that includes other popular software such as Firefox and iTunes (and more!), and we recommend you use it. You can add these applications by clicking Import and selecting “Popular Software”. You will need to restart your machine for the changes to take effect.

Emet Image

EMET should work with most applications, but be aware that some won’t work without tweaking, and some may not work at all. When you manually add an application, EMET will automatically add all protections for that application, and this is where you may run into issues. For example, the first time I ran Google Chrome after adding it to EMET, Chrome griped that it “can’t run shockwave flash plugin”. Some quick Internet searching led to a post describing that SEHOP may need to be disabled for Chrome to work properly. Your mileage may vary.

Emet Image

Certificate Trust Pinning

Beginning in version 4.1 of EMET is Certificate Trust Pinning, which can help mitigate man-in-the-middle attacks that take advantage of revoked certificates. This EMET feature only applies to users of Internet Explorer.

Using EMET

EMET is generally unobtrusive, and only makes itself known if there is an issue.

When EMET detects a process attempting to operate outside of normal boundries, it will terminate that process, pop up an alert, and create an event log entry.

Emet Image Emet Image

Conclusion

Even in its default configuration, EMET offers system protections that aren’t normally available, with no performance or usability impact. Once you spend time with EMET and observe its behavior, start adding additional applications that you use - testing carefully.

Microsoft has also made it easy to deploy across your organization. Look for further information on this blog in the near future.

Ultimately, if you are using Microsoft Windows, there’s little reason not to use EMET, and 10-D Security recommends it as a way to increase workstation and server security.

EMET can be found at http://support.microsoft.com/kb/2458544, or just Google “Microsoft EMET”. There is a world of information on EMET on the web, as many organizations are using it to increase their security posture.

Authored By: David Matt, CEH