Blue Team Starter Kit - Computer hardening with EMET
EMET is awesome.
Microsoft's Enhanced Mitigation Experience Toolkit (EMET) is also free and adds an extra layer of protection to computers. Released in the fall of 2009, EMET is currently at version 5.2, with a 5.5 beta available for download. Each application and program runs in a predefined way on a Windows-based OS. When malware infects a machine, it tries to take advantage of those predefined interactions. EMET attempts to hide that interaction from malicious software. This article will explore this idea further and discuss how to deploy EMET to an organization.
What is EMET?
When Windows XP was nearing end of support, we realized that we weren't going to meet that date. This led me to research ways of mitigating this issue. Soon after, I discovered EMET.
This wonderful tool added another layer of protection to our machines. The user guide has a good technical breakdown on all the protection features. The gist of it is that EMET attempts to randomize or hide how applications interact with the Windows OS. When malicious code attempts to run using a predictable process, EMET blocks and alerts on it.
EMET can be installed in the enterprise or even on a home computer. At home, simply download and install.
Its interface is easy to use. The main window features the ability to enable, disable, or opt in applications to the defense features. It also shows the processes EMET is protecting. Navigate to the "Application Configuration" window by clicking the Apps button. This is where individual protections can be enabled or disabled for each application.
These two windows are the main windows for configuring most of EMET's functionality. We'll talk more about configuration as we dive into deploying EMET.
How to deploy EMET
EMET can be deployed any number of ways. If your organization has Microsoft System Center Configuration Manager, congratulations, you win! If you don't, deployment will be a bit trickier, but still painless. Next week's article will cover PDQ Deploy, which is a low-cost option for deploying EMET (as well as other software). Before EMET can be deployed, some preparation work needs to be done.
I would highly recommend deploying it to a group of test users first. To set up a test group, identify one user and computer from each department. The more people added to the group, the better. Try to have a good relationship with these people; that relationship is key to getting prompt and informative feedback on any issues. Offer up something like personalized help for issues with EMET.
The reason for the test group is to ensure that the computers in an organization work with EMET. As great as EMET is, it can have issues with certain programs on the computer. I deployed EMET 4.0 to my organization without a hitch. I tried to push 5.0 and derped Microsoft Office and IE on all developer and mainframe machines. That was a fun morning! I resolved the issue on each computer quickly, but it caused some consternation. Do it once or twice and people will eventually forgive you. Do it more than that and it will be much harder to get new security initiatives deployed.
To configure EMET, open the interface by right-clicking the icon in the bottom right corner of the screen. The main interface shows the protections and the processes EMET is running on. Protection profiles can be imported or exported. Clicking the Import button offers some predefined profiles to use, including:
CertTrust
Popular Software
Recommended Software
Start with Recommended Software.
Next, click Apps to open the Application Configuration interface. This interface allows for the configuration of each individual protection on specific applications. When an application is blocked by EMET, a small pop-up appears in the bottom right corner of the screen. The pop-up contains information on which application was blocked and which defense fired. This is useful for troubleshooting when a legitimate application is blocked. To resolve the issue, uncheck the protection for that application. EMET requires a reboot after each change, but the issue may be resolved as soon as the box is unchecked.
That's the general idea of configuring EMET. Each organization and department is unique. Finding the right configuration can take time.
After finding the best configuration for your organization, you'll want central control of that configuration. This is possible with Group Policy. Group Policy allows for control of the options on the main interface. To gain control of the Application Configuration window, a logon script will need to be set up.
There are a few different ways to get the EMET options to show up in Group Policy. There will be links at the bottom of this post leading to those options. One of the great things about EMET is that a lot of information security professionals have written about it. The method I used was to drop the .adml and .admx files onto one of the Domain Controllers.
Check the more resources section for different methods on getting control of EMET.
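As an added example (not from the original post and not part of EMET itself), here is a computer startup script that ties together the deployment and the central control of the Application Configuration described above: it installs EMET silently when it is missing and imports the application profile exported from a tuned test machine, re-importing only when that profile changes. The share paths, the MSI file name and the install directory are assumptions to adjust; EMET_Conf.exe and its --import, --export and --list switches are EMET's own command-line tool, and the script runs as SYSTEM because importing a profile needs administrative rights.

```powershell
# Added example: computer startup script for EMET deployment and profile import.
# Assumptions (placeholders, adjust to your environment): the UNC share, the MSI
# name "EMET Setup.msi", and EMET 5.2's default install directory.
$ShareRoot  = '\\fileserver\emet$'                              # placeholder share
$Installer  = Join-Path $ShareRoot 'EMET Setup.msi'             # assumed MSI name
$ProfileXml = Join-Path $ShareRoot 'OrgProfile.xml'             # from: EMET_Conf.exe --export
$EmetConf   = 'C:\Program Files (x86)\EMET 5.2\EMET_Conf.exe'   # assumed default path
$StateDir   = Join-Path $env:ProgramData 'EmetDeploy'
$StampFile  = Join-Path $StateDir 'applied-profile.sha256'
$LogFile    = Join-Path $StateDir 'deploy.log'

function Write-Log([string]$Message) {
    New-Item -ItemType Directory -Path $StateDir -Force | Out-Null
    "$(Get-Date -Format s) $Message" | Add-Content -Path $LogFile
}

# 1. Install EMET if it is not present on this machine.
if (-not (Test-Path $EmetConf)) {
    Write-Log "EMET not found, installing from $Installer"
    $p = Start-Process -FilePath 'msiexec.exe' `
        -ArgumentList "/i `"$Installer`" /qn /norestart" -Wait -PassThru
    if ($p.ExitCode -ne 0 -and $p.ExitCode -ne 3010) {   # 3010 = success, reboot pending
        Write-Log "msiexec failed with exit code $($p.ExitCode)"; exit 1
    }
}

# 2. Import the tuned profile only when it has changed since the last run.
if (-not (Test-Path $ProfileXml)) { Write-Log "Profile $ProfileXml not reachable"; exit 1 }
$currentHash = (Get-FileHash -Path $ProfileXml -Algorithm SHA256).Hash
$appliedHash = if (Test-Path $StampFile) { (Get-Content $StampFile -Raw).Trim() } else { '' }
if ($currentHash -eq $appliedHash) {
    Write-Log "Profile unchanged ($currentHash), nothing to do"; exit 0
}

# Copy locally first so the import does not depend on the share staying up mid-import.
$localCopy = Join-Path $StateDir 'OrgProfile.xml'
Copy-Item -Path $ProfileXml -Destination $localCopy -Force
& $EmetConf --import $localCopy
if ($LASTEXITCODE -ne 0) { Write-Log "EMET_Conf --import failed with exit code $LASTEXITCODE"; exit 1 }
Set-Content -Path $StampFile -Value $currentHash
Write-Log "Applied profile $currentHash"

# 3. Record what is now protected; handy when a user reports a blocked application.
& $EmetConf --list | Add-Content -Path $LogFile
```

Imported settings apply to applications the next time they start, so the test group's feedback loop is still needed after the profile changes. Review deploy.log on a machine before widening the rollout to confirm the import succeeded and the protected-process list matches the exported profile.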
Conclusion
I'll reiterate the opening statement: EMET is awesome. It's free. Easy to use. There have been a lot of articles and guides written on it. Best of all, it adds an extra layer of protection to machines. There is some work and planning involved, but it will pay off in the end.
More resources
This post first appeared on Exploring Information Security.