Uploaded on


More in: Business , Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads


Total Views
On Slideshare
From Embeds
Number of Embeds



Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

    No notes for slide
  • Prior-service Army, Pre-WarBoth Private Sector and Defense experience
  • Man has used firewalls to protect our assets (our flock)Worked very well for a long time – only security strategyFlaming brick wall, good to goFirewalls became more advanced, so did attacksEvading firewall, going for weaker members of the flock
  • These days difficult to protect the flockIt can be so difficult, in part sheep don’t protect themselves
  • So what have we done?
  • Building fences to corral the sheep Intended boundaries – sheep don’t knowThis worked pretty wellThen what happened?
  • The pentesters come inAs soon as ASLR created, bypass naturally followed
  • Security Development Lifecycle Progress Report2004 – 2010 41 consumer apps, millions of usersDEP without ASLRLine-of-business apps
  • Two Drop Down listsSo what’s better than a fence?
  • Sheepdog
  • Version 4.0 released June 2013Version 1.0 released Oct 2009Both servers and workstationsFree utility from MS .net 4.0 – No other dependenciesNo signatures or updatingNo whitelist or blacklistNo guessingJust good programmingPart of Windows 8 STIG
  • Blacklisting is deadHBSS can’t provide good defaults
  • So let’s go through an EMET installation
  • One choice to makeService is installed and running, launch client
  • This is GUIBottom is the list of running processes
  • Sheepdog
  • Calls to external binary files go through the Import Address TableWorks for both static and dynamically linked dllRedirects call to windows to Shim addressWhat all this means – you don’t talk to Windows without EMET
  • All happen simultaneously
  • 14 Default Trusted Roots – Necessary?
  • Sheepdog
  • Sheepdog
  • Some code so bad
  • Sheepdog
  • Whatever you’re using now
  • GPO or script through CLISupport with existing contract
  • Jonathan Ness from MSSupport with valid Support Contract or through forum


  • 1. Employing EMET for Application Security
  • 2. GCIA, GCIH, GSEC, CCNA, CISSP @dacoursey
  • 3. EMET
  • 4. MS Office Acrobat Flash Java
  • 5. DEP ASLR SEHOP etc…
  • 6. Progress Report ASLR DEP
  • 7. What is it?
  • 8. But what about…
  • 9. What does it NOT do?
  • 10. Deployment
  • 11. Management
  • 12. Microsoft’s Strategy
  • 13. Questions?
  • 14. http://blogs.technet.com/b/srd/archive/2010/12/08/on-the-effectiveness-of-dep-and-aslr.aspx?Redirected=true https://blogs.technet.com/b/srd/archive/2009/02/02/preventing-the-exploitation-of-seh-overwrites-with-sehop.aspx?Redirected=true https://blogs.technet.com/b/security/archive/2012/08/08/microsoft-s-free-security-tools-enhanced-mitigation-experience-toolkit.aspx?Redirected=true http://technet.microsoft.com/en-us/library/dd837644(v=ws.10).aspx