
EMET_USER_Guide


EMET User Guide
By Marc Larouche
3/1/2016
TABLE OF CONTENTS

Introduction
System Requirements
Configuration
Capabilities
Mitigations
  SEHOP
  DEP
  Heapspray Allocation
  Null Page Allocation
  ASLR
  EAF
  Bottom-up Randomization
  ROP
  ASR
  Advanced Mitigation for ROP
  Certificate Trust
  Untrusted Font Mitigation
Conclusion
Introduction

EMET stands for Enhanced Mitigation Experience Toolkit, a relatively new and free security tool from Microsoft. This utility helps prevent software exploitation even before a vendor can release a fix. It helps prevent "zero-day exploits": although it cannot guarantee that a vulnerability will not be exploited, it makes exploitation much more difficult. EMET does this by watching for 12 different techniques used in memory-corruption exploits. EMET can also help secure any application, regardless of the language it is written in or how old the application is. The EMET tool is very easy to install and configure and provides another layer of security for hardening your applications and your Microsoft Windows computer. You can download EMET 5.5.

System Requirements

Major versions of EMET are supported by Microsoft for 24 months after their release date, or for 12 months after the release date of the next major version, whichever comes first.

| Operating System                      | EMET 5.2 | EMET 5.5 |
|---------------------------------------|----------|----------|
| Windows 10                            | -        | Yes      |
| Windows 8.1                           | Yes      | Yes      |
| Windows Server 2012 R2                | Yes      | Yes      |
| Windows Server 2012                   | Yes      | Yes      |
| Windows 7 Service Pack 1              | Yes      | Yes      |
| Windows Server 2008 R2 Service Pack 1 | Yes      | Yes      |
| Windows Server 2008 Service Pack 1    | Yes      | Yes      |
| Windows Vista Service Pack 2          | Yes      | Yes      |

EMET requires Microsoft .NET Framework 4.5 to install; if it is not present, EMET will automatically install it for you.
Configuration

  • Profiles

EMET comes with two ready-made protection profiles, one called Recommended and the other called Popular. These protection profiles are XML files that list the software monitored and protected by EMET.

Recommended Software.xml: enables mitigations for Microsoft Internet Explorer, WordPad, Word, Outlook and the other applications that are part of the Microsoft Office suite, Adobe Acrobat, Adobe Reader, and Oracle Java.

Popular Software.xml: enables mitigations for everything in Recommended plus a dozen other common applications such as Chrome, RealPlayer, and Skype.

EMET also lets you add programs of your choosing for protection and modify their settings.

  • Configure EMET Using the Graphical User Interface

In Windows 7 and 10, enter "EMET" in the Start menu search box and click EMET GUI. In Windows 8 and 8.1, open the Start screen by pressing the Windows key, then click EMET GUI. You can also launch and configure EMET via the following steps.

Step 1: Right-click the EMET icon in the bottom right of the Taskbar and click Open EMET.
Step 2: Click Import.

Step 3: Highlight the Popular Software XML file and click Open to import it.

Step 4: Click the X in the upper right corner to close EMET. The following dialog box will appear. Click OK, then restart.

Step 5: Applications that are being protected by EMET show a green dot. In this image, Firefox is being protected by EMET mitigations.
Capabilities

With EMET you can configure system-wide policies or configure mitigations on a per-executable basis. Certificate pinning rules help prevent man-in-the-middle attacks by binding SSL certificates to a legitimate root certificate authority. Some applications may have compatibility issues with EMET, so testing is advised. Applications can be opted out of EMET mitigations if needed.

Mitigations

  • SEHOP: Structured Exception Handler Overwrite Protection. SEH overwriting is a common exploit technique that targets browser-based vulnerabilities. The SEHOP mitigation prevents an attacker from using the SEH overwrite exploitation technique.

  • DEP: Data Execution Prevention. DEP is a combined software and hardware solution that prevents execution of code from memory not explicitly marked as executable.

  • Heapspray Allocation: a heap spray is an attempt to place and run code at a predetermined location. This mitigation pre-allocates those memory addresses, blocking such attempts.

  • Null Page Allocation: blocks attackers from exploiting null dereferences in user mode. It does this by pre-allocating the first page of memory before a program starts.

  • ASLR: Address Space Layout Randomization randomizes the addresses at which modules are loaded, preventing an attacker from relying on data at predictable locations.

  • EAF: Export Address Table Access Filtering. This mitigation blocks malicious code from locating the address at which an API has been loaded.
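A small audit script for the profile XML that Step 3 imports, added here as an example (it is not part of this guide or of EMET): for each protected executable it lists which of the core mitigations described in the Mitigations section are absent or disabled, which is the check to run before and after editing a profile. The sample profile is constructed, and the element and mitigation names follow the EMET 5.x export layout as I recall it, so verify them against a file exported from your own EMET GUI.

```python
"""Audit which EMET per-application mitigations a protection profile enables.

Added example, not from the original guide. SAMPLE_PROFILE is constructed and
assumes the EMET 5.x layout <EMET><EMET_Apps><AppConfig><Mitigation/>; verify it."""
import xml.etree.ElementTree as ET

# Core memory-corruption mitigations the guide describes, using the names assumed
# for EMET profile files; ROP/ASR are left out as the guide flags them experimental.
CORE_MITIGATIONS = ("DEP", "SEHOP", "NullPage", "HeapSpray", "EAF",
                    "MandatoryASLR", "BottomUpASLR")

SAMPLE_PROFILE = r"""
<EMET Version="5.5">
  <EMET_Apps>
    <AppConfig Path="*\Mozilla Firefox" Executable="firefox.exe">
      <Mitigation Name="DEP" Enabled="true" />
      <Mitigation Name="SEHOP" Enabled="true" />
      <Mitigation Name="NullPage" Enabled="true" />
      <Mitigation Name="HeapSpray" Enabled="true" />
      <Mitigation Name="EAF" Enabled="true" />
      <Mitigation Name="MandatoryASLR" Enabled="true" />
      <Mitigation Name="BottomUpASLR" Enabled="true" />
    </AppConfig>
    <AppConfig Path="*\Legacy Vendor" Executable="legacy.exe">
      <Mitigation Name="DEP" Enabled="true" />
      <Mitigation Name="EAF" Enabled="false" />
    </AppConfig>
  </EMET_Apps>
</EMET>
"""

def load_profile(xml_text):
    """Return {executable: {mitigation name: enabled?}} for every AppConfig entry."""
    root = ET.fromstring(xml_text)
    return {app.get("Executable", "?"):
                {m.get("Name"): m.get("Enabled", "false").lower() == "true"
                 for m in app.findall("Mitigation")}
            for app in root.iter("AppConfig")}

def audit(apps, required=CORE_MITIGATIONS):
    """For each executable, list the required mitigations that are absent or disabled."""
    return {exe: sorted(m for m in required if not enabled.get(m, False))
            for exe, enabled in apps.items()}

if __name__ == "__main__":
    for exe, gaps in audit(load_profile(SAMPLE_PROFILE)).items():
        print(f"{exe:12} {'OK' if not gaps else 'missing: ' + ', '.join(gaps)}")
```

To audit a real profile, read the exported file's text and pass it to load_profile instead of SAMPLE_PROFILE.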
  • Bottom-up Randomization: randomizes the base address of bottom-up allocations (including the stack, heaps and other memory allocations).

  • ROP: the Return Oriented Programming mitigation. It is experimental and tries to block any exploit that relies on this technique.

  • ASR: Attack Surface Reduction. ASR reduces the exposure of at-risk applications by blocking the use of certain modules or plugins within the target application.

  • Advanced Mitigation for ROP: additional mitigations such as Deep Hooks, which protects lower-level APIs, and Anti Detours, which blocks attempts to bypass hooks by executing a copy of the hooked function. With this option enabled, shellcode that tries this technique is blocked.

  • Certificate Trust: an additional check by EMET to prevent man-in-the-middle attacks. EMET validates that the website certificate is valid and chains properly to the specified root CA.

  • Untrusted Font Mitigation: helps prevent both remote and local font-processing attacks by blocking font loading from outside the %windir%\Fonts directory.

Conclusion

EMET is a fine addition to a layered security approach that everyone should consider using, not just in the professional work arena but also at home. This security application is provided free of charge by Microsoft and can definitely help secure your systems and prevent a bad actor from compromising your home system. If you do on-line banking, I highly recommend you consider this along with your other security measures. As that old saying goes, better an ounce of prevention than a pound of cure :)

Marc Larouche
