EMET #rdproud


Security is gaining importance, allways connected, different devices, different cloud services, security is key in all of these scenarios.

Let’s talk about an older but not well-known security addon from Microsoft : EMET ( Enhanced Mitigation Experience Toolkit )


The toolset is designed to detect and block something from exploiting an existing application vulnerability. The most important part is that it is not depending on updated signature files but focuses on patterns so it can block new exploits before these are commonly known.

The toolset also has a feature that allows you to link one or more specific root CA’s to a ssl website. For more info you can read this blog : http://blogs.technet.com/b/srd/archive/2013/05/08/emet-4-0-s-certificate-trust-feature.aspx

It can be deployed by ESD and configured for the enterprise using standard AD policies. The emet policies are also part of the MS baseline policies. ( ex- EC or SSLF policies : see http://www.microsoft.com/en-us/download/details.aspx?id=16776 )

Okay , sound good let’s install the toolset and see what it does.


It’s an easy MSI setup, after setup


Let’s be wild and use the recommended settings.

As stated in the support documentation you can set rules on apps, executables and you can select allwayson, on if app opts in for the possibility or disabled.

The guide contains detailed information about how you could use enterprise tools ( such as system center configuration manager ) for deployment of applications and activation of the default configuration.


Looking at the settings we see that we can activate system wide settings and decide whether or not we allow specific apps to run the protection.


We’ve got a view on the running process and see if they are using EMET or not.


Looking at the apps page you can see that the recommended config enables protection for office apps and IE.


You can add applications by the GUI or you can use the commandline for importing an existing prefdefined list ( or you can create your custom list )

For example you can use emet_conf –import .\deployment\protection profiles\popular software.xml


You can see now that we have activated protection on a larger set of applications


It is considered good practice to run the tool in “audit only” mode before activating it on the environment.


This will not stop the process but will only report it to :

-> Eventviewer

-> Tray icon

-> Early warning ( this will send the info to Microsoft using error reporting )


You can then use scom to consolidate the event logs and verify the informatio. It would be very usefull to have the possbility to add a custom action to detection so we could customise our logging possbility.

So let’s give it a go, it’s a free toolset and adds an additional layer of security on your device.


Gino D


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s