EMET #rdproud

July 31, 2015

Hello,

Security is gaining importance, allways connected, different devices, different cloud services, security is key in all of these scenarios.

Let’s talk about an older but not well-known security addon from Microsoft : EMET ( Enhanced Mitigation Experience Toolkit )

https://technet.microsoft.com/en-us/security/jj653751

The toolset is designed to detect and block something from exploiting an existing application vulnerability. The most important part is that it is not depending on updated signature files but focuses on patterns so it can block new exploits before these are commonly known.

The toolset also has a feature that allows you to link one or more specific root CA’s to a ssl website. For more info you can read this blog : http://blogs.technet.com/b/srd/archive/2013/05/08/emet-4-0-s-certificate-trust-feature.aspx

It can be deployed by ESD and configured for the enterprise using standard AD policies. The emet policies are also part of the MS baseline policies. ( ex- EC or SSLF policies : see http://www.microsoft.com/en-us/download/details.aspx?id=16776 )

Okay , sound good let’s install the toolset and see what it does.

clip_image002

It’s an easy MSI setup, after setup

clip_image004

Let’s be wild and use the recommended settings.

As stated in the support documentation you can set rules on apps, executables and you can select allwayson, on if app opts in for the possibility or disabled.

The guide contains detailed information about how you could use enterprise tools ( such as system center configuration manager ) for deployment of applications and activation of the default configuration.

clip_image006

Looking at the settings we see that we can activate system wide settings and decide whether or not we allow specific apps to run the protection.

clip_image008

We’ve got a view on the running process and see if they are using EMET or not.

clip_image010

Looking at the apps page you can see that the recommended config enables protection for office apps and IE.

clip_image012

You can add applications by the GUI or you can use the commandline for importing an existing prefdefined list ( or you can create your custom list )

For example you can use emet_conf –import .\deployment\protection profiles\popular software.xml

clip_image014

You can see now that we have activated protection on a larger set of applications

clip_image016

It is considered good practice to run the tool in “audit only” mode before activating it on the environment.

clip_image018

This will not stop the process but will only report it to :

-> Eventviewer

-> Tray icon

-> Early warning ( this will send the info to Microsoft using error reporting )

clip_image020

You can then use scom to consolidate the event logs and verify the informatio. It would be very usefull to have the possbility to add a custom action to detection so we could customise our logging possbility.

So let’s give it a go, it’s a free toolset and adds an additional layer of security on your device.

Enjoy.

Gino D

Advertisements

Activating EndPoint Protection

June 12, 2012

Hello,
Using the config manager to provide security for your endpoint has never been easier. Let’s see how to activate the protection feature in config manager 2012.


Step 1 : Install the necesarry components.
You’ll need the EndPoint Protection Point and the Software Update Point in order to deploy signature updates.


Step 2 : Deploy signature updates for endpoint protection
Create automatic deployment rule.


Select the correct parameters.


Choose minimal detail level in order to reduce CPU on Config manager servers.


Select Definition Updates and product Forefront EndPoint Protection.

Run according to the proposed schedule.


Specify deployment details.


Hide notifications and supress reboots.


Generate an alert in order to be notified if compliancy or time offset is beyond the requested limits.


Set the additional options.

Create a new deployment package.



Complete the rest of the wizard.



Step 3 : activate the Endpoint protection client
Create a new client setting or update the default setting in order to activate the end-point protection.


Step 4 : Create antimalware and/or firewall policies


Step 5 : Verify the result !



Enjoy…
Technet Link : http://technet.microsoft.com/en-us/library/hh508770.aspx#BKMK_Step4