It’s becoming increasingly common to hear about vulnerabilities that are being actively exploited without a patch available for the affected product. At the same time, there are organizations that for a myriad of reasons (compatibility, budget, support or numerous other issues) have to rely on software that cannot be upgraded/patched, does not follow secure coding practices, or does not apply security features. To protect Windows PCs in these scenarios, Microsoft developed the free Enhanced Mitigation Experience Toolkit (EMET).
The Enhanced Mitigation Experience Toolkit is essentially an anti-exploit tool, applying exploit mitigation technologies such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) to applications and processes that don’t use them natively. It provides a simple interface that allows administrators to harden any number of applications, whether they’re from Microsoft or from other vendors. You can find the latest version (version 3.0 at this time) of EMET here. The .NET Framework 2.0 must be installed for EMET to work with Windows XP and Windows Server 2003. For all other supported versions of Windows, there are no additional requirements, and it can be used on both 32-bit and 64-bit systems.
Once installed, you can launch EMET from the command line or the GUI. The GUI is divided into two parts, one for the system status and one for the running processes. Figure A shows the interface on a Windows 7 system:
In the System Configuration section (Figure B) mitigations are configured system-wide, without having to specify the individual processes that should use them. The system options available differ depending on the operating system where EMET is installed. On Windows XP for instance, SEHOP (Structured Exception Handler Overwrite Protection) and ASLR are not available, although this in no way diminishes the usefulness of the tool for this operating system. At first it’s best to only use the recommended system security settings, since forcefully applying these mitigations to the entire system has the greatest potential for causing compatibility or stability issues.
The Application Configuration section (Figure C) is where you can enable individual mitigations for the different applications or processes on the system. By default the list is blank, but you can click the Add button to find specific executables on your system and enable the specific security mechanisms you want them to use. Since most zero-day attacks focus on Internet-facing applications, you might want to add all the web browsers installed on your system, installed Java instances, media players (Windows Media Player, VLC, QuickTime, etc.), and Adobe products.
Alternatively, EMET includes a number of predefined profiles covering common applications that can help you get started. These profiles (in XML format) can be found in the EMET installation folder under Deployment\Protection Profiles. There are three profiles included: Internet Explorer.xml, which enables mitigations for supported versions of that browser; Office Software.xml, which adds Microsoft Office and some Adobe products; and All.xml, which additionally covers other common applications. Figure D shows a portion of the products included in the All profile:
Notice that for individual applications there are additional mitigations available, including protections against techniques such as “heap spraying” and null dereferences. The EMET User Guide included in the installation folder provides a very good overview of all these mitigations and a compatibility guide for the different operating systems.
EMET 3.0 provides support for enterprise deployments using Group Policy or management tools such as Configuration Manager. For Group Policy, EMET includes an ADMX file with the same predefined profiles mentioned before, which can be enabled or disabled using GPOs. For those wishing to use scripts for deployment, EMET can also be configured from the command line. The EMET Notifier, a new feature added in this version, also helps organizations monitor EMET: it can write events to the Application log and present the user with notifications in the taskbar area when an application has been terminated due to an attempted exploit. Before performing a large-scale deployment, however, you should thoroughly test EMET with your applications, because there is a real risk of encountering compatibility or stability issues. Older applications in particular are more susceptible to compatibility problems.
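The Notifier’s Application log entries are only useful if somebody looks at them. The following PowerShell script is an added example (not from the article or from Microsoft’s EMET documentation) that pulls recent EMET events, separates process terminations from informational entries, and lists which executables trip mitigations most often, which is exactly the signal you want during a pilot, since a repeat offender is either an attack in progress or a compatibility problem to resolve before wider rollout. It assumes the Notifier logs under the event source name “EMET” and that the message text names the executable and the mitigation; both are assumptions, so adjust $Source and the regular expressions to match what your EMET build actually writes.

```powershell
# Added example, not part of the article or of EMET itself.
# ASSUMPTIONS: EMET Notifier events use the source name "EMET" in the
# Application log, and the message text contains the executable name and the
# mitigation that fired. Change $Source / the regexes if your build differs.
param(
    [int]    $Days   = 7,
    [string] $Source = 'EMET'
)

$since = (Get-Date).AddDays(-$Days)

# Get-EventLog exists on PowerShell 2.0, so this runs on the Windows 7 /
# Server 2008 hosts that EMET 3.0 is typically deployed to.
$events = @(Get-EventLog -LogName Application -Source $Source -After $since -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    Write-Output "No '$Source' events in the Application log since $since."
    return
}

# Mitigation names the article discusses; used only to tag each event.
$mitigations = 'DEP', 'ASLR', 'SEHOP', 'HeapSpray', 'NullPage', 'EAF'

$report = foreach ($e in $events) {
    $msg = $e.Message
    $exe = '(unknown)'
    if ($msg -match '([A-Za-z0-9_\-\.]+\.exe)') { $exe = $matches[1] }
    $hit = ($mitigations | Where-Object { $msg -match $_ }) -join ','
    if (-not $hit) { $hit = '(unparsed)' }
    New-Object PSObject -Property @{
        Time       = $e.TimeGenerated
        Level      = $e.EntryType
        Process    = $exe
        Mitigation = $hit
    }
}

# Error-level entries correspond to EMET terminating a process; those are the
# ones to forward to a SIEM or ticketing queue rather than leave on the host.
$blocked = @($report | Where-Object { $_.Level -eq 'Error' })

Write-Output ("EMET events: {0} total, {1} process terminations" -f @($report).Count, $blocked.Count)
$blocked | Sort-Object Time | Format-Table Time, Process, Mitigation -AutoSize

# Which executables are affected most often: the pilot triage list.
$report | Group-Object Process | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize
```

Run it on a pilot machine after a few days of normal use; anything that appears in the termination list for an application you know is not under attack is a compatibility issue to fix (usually by disabling one mitigation for that executable) before you push the profile by GPO.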
EMET is definitely not a silver bullet. It improves a PC’s security posture by making it very difficult to successfully exploit certain types of vulnerabilities, but it will not protect against others, such as cross-site scripting vulnerabilities. It’s best to consider it part of your defense-in-depth strategy, to be used in tandem with standard tools such as anti-malware and firewalls. That said, EMET is a very interesting security tool, with an easy-to-use interface and simple deployment options, that would make a fine addition to any Windows user’s security arsenal.