Enhanced Mitigation Experience Toolkit (EMET) version 5.5 Beta is now available
The Enhanced Mitigation Experience Toolkit (EMET) benefits enterprises and all computer users by helping to protect against security threats and breaches that can disrupt businesses and daily lives. It does this by anticipating, diverting, terminating, blocking, or otherwise invalidating the most common actions and techniques adversaries might use to compromise a computer. In this way, EMET can help protect your computer systems even from new and undiscovered threats before they are formally addressed by security updates and antimalware software.
EMET 5.5 Beta release includes new functionality and updates from EMET 5.2, including:
- Windows 10 compatibility
- Better configuration of various mitigations via GPO
- EAF/EAF+ pseudo-mitigation performance improvements
- Support for Windows 10’s new Untrusted font mitigation
- Various bug fixes
Benefits of EMET
Helps raise the bar against attackers. EMET helps protect against new and undiscovered threats even before they are formally addressed through security updates or antimalware software. EMET includes many security mitigations that complement other defense in-depth security measures, such as Windows Defender and antivirus software. EMET installs with default protection profiles, which are XML files that contain preconfigured settings for common Microsoft and third-party applications.
Works well for the enterprise. Enterprise IT professionals can easily deploy EMET through Microsoft System Center Configuration Manager and apply Group Policies in Windows Active Directory to comply with enterprise account, user, and role policies. EMET is highly customizable and administrators can choose which applications to protect with each mitigation technique.
EMET can even provide mitigation protections for legacy enterprise software that cannot easily be rewritten, or where the source code is not available.
The reporting capabilities in EMET are provided through a component called the EMET Agent, which allows enterprises to create logs and notifications for audit purposes. EMET customer support is available through Microsoft Premier Support Services. For more information on deploying EMET, visit the EMET Knowledge Base Article: KB2458544
Helps protect in a wide range of scenarios. EMET works for a range of Windows client and server operating systems and is compatible with most commonly used third-party applications, from productivity software to music players. When users browse secure HTTPS sites on the Internet or log on to popular social media sites, EMET can help further protect by validating Secure Sockets Layer (SSL) certificates against a set of administrator-defined rules.
Security mitigation technologies are designed to make it more difficult for an attacker to exploit vulnerabilities in a given piece of software. EMET enables customers to leverage these security mitigation technologies on their systems and provides several unique benefits:
No source code needed: EMET enables administrators to apply several of the available mitigations built-in to Windows (such as Data Execution Prevention) for individual applications without recompilation. This is especially useful for deploying mitigations on legacy software that was written before the mitigations were available, or when source code is not available.
Highly configurable: EMET provides a high degree of granularity by allowing mitigations to be individually applied on a per process basis. There is no need to enable the mitigations on an entire product or suite of applications. This is helpful in situations where a process is not compatible with a particular mitigation technology. When that happens, the administrator can simply turn that mitigation off for that process.
Helps harden legacy applications: It’s not uncommon to have a hard dependency on old legacy software that cannot easily be rewritten and needs to be phased out slowly. Unfortunately, this can easily pose a security risk as legacy software is notorious for having security vulnerabilities. While the real solution to this is migrating away from the legacy software, EMET can help manage the risk while this is occurring by making it harder for hackers to exploit vulnerabilities in the legacy software.
Helps verify SSL certificate trust while surfing websites: Given the increase in incidents of Certificate Authorities allowing the creation of fraudulent SSL certificates used to perform man-in-the middle attacks, EMET offers the possibility to enforce a set of pinning rules that can verify SSL certificates of specified domains against their issuing Root CA (configurable certificate pinning).
Allows granular plugin ‘deny list’ within applications: Modules and plugins, when loaded into an application, can increase its exposure to vulnerabilities and, consequently, to potential attacks. EMET addresses this by allowing the administrator to create ‘deny lists’ to prevent unwanted modules and plugins from loading within an application.
Ease of use: The policy for system wide mitigations can be seen and configured with EMET's graphical user interface, the command line tool or via Group Policy. There is no need to locate and decipher registry keys, or run platform dependent utilities. With EMET it is possible to adjust settings with a consistent interface regardless of the underlying platform.
The toolkit includes several pseudo mitigation technologies aimed at disrupting current exploit techniques. These pseudo mitigations are not robust enough to stop future exploit techniques, but can help prevent systems from being compromised by many of the exploits currently in use. The mitigations are also designed so that they can be easily updated as attackers start using new exploit techniques.
Mitigations in Windows 10
One of EMET’s original goals was to be a testbed for mitigations to add to the operating system. With Windows 10 we have implemented many features and mitigations that can make EMET unnecessary on devices running Windows 10. EMET is most useful to help protect down-level systems, legacy applications, and to provide Anti-ROP protection for 3rd party software that may not yet be recompiled using CFG.
Some of the Windows 10 features that provide equivalent (or better) mitigations than EMET are:
Device Guard: Device Guard is a combination of enterprise-related hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. Device Guard provides hardware-based zero day protection for all software running in kernel mode, thus protecting the device and Device Guard itself from tampering, and app control policies that prevent untrusted software from running on the device.
Control Flow Guard (CFG): As developers compile new apps, CFG analyzes and discovers every location that any indirect-call instruction can reach. It builds that knowledge into the binaries (in extra data structures – the ones mentioned in a dumpbin/loadconfig display). It also injects a check, before every indirect-call in your code, that ensures the target is one of those expected, safe locations. If that check fails at runtime, the operating system closes the program.
AppLocker: AppLocker is an application control feature introduced in Windows 7 that helps prevent the execution of unwanted and unknown applications within an organization's network while providing security, operational, and compliance benefits. AppLocker can be used in isolation or in combination with Device Guard to control which apps from trusted publishers are allowed to run.
For more information on Windows 10 security features please review the Windows 10 Security overview whitepaper on TechNet.
EMET 5.5 Beta and Edge
Given the advanced technologies used to protect Microsoft Edge, including industry leading sandboxing, compiler, and memory management techniques, EMET 5.5 mitigations do not apply to Edge.
We welcome feedback via Microsoft Connect.
Install EMET 5.5 Beta today!
We want to particularly thank FireEye for partnering with us.