Deploying and Configuring EMET 4.1 with System Center Configuration Manager 2012 R2

Posted: May 7, 2014 in Configuration Manager, System Center Configuration Manager 2012

In this posting I will walk through deploying and configuring the Enhanced Mitigation Experience Toolkit (EMET) 4.1 Update 1 with System Center Configuration Manager 2012 R2.

Last week EMET 4.1 Update 1 was released and included new functionality and updates, such as:

• Updated default protection profiles, Certificate Trust rules, and Group Policy Object configuration.
• Shared remote desktop environments are now supported on Windows servers where EMET is installed.
• Windows Event logging mechanism allows for more accurate reporting in multi-user scenarios.
• Addressed several application-compatibility enhancements and mitigation false-positive reporting.

There is also a Technical Preview 2 of EMET 5.0 available, but since it is a preview it’s not recommended for production deployment at the moment.

I also encourage you to read the following articles before deploying in a production environment: EMET mitigations guidelines and The Enhanced Mitigation Experience Toolkit. These articles cover application-compatibility risks and other things to think about before rolling out at wide scale. I also encourage you to read the EMET User’s Guide that is part of the download to get familiar with the mitigation technologies, configuration options and application-compatibility testing results.

Supported Operating Systems and software requirements

In this walk-through I will deploy EMET 4.1 to Windows 8.1 Update systems; for a complete listing of supported operating systems see the EMET User’s Guide.

EMET 4.1 requires the Microsoft .NET Framework 4. Also, in order for EMET to work properly on Windows 8 and Windows Server 2012, Microsoft KB 2790907 – Compatibility update is available for Windows 8 and Windows Server 2012 must be installed as well.

EMET Configuration

EMET comes with two default Protection Profiles for applications and one protection profile for Certificate Trust. Protection Profiles are XML files that contain pre-configured EMET settings for common Microsoft and 3rd party applications. In the EMET installation directory, these files are in the Deployment\Protection Profiles folder. They can be enabled as-is, modified, or used to create new protection profiles.

The profiles that are included with EMET are:

  • Popular Software.xml: Enables mitigations for supported versions of Internet Explorer, Microsoft Office, Windows Media Player, Adobe Acrobat Reader, Java, WinZip, VLC, RealPlayer, QuickTime, Opera, etc.
  • Recommended Software.xml: Enables mitigations for common applications, including Internet Explorer, Microsoft Office, Adobe Acrobat Reader and Java.
  • CertTrust.xml: Enables certificate pinning rules for the login services of Microsoft Account, Microsoft Office 365, and Skype, and other popular online services such as Twitter, Facebook, and Yahoo!.

Both system and application mitigations can also be configured via the EMET Graphical User Interface or via the EMET Command Line Tool.

EMET also comes with Group Policy support. When EMET is installed, the EMET.admx and EMET.adml files are also installed to the “Deployment\Group Policy Files” folder. These files must then be copied into the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US folders respectively. Once this is done, EMET system and application mitigation settings can be configured via Group Policy.

These are the sets of policies that EMET exposes. Below is a description of each. More information can be found in the policy editor for each policy.

  1. System Mitigations: Named System ASLR, System DEP and System SEHOP, these policies are used to configure system mitigations. Please note that modifying system mitigation settings may require a reboot to be effective.
  2. Default Protection: There are three: Internet Explorer, Recommended Software, and Popular Software. Protection Profiles are pre-configured EMET settings that cover common home and enterprise software. Apply these policies to enable them.
  3. Application Configuration: This leads to a freeform editor where additional applications not part of the default protection profiles can be configured. The syntax is the application executable name followed by an optional list of mitigations that do not need to be enabled. If no mitigation is specified, all EMET application mitigations will be enabled.
  4. Default Action and Mitigation Settings: These settings are related to the advanced settings for the ROP mitigations, described in section 1.2.9, and for the default action when an exploit is detected (Audit only or Stop).
  5. EMET Agent Visibility: This setting allows you to automatically hide the EMET Agent icon in the tray area of the taskbar.
  6. EMET Agent Custom Message: This entry allows you to define a customized message that will be displayed in the alert that is shown when EMET detects an attack. The Tray Icon reporting setting must be turned on to display this message.
  7. Reporting: This entry allows you to toggle the reporting configuration for the Windows Event Log, the Tray Icon, and the Early Warning Program.

I will be using Protection Profiles, so refer to the User’s Guide for more information on the other options available.

Deploying EMET

With EMET enterprises can take advantage of their existing management infrastructure to deploy and configure EMET at a large scale. Both System Center Configuration Manager and Group Policy can be used to deploy and manage EMET across enterprise networks. I will focus on System Center Configuration Manager in this posting.

  1. The first step in deploying EMET is to download the EMET 4.1 Update 1 MSI. Once the MSI package has been obtained and placed in your content location, the steps below can be followed.
  2. From Software Library | Application Management | Applications, choose to Create Application.
  3. Keep the default type as Windows Installer (*.msi file) and browse to the source UNC path for the EMET Setup.msi, which you downloaded in step 1.
  4. The application details will be automatically derived from the MSI, along with the MSI product code (on the Import Information page).
  5. On the General Information page, you will be able to add any additional details for this application, and you’ll see a pre-populated command next to Installation program that has details on the MSI-based install of EMET. Edit the installation line to read: msiexec /i "EMET Setup.msi" /qn /norestart and change the install behavior to Install for system.
  6. Complete the wizard.
  7. From the application you just created, choose Deploy.
  8. Browse to the collection you want to target. (I’ve created a device collection containing the machines I want to deploy EMET to.)
  9. On the content page, choose your distribution points or distribution point groups.
  10. On the deployment settings page, choose the intended install settings (most likely this will be Required, unless you are just testing the deployment).
  11. Configure the deployment schedule, user experience, and alerts, then complete the wizard.
  12. You are now in the process of deploying the EMET client silently to all targeted clients. You can monitor the deployment progress of this application in Monitoring | Deployments.

Create the Package and Program to Configure EMET

Now that you have EMET deployed (or the deployment in progress), you will need to configure EMET for enhanced mitigation of your specified applications.  Without configuring EMET, the EMET client does nothing to offer enhanced application protection.  Here we’ll create a collection of clients reporting they have the EMET client installed, and we’ll target those with the configuration package.

Create the EMET Configuration Target Collection
  1. From Assets and Compliance | Device Collections choose to Create Device Collection.
  2. Name the Device Collection (EMET 4.1 Update 1 – Clients with EMET Installed), and choose the limiting collection.
  3. On the membership rules page, click Add Rule, and choose a Query Rule.
  4. Name the Query (EMET 4.1 Update 1 – Clients with EMET Installed), and choose Edit Query Statement.
  5. In the Criteria tab, click the yellow star.
  6. In Criterion Properties, keep the type as Simple value, and choose Select.
  7. Choose Installed Applications as the attribute class.
  8. Choose Display Name as the attribute.
  9. After clicking OK, click the Value button.
  10. Choose EMET 4.1 Update 1 from the list of values. (At least one system must have reported its hardware inventory after it installed the EMET client for this value to be populated. If it’s not in the list, simply type the value in.)
  11. After completing the query rule, choose how often you want to evaluate this collection. We will be targeting the EMET configuration to this collection, so evaluate it as often as you want clients that have recently installed EMET to be added to the collection. Also, keep in mind that this collection will only be populated with new clients that have installed EMET and then submitted their inventory information to the server. By default, inventory is sent every 7 days.
  12. Here you can see that the collection has been evaluated and 1 client that has EMET 4.1 Update 1 installed has been found and added to the collection.
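The collection the steps above build, as an added PowerShell example that is not part of the original post. It assumes the Configuration Manager console (and with it the ConfigurationManager PowerShell module) is installed where the script runs, uses PS1 as a placeholder site code and All Systems as the limiting collection, and expresses the wizard’s Installed Applications / Display Name criterion as the WQL the query rule stores.

```powershell
# Added example, not from the original post. Assumes the ConfigMgr console is installed
# (SMS_ADMIN_UI_PATH points at ...\AdminConsole\bin\i386) and that PS1 is a placeholder site code.
Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1"
Set-Location 'PS1:'

$collectionName = 'EMET 4.1 Update 1 - Clients with EMET Installed'
$displayName    = 'EMET 4.1 Update 1'   # Display Name as reported by hardware inventory

# WQL equivalent of the wizard criterion: Installed Applications -> Display Name = "EMET 4.1 Update 1".
# "Installed Applications" in the query designer is the SMS_G_System_ADD_REMOVE_PROGRAMS class.
$query = @"
select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
       SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORName, SMS_R_SYSTEM.Client
from SMS_R_System
inner join SMS_G_System_ADD_REMOVE_PROGRAMS
    on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID = SMS_R_System.ResourceId
where SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName = "$displayName"
"@

# Re-evaluate daily so clients that installed EMET and then sent inventory get the
# configuration package without waiting for a manual update (inventory itself defaults to 7 days).
$schedule = New-CMSchedule -RecurInterval Days -RecurCount 1

New-CMDeviceCollection -Name $collectionName `
                       -LimitingCollectionName 'All Systems' `
                       -RefreshType Periodic `
                       -RefreshSchedule $schedule | Out-Null

Add-CMDeviceCollectionQueryMembershipRule -CollectionName $collectionName `
                                          -RuleName $collectionName `
                                          -QueryExpression $query
```

EMET 4.1 installs under Program Files (x86), so the 32-bit Installed Applications class is the right one; if you later need to match a 64-bit installer, add the same criterion against Installed Applications (64), which is SMS_G_System_ADD_REMOVE_PROGRAMS_64. As the steps note, the collection stays empty until at least one client has sent inventory after installing EMET, regardless of how often it is evaluated.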

Create the EMET Configuration Package and Program
  1. Place the following 6 files in a source directory that you will use as the source for the EMET configuration package. You can get these files from the installation directory of the EMET client after you’ve installed the MSI on a client. (If you don’t include all of these files, EMET configuration will not work.)
     a. Popular Software.xml (from \Program Files (x86)\EMET 4.1\Deployment\Protection Profiles)
     b. EMET_Conf.exe (from \Program Files (x86)\EMET 4.1)
     c. HelperLib.dll (from \Program Files (x86)\EMET 4.1)
     d. MitigationInterface.dll (from \Program Files (x86)\EMET 4.1)
     e. PKIPinningSubsystem.dll (from \Program Files (x86)\EMET 4.1)
     f. SdbHelper.dll (from \Program Files (x86)\EMET 4.1)
  2. From Software Library | Packages choose to Create Package.
  3. Name the package, and choose This package contains source files. Provide the path where you are sourcing the files referenced in step 1.
  4. Choose Standard program.
  5. Name the program, and set the command line to EMET_Conf.exe --import "Popular Software.xml". (This is just an example, using the “Popular Software” protection profile provided by the EMET team. It is possible to modify this profile or use one of the other protection profiles provided by EMET. The file to be imported just needs to be referenced on the command line and included in the EMET configuration package.)
  6. Set the program to run hidden, and whether or not a user is logged on.
  7. Complete the wizard.
  8. After the package and program are complete, choose to deploy it.
  9. Pick the collection we created earlier as the target collection.
  10. On the content page, choose your distribution points or distribution point groups.
  11. On the deployment settings page, choose the intended install settings (most likely this will be Required, unless you are just testing the deployment).
  12. Configure the deployment schedule, user experience, and alerts, then complete the wizard.
  13. You are now in the process of deploying the EMET Configuration Package silently to all targeted clients. You can monitor the deployment progress of this package in Monitoring | Deployments.
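The package and program from the steps above, as an added PowerShell example that is not part of the original post. It assumes the ConfigurationManager module is already loaded with the site drive as the current location, and that \\server\share\EMET-Config is a placeholder path holding the six files from step 1; the check at the top enforces the warning in step 1 that EMET_Conf.exe will not run without its companion DLLs and the profile XML.

```powershell
# Added example, not from the original post. Assumes the ConfigurationManager module is loaded,
# the current location is the site drive (for example PS1:), and $source is a placeholder share.
$source   = '\\server\share\EMET-Config'
$required = 'Popular Software.xml', 'EMET_Conf.exe', 'HelperLib.dll',
            'MitigationInterface.dll', 'PKIPinningSubsystem.dll', 'SdbHelper.dll'

# Fail before creating anything if the source is incomplete: a package missing one of
# these files distributes fine but the program silently does nothing useful on clients.
$missing = $required | Where-Object { -not (Test-Path -LiteralPath (Join-Path $source $_)) }
if ($missing) { throw "Missing from ${source}: $($missing -join ', ')" }

$packageName = 'EMET 4.1 Update 1 - Configuration'
New-CMPackage -Name $packageName -Path $source | Out-Null

# Same command line as step 5; the profile name is quoted because it contains a space.
New-CMProgram -PackageName $packageName `
              -StandardProgramName 'Import Popular Software profile' `
              -CommandLine 'EMET_Conf.exe --import "Popular Software.xml"' `
              -RunType Hidden `
              -ProgramRunType WhetherOrNotUserIsLoggedOn | Out-Null
```

Deploying the program to the collection created earlier is then the same Deploy wizard described in steps 8 to 13. If you swap in a modified profile, change only the XML file name in the command line and the $required list; EMET_Conf.exe and the DLLs stay the same.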

Using EMET

It is possible to configure what actions EMET will perform when detecting an attack directly from the EMET GUI main window (this requires administrative privileges). The “Reporting” ribbon group contains three entries: Windows Event Log, Tray Icon, and Early Warning. (This can also be configured with Protection Profiles or with GPO.)

  1. If “Windows Event Log” is selected, EMET will write to the Windows Events Log.
  2. If “Tray Icon” is selected, the EMET Agent will display a pop-up that will warn the user, and will contain the details of the attack. (It is possible to configure a custom message for the reporting pop-up when an attack is detected.)
  3. If “Early Warning” is selected, EMET will generate a set of information related to the attack, including a memory dump and the type of mitigation that has been used to detect and stop the attack, and will send this information to Microsoft through the standard Microsoft Error Reporting channel. When Early Warning is enabled, users will have the opportunity to review the information sent to Microsoft in advance before transmitting it.

In my configuration I’ve enabled 1 and 2, so the end-user will get a notification in the taskbar notification area.

An event will also be written to the Windows Event Log. At this time, there is no way to surface EMET events (which are written to the event log on clients) into Configuration Manager. One option for surfacing events would be to use event forwarding and parse the results into SQL.
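One way to gather those client events for review, added here as an example that is not part of the original post. It assumes EMET writes its alerts to the Application log under the provider name EMET (confirm this in Event Viewer on a client that has shown a tray alert), and, for the forwarding option the text mentions, that a Windows Event Forwarding collector is already receiving client events in its ForwardedEvents log.

```powershell
# Added example, not from the original post.
# Assumption: EMET alerts land in the Application log with ProviderName 'EMET'
# (verify in Event Viewer). On a WEF collector the same records arrive in ForwardedEvents.
function Get-EmetEvent {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$LogName      = 'Application',   # use 'ForwardedEvents' on a collector
        [int]   $Days         = 7
    )
    $filter = @{
        LogName      = $LogName
        ProviderName = 'EMET'
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # SilentlyContinue: Get-WinEvent raises an error, not an empty result, when nothing matches.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Computer = $_.MachineName
                Time     = $_.TimeCreated
                EventId  = $_.Id
                Level    = $_.LevelDisplayName
                # First line of the message is enough to see which mitigation fired and where.
                Summary  = ($_.Message -split "`r?`n")[0]
            }
        }
}

# A flat CSV is the simplest hand-off into SQL (bulk insert) or a reporting tool.
Get-EmetEvent -LogName 'ForwardedEvents' -Days 30 |
    Export-Csv -Path "$env:TEMP\emet-events.csv" -NoTypeInformation
```

Run without parameters on a single client to check that the provider name assumption holds before building the collector side; once events are confirmed, the same function pointed at ForwardedEvents gives one place to watch for mitigation triggers across the estate, which is also where application-compatibility false positives from a new profile will show up first.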

More Information

Enhanced Mitigation Experience Toolkit
Enhanced Mitigation Experience Toolkit (EMET) Support (Technet Forums)
Application Compatibility Issues (Technet Forums)
EMET 4.0’s Certificate Trust Feature
Security Demo – How EMET 4.1 can secure your Windows OS
EMET 4.1 Uncovered
EMET 5.0 Review

  1. W. Spu says:

    This is a nice and useful manual and also very recent with Update 1 for EMET 4.1.

    I have two questions:
    a) Did you test EMET 4.1 Update 1 on Windows XP, Windows Vista or Windows Server 2003 R2? There seems to be a problem with the certificates used for signing the executables and dll files. The certificate can’t be verified and therefore you get a UAC warning that a program from an unknown publisher is trying to modify your system.

    b) Can someone download emet_test.exe with the different mitigations for testing?

  2. Works perfectly! Thank you
