Advanced Windows security using EMET

Solid Defense

Address Space Layout Randomization

ASLR is a technique from Vista onward that assigns programs memory address ranges on a random basis. The storage areas are thus no longer predictable, and attacks by buffer overflows can be prevented. The primary function of ASLR is to protect DLLs (Dynamic Link Libraries) and plugins.

Core functions and static dependencies, however, are not protected by ASLR. EMET is also unable to detect the state if you use new operating systems such as Windows 8 or applications such as Internet Explorer 11 or Microsoft Office 2013, where ASLR is enabled by definition. The operating system also writes a corresponding entry in the Windows Event Viewer.

Depending on the operating system you use, it is possible that not all security functions supported by EMET will be available. This is especially true for older versions of Windows, such as Server 2003. Administrators should therefore get to know the operating system-specific functions and limitations before using EMET.

Recommended Settings

The configuration wizard starts after installing EMET. It makes a number of choices when you select the recommended settings and also sets standard applications such as Microsoft Office, Internet Explorer, and certificate settings for well-known sites such as Facebook. You can make changes at any time. After starting EMET you will receive an overview of the system status. This provides information about the DEP, SEHOP, ASLR, and Certificate Trust functions.

The main menu also provides an overview of the local machine's processes running on the system. First, set the level of security that EMET should apply to the system in the ribbon bar in the EMET management console. Click in the drop-down box below Quick Profile Name and select the desired level of safety:

  • Recommended security settings
  • Maximum security settings
  • Custom security settings

The pre-selection Recommended security settings is recommended to start, in order to gain initial experience using EMET; this can be adjusted later if necessary changes arise during operation.

Also set where EMET should log its events in the ribbon bar. You should definitely leave the option for logging in the Windows Event Viewer enabled. You can use this option to collect and evaluate all events relevant to EMET centrally when using the corresponding add-on software, such as the Windows Event Collector service or the Audit Collection Services (ACS). Whether you want the option for displaying EMET events in the Windows computer's tray icon to remain active is a matter of taste and depends on whether you want to bother normal users with the task of viewing EMET events.

Next, click the Apps icon in the ribbon bar. This will open a new window for application configuration and lists all protection functions for individual processes. This way you will receive more interesting information about the protection possibilities for individual applications. At this point you can add additional applications, either by specifying the absolute name and the installation path of the application or by using a wildcard function and the corresponding application wildcards.

Next, set the default action in the ribbon bar – this is the action EMET responds with if an exploit is detected. The default is Stop on exploit and should be set to Audit only during the test phase to determine whether or not the EMET settings cause any impairments to the system and the installed applications. Once the test phase is over, change the default action back to Stop on exploit .

Protection Against Counterfeit Certificates

Another interesting function is the configuration of trusted certificates in the EMET management console. The tool checks the certification authorities used when accessing websites that are set as protected. Attackers often obtain valid certificates from another certification authority under false pretenses. These are recognized as valid by the browsers even though they do not belong to the actual site operators. An allegedly valid certificate appears if they perform a man-in-the-middle attack and redirect users to their fake site. EMET can therefore warn users if a certification body other than the one that is usually or previously defined is suddenly used.

Apart from a number of preinstalled websites such as Facebook, Yahoo, and Twitter, you can store websites by clicking the Trust icon in the Certificate Trust configuration ribbon bar in the EMET management console and entering additional websites in the Protected Websites tab.

Then, specify the Trusted Certification Authorities in the Pinning Rules tab. Click Add rule , enter a name for the new rule, and import the trusted certification authority. Generally, you should enable the PublicKey Match checkbox after the import. Certificates issued by the internal certification authority are now classified as trustworthy based on the list of Protected Websites and are thus protected against man-in-the-middle attacks.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

comments powered by Disqus
Subscribe to our ADMIN Newsletters
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs

Support Our Work

ADMIN content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.

Learn More”>


		<div class=