Monday, December 31, 2012

Microsoft EMET

Over the holidays some of you may have seen some version of this story:
http://thenextweb.com/microsoft/2012/12/29/criminals-use-adobe-flash-and-new-ie-vulnerability-in-targeted-attacks-ie9-and-ie10-users-are-safe/

or if you are a security geek, this one:
https://community.rapid7.com/community/metasploit/blog/2012/12/29/microsoft-internet-explorer-0-day-marks-the-end-of-2012

Once again, a new 0-day Internet Explorer vulnerability was discovered that affects IE7 and IE8. On the 29th an exploit for it was added to Metasploit, and as they say, crimeware advances at the pace of Metasploit. (Metasploit is open source, so any programmer can see exactly what they did to exploit the bug and copy it if they have not already figured it out for themselves.)

You may note that aside from upgrading to IE9/IE10 there is a suggestion that you could mitigate this vulnerability by running EMET. The only realistic action for many businesses to take would be EMET.

This is not the first time you might have seen this suggestion, but most people I have talked to who are not well read on IT security have never even heard of EMET.

The tl;dr executive summary is:
EMET stops malicious code running in the context of legitimate programs by killing the whole process before the malicious code can do its damage. This allows us to protect against some exploits for unpatched vulnerabilities. It is free and MS supports it.


What does EMET do?
EMET (Enhanced Mitigation Experience Toolkit; I think that's a rather poor name, so I will always refer to it as EMET) is a free program from Microsoft (fully supported by MS) that lets you turn on various security mitigations that are built into Windows but are not often used by the software that runs on it.

DEP, ASLR, and SEHOP can be turned on at a system level (although they are not by default)
DEP, SEHOP, NULL Page, Heap Spray, Mandatory ASLR, EAF, and Bottom-up ASLR protections can be turned on for individual applications. (see manual for more info)

DEP is already mandatory on 64-bit Windows for all 64-bit processes, but not for 32-bit programs. All of the rest are optional, and often not implemented by software developers even when there is no reason they need to avoid them. EMET allows you to turn these protections on even for programs that were not designed for them. (Caution: some of these may break some programs, but they are easy to switch on and off.)
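As an added example (not code from the original post or from Microsoft), here is a PowerShell script that reports the system-wide state of the three mitigations just mentioned, which is useful to record before and after switching them on with EMET. It assumes the standard Windows locations for these settings, which the post does not name: the "nx" entry in the boot configuration for DEP, the DisableExceptionChainValidation value under Session Manager\kernel for SEHOP, and the MoveImages value under Session Manager\Memory Management for ASLR. Run it from an elevated PowerShell 3.0 or later prompt.

```powershell
# Added example, not from the original post: report the system-wide DEP, ASLR
# and SEHOP state that EMET's system-level settings drive.
# Assumptions (standard Windows locations, labelled here because the post does
# not name them):
#   DEP   - the "nx" boot entry read via bcdedit (OptIn/OptOut/AlwaysOn/AlwaysOff)
#   SEHOP - HKLM\...\Session Manager\kernel\DisableExceptionChainValidation
#           (0 = on; 1 or absent = off, the client default)
#   ASLR  - HKLM\...\Session Manager\Memory Management\MoveImages
#           (0 = off, 1 = opt-in, 0xFFFFFFFF = always on; absent = opt-in default)
function Get-SystemMitigationState {
    # DEP: bcdedit only prints an "nx" line when the policy has been set explicitly.
    $nxLine = bcdedit /enum '{current}' 2>$null |
        Where-Object { $_ -match '^\s*nx\s+' } |
        Select-Object -First 1
    $dep = if ($nxLine -and $nxLine -match '^\s*nx\s+(\S+)') { $Matches[1] } else { 'OptIn (no nx entry)' }

    # SEHOP: only a value of 0 means the exception-chain validation is enforced.
    $sehopKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'
    $sehopVal = (Get-ItemProperty -Path $sehopKey -ErrorAction SilentlyContinue).DisableExceptionChainValidation
    $sehop = if ($sehopVal -eq 0) { 'AlwaysOn' } else { 'Off' }

    # ASLR: a REG_DWORD of 0xFFFFFFFF reads back as the Int32 value -1.
    $aslrKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $aslrVal = (Get-ItemProperty -Path $aslrKey -ErrorAction SilentlyContinue).MoveImages
    $aslr = if ($null -eq $aslrVal) { 'OptIn (default)' }
            elseif ($aslrVal -eq 0)  { 'Off' }
            elseif ($aslrVal -eq 1)  { 'OptIn' }
            elseif ($aslrVal -eq -1) { 'AlwaysOn' }
            else                     { "Unknown ($aslrVal)" }

    [pscustomobject]@{
        DEP   = $dep
        SEHOP = $sehop
        ASLR  = $aslr
    }
}

Get-SystemMitigationState | Format-List
```

Run it once before deploying EMET and again afterwards; if the SEHOP and ASLR lines do not change after you set the system-level options, the settings have not taken effect (a reboot is required for the system-wide ones).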


EMET has 3 lists of defaults that can be set for applications. These defaults have already been tested by engineers at Microsoft. They can be set by importing one of the 3 default lists that come with it, or via GPO (more details below).



The default lists are:

Internet Explorer only:
 - Internet Explorer and its ActiveX plugins

Office Software:
 - Internet Explorer
 - MS Works
 - MS Office (Excel, Word, Power Point, Visio, Access, Outlook, Publisher, Infopath)
 - Power Point Viewer
 - Adobe Reader 8, 9, and 10
 - Adobe Acrobat 8, 9, and 10

Other popular Software (if using GPO):
(If you are importing from XML, "All" includes the lists above plus this list)
 - Windows Media Player
 - Skype
 - Microsoft Lync
 - Windows Live Writer
 - Windows Live Mesh
 - Windows Live Sync
 - Google Chrome
 - Google Talk
 - Mozilla Firefox
 - Mozilla Thunderbird
 - Adobe Photoshop
 - Winamp
 - Opera
 - WinRAR
 - WinZip
 - VideoLAN VLC
 - RealPlayer
 - mIRC
 - 7zip
 - Safari
 - QuickTime Player
 - iTunes
 - Pidgin
 - Java Runtime Environment 6

These are the settings tested and supported by Microsoft. In normal use, MS has not seen any problems with these settings. They do caution that you should test any other applications thoroughly before rolling out GPO settings to everyone.

How do I install it?
EMET is easy to install. Download the MSI from Microsoft. If you are installing on just a few machines run the MSI by double clicking and installing like any program. If you are using Active Directory GPO, it can be set up as assigned software the same as you are probably used to doing already.

How do I configure it?
EMET does nothing if you don't configure it.

If you are running it locally you can run the EMET GUI found in C:\Program Files (x86)\EMET\EMET_GUI.exe or just by typing EMET in the search on Windows 7 or higher.
Click on the "Configure Apps" button near the bottom, then the "File" menu, and click "Import".
Import the desired XML file from "C:\Program Files (x86)\EMET\Deployment\Protection Profiles\"

If you are using GPO, you will need to copy two files from "C:\Program Files (x86)\EMET\Deployment\Group Policy Files" to your domain's central share at "%logonserver%\SYSVOL\%userdnsdomain%\Policies\PolicyDefinitions\"
(if you don't already have this share, Google how to create a GPO Administrative Template central store)
EMET.admx goes in "%logonserver%\SYSVOL\%userdnsdomain%\Policies\PolicyDefinitions\"
EMET.adml goes in "%logonserver%\SYSVOL\%userdnsdomain%\Policies\PolicyDefinitions\en-US\"
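As an added example (not part of the original post and not Microsoft's own tooling), here is a PowerShell script that performs the two copies above and verifies them, using the same source and central-store paths. It assumes EMET is installed under C:\Program Files (x86)\EMET, that %logonserver% and %userdnsdomain% resolve on the machine you run it from, and PowerShell 4.0 or later (for Get-FileHash).

```powershell
# Added example, not from the original post: copy EMET.admx and EMET.adml into
# the Group Policy central store and verify the copies.
# Assumptions: EMET installed under "C:\Program Files (x86)\EMET"; the
# LOGONSERVER and USERDNSDOMAIN environment variables resolve; PowerShell 4.0+.
$Source       = 'C:\Program Files (x86)\EMET\Deployment\Group Policy Files'
$CentralStore = "$env:LOGONSERVER\SYSVOL\$env:USERDNSDOMAIN\Policies\PolicyDefinitions"

# The central store must already exist. Do not create it silently: if it is
# missing, the domain has not been set up for central ADMX templates yet.
if (-not (Test-Path -LiteralPath $CentralStore)) {
    throw "Central store not found at $CentralStore. Create the PolicyDefinitions central store first."
}

# The .admx goes in the root of the store, the language file in its en-US folder.
$Files = @(
    @{ Name = 'EMET.admx'; Dest = $CentralStore }
    @{ Name = 'EMET.adml'; Dest = (Join-Path $CentralStore 'en-US') }
)

foreach ($f in $Files) {
    $src = Join-Path $Source $f.Name
    if (-not (Test-Path -LiteralPath $src)) {
        throw "Missing $src; is EMET installed on this machine?"
    }
    if (-not (Test-Path -LiteralPath $f.Dest)) {
        New-Item -ItemType Directory -Path $f.Dest | Out-Null
    }
    Copy-Item -LiteralPath $src -Destination $f.Dest -Force

    # Confirm the copy matches the source before trusting the template.
    $dst      = Join-Path $f.Dest $f.Name
    $srcHash  = (Get-FileHash -LiteralPath $src -Algorithm SHA256).Hash
    $dstHash  = (Get-FileHash -LiteralPath $dst -Algorithm SHA256).Hash
    if ($srcHash -ne $dstHash) {
        throw "Hash mismatch after copying $($f.Name) to $($f.Dest)"
    }
    Write-Host "Deployed $($f.Name) to $($f.Dest) (SHA256 $dstHash)"
}
```

Because SYSVOL replicates to every domain controller, run this once from a workstation with domain admin rights rather than on each DC.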

Now you can make GPO settings in Group Policy Management.
You will find the settings under Computer Configuration > Policies > Administrative Templates > Windows Components > EMET

If you set EMET via GPO you will not see the settings in the GUI under the "Configure Apps" button. This only shows locally configured apps.

If you run “C:\Program Files (x86)\EMET\EMET_Conf.exe” --list from an administrator command line you will get a listing of every EMET setting, whether set locally or via GPO. GPO settings are prefixed with a >.


What will End Users notice if I install this on my Domain?
The EMET notifier takes 15MB of RAM; this is the program that runs in the System Tray to give a pop-up notice if EMET takes action. It is visible in the Task Manager.

Users may notice the EMET GUI icon in their start menu the first time they log in after it is pushed from GPO, as it will show as a newly installed program, highlighted in yellow.

The only other place it is visible to the end user is the System Tray icon:

...and of course in C:\Program Files (x86)\EMET

[UPDATE:
Despite Microsoft not finding problems with their default settings when this version of EMET was introduced, I have found that the current version of Google Chrome does not like its default EMET settings.
If you use Chrome don't use the GPO "Default settings for other popular software", you should manually set up your own settings for those programs so that you can override the Chrome settings. You can find what those defaults are by looking at All.xml.
So far I have found that Chrome seems to run OK with these options:
*\Google\Chrome\Application\chrome.exe -SEHOP

If you are importing the All.xml settings locally then you just need to uncheck the SEHOP option for Chrome in the "Configure Apps" screen.
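Tying together the EMET_Conf --list command from the configuration section and the Chrome/SEHOP finding above, here is an added PowerShell audit script (not code from the original post or from Microsoft) that splits the --list output into locally-set and GPO-set entries and warns about any Chrome entry that still has SEHOP enabled. It assumes that --list prints one configured application per line and, as stated earlier, that GPO-sourced lines start with a ">"; the exact column layout of each line is not relied on. The -UseSample switch runs it against a constructed sample of that output so it can be tried offline.

```powershell
# Added example, not from the original post: audit "EMET_Conf.exe --list" output.
# Assumptions: one entry per line; GPO entries prefixed with ">" (as the post
# states); mitigation names appear as words on the line. PowerShell 3.0+.
param([switch]$UseSample)

$EmetConf = 'C:\Program Files (x86)\EMET\EMET_Conf.exe'

if ($UseSample) {
    # Constructed sample, not real EMET output; the line format is an assumption.
    $Lines = @(
        'C:\Program Files (x86)\Internet Explorer\iexplore.exe DEP SEHOP NullPage HeapSpray EAF MandatoryASLR BottomUpASLR',
        '>*\Google\Chrome\Application\chrome.exe DEP SEHOP NullPage HeapSpray EAF MandatoryASLR BottomUpASLR',
        '>*\Adobe\Reader 10.0\Reader\AcroRd32.exe DEP SEHOP NullPage HeapSpray EAF MandatoryASLR BottomUpASLR'
    )
} else {
    if (-not (Test-Path -LiteralPath $EmetConf)) {
        throw "EMET_Conf.exe not found at $EmetConf"
    }
    # Run from an elevated prompt, as the post notes, or GPO entries may be missing.
    $Lines = & $EmetConf '--list' 2>&1 | ForEach-Object { $_.ToString() }
}

$Entries = foreach ($line in $Lines) {
    $t = $line.Trim()
    if ($t -eq '') { continue }
    $fromGpo = $t.StartsWith('>')
    if ($fromGpo) { $t = $t.Substring(1).Trim() }
    [pscustomobject]@{
        Source = if ($fromGpo) { 'GPO' } else { 'Local' }
        Entry  = $t
        # SEHOP on chrome.exe is the combination the post found breaks Chrome.
        ChromeWithSEHOP = ($t -like '*chrome.exe*') -and ($t -match '\bSEHOP\b')
    }
}

$Entries | Format-Table -AutoSize

$Entries | Where-Object { $_.ChromeWithSEHOP } | ForEach-Object {
    Write-Warning "Chrome still has SEHOP enabled via $($_.Source) settings: $($_.Entry)"
}
```

A warning for a GPO entry means the "Default settings for other popular software" policy is still applying to Chrome and needs the manual override described above; a warning for a Local entry means the SEHOP box for Chrome is still ticked in the "Configure Apps" screen. Check the command-line section of the user's guide before scripting the fix itself, since the flags available vary between EMET versions.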

Also make sure you read the manual that comes with it.
"C:\Program Files (x86)\EMET\EMET User's Guide.pdf"]


