Microsoft's Enhanced Mitigation Experience Toolkit: An overview

Number: TR13-001
Date: 27 February 2013

Audience

This Technical Report is intended for IT professionals and managers within federal, provincial/territorial and municipal governments; critical infrastructure; and other related industries. The recipients of this product may further distribute it to technical stakeholders within their organization.

Purpose

The purpose of this Technical Report is to provide IT security personnel with an overview of Microsoft's Enhanced Mitigation Experience Toolkit (EMET).  This document may be used by system administrators, IT security operations centres, and other related technology groups.

Background

The Enhanced Mitigation Experience Toolkit (EMET) is a utility developed by Microsoft to help protect the Windows Operating System platforms against exploitation of vulnerabilities through a series of security mitigation technologies.  EMET does not replace other information security solutions; rather, it is meant to supplement existing safeguards.  While it may not prevent all possible exploitation attempts, the security mitigation technologies implemented by EMET, when used appropriately, make exploitation significantly more difficult.

According to Microsoft, some of the key benefits of EMET are:

Capabilities

EMET supports client and server based operating systems.  The current version (3.0) allows security mitigation technologies to be configured for the system and applications.  Mitigations applied to the system will impact the entire system while mitigations applied to the applications will only impact the specified applications.

Please note:  Installing EMET does not automatically provide any additional protection.  By default, the system mitigation settings are unchanged (operating system default) and the application mitigation is not configured.  Certain security mitigation technologies could break some applications.  It is therefore highly recommended to thoroughly test the desired EMET configuration before deploying it into a production environment.

System mitigation technologies

The following system mitigation technologies are supported (if supported by OS).  The default system mitigation settings will depend on the operating system.

Data Execution Prevention
The DEP mitigation “is a memory protection mitigation that marks” the stack and heap for a process as non-executable.  “Any attempt to execute malicious code from these regions will be denied at the processor level.”

Structured Exception Handler Overwrite Protection
The SEHOP mitigation “protects against currently the most common technique for exploiting stack overflows in Windows.”

Address Space Layout Randomization
“ASLR randomizes the addresses where modules are loaded to help prevent an attacker from leveraging data being loaded at predictable locations in memory.  Exploits relying on data at fixed addresses will fail.”

Application mitigation technologies

The following application mitigation technologies are supported (if supported by OS).  By default, application mitigation is not configured.

Data Execution Prevention
See definition in the above section.

Structured Exception Handler Overwrite Protection
See definition in the above section.

Null Page pre-allocation
The NullPage mitigation is “designed to prevent potential null dereference issues in user mode.  Currently there are no known ways to exploit them and thus this is a defense in depth mitigation technology.”

Common heap spray address pre-allocation
The HeapSpray mitigation “is designed to pre-allocate common memory addresses in an attempt to block heap spraying attacks.  Please note that it only aims to break current exploit that take advantage of common addresses.”

Export Address Table Access Filtering
The EAF mitigation “blocks the most common approach used by exploits to look up the location of a function” (exposed by Windows) “which involves scanning the export address table of loaded libraries. It is highly effective at blocking exploits currently being used.”

Mandatory Address Space Layout Randomization
“ASLR randomizes the addresses where modules are loaded to help prevent an attacker from leveraging data at predictable locations.”  The MandatoryASLR mitigation “forces all modules to be loaded at randomized addresses regardless of what flags they were compiled with.  Exploits relying on data at fixed addresses will fail.”

Bottom-Up virtual memory randomization
The BottomUpASLR mitigation “randomizes (8 bits of entropy) the base address of bottom-up allocations (including heaps, stacks, and other memory allocations).”

Supported mitigation settings

The following tables illustrate the supported mitigation settings for each operating system:

System Settings

Operating system         DEP    SEHOP    ASLR
Windows XP               X      No       No
Windows Server 2003      X      No       No
Windows Vista            X      X        X
Windows Server 2008      X      X        X
Windows 7                X      X        X
Windows Server 2008 R2   X      X        X

Application Settings

Operating system         DEP    SEHOP    NULL Page    Heap Spray    Mand. ASLR    EAF    Bottom-Up
Windows XP               X      X        X            X             No            X      X
Windows Server 2003      X      X        X            X             No            X      X
Windows Vista            X      X        X            X             X             X      X
Windows Server 2008      X      X        X            X             X             X      X
Windows 7                X      X        X            X             X             X      X
Windows Server 2008 R2   X      X        X            X             X             X      X
32-bit processes         X      X        X            X             X             X      X
64-bit processes         X      No       X            X             X             X      X

Configuration checklist

The following configuration checklist is intended to help organizations quickly configure EMET for their environment.

Checklist (each item is marked "Completed" once done)

1. Download and install Microsoft EMET on a single test workstation.
   http://www.microsoft.com/en-us/download/details.aspx?id=29851

2. Configure system mitigation settings.

   DEP, SEHOP, and ASLR can be configured for the system.  Their availability depends on the operating system (see supported mitigation settings).  The available settings are:

   Disabled - Disables the mitigation technology for the system and all applications

   Application Opt In - Allows all applications that are compiled to support the mitigation technology to use it

   Application Opt Out - Forces all applications to use the mitigation technology unless they are compiled to opt out of it

   Always On - Forces the mitigation technology for the system and all applications

   The operating system defaults are recommended.  For Windows 7 SP1, the default settings are “Application Opt In” for DEP, SEHOP and ASLR.  Security can be increased by changing DEP and SEHOP to “Application Opt Out”.  Maximum security can be achieved by changing DEP to “Always On” and SEHOP to “Application Opt Out”.

3. Configure application mitigation settings.

   DEP, SEHOP, NullPage, HeapSpray, EAF, MandatoryASLR, and BottomUpASLR can be configured for each application.  Applying a mitigation technology to an application will force it upon the associated process without recompilation.

   i) Import an EMET Protection Profile.  There are three (3) profiles that ship with EMET:

      Internet Explorer.xml - Enables mitigations for Microsoft Internet Explorer (supported versions)

      Office Software.xml - Enables mitigations for Microsoft Internet Explorer (supported versions), Microsoft Office 10-14, Adobe Acrobat 8-10, and Adobe Acrobat Reader 8-10

      All.xml - Enables mitigation for common applications, in addition to the applications covered by “Internet Explorer.xml” and “Office Software.xml”.

   ii) Alternatively, a custom protection profile can be defined.

      When adding an application, all seven (7) mitigation technologies are enabled by default.  This can be changed by unchecking the box under the desired mitigation technology.

4. Deploy your EMET configuration in your testing environment.

   If system mitigation settings have been changed from the operating system default, all applications should be thoroughly tested.  Otherwise, testing can be limited to the applications listed in the configured protection profile.

5. Deploy your tested configuration in your production environment.

   EMET can be deployed using System Center Configuration Manager.  A package that contains the program and configuration can be created and installed.  System-level and application-level mitigation settings can be configured via Group Policy.  Policy files are installed in the “Deployment\Group Policy Files” folder.

6. Monitor event logs.

   EMET events are logged in the Windows Event Log.  The logs can be found under the Application log, with the “EMET” event source.  These events can be viewed locally using the Event Viewer or remotely using Windows Management Instrumentation (WMI).

   When an application crashes due to a mitigation technology, a message with the event information will be displayed via a tooltip in the taskbar notification area.

Recommendation

EMET has been demonstrated to be highly successful at protecting applications against memory overflow or memory corruption vulnerabilities.  Organizations should consider using the Microsoft EMET utility on enterprise hosts, especially users' workstations, to help prevent vulnerabilities in software from being exploited.  Deployment on enterprise servers, especially high-load ones, requires additional testing of each of EMET's mitigation technologies to avoid affecting mission-critical services.

Using EMET, paired with other defence-in-depth technical security solutions, including application whitelisting technology, can significantly improve an organization's resilience to various cyber threats.

Organizations should also consider leveraging Windows Event Forwarding to collect the EMET events logged on each host.  The EMET-generated logs provide, among others, information messages associated with EMET configuration and status changes and with applications that EMET has interrupted.  By forwarding these events to a Windows Event Collector service, security teams may be able to rapidly identify Windows hosts under potential attack.

http://msdn.microsoft.com/en-us/library/windows/desktop/bb427443(v=vs.85).aspx
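As an added illustration of the monitoring described in checklist step 6 and in the paragraph above (example code, not from this report or from EMET), the following PowerShell script pulls EMET events from the Application log of one or more hosts and summarizes them per host and severity, which is the same data a Windows Event Forwarding subscription would deliver to a collector. The host list and the look-back window are placeholders.

```powershell
# Added example (not part of the CCIRC report or of EMET): collect EMET events
# from the Application log (event source "EMET", as the report states) on one
# or more hosts and summarize them so an operations team can spot hosts where
# a mitigation has fired repeatedly.
# Assumptions (placeholders): the host list and the look-back window below.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),   # local host by default
    [int]$LookBackHours     = 24
)

$since  = (Get-Date).AddHours(-$LookBackHours)
$filter = @{ LogName = 'Application'; ProviderName = 'EMET'; StartTime = $since }

$summary = foreach ($computer in $ComputerName) {
    try {
        # Remote collection uses the same event log RPC path the Event Viewer
        # relies on; the caller needs read access to the remote Application log.
        $events = Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # Get-WinEvent raises an error (rather than returning nothing) when no
        # event matches the filter; treat that as "no EMET activity".
        if ($_.Exception.Message -like 'No events were found*') { $events = @() }
        else { Write-Warning "$computer : $($_.Exception.Message)"; continue }
    }

    # One row per host and event level.  The message text carries the affected
    # application and mitigation, so the most recent one is kept for triage.
    $events |
        Group-Object LevelDisplayName |
        ForEach-Object {
            $latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
            [pscustomobject]@{
                Host        = $computer
                Level       = $_.Name
                Count       = $_.Count
                LastSeen    = $latest.TimeCreated
                LastMessage = ($latest.Message -replace '\s+', ' ')
            }
        }
}

# Hosts with many Warning/Error rows in a short window deserve a closer look.
$summary | Sort-Object Host, Level | Format-Table -AutoSize -Wrap
```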

Reporting

Critical infrastructure operators and provincial/territorial/municipal governments potentially affected by cyber incidents are encouraged to contact CCIRC at: cyber-incidents@ps-sp.gc.ca.

References

  1. Microsoft Corporation, Enhanced Mitigation Experience Toolkit v3.0 User Guide
    http://www.microsoft.com/en-us/download/details.aspx?id=29851
  2. Microsoft Corporation, What's EMET and how can you benefit? (Enhanced Mitigation Experience Toolkit)
    http://blogs.windows.com/windows/b/springboard/archive/2011/03/04/what-s-emet-and-how-can-you-benefit-enhanced-mitigation-experience-toolkit.aspx

Note to Readers

In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.

Please note that CCIRC's PGP key has recently been updated.
http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/_fl/CCIRCPublicPGPKey.txt

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: ps.communications-communications.sp@canada.ca
