The official blog of the Microsoft System Center Configuration Manager Product Group
You can use Configuration Manager to install the Enhanced Mitigation Experience Toolkit (EMET) 3.0 and subsequent configurations for applications to increase the security of applications on your managed systems. This blog walks you through the process of deploying and configuring EMET 3.0 using Configuration Manager.
The Enhanced Mitigation Experience Toolkit (EMET) 3.0 is designed to help prevent hackers from gaining access to your system, by adding additional security to any application configured for enhanced mitigation. One of the primary benefits of EMET is in hardening legacy applications that either don’t have up-to-date security mitigations in-code, or that haven’t been patched to the latest versions. Without vendor-provided updates to these applications, or adding the additional security controls and recompiling the application, there would be no easy way to secure them from exploitation. That’s where EMET comes in.
EMET leverages a Windows shim infrastructure called the Application Compatibility Framework. Using this framework, EMET applies the specified mitigations to each application configured for enhanced mitigation in a way that adds no additional resource overhead to the monitored applications. Full details on the latest release of EMET can be found here. EMET 3.0 can be downloaded from here.
EMET 3.0 also provides out of box protection profiles that add mitigation for some common applications. These can be applied to clients with EMET installed, by running a simple configuration binary. Additionally, the XML schema used in the protection profiles is straightforward, and can be easily modified to add your applications to the list of mitigated apps, and updated configurations can of course be delivered by Configuration Manager. As with any application you plan on deploying, it’s important to test EMET against your desired applications thoroughly before deploying to production.
The first step in deploying EMET is to download the EMET 3.0 MSI. After you have the MSI, then do the following steps. In this example, I’m going to reference building an application in Configuration Manager 2012, but the same thing could be accomplished with packages, programs, and advertisements using Configuration Manager 2007.
Now that you have EMET deployed (or the deployment in progress), you will need to configure EMET for enhanced mitigation of your specified applications. Without configuring EMET, the EMET client does nothing to offer enhanced application protection. Here we’ll create a collection of clients reporting they have the EMET client installed, and we’ll target those with the configuration package.
So the goal of this blog is twofold: one, I wanted to raise everyone’s awareness of the EMET tool itself, and two, I wanted to provide a simple way you can use Configuration Manager to deploy the EMET client and to configure it. At this time, we don’t have a way to surface EMET events (which are written to the event log on clients) into Configuration Manager, but we’re always investigating ways to make our solutions better together so it’s functionality we know that you need in the future. One option for surfacing events would be using event forwarding and parsing the results into SQL, but that’s outside of the scope of this particular blog. The main point is that EMET is an awesome tool for application hardening, and Configuration Manager is an excellent way to deploy and configure EMET.
This posting is provided "AS IS" with no warranties, and confers no rights.
The upgrade does not seem to work 100%. When you manually run the upgrade and reboot the system when it is finished - EMET_Notifier.exe fails upon boot. If you run the shortcut it self heals the application and lays down more files that were not originally done during the upgrade. Am I the only one experiecing this? I guess one solution for pushing this zero touch to exisitng environment is to run the repair after the upgrade is finished. I am not sure if this will work before the reboot though. THe voicewarmupx logging does show errors. But the install says successful. Strange behavior from an msi routine.
Too much work to get something that should be single click simple done. EMET is a great idea, poory implemented. For EMET to really be considered seriously, it should know how to install and protect out of the box rather than requiring this much setup.
Es bastante complicado poner esta actualizacion de seguridad ¿no podrían hacer algo menos dificil para el usuario, o tendremos que cambiar de buscador y listo?