Deploying and configuring the Enhanced Mitigation Experience Toolkit (EMET) 3.0 with System Center Configuration Manager

You can use Configuration Manager to install the Enhanced Mitigation Experience Toolkit (EMET) 3.0 and subsequent configurations for applications to increase the security of applications on your managed systems.   This blog walks you through the process of deploying and configuring EMET 3.0 using Configuration Manager.

The Enhanced Mitigation Experience Toolkit (EMET) 3.0 is designed to help prevent hackers from gaining access to your system, by adding additional security to any application configured for enhanced mitigation.  One of the primary benefits of EMET is in hardening legacy applications that either don’t have up-to-date security mitigations in-code, or that haven’t been patched to the latest versions.  Without vendor-provided updates to these applications, or adding the additional security controls and recompiling the application, there would be no easy way to secure them from exploitation.  That’s where EMET comes in.

EMET leverages a Windows shim infrastructure called the Application Compatibility Framework.  Using this framework, EMET applies the specified mitigations to each application configured for enhanced mitigation in a way that adds no additional resource overhead to the monitored applications.  Full details on the latest release of EMET can be found here.  EMET 3.0 can be downloaded from here.

EMET 3.0 also provides out of box protection profiles that add mitigation for some common applications.  These can be applied to clients with EMET installed, by running a simple configuration binary.  Additionally, the XML schema used in the protection profiles is straightforward, and can be easily modified to add your applications to the list of mitigated apps, and updated configurations can of course be delivered by Configuration Manager.  As with any application you plan on deploying, it’s important to test EMET against your desired applications thoroughly before deploying to production.

Create the Application to Deploy the EMET Client

The first step in deploying EMET is to download the EMET 3.0 MSI.  After you have the MSI, then do the following steps.  In this example, I’m going to reference building an application in Configuration Manager 2012, but the same thing could be accomplished with packages, programs, and advertisements using Configuration Manager 2007.

1. From Software Library | Application Management | Applications, choose to Create Application.
2. Keep the default type as Windows Installer (Native) and browse to the source UNC path for the EMET Setup.MSI, which you downloaded previously.
3. The application details will be automatically derived from the MSI, along with MSI product code (on the Import Information page).
4. On the General Information page, you will be able to add any additional details for this application, and you’ll see a pre-populated command next to Installation program, that has details on the MSI-based install of EMET.  Edit the installation line to read:  msiexec /i "EMET Setup.msi" /qn /norestart
5. Change install behavior to Install for system.
6. Complete the wizard.
7. From the application you just created, choose Deploy.
8. Browse to the collection you want to target.
9. On the content page, choose your distribution points.
10. On the deployment settings page, choose the intended install settings (most likely this will be required, unless you are just testing the deployment).
11. Configure the deployment scheduled, user experience, and alerts, then complete the wizard.
12. You are now in the process of deploying the EMET client silently to all targeted clients.  You can monitor the deployment progress of this application in Monitoring | Deployments. 

Create the Package and Program to Configure EMET

Now that you have EMET deployed (or the deployment in progress), you will need to configure EMET for enhanced mitigation of your specified applications.  Without configuring EMET, the EMET client does nothing to offer enhanced application protection.  Here we’ll create a collection of clients reporting they have the EMET client installed, and we’ll target those with the configuration package. 

Create the EMET Configuration Target Collection

1. From Assets and Compliance | Device Collections choose to Create Device Collection.
2. Name the Device Collection (Clients with EMET Installed), and choose the limiting collection.
3. On the membership rules page, click Add Rule, and choose a Query Rule.
4. Name the query, and choose Edit Query Statement.
5. In the criteria tab, click the yellow star.
6. In Criterion Properties, keep the type as Simple value, and choose select.
7. Choose Installed Applications as the attribute class.
8. Choose Display Name as the Attribute.
9. After clicking OK, click the Value button.
10. Choose EMET from the list of values.  NOTE:  At least one system must have reported its hardware inventory after it installed the EMET client for this value to be populated.  If it’s not in the list, simply type the value in.
11. After completing the query rule, choose how often you want to evaluate this collection.  We will be targeting the EMET configuration to this collection, so evaluate it as often as you want clients that have recently installed the EMET to be added to the collection. Also, keep in mind that this collection will only be populated with new clients that have installed EMET and then submitted their inventory information to the server.  By default, inventory is sent every 7 days.

Create the EMET Configuration Package and Program

1. Place the following 4 files in a source directory that you will use as the source for the EMET configuration package.  You can get these files from the source directory of the EMET client after you’ve installed the MSI on a client.  NOTE:  If you don’t include all of these files, EMET configuration will not work.
   1. All.XML (from the source \program files (x86)\EMET\Deployment\Protection Profiles)
   2. EMET_Conf.exe (from the source \program files (x86)\EMET)
   3. EMET_notifier.exe (from the source \program files (x86)\EMET)
   4. MitigationInterface.dll (from the source \program files (x86)\EMET)
2. From Software Library | Packages choose to Create Package.
3. Name the package, and choose this package contains source files.  Provide the path where you are sourcing the four files referenced in step 1.
4. Choose standard program.
5. Name the program, and set the command line to be EMET_Conf.exe --import All.xml.  NOTE:  This is just an example, using the protection profile of all provided by the EMET team.  You can modify this config file to your own preferences, or use on of the other protection profiles provided by EMET.  You simply need to reference the file to be imported, and include it in your EMET configuration package.
6. Set the program to run hidden, and whether or not a user is logged on.
7. Complete the wizard.
8. After the package and program are complete, choose to deploy it.
9. Pick the collection we created earlier as the target collection, and complete the wizard with your desired settings.

Wrap Up

So the goal of this blog is twofold:  one, I wanted to raise everyone’s awareness of the EMET tool itself, and two, I wanted to provide a simple way you can use Configuration Manager to deploy the EMET client and to configure it.  At this time, we don’t have a way to surface EMET events (which are written to the event log on clients) into Configuration Manager, but we’re always investigating ways to make our solutions better together so it’s functionality we know that you need in the future.  One option for surfacing events would be using event forwarding and parsing the results into SQL, but that’s outside of the scope of this particular blog.  The main point is that EMET is an awesome tool for application hardening, and Configuration Manager is an excellent way to deploy and configure EMET.

--Jason Githens

This posting is provided "AS IS" with no warranties, and confers no rights.