EMET v3 was released two days ago and it introduces a most-coveted feature: support for management via Group Policy.
EMET is Microsoft’s answer to legacy software problems. It applies address space layout randomization and other wizardry to legacy applications that were not compiled to support such features. By stopping an exploit before it succeeds, it helps keep your vendor’s programming mistakes from becoming your headache and your post-mortem forensics exercise after an attack. For maximum benefit, EMET should be installed on Windows Vista/7/2008, though there is some benefit to running it even on XP/2003 systems.
Suha Can gave a great presentation on the product at S4 2012. I’m the guy at the end asking about Group Policy support…
Centralized management means that you can push EMET policies to every system on your network from one place, requiring that pesky programs with foreverday vulnerabilities run with EMET protection. The download comes with a User Guide, which has decent instructions on configuring the protections for common and uncommon applications using the Group Policy snap-in.
EMET is awesome for a lot of reasons. First, it is free. Second, it adds a lot of security to applications: public exploits don’t work off-the-shelf. Detailed analysis of the ASLR it uses shows it to be pretty darned good when configured properly. This means that a bad guy trying to exploit a buffer overflow on your system is probably going to crash the service over and over again instead of getting a nice, shiny shell on your process control network.
Version 3 has also introduced logging and notifications, which means that you can learn that you are under attack in a centralized manner and actually do something about it.
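The repeated-crash pattern described above is exactly what that logging lets you spot. The script below is an added example (not from the original post, Microsoft, or the EMET User Guide) that pulls EMET events from a list of hosts and ranks the processes hit most often; it assumes EMET 3 writes to the Application log under the provider name EMET, that the caller has remote event log access, and it guesses at the message wording (labelled in the code).

```powershell
# Added example (not from the post or from Microsoft): collect EMET events
# from several hosts and summarize repeated mitigation hits per process.
# Assumptions: EMET 3 logs to the Application log with ProviderName "EMET";
# the message regexes below are guesses and fall back to the raw message.
param(
    [string[]]$ComputerName = @('localhost'),
    [int]$Hours = 24
)

$since  = (Get-Date).AddHours(-$Hours)
$filter = @{ LogName = 'Application'; ProviderName = 'EMET'; StartTime = $since }

$events = foreach ($computer in $ComputerName) {
    try {
        Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction Stop |
            ForEach-Object {
                # Hypothetical wording: "EMET detected <Mitigation> mitigation ... <process>.exe"
                $mitigation = if ($_.Message -match 'detected\s+(\S+)\s+mitigation') { $Matches[1] } else { 'unknown' }
                $process    = if ($_.Message -match '([\w-]+\.exe)') { $Matches[1] } else { $_.Message }
                [pscustomobject]@{
                    Computer   = $computer
                    Time       = $_.TimeCreated
                    EventId    = $_.Id
                    Mitigation = $mitigation
                    Process    = $process
                }
            }
    } catch {
        # Get-WinEvent also throws when no events match; treat that as a warning, not a failure.
        Write-Warning "$computer : $($_.Exception.Message)"
    }
}

# Many hits on the same process from one host look like an exploit being
# retried (the crash loop the post describes), so surface those first.
$events |
    Group-Object Computer, Process, Mitigation |
    Sort-Object Count -Descending |
    Select-Object Count,
                  @{ n = 'Computer';   e = { $_.Group[0].Computer } },
                  @{ n = 'Process';    e = { $_.Group[0].Process } },
                  @{ n = 'Mitigation'; e = { $_.Group[0].Mitigation } },
                  @{ n = 'LastSeen';   e = { ($_.Group | Sort-Object Time)[-1].Time } } |
    Format-Table -AutoSize
```

Run it from a management workstation with a list of hosts, e.g. `.\emet-hits.ps1 -ComputerName hmi01,hist02 -Hours 72`, and feed the output into whatever alerting you already have.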
Give EMET a try on test systems first: if your vendor engages in some wonky coding practices, it may prevent the software from working correctly. I would love to see some vendors of crusty old software run their unit tests with EMET enabled and share the results in a simple pass/fail manner. Here’s hoping that we see that happen.
Image by Ultra-lab