The one security tool every Windows user should know about

The one security tool every Windows user should know about

Summary: Microsoft's Enhanced Mitigation Experience Toolkit (EMET) is a simple but powerful configuration utility that allows you to harden applications that weren't originally designed to take advantage of Windows security features. Here's how it works.


A new zero-day security hole in all versions of Windows is the subject of "targeted attacks," Microsoft says. The flaw, according to Microsoft Security Advisory 2488013, occurs when an attacker exploits "the creation of uninitialized memory during a CSS function within Internet Explorer." The result? "It is possible under certain conditions for the memory to be leveraged by an attacker using a specially crafted Web page to gain remote code execution."

Similar holes have been spotted in the past in applications such as Adobe Reader, Adobe Flash, and Apple's QuickTime.

The definitive fix for a vulnerability like this is a vendor-supplied patch. But what do you do while you're waiting for the patch? And how do you deal with vulnerabilities in legacy applications that can't be easily repaired?

That's the goal of Microsoft's Enhanced Mitigation Experience Toolkit (EMET), a simple but powerful configuration utility that allows you to harden applications that weren't originally designed to take advantage of Windows security features. EMET version 2 was released a few months ago and runs on all currently supported Windows client and server editions, including Windows 7, Windows Vista (Service Pack 1 or later), Windows XP (Service Pack 3), Windows Server 2008 R2, Windows Server 2008, and Windows Server 2003 (Service Pack 1 or later).

Although it's possible to configure some of these settings in other ways, EMET offers a straightforward, clean interface that works identically across multiple Windows versions. It's not a magic bullet, but it is an extremely potent addition to a thorough, in-depth approach to Windows security.

EMET gives you more granular control over Data Execution Prevention (DEP), a security feature that has been a part of Windows since XP Service Pack 2. Hardware-enforced DEP blocks the execution of code in memory locations that should contain only data, such as the stack or the heap, preventing a common form of exploit. Using EMET, you can turn on DEP for applications that were not originally compiled to be compatible with the feature. (For more on how DEP works, see the two-part "Understanding DEP as a mitigation technology series on the Microsoft Security Research & Defense blog: Part 1, Part 2).

You can also use EMET to overcome a limitation of Address Space Layout Randomization (ASLR). This feature is designed to prevent attackers from jumping to predictable memory addresses to exploit vulnerabilities in code. The problem with ASLR is that it works on a per-process basis; dynamic-link libraries (DLLs) associated with that process can still be located at predictable addresses, where vulnerabilities can be exploited. That's the attack vector used in the unpatched zero-day vulnerability I mention at the beginning of this post. EMET supports mandatory ASLR, which forces the relocation of DLLs associated with a process and thus blocks this entire class of exploits.

Other features in EMET mitigate against common tricks that hackers use to exploit flaws in code, by blocking common "heap spraying" techniques and validating exceptions before calling an exception handler.

The EMET documentation acknowledges that these are stopgap fixes:

Please note this is a pseudo mitigation designed to break current exploit techniques.  It is not designed to break future exploits as well.  As exploit techniques continue to evolve, so will EMET.

In fact, that's one of the promises of EMET. It exists outside the Windows code base, so it can be updated more aggressively. As the official user's guide explains:

EMET is a living tool designed to be updated as new mitigation technologies become available.  This provides a chance for users to try out and benefit from cutting edge mitigations.  The release cycle for EMET is also not tied to any product.  EMET updates can be made dynamically as soon as new mitigations are ready.

EMET is distributed as a very small (4.7MB) installer and can be downloaded here. On the next page, I walk you through some of the basics of installation and setup.

Page 2: Hardening Windows with EMET -->

<—Previous page

Installing Microsoft's Enhanced Mitigation Experience Toolkit (EMET) is straightforward for individual Windows PCs, although Microsoft acknowledges that the current version is "not convenient" to deploy in an enterprise setting. On Windows XP and Windows Server 2003, you must first ensure that the Microsoft .NET Framework 2.0 is installed. There are no prerequisites for other supported Windows versions.

For a step-by-step illustrated walkthrough, see the accompanying image gallery.

After downloading the installer package, log on using an administrator account and run EMET Setup.msi. A restart is not required. Then open the EMET application using its Start menu shortcut.

The EMET interface is divided into two parts. The top shows the system status; the bottom shows a list of running processes and whether they are currently running with EMET enabled.

You can use EMET to adjust systemwide security settings. Click Configure System to display the dialog box shown here. You can configure any of the three settings individually or use the drop-down menu at the top to apply preconfigured groups of settings.

Although it sounds tempting, I don't recommend the Maximum Security Settings option for Windows 7. That's especially true in a business setting, where compatibility issues can have financial consequences. For Windows XP, however, this option does make sense. Your XP options are more limited, because XP doesn't support SEHOP or ASLR. Enabling DEP universally on XP is a smart idea.

Most zero-day threats attack commonly used Internet-facing applications, such as Internet Explorer add-ons, Adobe Acrobat and Reader, Apple QuickTime, and so on. To tighten security on one of these individual programs, click Configure Apps.

Click Add and then browse to the location of the executable file associated with that program. For the default 32-bit versions of Internet Explorer, this is C:\Program Files\Internet Explorer\Iexplore.exe [on 64-bit Windows installations, this file is in the Program Files (x86) folder]. For Adobe Reader, start in Program Files [or Program Files (x86) on a 64-bit Windows system]; the executable file, AcroRd32.exe, is typically in the Adobe\Reader subfolder (this folder name might include a version number as well).

After you add an executable file, it appears in the Application Configuration dialog box, shown here, where you can enable or disable specific mitigations. By default, all options for a given process are selected.

To view the security status of programs, open the main EMET UI and look in the Running Processes list. If you've just added a program, you might have to close and restart it, then click the Refresh button to the right of the Running Processes heading. Click the Running EMET heading to sort the list so that all EMET-enabled apps are grouped together.

I'm interested in hearing feedback from readers who use EMET? Have you noticed specific compatibility issues? Have you checked specific exploits with and without EMET enabled? Leave your comments in the Talkback section or send me an e-mail using the Contact link in my bio, at the bottom of this post.

Topics: Operating Systems, Microsoft, Security, Software, Windows

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • It doesn't work on all applications

    I used it a couple of weeks ago. One of the applications I used it on (VideoRedo Plus 3) stopped working -- it would not start up. The event log gave no information that was useful. I used the tool to eliminate the application from the list, and all is now well.

    Well, sort of. The Windows Explorer icon is Windows 7 task bar no longer has any locations pinned to it, and you can't add any. Is this a known bug in the tool?
    • So installing this causes your programs not to work


      lol.. :D
    • RE: The one security tool every Windows user should know about


      So don't put that app in EMET. Big deal, I've been using it since version 2.0 came out last October and I have all my browsers guarded by it. The reality is, the manner by which most malware gets onto people's systems is their browser. Your experience shouldn't mean you shouldn't use it for the apps it DOES work on.

    • RE: The one security tool every Windows user should know about

  • EMET: A good start. LSM AppArmor: The safest solution.

    Windows Folks keep getting bitten.
    I am not going to say Ubuntu's AppArmor is 'user friendly' but system Admins should have NO difficulty (or they shouldn't be Admins) configuring Ubuntu with it.

    The default configuration of AA on Ubuntu 10.10 has AA enabled, but not for Firefox.

    There is a default profile present that requires opening a terminal window and typing in a short (one-time) command to have your Firefox session sandboxed:

    [b]$sudo aa-enforce /etc/apparmor.d/usr.bin.firefox[/b]

    Having at least your browser session sandboxed alleviates the worry of addressing 0day attacks.

    Canonical usually turns around a bug report marked critical in a matter of hours and your pc will automatically receive needed security updates from the Ubuntu GPG keyring-protected repository in due course.

    In the meantime, you can relax and enjoy using Ubuntu Linux and Firefox sandboxed with AA. No exploit gets by AA.

    Ubuntu Desktop Linux. The safest operating system on the planet.

    Ubuntu Security Feature Matrix:

    I stake my reputation on it.
    Dietrich T. Schmitz, ~ Your Linux Advocate
    • RE: The one security tool every Windows user should know about

      @Dietrich T. Schmitz, Your Linux Advocate I use both Ubuntu and Windows, but this is relevant how?
      • Ubuntu picked up where Novell left off and...

        @statuskwo5 ...
        based directly on Canonical's programming contributions, AppArmor is now part of the Linux Main Line kernel, effective with version 2.6.36:


        You can get stung using EMET. Not so with AA.
        Dietrich T. Schmitz, ~ Your Linux Advocate
      • RE: The one security tool every Windows user should know about

        @statuskwo5 It's not, but that is typical.
      • RE: The one security tool every Windows user should know about

        @statuskwo5 - I think DTS is pointing out that EMET provides a limited version of a subset of the kinds of security possible with Mandatory Access Control tools, like AppArmor or SELinux. EMET is more of a way to enable a potpourri of specific protection techniques, built in reaction to specific exploits ... AppArmor or SELinux are more comprehensive, integrated security measures, offering fine grained security control of every aspect of the system, for every system service and application.

        And he's right about it being a better approach. There'll be whining and complaining from Windows (and Mac) fans that it's overkill, etc. -- until eventually, inevitably, Windows and Mac OSes include comparable capability (at which point it'll turn into "see what an incredibly great feature that makes our OS more architecturally secure!" and the same fans will manage to forget that they argued that Linux wasn't more architecturally secure, whenever it was brought up <i>before</i> their pet OS had it).

        I know for a fact (from interactions with the MS research group) that mandatory access control approaches are very much on the table for the Windows OS ... it's a matter of priorities, balanced against the difficulties of reverse-engineering it in compatibly.

        So it's relevant because he's pointing out that there IS a better way, and it's available today.

        All that said ... that doesn't mean that EMET doesn't have value. We're exploring baselining it for a large gov't agency.
      • Windows already has a form of MAC: Mandatory Integrity Levels.

        @daboochmeister: While not as fine grained as MAC it offers a form of MAC for Windows. IE takes advantage of MIL in the form of Proected Mode. MIL seems a reasonable compromise between the complications of MAC and enhanced security.

        OS X also has MAC built in (since Leopard). While there's no GUI interface it exits (for example it protects Time Machine backups from being erased...even by the root user).
      • RE: The one security tool every Windows user should know about

        @ye - thanks, didn't know that OS/X had adopted the FreeBSD MAC approach.

        I can respect that opinion, that protection/integrity levels are enough - but I really don't agree. MIC/MIL <i>definitely</i> is an improvement over XP. But without going into a dissertation - I think it was a mistake for MS to make the concept of integrity levels part of the DNA of the controls, instead of just an admin/presentation layer over fine-grained controls. Iow, you can build an admin approach/view over a fine-grained MAC implementation that uses the advantages of the integrity levels abstraction to make administering the system easier -- but you CAN'T go the opposite direction, achieving fine-grained control (when appropriate and needed - and I'd argue there <i>are</i> cases where the flexibility is needed, in the real world) if integrity levels are burned into how the protections work, at the "kernel" level.

        Lot more to discussion possible here, but not the right context -- thx for an informed reply!
      • RE: The one security tool every Windows user should know about

        @statuskwo5 It's relevant because it's similar product.
    • RE: The one security tool every Windows user should know about

      @Dietrich T. Schmitz, Your Linux Advocate
      I have to take extra steps just to have a secure linux? No thanks, I prefer my OS secure out of the box.
      Loverock Davidson
      • I believe 'extra steps' is today's topic LD.

        @Loverock Davidson
        EMET is not installed, much less enabled by default.
        To avail yourself to EMET, I am afraid you have no choice but take extra steps.

        AppArmor is part of the Linux kernel and running by default on Ubuntu 10.10.

        Care for some more DayQuil?
        Dietrich T. Schmitz, ~ Your Linux Advocate
      • just wow

        @Loverock Davidson so you use OS/2? Why didn't you say so? One would think you use windows, from some of your posts.

        Now everything you've said makes sense. You were talking about OS/2 all along.
      • You keep saying this as if it means something.

        @Dietrich T. Schmitz, Your Linux Advocate: [i]AppArmor is part of the Linux kernel and [b]running by default[/b] on Ubuntu 10.10.[/i]

        It may be running but it's not enforcing so the benefit is???
        • AA is running in enforce mode. Only not by default for FF.

          Canonical chose to make the AA profile for FF user optional.
          See the link I provided to their security matrix to see which processes are running in a sandbox ootb.

          Feel free to obfuscate and be your old argumentative self ye bing.
          Dietrich T. Schmitz, ~ Your Linux Advocate
      • Again I ask: If it's not enforcing by default the benefit of pointing...

        @Dietrich T. Schmitz, Your Linux Advocate: [i]Canonical chose to make the AA profile for FF user optional.[/i]

        ...out that it's enabled by default is???

        [i]Feel free to obfuscate and be your old argumentative self ye bing.[/i]

        Feel free to begin addressing what is asked instead of completely tangential arguments.
        • Let's see EMET enabled by default?

          Save it ye for the uninitiated. You have no point. Just inane pointless argumentative blather.
          Dietrich T. Schmitz, ~ Your Linux Advocate
      • RE: The one security tool every Windows user should know about

        @Loverock Davidson
        What OS are you talking about?