Deploying and configuring the Enhanced Mitigation Experience Toolkit (EMET) 3.0 with System Center Configuration Manager
The Enhanced Mitigation Experience Toolkit (EMET) 3.0 is designed to help prevent hackers from gaining access to your system, by adding additional security to any application configured for enhanced mitigation. One of the primary benefits of EMET is in hardening legacy applications that either don’t have up-to-date security mitigations in-code, or that haven’t been patched to the latest versions. Without vendor-provided updates to these applications, or adding the additional security controls and recompiling the application, there would be no easy way to secure them from exploitation. That’s where EMET comes in.
EMET leverages a Windows shim infrastructure called the Application Compatibility Framework. Using this framework, EMET applies the specified mitigations to each application configured for enhanced mitigation in a way that adds no additional resource overhead to the monitored applications. Full details on the latest release of EMET can be found here. EMET 3.0 can be downloaded from here.
EMET 3.0 also provides out of box protection profiles that add mitigation for some common applications. These can be applied to clients with EMET installed, by running a simple configuration binary. Additionally, the XML schema used in the protection profiles is straightforward, and can be easily modified to add your applications to the list of mitigated apps, and updated configurations can of course be delivered by Configuration Manager. As with any application you plan on deploying, it’s important to test EMET against your desired applications thoroughly before deploying to production.
EMET also comes with built-in support for enterprise deployment and configuration technologies. This enables administrators to use Group Policy or System Center Configuration Manager to deploy, configure and monitor EMET installations across the enterprise environment.
For Group Policy: EMET includes an ADMX file that contains the three protection profiles mentioned above as policies that can be enabled/disabled through group policy. There is also a policy that demonstrates how to add custom EMET settings.
For System Center Configuration Manager: The SCCM team blog post this morning provides a package and instructions for integration with various SCCM features. Read that blog post here: http://blogs.technet.com/b/configmgrteam/archive/2012/05/15/deploying-and-configuring-the-enhanced-mitigation-experience-toolkit.aspx