Deploying and configuring the Enhanced Mitigation Experience Toolkit (EMET) 3.0 with System Center Configuration Manager
The Enhanced Mitigation Experience Toolkit (EMET) 3.0 is designed to help prevent hackers from gaining access to your system by adding security to any application configured for enhanced mitigation. One of the primary benefits of EMET is in hardening legacy applications that either don’t have up-to-date security mitigations in-code, or that haven’t been patched to the latest versions. Without vendor-provided updates to these applications, or without adding the additional security controls and recompiling the application, there would be no easy way to secure them from exploitation. That’s where EMET comes in.
EMET leverages a Windows shim infrastructure called the Application Compatibility Framework. Using this framework, EMET applies the specified mitigations to each application configured for enhanced mitigation in a way that adds no additional resource overhead to the monitored applications. Full details on the latest release of EMET can be found here. EMET 3.0 can be downloaded from here.
EMET 3.0 also provides out-of-the-box protection profiles that add mitigation for some common applications. These can be applied to clients with EMET installed by running a simple configuration binary. Additionally, the XML schema used in the protection profiles is straightforward and can be easily modified to add your applications to the list of mitigated apps. Updated configurations can of course be delivered by Configuration Manager. As with any application you plan on deploying, it’s important to test EMET against your desired applications thoroughly before deploying to production.
EMET also comes with built-in support for enterprise deployment and configuration technologies. This enables administrators to use Group Policy or System Center Configuration Manager to deploy, configure and monitor EMET installations across the enterprise environment.
For Group Policy: EMET includes an ADMX file that contains the three protection profiles mentioned above as policies that can be enabled/disabled through group policy. There is also a policy that demonstrates how to add custom EMET settings.
For System Center Configuration Manager: The SCCM team blog post this morning provides a package and instructions for integration with various SCCM features. Read that blog post here: http://blogs.technet.com/b/configmgrteam/archive/2012/05/15/deploying-and-configuring-the-enhanced-mitigation-experience-toolkit.aspx
Microsoft System Center Configuration Manager 2007 Dashboard lets customers track application and operating system deployments, security updates, the health status, and IT compliance with key regulations—with an easy to use, customizable Web interface. Because the Dashboard is built on Windows® SharePoint® Services, IT staff can access information without using the Configuration Manager console.
IT administrators and IT support staff need easier access to key information about software and operating system deployments, client health, and compliance with regulations. They must ensure that their systems and software meet the configuration requirements established for the organization. And they need the ability to track this information without having access to a System Center Configuration Manager console.
Benefits of the dashboard include:
- Actionable information out of the box. The dashboard comes with a wide range of valuable, built-in reports that IT managers can access without using the Configuration Manager console.
- Centralized, near-real-time access to key information. The graphical dashboard lets customers view any Configuration Manager data set in near-real time—without leaving their desk.
- Easy to build and configure. The dashboard’s wizard-based tools let customers easily create new dashboards in minutes.
- Easy to customize. The dashboard can easily be customized to meet the needs of different departments and other groups. Any data set in the Configuration Manager database can be presented on the dashboard, in chart, gauge, and table formats.
- Flexible & interactive. Users can easily filter data and create ad hoc, custom views. Filters allow users to quickly drill down from high-level to more specific data.
Announcing the System Center Configuration Manager 2007 Service Pack 2 Technology Adoption Program
Microsoft is currently building the update to System Center Configuration Manager 2007 (ConfigMgr07) titled Service Pack 2. The ConfigMgr Technology Adoption Program (TAP) team is pleased to announce that we are now soliciting participation in the System Center Configuration Manager Service Pack 2 Product validation program.
ConfigMgr07 SP2 will add new OS support and improve on the Intel AMT integration.
New Operating System Support
- Windows 7
- Windows Server 2008 R2
- Windows Server 2008 SP2
- Windows Vista SP2
(Intel) Active Management Technology Integration – Version 2
Configuration Manager 2007 Service Pack 2 will improve on the Intel AMT (iAMT) integration provided in Service Pack 1. SP2 will add full feature support for computers that have the Intel vPro chip set and iAMT firmware versions 4 & 5. In addition to providing feature parity with SP1 and iAMT firmware versions 3.2.1, 4.0 and 5.0, support for the following new features is being added:
OOB Wireless Management: Wireless Profile Management (mobile ONLY)
- Provide configuration of up to eight (8) wireless profiles per site that are available to AMT clients assigned to that site
- Set the wireless information during AMT provisioning and configure all required profile settings (SSID, key management, encryption, etc.)
- Send wireless profile operations to the Intel translator on AMT systems with revisions earlier than 3.2.1
End Point Access Control: 802.1x support
- Provision 802.1x settings on AMT wireless clients during AMT provisioning
- Send 802.1x settings operations to the Intel translator on AMT systems with revisions earlier than 3.2.1
Persistent Data Storage: Non Volatile Memory or Third Party Data Store (3PDS)
- Write string data into 3PDS on AMT through OOB management console
Access Monitor: Audit Log
- Enable or Disable Audit Log (no critical event settings)
- View Audit Log through OOB Console
Remote Power Management: Power State Configuration
- Enable configuration of the power policy settings and include in provisioning settings when provisioning an AMT system
This program is designed to provide collaboration between your company and Microsoft. Its purpose is to validate the product through lab testing and the deployment of pre-release builds. Your company will have the opportunity to provide design and performance feedback for the product. You can do this by reporting bugs and submitting Design Change Requests (DCRs), as well as by providing general feedback for product group consideration. This program will provide customers with support from the Microsoft System Center Configuration Manager product group, as well as 24×7 support for production deployment issues. The program starts soon and finishes by the end of the calendar year 2009.
All participants must:
- Prior to program participation, have a signed TAP Agreement and System Center Configuration Manager SP2 Program Description on file with Microsoft. If you do not have a Master TAP Agreement with Microsoft currently, please work with your Technical Account Manager, Account TS, or other Microsoft representative to get one completed.
- Commit to providing resources for the duration of the program
- Commit to timely response of survey and feedback requests from Microsoft
- Agree to participate in some form of public relations activities as identified in the TAP agreement and the System Center Configuration Manager SP2 Program description
- Have a Microsoft Premier Support contract which includes a Microsoft Technical Account Manager resource
- Provide a project plan for deployment
- Deploy each milestone build of pre-release System Center Configuration Manager SP2 into your production environment within 14 days of availability
- Meet the following deployment goals:
  - Beta – 500 or more clients installed and actively managed by the product
  - RC – 2,000 or more clients installed and actively managed by the product.
All participants receive:
- The opportunity to shape this update to Configuration Manager 2007 through direct feedback to Microsoft
- Regularly scheduled conference calls with a member of the System Center Configuration Manager Team. Discussions will include deployment planning, feedback, feature review presentations from members of the System Center Configuration Manager Product Group, and other customer driven topics
- Production certified pre-release builds as well as exclusive access to interim lab-only builds of the product
- Web-based bug reporting and priority bug resolution
- Support and deployment guidance from the System Center Configuration Manager Product Group, as well as 24×7 support from Microsoft Beta Customer Support Services for production deployment issues
- A dedicated Program Manager contact in the System Center Configuration Manager Product Group
- A head start in the next deployment cycle, taking advantage of new and enhanced features available in System Center Configuration Manager SP2
- Potential onsite visits by members of the Product Group in order to help with production deployment and feedback.
A short nomination survey is located here:
Full link: https://www.surveymonkey.com/s.aspx?sm=EFslbxTQdA6OCgbp_2fg8iNQ_3d_3d
The number of available slots in the program is limited. The selection is based on a broad set of criteria and not solely on a customer’s commitment to fulfill program requirements.
Prioritization will be given to organizations that meet one or more of the following profiles:
- Are currently in the Windows 7 or Windows Server 2008 TAP, *and* have Configuration Manager 2007 deployed
- Have participated in the Configuration Manager 2007 TAP and are significantly deployed with Configuration Manager in production
- Have participated in previous SMS or Configuration Manager 2007 TAP and are significantly deployed with Configuration Manager in production
- Have Intel AMT hardware deployed in production *and* have Configuration Manager 2007 deployed.
- Are using Configuration Manager Operating System Deployment (OSD) and have a business need to deploy Windows 7 using OSD.
Program Timetable (all dates are estimates and subject to change)
Initial Nomination period
Submission of System Center Configuration Manager SP2 Nomination Surveys by or on behalf of interested customers.
Customers selected for the program are notified and given information regarding initial participation.
April / May 2009
Online information sessions and conference calls to get familiar with feature set and initiate planning
Deployment in production environment. Product validation and feedback submitted.
More extensive deployment in production environment. Product validation and feedback submitted.
Win7 plus 90 days
Release to Manufacturing
Upgrade to released build and enterprise-wide deployment.
Please contact email@example.com with any questions you may have regarding this communication or the nomination process.
The System Center Configuration Manager Technology Adoption Program team