Creating Exclusions from the Default Sets in EMET ADMX GPOs

I’m going to preface this by saying that I do not currently recommend using our .admx GPOs for EMET. With that said, some customers are required to use them from a compliance perspective, so this may help you in that role.

If you use the .admx settings for EMET and have ever needed to add a mitigation exclusion for an application that is part of a default set, such as “Default Protections for Popular Software”, you will have found that this is not an easy affair. You must first un-configure the default set the application belongs to, and then re-create every application in that set as a line item under Application Configuration. This means a lot of copying and pasting from the XML files you can find in the EMET install folder under .\Deployment\Protection Profiles. I’ve seen a couple of customers have to do this now, so I figured I would post a few ways to help other customers out with it.

First, a quick note to be aware of. In the .admx templates/GPOs, the three settings Default Protections for Internet Explorer, Default Protections for Recommended Software, and Default Protections for Popular Software are all discrete items.

That is, each application appears in only one of those defaults: iexplore.exe is ONLY in the defaults for IE, and mirc32.exe is only in the defaults for Popular Software. I point this out because the two XML files in EMET\Deployment\Protection Profiles are not discrete: Popular Software.xml is a superset of Recommended Software.xml, i.e. it contains everything that Recommended does as well as the items from the Popular list.

The first thing I put together was a couple of PowerShell scripts that parse the Popular Software.xml file. I should join them together, but I did it late at night and my brain wasn’t alert enough, so I split them out: some XML nodes have to be handled differently, as some items are labeled as Suite>Apps and some are just Products. I’m attaching a zip here with the scripts, so you can re-run them in case the XML is updated in a future release.

http://1drv.ms/1zB4iQq 
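As an added illustration (not the scripts in the zip linked above, and not Microsoft's tooling), here is a PowerShell sketch of the parse described in this post: it flattens the Suite>App nodes and the Product nodes into one list, emits one line item per executable in the shape the GPO's Application Configuration list takes, and adds a comparison between two profiles that would surface an entry present in Recommended Software.xml but missing from Popular Software.xml. The element and attribute names, the two constructed sample profiles and the `-MITIGATION` flag syntax for the value data are assumptions made for the example; check them against the XML files in your own EMET install before relying on the output.

```powershell
# Added example, not the post's scripts or Microsoft's tooling.
# ASSUMED profile schema: entries appear as <Suite><App/></Suite> or as <Product/>,
# each with Path and Executable attributes and <Mitigation Name=".." Enabled=".."/> children.

function Get-EmetAppNodes {
    param([Parameter(Mandatory)][xml]$Profile)
    # Flatten Suite>App entries and standalone Product entries into one list
    @($Profile.SelectNodes('//Suite/App')) + @($Profile.SelectNodes('//Product'))
}

function ConvertTo-EmetGpoLine {
    param([Parameter(Mandatory)][System.Xml.XmlElement]$AppNode)
    # Application Configuration line item: value name = "<path>\<exe>",
    # value data = mitigations to turn off for that app, one "-NAME" per mitigation.
    # (Assumed from the EMET user guide's "-MITIGATION" syntax; verify for your version.)
    $disabled = foreach ($m in $AppNode.SelectNodes('Mitigation')) {
        if ($m.Enabled -eq 'false') { "-$($m.Name)" }
    }
    [pscustomobject]@{
        Application = "$($AppNode.Path)\$($AppNode.Executable)"
        Mitigations = ($disabled -join ' ')
    }
}

function Compare-EmetProfile {
    param([Parameter(Mandatory)][xml]$Reference, [Parameter(Mandatory)][xml]$Difference)
    # Executables in $Reference that have no matching Path+Executable in $Difference.
    # Empty output means $Difference really is a superset of $Reference.
    $inDiff = Get-EmetAppNodes $Difference | ForEach-Object { "$($_.Path)\$($_.Executable)" }
    Get-EmetAppNodes $Reference |
        Where-Object { "$($_.Path)\$($_.Executable)" -notin $inDiff } |
        ForEach-Object { "$($_.Path)\$($_.Executable)" }
}

# Constructed sample profiles (not the shipped XML). The "Recommended" sample lists a
# Java entry that the "Popular" sample lacks, to show what the comparison reports.
[xml]$recommended = @'
<EMET Version="5.1">
  <EMET_Apps>
    <Suite Name="Microsoft Office">
      <App Name="Word" Path="*\OFFICE1*" Executable="winword.exe">
        <Mitigation Name="DEP" Enabled="true" />
        <Mitigation Name="EAF" Enabled="false" />
      </App>
    </Suite>
    <Product Name="Java 8" Path="*\Java\jre1.8*\bin" Executable="java.exe">
      <Mitigation Name="ASR" Enabled="false" />
    </Product>
  </EMET_Apps>
</EMET>
'@

[xml]$popular = @'
<EMET Version="5.1">
  <EMET_Apps>
    <Suite Name="Microsoft Office">
      <App Name="Word" Path="*\OFFICE1*" Executable="winword.exe">
        <Mitigation Name="DEP" Enabled="true" />
        <Mitigation Name="EAF" Enabled="false" />
      </App>
    </Suite>
    <Product Name="mIRC" Path="*\mIRC" Executable="mirc32.exe">
      <Mitigation Name="ASR" Enabled="false" />
    </Product>
  </EMET_Apps>
</EMET>
'@

# To run against the real files, replace the samples with e.g.
# [xml]$popular = Get-Content -Raw '<EMET install folder>\Deployment\Protection Profiles\Popular Software.xml'

# Line items ready to paste into the GPO's Application Configuration list
Get-EmetAppNodes $popular | ForEach-Object { ConvertTo-EmetGpoLine $_ } | Format-Table -AutoSize

# Anything Recommended has that Popular lacks (should print nothing if Popular is a true superset)
Compare-EmetProfile -Reference $recommended -Difference $popular
```

With the constructed samples, the first command prints two line items (`*\OFFICE1*\winword.exe` with `-EAF`, and `*\mIRC\mirc32.exe` with `-ASR`), and the comparison prints `*\Java\jre1.8*\bin\java.exe`. Running the comparison on the shipped Recommended and Popular files is a quick way to confirm the superset relationship before you build a GPO from only one of them.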

Also in this same zip file, I took the list of applications that was created, built a GPO with just those applications (no other items configured), and made a backup of that GPO. You can import that GPO backup into a GPO in your environment to save the hassle of typing/pasting all of those items yourself (currently ~56 line items).

Having this GPO in place will let you more easily add line-item exclusions for applications that are part of the default sets. Keep in mind, though, that from a compliance-checking perspective the registry keys this places on machines will be different, so you may need to write up an exception/waiver pointing out that you are using the default sets, just stored in a different registry location from the one a compliance scan expects.

I’ve also put a TechNet wiki page up with the current list (5.1) of what the app paths/exclusions are at http://social.technet.microsoft.com/wiki/contents/articles/28796.emet-all-applications-for-admx-gpo-s.aspx 

Happy EMETing!

Comments (5)

  1. Kurt Falde says:

    I’m pretty sure that hasn’t happened although I would love to see that/sccm integration at some point.

  2. Bill Sawyer says:

    Hey Kurt,

    Has anyone on the EMET talked with the Intune team about leveraging that toolset to centrally manage EMET? With the amount of development focused on the EMS stack, I think it would be a pretty compelling solution to be able to utilize an Azure-backed central database of known good app configurations for EMET, along with exceptions that could be managed through Intune.

  3. John Miller says:

    Hello Kurt, I just wanted to point out that the Popular Software.xml does not have all the software listed in the Recommended Software.xml. It’s missing Java 8.

    Popular Software.xml Oracle section:

    Recommended Software.xml Oracle section:

    Just wanted to let you know.

    Thanks,

    John Miller

  4. John Miller says:

    Well it would appear that pasting the XML code into the comment section does not work… Check out the XML files for yourself. 🙂

    John

  5. Kurt Falde says:

    Urgh good find on the Java one.. I’ll make sure to mention that to the PG Devs.
