Creating Exclusions from the Default Sets in EMET ADMX GPOs


I’m going to preface this by saying that I do not currently recommend using our .admx GPOs for EMET.  With that being said, some customers are required to use them from a compliance perspective, so this may help you in your role.

If you use the .admx settings for EMET and have ever needed to add a mitigation exclusion for an application that is part of a default set, such as the “Default Protections for Popular Software”, you will have realized that this is not an easy affair.  You must first un-configure the Default set that the application is part of, and then you have to re-create all of the applications in that set as line items under Application Configuration.  This means a lot of copying and pasting from the XML files you can find in the EMET install folder under .\Deployment\Protection Profiles.  I’ve seen a couple of customers have to do this now, so I figured I would post a few ways to help other customers out with this.

First off, a quick note to be aware of.  In your .admx templates/GPOs, the three separate settings Default Protections for Internet Explorer, Default Protections for Recommended Software, and Default Protections for Popular Software are all discrete items.


That is, each application appears in only one of those Default sets: iexplore.exe is ONLY in the defaults for IE, and mirc32.exe is only in the defaults for Popular Software.  The reason I point this out is that when you view the XML files in EMET\Deployment\Protection Profiles, the two files there are not discrete: Popular Software.xml is a superset of Recommended Software.xml, i.e. it contains everything that Recommended does as well as the items from the Popular list.


The first thing I put together was a couple of PS scripts that parse the Popular Software.xml file.  I should join them together, but I did it late at night and my brain wasn’t alert enough, so I split them out, as you have to deal with some XML nodes differently: some items are labeled as Suite>Apps and some are just Products.  I’m attaching a zip here that has the scripts in it, in case the XML is updated in a future release.

https://1drv.ms/1zB4iQq 
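To show the kind of parsing the scripts in the zip do, here is an added PowerShell example; it is not one of the attached scripts. It walks a protection profile XML, handles the two node shapes mentioned above (stand-alone Product nodes and App nodes nested under Suite>Apps) in a single pass, and emits one line per application in the “path -Mitigation” form used by the Application Configuration list. The element and attribute names (Product, Suite, Apps, App, Path, Executable, Mitigation, Enabled) and the sample XML are assumptions constructed for the example; check them against Popular Software.xml in .\Deployment\Protection Profiles before running it against the real file.

```powershell
# Added example, not the scripts from the post or EMET's own code.
# Parses an EMET protection profile and lists each application with the
# mitigations the profile turns off, in the "path -Mitigation" form that the
# ADMX "Application Configuration" line items use (format assumed here).
#
# ASSUMED XML LAYOUT (verify against the real Popular Software.xml):
#   <Product Name=".." Path=".." Executable=".."><Mitigation Name=".." Enabled="true|false"/></Product>
#   <Suite Name=".."><Apps><App Path=".." Executable=".."><Mitigation .../></App></Apps></Suite>

function Get-EmetProfileEntries {
    param(
        [Parameter(Mandatory)] [xml] $ProfileXml
    )

    # One XPath union covers both node kinds, so no second script is needed
    # for the Suite>Apps items versus the plain Product items.
    $nodes = $ProfileXml.SelectNodes('//Product[@Executable] | //Suite/Apps/App')

    foreach ($node in $nodes) {
        $fullPath = '{0}\{1}' -f $node.GetAttribute('Path'), $node.GetAttribute('Executable')

        # Mitigations default to on; only those explicitly disabled in the
        # profile need to appear as "-NAME" exclusions on the GPO line item.
        $disabled = @($node.SelectNodes('Mitigation[@Enabled="false"]') |
                      ForEach-Object { '-' + $_.GetAttribute('Name') })

        [pscustomobject]@{
            Path     = $fullPath
            Source   = $node.LocalName              # "Product" or "App" (from a Suite)
            GpoValue = ($fullPath + ' ' + ($disabled -join ' ')).Trim()
        }
    }
}

# Constructed sample profile in the assumed layout; not a copy of the real file.
$sampleProfile = [xml]@'
<?xml version="1.0" encoding="utf-8"?>
<EMET Version="5.1">
  <Product Name="Internet Explorer" Path="*\Internet Explorer" Executable="iexplore.exe">
    <Mitigation Name="DEP" Enabled="true" />
    <Mitigation Name="EAF" Enabled="false" />
  </Product>
  <Suite Name="Example Office Suite">
    <Apps>
      <App Path="*\OFFICE1*" Executable="WINWORD.EXE">
        <Mitigation Name="DEP" Enabled="true" />
        <Mitigation Name="ASR" Enabled="true" />
      </App>
      <App Path="*\OFFICE1*" Executable="EXCEL.EXE">
        <Mitigation Name="SEHOP" Enabled="false" />
        <Mitigation Name="EAF" Enabled="false" />
      </App>
    </Apps>
  </Suite>
</EMET>
'@

Get-EmetProfileEntries -ProfileXml $sampleProfile | Format-Table -AutoSize

# Against the real file (path relative to the EMET install folder):
# $real = [xml](Get-Content '.\Deployment\Protection Profiles\Popular Software.xml' -Raw)
# Get-EmetProfileEntries -ProfileXml $real | Select-Object -ExpandProperty GpoValue
```

The GpoValue column is what you would paste into each Application Configuration line item; the Source column lets you confirm that both node shapes were picked up, which is the easiest way to notice when a future profile release changes the layout.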

Also within this same zip file, I took the list of applications that the scripts produced, created a GPO with just those applications (no other items configured), and did a backup of that GPO.  You can in turn import that GPO backup into a GPO in your environment to save the hassle of typing/pasting all of those items yourself (currently ~56 line items).


Having this GPO in place will allow you to more easily add line-item exclusions for applications that are part of the Default sets.  However, from a compliance-checking perspective, keep in mind that the registry keys this places on machines will be different, so you may need to write up an exception/waiver pointing out that you are still applying the Default sets, but that from a registry-key / compliance-scanning perspective they live in a different location.
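As an added example (not part of the post or the zip), the following PowerShell imports the GPO backup from the extracted zip into a new GPO with the GroupPolicy RSAT module, then enumerates every registry value the imported GPO configures so the exception/waiver can quote the actual key and value names a scanner will see. The backup folder path, the target GPO name, and the EMET policy key HKLM\SOFTWARE\Policies\Microsoft\EMET are assumptions; adjust them to your environment and your ADMX.

```powershell
# Added example, not code from the post. Requires the GroupPolicy module
# (RSAT) on a domain-joined admin workstation.
Import-Module GroupPolicy

# Recursively lists the registry values a GPO sets under $Key.
# Get-GPRegistryValue returns subkeys as items without a value, so recurse
# into those to reach the per-application entries.
function Get-GpoRegistryTree {
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        [Parameter(Mandatory)] [string] $Key
    )
    foreach ($item in (Get-GPRegistryValue -Name $GpoName -Key $Key -ErrorAction SilentlyContinue)) {
        if ($item.HasValue) {
            $item | Select-Object FullKeyPath, ValueName, Value
        } else {
            Get-GpoRegistryTree -GpoName $GpoName -Key $item.FullKeyPath
        }
    }
}

function Import-EmetDefaultsGpo {
    param(
        [Parameter(Mandatory)] [string] $BackupDir,                 # folder holding the {GUID} backup subfolder
        [string] $TargetGpoName = 'EMET - Default Set Applications', # hypothetical name
        [string] $EmetPolicyKey = 'HKLM\SOFTWARE\Policies\Microsoft\EMET'  # assumed policy key
    )

    # A GPO backup folder is named by its backup GUID; take the single one present.
    $backup   = Get-ChildItem -Path $BackupDir -Directory | Select-Object -First 1
    $backupId = [guid] $backup.Name

    Import-GPO -BackupId $backupId -Path $BackupDir -TargetName $TargetGpoName -CreateIfNeeded | Out-Null

    # Everything the new GPO writes, for the compliance write-up.
    Get-GpoRegistryTree -GpoName $TargetGpoName -Key $EmetPolicyKey
}

Import-EmetDefaultsGpo -BackupDir 'C:\Temp\EMET-GPO-Backup' | Format-Table -AutoSize
```

Run it once in a test OU first and diff the listed FullKeyPath/ValueName pairs against what your compliance scanner checks for the Default sets; that difference is exactly what the waiver needs to document.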

I’ve also put up a TechNet wiki page with the current (5.1) list of the app paths/exclusions at https://social.technet.microsoft.com/wiki/contents/articles/28796.emet-all-applications-for-admx-gpo-s.aspx

Happy EMETing!