Updated EMET.admx file to enable disabled settings for Default sets

  An EMET customer pointed out that for the Default Sets in the .admx GPOs the “Disabled” setting wasn’t actually doing anything.  After some review it appeared that these 3 settings have an <enabledList> but no <disabledList> in the GPO to control them, which in turn meant the Disabled button didn’t perform a removal…

Creating Exclusions from the Default Sets in EMET ADMX GPO’s

  I’m going to preface this by saying I do not recommend usage of our .admx GPOs currently for EMET.  With that being said, some customers are required to use them from a compliance perspective, so this may help you with your role. If you use the .admx settings for EMET and have ever realized that…

KB2871997 and Wdigest – Part 2

  If you got here inadvertently, glance at Part 1 as well.  http://blogs.technet.com/b/srd/archive/2014/06/05/an-overview-of-kb2871997.aspx has a great section on this already and discusses how to identify Wdigest use by looking at DC Security Event logs to see if you have any events that show Wdigest usage.  If you are fortunate enough to have a SIEM solution…

KB2871997 and Wdigest – Part 1

  In May of this past year we released a “Security” update labeled KB2871997, which basically backports a number of security features that were introduced in Windows 8.1/2012 R2 to Win 7/2008/8/2012.  If you want to read the details you can start here: http://support.microsoft.com/kb/2871997. However, the point of this post is to focus specifically…

Managing Trusted Sites via Policy for EMET ASR

  Part of the new functionality of EMET allows you to block or allow plugins in IE based on the zone that a web site is located in.  The default example is that the Java plugin is blocked on the “Internet” zone but allowed on the “Intranet” and “Trusted” sites zones.  Currently the recommendation is to…

Testing the ASR feature for Office documents in EMET 5.0

  Had a customer recently ask me how to test the ASR feature for EMET 5.0, so figured I would write this up to help others as well.  Keep in mind there are 2 different sets of programs that utilize ASR: one is IE and the other is Office programs, or more specifically Word, Excel…

Managing IE Sites for EMET with ASR (Attack Surface Reduction)

  If you haven’t started testing EMET 5.0, please consider doing so, especially if you are charged with piloting the product for your organization, as this version is the latest and has more fixes and protections than are available in the 4.x platform.  One of the great new features we introduced with 5.0 is ASR…

Setting EMET Local Configuration via GPP

Our PG released EMET 5.0, yeah, and it works pretty well and has some cool new functionality, such as actually blocking on pin rules and the new ASR feature, which I feel is very cool too. A big fix was the fact that there is a service now and that service will properly refresh GPO…

Troubleshooting an EMET Mitigation Application Crash

  In the process of deploying and piloting EMET there is a definite possibility that a legitimate application will not function properly with EMET. Let’s try to set some expectations here. There are basically 2 things you can do when this occurs: work with the developer of the application and see if they can make…

Configuring EMET via GPO/GPP w/o using the ADMX files

[UPDATE 7/23/2014] I've created a wiki page at http://social.technet.microsoft.com/wiki/contents/articles/25585.emet-gpo-gpp-using-task-scheduler-to-import-emet-settings.aspx that condenses these steps and adds a few new items and is open to collaborative editing as well, so you may want to view that as well [/UPDATE] If you have deployed EMET in an enterprise setting you have probably realized there are basically 2 different…
