Quick Links

Only one cash prize went unclaimed at Pwn2Own 2014. All major browsers were hacked, but hackers were unable to claim the $150,000 grand prize for hacking IE 11 secured with EMET. Secure your own PC with EMET today.

Microsoft is targeting EMET more at system administrators, but any Windows user can use EMET to quickly enable some additional security features without any special knowledge. This tool can even help secure outdated Windows XP systems.

Update: EMET has been discontinued, but Exploit Protection is built into Windows 10.

Download the Enhanced Mitigation Experience Toolkit (EMET) from Microsoft and install it. Select the Use Recommended Settings option to enable recommended settings to protect commonly exploited programs like Internet Explorer, Microsoft Office, Adobe Reader, and the insecure Java plug-in.

Next, launch the EMET GUI application from your Start menu or Start screen. Click the Import button at the top-left corner of the screen.

how-to-use-emet-gui[4]

Select the Popular Software.xml file provided with EMET and import it. This file adds additional rules to help protect popular third-party programs like Firefox, Chrome, Skype, iTunes, Photoshop, Thunderbird, Opera, Google Talk, Pidgin, VLC, WinRAR, and 7-Zip.

import-popular-software-rules-in-emet

You can view the rules installed on your system by clicking the Apps button under Configuration in the ribbon at the top of the window.

Your computer should now be more secure. Read on if you'd like to know what exactly EMET is doing and how to make your own rules.

emet-rules

How Does EMET Work?

Related: Why the 64-bit Version of Windows is More Secure

When Microsoft started getting serious about security with Windows XP SP2, they began adding security features applications could take advantage of. For example, Data Execution Prevention (DEP) allows the operating system to mark certain sections of memory as non-executable data. If an attacker takes advantage of a buffer overflow vulnerability in an application and attempts to run code from a sector marked as data, the operating system won't run it. Address space layout randomization (ASLR) randomizes the locations of applications and system libraries in memory -- an attacker can't create reliable exploits that depend on knowing exactly where certain code is in memory. These are just a few of the features modern versions of Windows allow programs to use. They help protect a system from being exploited, even if attackers find a security hole in an application.

Windows enables these features by default for its own system programs. Third-party application developers can also choose to enable them for their own applications. However, these features aren't enabled by default for every program -- they may cause problems, especially with old and out-of-date programs. For maximum compatibility, Windows runs applications without these security features unless they superficially request them.

EMET provides a way to turn on DEP, ASLR, as well as other security features for applications that don't specifically request them. It's not an included Windows feature because it could potentially break some programs and most Windows users wouldn't know how to fix such problems.

windows-7-data-execution-prevention

Lock Down Other Applications

EMET allows you to activate more security features on your own. For example, you can click the Quick Profile Name box and select Maximum security settings. This will enable DEP for all applications and enable Structured Exception Handler Overwrite Protection (SEHOP) for applications that don't specifically opt out of it.

You're free to tweak the system-wide settings by modifying settings under System Status on your own, too.

emet-maximum-security-settings

To help protect a specific application, right-click it in the list of running processes and select Configure Process. You'll be able to set various rules to help lock it down. For technical information on exactly what each security feature does, click Help > User Guide in EMET.

These protections aren't enabled by default because they may cause some applications to not work properly. If an application breaks, go back into EMET, disable certain security features for it, and see if the application works. If you changed a system-wide setting and an application no longer works properly, change the system setting back or add a special exception for that application.

create-rules-for-application-in-emet

Network administrators could use EMET to test if an application works, export the rule, and then import it on other PCs running EMET to roll out their tested rules. Use the Export or Export Selected options to export rules you've created.


If we're lucky, EMET is the sort of feature we'll see built into future versions of Windows by default to increase security. Microsoft could provide default rules that work well and update them automatically, just as they provide rules for popular third-party applications along with EMET today.