The Enhanced Mitigation Experience Toolkit is Microsoft’s best-kept security secret. It’s easy to install EMET and quickly secure many popular applications, but there’s a lot more you can do with EMET.
EMET won’t pop up and ask you questions, so it’s a set-it-and-forget-it solution once you set it up. Here’s how to secure more applications with EMET and fix them if they break.
Know If EMET is Breaking an Application
If an application does something your EMET rules disallow, EMET will shut down the application — that’s the default setting, anyway. EMET closes applications that behave in a potentially unsafe way so no exploits can occur. Windows doesn’t do this for all applications by default because it would break compatibility with many of the old Windows applications in use today.
If an application breaks a rule, it will immediately shut down and you’ll see a pop-up from the EMET icon in your system tray. The event will also be written to the Windows event log — these options can be customized from the Reporting box on the ribbon at the top of the EMET window.
Use a 64-bit Version of Windows
64-bit versions of Windows are more secure because they have access to features like address space layout randomization (ASLR). Not all of these features will be available if you’re using a 32-bit version of Windows. Like Windows itself, EMET’s security features are more comprehensive and useful on 64-bit PCs.
Lock Down Specific Processes
You’ll probably want to lock down specific applications instead of your entire system. Focus on the applications most likely to be compromised. This means web browsers, browser plug-ins, chat programs, and any other software that communicates with the Internet or opens downloaded files. Low-level system services and applications that run offline without opening any downloaded files are less at risk. If you have some important business application — perhaps one that accesses the Internet — it may be the application you want to secure the most.
To secure a running application, locate it in the EMET list, right-click it, and select Configure Process.
(If you want to secure a process that isn’t running, open the Apps window and use the Add Application or Add Wildcard buttons.)
The Application Configuration window will appear with your application highlighted. By default, all the rules will automatically be enabled. Just click the OK button here to apply all the rules.
If your application isn’t working properly, come back to this window and try disabling some of the restrictions for that application. Disable them one by one until the application works, so you can isolate the rule that causes the problem.
If you don’t want to restrict an application at all, select it in the list and click the Remove Selected button to erase your rules and put the application back to its default state.
Change System-Wide Rules
The System Status section allows you to choose system-wide rules. You’ll probably want to stick with the defaults, which allow applications to opt into these security protections.
You could select “Always On” or “Application Opt Out” for these settings for maximum security. This may break many applications, especially older ones. If applications start misbehaving, you can revert to the default settings or create “opt out” rules for applications.
To create an opt-out rule, right-click a process and select Configure Process. Uncheck the type of protection you want to opt out from — so, if you wanted to opt out of system-wide ASLR, you’d uncheck the MandatoryASLR and BottomUpASLR check boxes for that process. Click OK to save your rule.
Note that in our example we’ve enabled “Always On” for DEP system-wide, so we can’t disable DEP for any processes in the Application Configuration window.
Test Rules in “Audit Only” Mode
If you’d like to test EMET rules but don’t want to deal with any problems, you can enable “Audit only” mode. Click the Apps icon in EMET to access the Application Configuration window. You’ll find a Default Action section on the ribbon at the top of the screen. By default, it’s set to Stop on exploit — EMET will shut down an application if it breaks a rule. You can also set it to Audit only. If an application breaks one of your EMET rules, EMET will report the problem and allow the application to keep running.
This obviously eliminates the security advantages of running EMET, but it’s a good way to test rules before putting EMET back into “Stop on exploit” mode.
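While rules are being tested in audit-only mode, the reports EMET writes to the Windows event log show which applications are tripping a rule. The following PowerShell script is an added example, not part of the original article or of EMET itself; it assumes EMET logs to the Application log under the source name "EMET", the function names are hypothetical, and the fallback sample records are constructed.

```powershell
# Added example, not from the original article.
# Assumption: EMET logs to the Application event log under the source name "EMET".
function Get-EmetEvent {
    param([int]$Days = 7)
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'EMET'
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # Return nothing if EMET is absent or has logged no events in the window.
    try { Get-WinEvent -FilterHashtable $filter -ErrorAction Stop } catch { }
}

function Get-EmetSummary {
    param([Parameter(ValueFromPipeline = $true)]$Record)
    begin { $rows = @() }
    process {
        # Heuristic: use the first *.exe file name found in the message text.
        $app = '(unknown)'
        if ($Record.Message -match '([^\\/:\s]+\.exe)') { $app = $Matches[1].ToLower() }
        $rows += [pscustomobject]@{
            App = $app; Level = $Record.LevelDisplayName; Time = $Record.TimeCreated
        }
    }
    end {
        # One row per application and severity, most frequent first.
        $rows | Group-Object App, Level | ForEach-Object {
            [pscustomobject]@{
                App      = $_.Group[0].App
                Level    = $_.Group[0].Level
                Count    = $_.Count
                LastSeen = ($_.Group | Sort-Object Time | Select-Object -Last 1).Time
            }
        } | Sort-Object Count -Descending
    }
}

$events = @(Get-EmetEvent -Days 7)
if ($events.Count -eq 0) {
    # Constructed sample records (not real EMET output) so the summary runs anywhere.
    $events = @(
        [pscustomobject]@{ TimeCreated = [datetime]'2024-01-10T09:15:00'; LevelDisplayName = 'Warning'; Message = 'Constructed sample report for C:\Apps\LegacyApp.exe' }
        [pscustomobject]@{ TimeCreated = [datetime]'2024-01-10T11:40:00'; LevelDisplayName = 'Warning'; Message = 'Constructed sample report for C:\Apps\LegacyApp.exe' }
        [pscustomobject]@{ TimeCreated = [datetime]'2024-01-11T08:05:00'; LevelDisplayName = 'Error'; Message = 'Constructed sample report for C:\Tools\viewer.exe' }
    )
}
$events | Get-EmetSummary | Format-Table -AutoSize
```

An application that keeps appearing in this summary is the one to revisit in the Application Configuration window before switching back to “Stop on exploit”.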
Export and Import Rules
Once you’ve created and tested your rules, be sure to use the Export or Export Selected button to export your rules to a file. You can then import them on any other PCs you use and gain the same security protections without more fiddling.
On corporate networks, EMET rules and EMET itself can be deployed through Group Policy.
None of this is mandatory. If you’re a home user who doesn’t want to deal with this, feel free to just install EMET and stick with the recommended default settings.