Sat, Sep 22 2012 20:42
EMET part two - setting up the group policy files
So we've installed EMET on one computer. We then take the EMET files from the following subdirectory
And we place them in the following directory up on our server
The EMET.admx file goes in the c:\Windows\PolicyDefinitions folder.
The EMET.adml file goes in the c:\windows\policydefinitions\en-us folder.
Now we go into Group policy console and find our EMET settings.
Launch Group Policy Management. Go to the top of the group policy structure, right-click the domain name and click "Create a GPO in this domain, and link it here". Call the GPO EMET so you know what it is. Click OK. Right-click the EMET GPO that now appears in your group policy listing and click Edit.
Drill down under Computer configuration
On my setup at home I specifically added the iexplore.exe application to the EMET protection.
System wide I opted into DEP, SEHOP and ASLR
So let's see if we can do likewise via group policy.
The first group policy setting is ASLR
Let's set it to enabled and application opt in
Let's skip over application settings for a moment and hop over to DEP
Let's set that for DEP always on
Let's hop over to SEHOP
Let's set that to application opt out.
Now let's choose the default protection for Internet Explorer
Now the next step is you have to deploy the EMET package to all the workstations you want covered by this.
Because it's an MSI download, you can follow this tutorial: http://www.advancedinstaller.com/user-guide/tutorial-gpo.html
The final step to enable the settings I just set up is to run the EMET command line tool with the refresh option: EMET_Conf --refresh
You can run this command at startup or logon time.
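The refresh step written as a computer startup script, as an added example that is not from the original post. The -EmetDir parameter is an assumption (pass the folder where the MSI put EMET_Conf.exe), and the script skips the refresh on machines where EMET has not been installed yet, since the GPO can arrive before the package does.

```powershell
# Added example: computer startup script that applies the EMET group policy settings.
param(
    # Assumption: folder where the EMET MSI installed EMET_Conf.exe on this machine.
    [Parameter(Mandatory = $true)]
    [string]$EmetDir
)

$emetConf = Join-Path -Path $EmetDir -ChildPath 'EMET_Conf.exe'

# The GPO can reach a workstation before the MSI has been installed.
# Exit cleanly in that case so the next startup picks the settings up.
if (-not (Test-Path -LiteralPath $emetConf -PathType Leaf)) {
    Write-Output "EMET_Conf.exe not found in '$EmetDir'; skipping refresh."
    exit 0
}

# Re-read the policy settings configured in the GPO
# (ASLR, DEP, SEHOP and the application defaults).
& $emetConf --refresh
$code = $LASTEXITCODE

# Report the tool's exit code so a failed refresh shows up in the script result.
Write-Output "EMET_Conf --refresh finished with exit code $code."
exit $code
```

Assigned as a startup script, this runs in the computer's context rather than the logged-on user's.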
Hmmmm, okay, is there a better way to do that other than to do a logon script, which I really don't want to do in the Vista and later era?
Hang on for part three of EMET via group policy.