Microsoft has released version 3.0 of EMET (Enhanced Mitigation Experience Toolkit), a must-have security tool for Windows. To summarize my previous post on EMET, it is a lightweight exploit mitigation tookit that forces programs to make use of modern security techniques – simply put it makes programs more secure. This guide will show you how to set EMET up to secure your Windows system without infringing on your program compatibility. I highly recommend you follow this guide and set EMET up accordingly. I’ve included screenshots to make this guide as clear as possible – setup for 3.0 is just a few minutes.
The major changes in EMET 3.0 are the new pre-made profiles, which make setup easier, and the notifier. EMET will now give a notification when it detects an exploit and you can read about the new pre-made profiles later down the page. You can disable the notifier through msconfig.exe or exit it by clicking the EMET icon in your system tray. I suggest you keep it on unless you’re running on a very old system.
EMET has two main interfaces: one to deal with system wide settings and one to deal with application specific settings.
When you open up EMET you’ll see:
Click “Configure System” and you’ll be brought here: (Your settings will look different)
My suggested configuration is:
DEP: Always On
SEHOP: Always On
ASLR: Opt In
What this means is that all programs will be forced to use DEP and SEHOP and programs have the ability to opt into using ASLR. If you are noticing instability you can change the DEP setting to “Opt-Out” or back to “Opt-In” but I strongly recommend you try Always On first. SEHOP can only be set to “Opt-Out” on Windows 7.
That’s all it takes to set EMET up system wide. (And a system reboot, which you can do after following the rest of this guide.)
Note: ATI Drivers 12.6+ are now ASLR compatible. You may want to give ASLR Always On a try!
Application Specific Settings:
EMET 3.0 makes securing individual programs incredibly easy. Click the “Configure Apps” button on the bottom right of the EMET GUI.
You’ll see this:
Go to File -> Import and navigate to /Program Files(86)/EMET/Deployment/Protection Profiles/all.xml and open it through EMET.
This will add a large list of programs, already configured, to your EMET list. You can change this up if you like but right away your system is much more secure. The default settings seem to cover the most important areas.
If you want to add another program just click “Add” and navigate to the .exe.
The highlight of the preconfigured .xml is that all Java executable files as well as your browser and browser plugins are configured to use EMET. These are the most commonly exploited programs and hardening them is a critical step in securing your system.
You may receive a notification from the EMET Notifier. A new feature to 3.0 that lets you know which security mitigation was just used to prevent an exploit.
That’s all there is to setting up EMET. This should take just a few minutes (including time to download) and it’s the first step to securing Windows. I hope this guide helped.
Tip: If you notice an EMET’d program acting out try disabling EAF. It can cause issues.
You can download EMET from:
It is worth stating that just because you use EMET does not mean you can forego patching. While EMET is an incredible tool for securing Windows it is not a silver bullet, you must keep your system up to date.