Friday, 27 April 2012

Recx EMET Configuration Builder


Update May 16, 2012: Since originally posting this article Microsoft have released EMET v3.0 which further facilitates enterprise deployment. We encourage you to go and read the technet article.


It's Friday, so it means it's time for another higher-level defensive post. To follow up on our previous post Microsoft EMET in The Enterprise we wrote a small EMET automatic configuration builder. It's designed to allow you to quickly produce an EMET configuration XML for a specific machine. This XML file can then be imported into the EMET GUI. This is to facilitate mass EMET opt-in for binaries in a host default build.

What the configuration builder does is:
  • Checks a file is a PE file
  • Checks it's not a DLL
  • Checks if it's managed or not
  • Checks if the SEH properties warrant SEHOP opt-in
It then produces a configuration line for each file as appropriate in the EMET XML schema.

Step 1: Run EMET Config Builder
Run the Recx EMET Configuration Builder as so (or similar):

EMETConfigBuild "c:\Program Files (x86)" c:\data\EMETConfig.xml 

Click for larger version

Step 2: Load EMET / Select Config Apps

Click for larger version
Step 3: Import XML 

Click for larger version

Note: When importing a large number of files it may say the EMET GUI has become unresponsive. It will complete, just give it time. Also the list of program files will NOT update. You'll need to click 'OK' and then go back into 'Config Apps' to see the list.

Step 4: Test, test and test again
Now ensure you fully test the applications before rolling out on a wider basis.

Getting Recx EMET Config Builder
We make no warranties implied or otherwise. By downloading and using Recx EMET Configuration Builder you agree to take all responsibility for any instabilities its use may introduce into your environment.



No comments:

Post a Comment