Enterprise Deployment of EMET

    General discussion

  • There have been a number of requests to make enterprise deployment of EMET easier.  This is something we are actively working on.  We expect to be able to offer this along with the ability to configure and monitor EMET across an enterprise in the future.  Until this is ready, there are a few options for rolling out EMET across an enterprise.  Please note that these options are only relevant for the application specific mitigations and not the system policy for mitigations.


    Option 1: Deploy from a common share

    The first step for this is to place all the binaries on a common share (with the appropriate ACLs to prevent undesirable tampering).  Next, EMET_conf.exe should be run with the --add parameter from each of the machines that are to be protected.  This can be done with tools such as SCCM, startup scripts etc.  When EMET_conf.exe runs, it will copy the necessary files to c:\windows\apppatch and will also make the necessary registry key changes.

    To remove EMET from one of these machines, you can follow the same steps, but use either the --remove or --remove_all parameter with EMET_conf.exe.  This will leave the files on the system, but will deactivate the EMET functionality.


    Option 2: Deploy the EMET installation file and configure through script

    This option involves rolling out the “EMET Setup.msi” to all of the target machines utilizing any number of package deployment options (including Group Policy).  Later, a script can be run that uses EMET_conf.exe --add to configure the appropriate target applications.


    Option 3: Create a wrapper msi

    Another approach you can take is to create a new msi that includes the “EMET Setup.msi” file.  When the wrapper msi is installed, it can be set up to install the “EMET Setup.msi” file and then run EMET_conf.exe --add to configure the desired settings.  It can also be configured to uninstall “EMET Setup.msi” if it is later uninstalled.

    Saturday, February 12, 2011 2:23 AM
    Owner

All replies

  • The EMET_conf.exe --import is crap because environment variables like %ProgramFiles(x86)% in the xml configuration aren't processed.
    Thursday, May 19, 2011 2:06 PM
  • The EMET_conf.exe --add parameter changed in version 2.1 to --set.

    Thank you. Please update your post. The v2.1 "Users Guide.pdf" also still mentions the --add parameter.

    • Edited by ManServ Thursday, May 19, 2011 2:23 PM added Users Guide doc flaw
    Thursday, May 19, 2011 2:13 PM
  • Thanks for the information.  I am currently testing deployment using option 2.  We are using SCCM packages to install the software and run a configuration batch file.  I came up with this script so we could run it on both 32-bit and 64-bit machines.  It will add the programs it finds based on the paths.  I would like to see the community develop a more complete list if this approach is efficient.  Thanks.


    @echo OFF
    REM Program List v1.0

    if exist "C:\Program Files (x86)\EMET" cd "C:\Program Files (x86)\EMET"
    if exist "C:\Program Files\EMET" cd "C:\Program Files\EMET"
    REM 32/64-Bit Applications

    emet_conf.exe --set "C:\Program Files\Windows Media Player\wmplayer.exe"
    emet_conf.exe --set "C:\Program Files\Internet Explorer\iexplore.exe"
    emet_conf.exe --set "C:\Program Files\Java\jre6\bin\java.exe"
    emet_conf.exe --set "C:\WINDOWS\system32\java.exe"

    REM Windows 32-Bit Operating System program Paths

    REM 3rd Party Programs

    emet_conf.exe --set "C:\Program Files\IBM\Lotus\Notes\nlnotes.exe"
    emet_conf.exe --set "C:\Program Files\Mozilla Firefox\firefox.exe"
    emet_conf.exe --set "C:\Program Files\Mozilla Firefox\plugin-container.exe"
    emet_conf.exe --set "C:\Program Files\Opera\opera.exe"
    emet_conf.exe --set "C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe"
    emet_conf.exe --set "C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe"
    emet_conf.exe --set "C:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe"
    emet_conf.exe --set "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrobat.exe"
    emet_conf.exe --set "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat.exe"
    emet_conf.exe --set "C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrobat.exe"
    emet_conf.exe --set "C:\Program Files\QuickTime\QuickTimePlayer.exe"
    emet_conf.exe --set "C:\Program Files\iTunes\iTunes.exe"
    emet_conf.exe --set "C:\Program Files\Winamp\winamp.exe"
    emet_conf.exe --set "C:\Program Files\WinZip\WINZIP32.exe"


    REM Office 2003 Applications

    emet_conf.exe --set "C:\Program Files\Microsoft Office\OFFICE11\MSACCESS.EXE"
    emet_conf.exe --set "C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE"
    emet_conf.exe --set "C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE"
    emet_conf.exe --set "C:\Program Files\Microsoft Office\OFFICE11\POWERPNT.EXE"
    emet_conf.exe --set "C:\Program Files\Microsoft Office\OFFICE11\PPTVIEW.EXE"
    emet_conf.exe --set "C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE"
    emet_conf.exe --set "C:\Program Files\Microsoft Office\OFFICE11\MSPUB.EXE"
    emet_conf.exe --set "C:\Program Files\Microsoft Office\OFFICE11\INFOPATH.EXE"

    REM Office 2007 Applications

    emet_conf.exe --set "C:\Program Files\Microsoft Office\OFFICE12\MSACCESS.EXE"
    emet_conf.exe --set "C:\Program Files\Microsoft Office\OFFICE12\EXCEL.EXE"
    emet_conf.exe --set "C:\Program Files\Microsoft Office\OFFICE12\OUTLOOK.EXE"
    emet_conf.exe --set "C:\Program Files\Microsoft Office\OFFICE12\POWERPNT.EXE"
    emet_conf.exe --set "C:\Program Files\Microsoft Office\OFFICE12\PPTVIEW.EXE"
    emet_conf.exe --set "C:\Program Files\Microsoft Office\OFFICE12\WINWORD.EXE"
    emet_conf.exe --set "C:\Program Files\Microsoft Office\OFFICE12\MSPUB.EXE"
    emet_conf.exe --set "C:\Program Files\Microsoft Office\OFFICE12\INFOPATH.EXE"

    REM Office 2010 32-Bit version Applications

    emet_conf.exe --set "C:\Program Files\Microsoft Office\OFFICE14\MSACCESS.EXE"
    emet_conf.exe --set "C:\Program Files\Microsoft Office\OFFICE14\EXCEL.EXE"
    emet_conf.exe --set "C:\Program Files\Microsoft Office\OFFICE14\OUTLOOK.EXE"
    emet_conf.exe --set "C:\Program Files\Microsoft Office\OFFICE14\POWERPNT.EXE"
    emet_conf.exe --set "C:\Program Files\Microsoft Office\OFFICE14\PPTVIEW.EXE"
    emet_conf.exe --set "C:\Program Files\Microsoft Office\OFFICE14\WINWORD.EXE"
    emet_conf.exe --set "C:\Program Files\Microsoft Office\OFFICE14\GROOVE.EXE"
    emet_conf.exe --set "C:\Program Files\Microsoft Office\OFFICE14\MSPUB.EXE"
    emet_conf.exe --set "C:\Program Files\Microsoft Office\OFFICE14\ONENOTE.EXE"
    emet_conf.exe --set "C:\Program Files\Microsoft Office\OFFICE14\VPREVIEW.EXE"
    emet_conf.exe --set "C:\Program Files\Microsoft Office\OFFICE14\INFOPATH.EXE"

    REM Windows 64-Bit Operating System program Paths

    REM System Services and Applications

    emet_conf.exe --set "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
    emet_conf.exe --set "C:\Program Files (x86)\Internet Explorer\iexplore.exe"

    REM 3rd Party Programs

    emet_conf.exe --set "C:\Program Files (x86)\IBM\Lotus\Notes\nlnotes.exe"
    emet_conf.exe --set "C:\Program Files (x86)\Mozilla Firefox\firefox.exe"
    emet_conf.exe --set "C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe"
    emet_conf.exe --set "C:\Program Files (x86)\Opera\opera.exe"
    emet_conf.exe --set "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\AcroRd32.exe"
    emet_conf.exe --set "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"
    emet_conf.exe --set "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AcroRd32.exe"
    emet_conf.exe --set "C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrobat.exe"
    emet_conf.exe --set "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat.exe"
    emet_conf.exe --set "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat.exe"
    emet_conf.exe --set "C:\Program Files (x86)\QuickTime\QuickTimePlayer.exe"
    emet_conf.exe --set "C:\Program Files (x86)\iTunes\iTunes.exe"
    emet_conf.exe --set "C:\Program Files (x86)\Java\jre6\bin\java.exe"
    emet_conf.exe --set "C:\Program Files (x86)\Winamp\winamp.exe"
    emet_conf.exe --set "C:\Program Files (x86)\WinZip\WINZIP32.exe"


    REM Office 2003 Applications

    emet_conf.exe --set "C:\Program Files (x86)\Microsoft Office\OFFICE11\MSACCESS.EXE"
    emet_conf.exe --set "C:\Program Files (x86)\Microsoft Office\OFFICE11\EXCEL.EXE"
    emet_conf.exe --set "C:\Program Files (x86)\Microsoft Office\OFFICE11\OUTLOOK.EXE"
    emet_conf.exe --set "C:\Program Files (x86)\Microsoft Office\OFFICE11\POWERPNT.EXE"
    emet_conf.exe --set "C:\Program Files (x86)\Microsoft Office\OFFICE11\PPTVIEW.EXE"
    emet_conf.exe --set "C:\Program Files (x86)\Microsoft Office\OFFICE11\WINWORD.EXE"
    emet_conf.exe --set "C:\Program Files (x86)\Microsoft Office\OFFICE11\MSPUB.EXE"
    emet_conf.exe --set "C:\Program Files (x86)\Microsoft Office\OFFICE11\INFOPATH.EXE"

    REM Office 2007 Applications

    emet_conf.exe --set "C:\Program Files (x86)\Microsoft Office\OFFICE12\MSACCESS.EXE"
    emet_conf.exe --set "C:\Program Files (x86)\Microsoft Office\OFFICE12\EXCEL.EXE"
    emet_conf.exe --set "C:\Program Files (x86)\Microsoft Office\OFFICE12\OUTLOOK.EXE"
    emet_conf.exe --set "C:\Program Files (x86)\Microsoft Office\OFFICE12\POWERPNT.EXE"
    emet_conf.exe --set "C:\Program Files (x86)\Microsoft Office\OFFICE12\PPTVIEW.EXE"
    emet_conf.exe --set "C:\Program Files (x86)\Microsoft Office\OFFICE12\WINWORD.EXE"
    emet_conf.exe --set "C:\Program Files (x86)\Microsoft Office\OFFICE12\MSPUB.EXE"
    emet_conf.exe --set "C:\Program Files (x86)\Microsoft Office\OFFICE12\INFOPATH.EXE"

    REM Office 2010 32-Bit version Applications

    emet_conf.exe --set "C:\Program Files (x86)\Microsoft Office\OFFICE14\MSACCESS.EXE"
    emet_conf.exe --set "C:\Program Files (x86)\Microsoft Office\OFFICE14\EXCEL.EXE"
    emet_conf.exe --set "C:\Program Files (x86)\Microsoft Office\OFFICE14\OUTLOOK.EXE"
    emet_conf.exe --set "C:\Program Files (x86)\Microsoft Office\OFFICE14\POWERPNT.EXE"
    emet_conf.exe --set "C:\Program Files (x86)\Microsoft Office\OFFICE14\PPTVIEW.EXE"
    emet_conf.exe --set "C:\Program Files (x86)\Microsoft Office\OFFICE14\WINWORD.EXE"
    emet_conf.exe --set "C:\Program Files (x86)\Microsoft Office\OFFICE14\GROOVE.EXE"
    emet_conf.exe --set "C:\Program Files (x86)\Microsoft Office\OFFICE14\MSPUB.EXE"
    emet_conf.exe --set "C:\Program Files (x86)\Microsoft Office\OFFICE14\ONENOTE.EXE"
    emet_conf.exe --set "C:\Program Files (x86)\Microsoft Office\OFFICE14\VPREVIEW.EXE"
    emet_conf.exe --set "C:\Program Files (x86)\Microsoft Office\OFFICE14\INFOPATH.EXE"

    Friday, June 17, 2011 5:22 PM
  • This is a nice list, however, I would recommend using a script to search the machine for each of the file names that you would like to have protected.  Patches tend to leave behind older versions of applications and these should also be protected.

    With that being said, anyone have any other items to add to this great list that p2zilla started?

    Monday, June 20, 2011 1:56 PM
  • Thanks. Right now, the list just tries to add the program at that path.  If it isn't there it just moves on.  I would like to add more intelligence to it especially in the case of programs like Google Chrome which install in the user's profile or a program is not installed to the default directory.  I'm considering using PowerShell to create a more robust process of identifying if certain programs are on the computer.  Any insights or examples into managing the configuration of this program using tools like PowerShell would be appreciated.  Thanks.
    Tuesday, June 28, 2011 3:37 PM
  • Option 4: Create ADM Template and use VBScript to configure EMET

    Deploy EMET using the MSI package to the clients.  Create an ADM template that puts the settings you want in the registry.  Utilize a VBScript to read those settings and then use the registry location HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\(FileYouAreProtecting).exe to determine the path of the EXE you want to protect and execute EMET_conf.exe --set for the application.  Schedule the script to run at varying times, or on logon, etc...

    Tuesday, July 12, 2011 4:40 PM
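    The following PowerShell script is an added example, not code posted in this thread or shipped with EMET. It combines three suggestions made above: resolving each executable through the App Paths registry key (Option 4), falling back to a directory search so that older copies left behind by patches and per-user installs such as Google Chrome are also found (the two earlier replies), and then running the EMET_Conf.exe --set command the thread documents for EMET 2.1 and later. The list of executable names is taken from the batch script above; the EMET_Conf.exe install locations and the search roots are assumptions, and nothing on the page states EMET_Conf.exe's exit codes, so the script only reports a non-zero code rather than interpreting it.

```powershell
# Added example (not from the thread): resolve target executables via App Paths,
# fall back to a directory search, and apply EMET_Conf.exe --set to each hit.
param(
    # List what would be protected without calling EMET_Conf.exe.
    [switch]$ReportOnly
)

# File names to protect (taken from the batch list earlier in the thread).
$targets = @('iexplore.exe', 'firefox.exe', 'plugin-container.exe', 'AcroRd32.exe',
             'Acrobat.exe', 'WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE', 'OUTLOOK.EXE',
             'java.exe', 'wmplayer.exe', 'chrome.exe')

# Assumed EMET_Conf.exe locations (same two directories the batch script checks).
$emetConf = @("$env:ProgramFiles\EMET\EMET_Conf.exe",
              "${env:ProgramFiles(x86)}\EMET\EMET_Conf.exe") |
            Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Select-Object -First 1
if (-not $emetConf) { throw 'EMET_Conf.exe not found; install EMET first.' }

function Resolve-FromAppPaths {
    param([string]$Exe)
    # App Paths stores the full path of a registered application under its file
    # name; both the native and the WOW6432Node views are consulted.
    $keys = @("HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\$Exe",
              "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\$Exe")
    foreach ($k in $keys) {
        if (Test-Path -LiteralPath $k) {
            $p = (Get-ItemProperty -LiteralPath $k).'(default)'
            if ($p) {
                # The value may be quoted and may contain %variables%; normalise it.
                $p = [Environment]::ExpandEnvironmentVariables($p.Trim('"'))
                if (Test-Path -LiteralPath $p) { return $p }
            }
        }
    }
    return $null
}

function Find-ByDirectorySearch {
    param([string]$Exe)
    # Fallback: search the usual install roots plus user profiles (assumed roots),
    # so per-user installs and leftover older versions are picked up as well.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, "$env:SystemDrive\Users") |
             Where-Object { $_ -and (Test-Path -LiteralPath $_) }
    Get-ChildItem -Path $roots -Filter $Exe -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        Select-Object -ExpandProperty FullName
}

$protected = @()
foreach ($exe in $targets) {
    $paths = @()
    $fromReg = Resolve-FromAppPaths $exe
    if ($fromReg) { $paths += $fromReg }
    $paths += Find-ByDirectorySearch $exe
    foreach ($path in ($paths | Sort-Object -Unique)) {
        if ($ReportOnly) { Write-Output "Would protect: $path"; continue }
        # --set registers the application with EMET's default application mitigations.
        & $emetConf --set $path
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "EMET_Conf.exe returned $LASTEXITCODE for $path"
        } else {
            $protected += $path
        }
    }
}
Write-Output ("Protected {0} executable(s)." -f $protected.Count)
```

    Run it once with -ReportOnly to review the resolved paths before anything is changed; the recursive search under the Users folder is the slow part and can be narrowed to the profile subdirectories that matter in a given environment.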
  • Is there a silent install option for EMET so I can deploy it on users machines without them having to interact with the dialog stuff?

    Regards,

    Rodimus

    Monday, December 05, 2011 8:46 PM
  • Standard msiexec command to install it.

    msiexec.exe /i "EMETSetup.msi" /qn /norestart


    You will still need to configure the actual protections via the methods above, of course.


    My idea of a party is a virtualization server and a room of TechNet DVDs
    • Edited by Daniel Wolf Tuesday, December 13, 2011 12:45 AM
    Tuesday, December 13, 2011 12:45 AM
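    As an added example (not code from this thread), the silent msiexec command above wrapped in a PowerShell script suitable for a startup script or SCCM package: it checks the package's Authenticode signature before running it (the MSI is being pulled from a share, which the original post notes should be protected against tampering), writes a verbose install log, and maps the msiexec exit codes to an outcome. The share path and log path are assumptions; the exit codes 0, 3010 and 1638 are Windows Installer's documented success, reboot-required and product-already-installed codes.

```powershell
# Added example (not from the thread): silent EMET install with a signature
# check on the MSI and msiexec exit-code handling.
param(
    [string]$MsiPath = '\\fileserver\software\EMET\EMET Setup.msi',   # assumed share path
    [string]$LogPath = "$env:windir\Temp\EMET-install.log"             # assumed log path
)

if (-not (Test-Path -LiteralPath $MsiPath)) {
    throw "Package not found: $MsiPath"
}

# Refuse to run a package whose Authenticode signature does not validate,
# so a tampered copy on the share is never installed.
$sig = Get-AuthenticodeSignature -FilePath $MsiPath
if ($sig.Status -ne 'Valid') {
    throw "Refusing to install: signature status for '$MsiPath' is $($sig.Status)"
}

# /qn = no UI, /norestart as in the reply above; /l*v writes a verbose log.
# Paths are quoted because the file name contains a space.
$msiArgs = @('/i', "`"$MsiPath`"", '/qn', '/norestart', '/l*v', "`"$LogPath`"")
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

switch ($proc.ExitCode) {
    0       { Write-Output 'EMET installed.' }
    3010    { Write-Output 'EMET installed; a reboot is pending.' }
    1638    { Write-Output 'Another version of EMET is already installed; nothing changed.' }
    default { throw "msiexec failed with exit code $($proc.ExitCode); see $LogPath" }
}

# Confirm the configuration tool is present before the protections are applied
# by a separate configuration script (assumed install locations).
$emetConf = @("$env:ProgramFiles\EMET\EMET_Conf.exe",
              "${env:ProgramFiles(x86)}\EMET\EMET_Conf.exe") |
            Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Select-Object -First 1
if (-not $emetConf) { throw 'Install reported success but EMET_Conf.exe was not found.' }
Write-Output "EMET_Conf.exe is at $emetConf; run the application configuration script next."
```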
  • I read on another thread in the EMET support forum:

    "I would not recommend mass-deployment of EMET to non-technical users. Some of the mitigations are very non-compatible and could potentially break applications for hundreds of thousands of users. The real value of EMET is with protecting legacy applications running on legacy operating systems."

    Have any of you had this problem?

    Monday, May 07, 2012 6:06 AM
  • Thank you everyone for the feedback. The feedback here certainly helped prioritize our feature set for EMET 3.0. You will find many enterprise features we added in the users guide as well as in our blog post at http://blogs.technet.com/b/srd/archive/2012/05/15/introducing-emet-v3.aspx .
    Thursday, May 17, 2012 10:21 PM
    Owner
  • The User Guide and all blog posts here do *NOT* work with SCCM and EMET 4.1

    Anyone awake at Microsoft who *could* or *would* write a proper guide on deploying version 4.1 using SCCM, which is tested and works?

    Wednesday, February 05, 2014 9:05 AM
  • What kind of errors are you getting? (I'm not an SCCM expert but I can try to assist from the EMET perspective) I did have a case with EMET/SCCM where we needed to add the sdbhelper.dll into the SCCM configuration package if this has to do with creating/running a package that runs the emet_conf --import command?  Also it's usually better to start a new thread with an issue vs replying to a 2 year old dead thread as you probably won't get as much attention this way.


    CSS Security Support Engineer (FCS/MBSA/WUA/Incident Response/FOPE) Check out my blog http://blogs.technet.com/kfalde or better yet check out http://technet.com/wiki and start contributing :)

    Thursday, February 06, 2014 6:34 PM