This is a list of recommendations/steps that an organization can use when deploying an EMET pilot.

Deployment

  • Determine sample size
  • Determine how client will be installed
    • Typically with whatever desktop management software is in place (SCCM/LANDesk/BigFix etc.)
    • Smaller orgs without desktop management software can easily use GPOs, as the installer is a standard .msi

Configuration

GPOs

emet_conf --import

  • Use SCCM to schedule a job that imports the configuration on a regular basis for groups of computers
  • Use Group Policy Preferences (GPP) to copy the file from a network share (it could be placed in the GPO folder in SYSVOL) and a GPP scheduled task item to import it
  • Use a startup script to run emet_conf --import and import the file from a network location
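The startup-script option above, written out as an added example (this is not code from the original page or from the EMET product). It assumes the exported EMET configuration is an XML file placed in a GPO folder in SYSVOL (the GPO GUID in the path is a placeholder), that EMET_Conf.exe sits under an "EMET <version>" folder in Program Files (the folder name varies by EMET version, so the script searches for it), and that EMET_Conf.exe accepts --import <file> as the page describes. It keeps a local copy of the last imported file and skips the import when the file on the share has not changed, so a client is not re-imported at every boot.

```powershell
# Added example: import the EMET configuration at startup.
# Assumed paths (placeholders): SYSVOL location of the exported config, local cache under ProgramData.
$ConfigSource = '\\example.local\SYSVOL\example.local\Policies\{GPO-GUID-PLACEHOLDER}\EMET\EMET_Config.xml'
$LocalCopy    = Join-Path $env:ProgramData 'EMET\EMET_Config.xml'
$LogFile      = Join-Path $env:ProgramData 'EMET\import.log'

function Write-Log ([string]$Message) {
    $line = '{0:u} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
}

function Get-EmetConfPath {
    # EMET installs to "Program Files (x86)\EMET <version>"; search rather than hard-code the version.
    $roots = @(${env:ProgramFiles(x86)}, $env:ProgramFiles) | Where-Object { $_ }
    foreach ($root in $roots) {
        $hit = Get-ChildItem -Path $root -Directory -Filter 'EMET*' -ErrorAction SilentlyContinue |
               ForEach-Object { Join-Path $_.FullName 'EMET_Conf.exe' } |
               Where-Object { Test-Path $_ } | Select-Object -First 1
        if ($hit) { return $hit }
    }
    return $null
}

function Test-ConfigChanged {
    # Skip the import when the file on the share matches the last imported copy.
    if (-not (Test-Path $LocalCopy)) { return $true }
    $new = (Get-FileHash -Path $ConfigSource -Algorithm SHA256).Hash
    $old = (Get-FileHash -Path $LocalCopy    -Algorithm SHA256).Hash
    return $new -ne $old
}

New-Item -ItemType Directory -Path (Split-Path $LocalCopy) -Force | Out-Null

if (-not (Test-Path $ConfigSource)) {
    Write-Log "Configuration not reachable at $ConfigSource; leaving current EMET settings in place."
    exit 0
}

$emetConf = Get-EmetConfPath
if (-not $emetConf) {
    Write-Log 'EMET_Conf.exe not found; the client may not have EMET installed yet.'
    exit 0
}

if (-not (Test-ConfigChanged)) {
    Write-Log 'Configuration unchanged since last import; nothing to do.'
    exit 0
}

# Copy first so the import reads a local file even if the network drops mid-run.
Copy-Item -Path $ConfigSource -Destination $LocalCopy -Force
& $emetConf --import $LocalCopy
if ($LASTEXITCODE -eq 0) {
    Write-Log "Imported $LocalCopy with $emetConf"
} else {
    Write-Log "EMET_Conf.exe --import failed with exit code $LASTEXITCODE"
    Remove-Item $LocalCopy -Force   # drop the cache so the next startup retries the import
}
```

Get-FileHash requires PowerShell 4 or later; on clients still running an older PowerShell, compare the file's LastWriteTime instead. The log under ProgramData gives the pilot team something to check when a client does not pick up a new configuration.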

Client profile

Determine what will be used from a client profile perspective

  • Most organizations tend to use the Recommended Profile and add individual items as desired. See http://social.technet.microsoft.com/wiki/contents/articles/23602.emet-profiles.aspx for a comparison of the two built-in profiles
  • The Recommended Profile does not include any 3rd-party browsers; if you use the Recommended Profile and a 3rd-party browser is widely used in the organization, consider adding it to the list of protected applications.
  • Determine if any custom SSL Pin Rules will be added to the configuration
  • If using MITM SSL inspection in the organization, every pin rule will need the internal CA used for MITM added. This provides protection both while the client is internal and while it is roaming externally.
  • Determine if there are any extra applications that will be added to the list of protected applications. e.g. Firefox is not in the Recommended Profile, but if your organization uses it heavily it may be useful to add it as a protected application
  • Will EMET be configuring system-wide mitigations (DEP/ASLR/SEHOP)?
  • Will ASR (Attack Surface Reduction) be used?
    • If so, which sites will need to be added to Trusted Sites so that plugins continue to work properly (in general, using Trusted Sites is preferable to using Intranet to exclude sites from ASR)
    • Which plugins will be blocked/allowed in each security zone; the list of blocked plugins may need to be customized.

Testing

  • Audit and create a list of ALL applications used on desktops in the environment.
  • Create a test matrix for all applications utilized in the environment. The test matrix needs to include actual operations, not just opening the application.
  • If an application causes a mitigation to trigger, you have a 2-step process to resolve it: 1. Remove the mitigation that is causing the application to crash; 2. Attempt to work with the developer of the application to see if they can investigate and possibly implement a fix.
  • Consider using Event Log Forwarding to collect client event logs of mitigation occurrences to a centralized collector for analysis.
  • Review known issues with applications as part of testing
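To turn the forwarded mitigation events into input for the test matrix, here is an added example (not code from the original page or from EMET) that reads EMET events from a collector's ForwardedEvents log and summarizes them by application and mitigation. It assumes EMET writes to the Application log under the provider name "EMET" and that the message text follows the pattern "EMET detected <Mitigation> mitigation and will close the application: <path>"; both should be verified against the EMET version in the pilot. The sample messages at the bottom are constructed so the parsing can be tried without a collector.

```powershell
# Added example: summarize EMET mitigation events collected by Event Log Forwarding.
# Assumed message format (verify against your EMET version):
#   "EMET detected <Mitigation> mitigation and will close the application: <path>"
$MessagePattern = 'EMET detected (?<Mitigation>\S+) mitigation .*?: (?<Application>[^\r\n]+)'

function ConvertFrom-EmetMessage {
    # Pull the mitigation name and the application path out of one event message.
    param([string]$Message, [string]$Computer, [datetime]$Time)
    if ($Message -match $MessagePattern) {
        [pscustomobject]@{
            Time        = $Time
            Computer    = $Computer
            Application = $Matches.Application.Trim()
            Mitigation  = $Matches.Mitigation
        }
    }
}

function Get-EmetMitigationEvents {
    # On the collector the forwarded copies land in ForwardedEvents; on a client use 'Application'.
    param([string]$LogName = 'ForwardedEvents', [int]$Days = 7)
    $filter = @{ LogName = $LogName; ProviderName = 'EMET'; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-EmetMessage -Message $_.Message -Computer $_.MachineName -Time $_.TimeCreated }
}

function Get-EmetMitigationSummary {
    # Group by application and mitigation; the distinct machine count separates a
    # fleet-wide incompatibility from a single odd workstation.
    param([Parameter(ValueFromPipeline)] $Event)
    begin { $all = @() }
    process { if ($Event) { $all += $Event } }
    end {
        $all | Group-Object Application, Mitigation | ForEach-Object {
            [pscustomobject]@{
                Application = $_.Group[0].Application
                Mitigation  = $_.Group[0].Mitigation
                Count       = $_.Count
                Machines    = ($_.Group | Select-Object -ExpandProperty Computer -Unique).Count
                LastSeen    = ($_.Group | Sort-Object Time -Descending | Select-Object -First 1).Time
            }
        } | Sort-Object Count -Descending
    }
}

# Constructed sample messages (not real event data) to exercise the parsing offline.
$sample = @(
    @{ C='WS01'; T=(Get-Date).AddHours(-3); M="EMET detected EAF mitigation and will close the application: C:\Program Files (x86)\ExampleApp\example.exe`r`n`r`nEAF check failed:" },
    @{ C='WS02'; T=(Get-Date).AddHours(-2); M="EMET detected EAF mitigation and will close the application: C:\Program Files (x86)\ExampleApp\example.exe`r`n`r`nEAF check failed:" },
    @{ C='WS01'; T=(Get-Date).AddHours(-1); M="EMET detected SimExecFlow mitigation and will close the application: C:\Program Files\Internet Explorer\iexplore.exe" }
)
$sample | ForEach-Object { ConvertFrom-EmetMessage -Message $_.M -Computer $_.C -Time $_.T } |
    Get-EmetMitigationSummary | Format-Table -AutoSize

# Against a real collector:  Get-EmetMitigationEvents | Get-EmetMitigationSummary
```

On the constructed sample this yields one row for example.exe/EAF with a count of 2 across 2 machines and one row for iexplore.exe/SimExecFlow with a count of 1. An application that appears across many machines for the same mitigation is a candidate for the 2-step resolution process above; a single machine is more likely a local problem worth a closer look before any mitigation is removed.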