Problem/Scenario
We need to push the EMET configuration/settings for applications to all users in the network and prevent users from changing these settings (For Example: Removing ASR mitigation from the Internet Explorer). This issue gets worse with users who are admin on their machines and can open the EMET GUI and change any application setting.
Solution:
Users may change the EMET application GUI settings to disable a mitigation or remove specific application from the list. This change will result in an Event ID 11 written in the local application event log. We will use this Event as a trigger when its recorded to re-import/push back our EMET application settings on the client using Group policy.
- I am assuming EMET is already installed on all users (Can be done via SCCM or any other tool) which is another discussion.
- We need to install EMET (Latest current version is 5.1) on a machine, add all popular applications (Located under EMET Installation folder - \EMET 5.1\Deployment\Protection Profiles) and company business applications if needed and apply/test different mitigation.
- After configuring and changing all wide system and application configuration and you are fully satisfied of deploying it on all clients, Export the settings (XML file) from the main EMET interface as shown below.
- We need to create a GPO to import this XML file (exported in the previous step) on all computers in the domain. A very good article on TechNet that explains this step in details can be found at http://blogs.technet.com/b/kfalde/archive/2014/04/30/configuring-emet-via-gpo-gpp-w-o-using-the-admx-files.aspx
- Basically what we need to do as per the TechNet article is to create a new GPO, link it to your domain or computers OU and copy the XML file in the GPO folder.
- Create a Task scheduler using the group policy Preferences, for more details check this TechNet article http://blogs.technet.com/b/kfalde/archive/2014/03/13/automatically-refreshing-emet-gpo-s.aspx
- This scheduled task main action is to import the XML file to the machines as per the below screen shot. The program will be the EMET_Conf.exe and the path should reflect the current version of EMET used in your environment. The Arguments will be the Import of the XML command and it should be something like this: --import \\domain.com\sysvol\domain.com\Policies\{2368E536-C9BA-41E6-A1D8-8AA1C7854275}\emetconfig.xml (You need to replace the domain.com with your actual domain name, Unique ID of your policy and the XML name)
- The tricky part will be the trigger as when this import will occur (XML imported to the users). If any user changed, removed any application settings in the EMET GUI an EVENT ID 11 will be triggered in the application log of the user computer as shown below: So in this GPO we will use this Event ID as the trigger to re-import and push the settings back to the user.
This should do the trick and enforce the company EMET settings on all computers and ensure your users won't change them or actually if changed will be reverted back in the same second to ensure full protection.
Hopefully this article is helpful to anyone facing the same issue.