Complete Guide to Microsoft Enhanced Mitigation Experience Toolkit (EMET)

Microsoft Enhanced Mitigation Experience Toolkit (EMET) is a piece of software installed on the operating system that makes it much harder to exploit a vulnerability in the system or in an application. It can block a range of exploitation techniques at the operating system or application level, which matters most when no security patch for the faulty software has been released yet. The benefits of using EMET are as follows:

  • It is very easy to use and does not involve any complicated processes.
  • To protect an operating system or application from exploitation, there is no need for the source code of the software; all it takes is to install and configure EMET, before or after the faulty software is installed.
  • EMET can be configured for all operating system components, processes and drivers, as well as for individual applications installed on the operating system.
  • It also works with legacy software and applications that exist in an organization’s infrastructure and cannot easily be phased out.

Protection Levels

There are two types of settings in EMET that can be configured to provide mitigation:

  • System Settings: These apply to the whole operating system, including its components and drivers.
  • Application Settings: These apply to specific applications installed on the operating system.


Possible Attacks on Windows and Countermeasures – Part 2

In the previous post I talked about password cracking and how you can actually protect against those attacks. In this article I want to explore another type of attack:

Buffer Overflow Attacks:

This is a very common type of attack against an operating system (not necessarily Windows). It is made possible by a security vulnerability, either inside the operating system itself or in the applications installed on top of it. The reason it is so common is probably that a security bug in any application running on the OS can also turn into a security hole in the OS itself.

What is a buffer overflow vulnerability?

This happens when the data copied into a memory buffer is larger than the buffer itself, so the excess spills over into the adjacent memory. The problem is mostly seen in applications written in the C and C++ programming languages, which offer no built-in protection against accessing or overwriting data in any part of memory.

This problem can let a hacker execute malicious code, and it makes it fairly easy for a hacker to do so even remotely, so that they can gain access to the OS.
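To make the mechanism concrete, here is an added C example (not code from the original post) showing the classic unchecked copy next to a bounded version that refuses oversized input. The 16-byte buffer size and the sample names are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* constructed fixed buffer size for the example */

/* Vulnerable form: strcpy writes as many bytes as the source holds, so any
   input of NAME_MAX bytes or more runs past the end of dst and overwrites
   whatever sits next to it in memory (other variables, saved return address).
   Shown for contrast only; it is never called here. */
void copy_name_unsafe(char dst[NAME_MAX], const char *src) {
    strcpy(dst, src);
}

/* Hardened form: scan at most NAME_MAX bytes, and reject input that leaves no
   room for the terminating NUL instead of silently overflowing. */
bool copy_name_safe(char dst[NAME_MAX], const char *src) {
    size_t n = 0;
    while (n < NAME_MAX && src[n] != '\0') {
        n++;                      /* never reads beyond NAME_MAX bytes */
    }
    if (n == NAME_MAX) {          /* too long (or unterminated): refuse */
        dst[0] = '\0';
        return false;
    }
    memcpy(dst, src, n + 1);      /* n characters plus the NUL */
    return true;
}

/* How many bytes an unchecked copy of src would write past the buffer end.
   Zero means the input would have fitted. */
size_t unchecked_overrun(const char *src) {
    size_t needed = strlen(src) + 1;          /* characters plus NUL */
    return needed > NAME_MAX ? needed - NAME_MAX : 0;
}

int main(void) {
    char buf[NAME_MAX];
    const char *ok = "Alice";                                /* fits */
    const char *too_long = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; /* 32 bytes */
    printf("\"%s\" -> %s\n", ok, copy_name_safe(buf, ok) ? "copied" : "rejected");
    printf("32-byte name -> %s (unchecked copy would overrun by %zu bytes)\n",
           copy_name_safe(buf, too_long) ? "copied" : "rejected",
           unchecked_overrun(too_long));
    return 0;
}
```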

When a buffer overflow security hole is found, a security advisory is usually released on the OS or software vendor's website. To my way of thinking, such advisories have both advantages and disadvantages.

The advantage is that users become more aware of the security vulnerabilities in their OS or software and can better plan their protection, for example by closing specific ports on their firewalls or even disconnecting a specific computer from the internet. I have written a specific article about this that you can read here.

The disadvantage is that hackers also become aware of such vulnerabilities and begin writing malicious exploits for that security bug so that they can use it to access affected systems. But what are exploits?

Exploits are programs written maliciously to take advantage of a security vulnerability. There are two general types. Remote exploits can be run remotely against a server that has the problem. Local exploits are run locally, when the hacker already has some limited access to a machine and uses the exploit to escalate his permissions and get full access to the system.

If the vulnerability is critical and is found in a popular OS like Windows or in any other common software, worms may well be written for it. Worms are exploits with the additional capability to scan the network for other machines with the same security problem, penetrate them and keep spreading.

Solution:

It’s really difficult to say how to protect against these attacks, because there are so many applications installed on the OS and any of them could introduce such a problem. The best practice is to keep your computer up to date by enabling automatic updates on your Windows.

There is also a very good feature in Windows called DEP (Data Execution Prevention) that should be turned on. It protects your computer against this type of attack by monitoring programs to make sure they use memory safely. If DEP detects that a program is trying to run instructions from a portion of memory reserved for data, DEP closes the program and notifies you.

You can turn it on from System Properties -> Advanced System Settings -> Performance Settings -> Data Execution Prevention and enable “Turn on DEP for essential Windows programs and services only”.

You want to learn more? Check out my new book below and have access to great and practical tutorials and step-by-step guides all in one book:


Hope you enjoyed it

Cheers