Secure Legacy Applications on Windows Server 2012 R2 and Windows 8.1 with EMET 4.1

If you are still running legacy applications that haven’t been or can’t be updated to support Data Execution Prevention (DEP), the Enhanced Mitigation Experience Toolkit (EMET) can be used to force those apps to run with DEP protection and a series of other exploit mitigations. In today’s Ask an Admin, I’ll go over how to use EMET 4.1 to secure legacy applications in Windows 8.1 and Windows Server 2012 R2.

EMET 4.1 Released

EMET 4.0 was released in June 2013, having received a major makeover, including the ability to detect attacks that use suspect SSL certificates (configurable certificate pinning), and an audit mode so that mitigations could be tested before being deployed in production.

EMET 4.1 adds compatibility with Windows 8.1 and Windows Server 2012 R2, improved Group Policy configuration, support for shared remote desktop environments, and several other improvements.

DEP, ASLR, and Other Advanced Exploit Mitigations

One of the most important features of EMET is the ability to force legacy applications to use DEP, Address Space Layout Randomization (ASLR), and other mitigation techniques, even if they don’t have compatibility flags. If you use EMET to force a legacy application to be protected by any of the mitigations on offer, you must test the app thoroughly before deploying the new configuration in a production environment. For a full list and explanation of the mitigations on offer, and their compatibility with different versions of Windows, refer to the EMET user guide.
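To see which binaries actually lack those compatibility flags before adding them to EMET, the following added example (not from the original article and not part of EMET) reads the DllCharacteristics field of a PE header and reports whether the DEP (NX_COMPAT) and ASLR (DYNAMIC_BASE) opt-in bits are missing. The function names and the header-only sample images built by `build_sample` are constructed for this illustration.

```python
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* bits in the PE optional header (set by the linker)
OPT_IN_BITS = {"ASLR": 0x0040,   # DYNAMIC_BASE (/DYNAMICBASE)
               "DEP": 0x0100}    # NX_COMPAT (/NXCOMPAT)

def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics field of a PE image, or raise ValueError."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)       # e_lfanew
    opt = pe_off + 4 + 20            # PE signature + 20-byte COFF header
    if image[pe_off:pe_off + 4] != b"PE\0\0" or len(image) < opt + 0x48:
        raise ValueError("missing or truncated PE header")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 0x46 in both PE32 and PE32+
    return struct.unpack_from("<H", image, opt + 0x46)[0]

def missing_opt_ins(image: bytes) -> list:
    """Mitigations the binary does not opt in to (candidates for EMET to force)."""
    flags = dll_characteristics(image)
    return [name for name, bit in sorted(OPT_IN_BITS.items()) if not flags & bit]

def build_sample(flags: int, magic: int = 0x10B) -> bytes:
    """Constructed header-only PE image for the demo; not a loadable program."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 0x46, flags)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    if sys.argv[1:]:                 # paths to .exe/.dll files to inspect
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                head = fh.read(4096)
            print(path, "missing opt-in:", missing_opt_ins(head) or "none")
    else:                            # offline demo on constructed samples
        print("legacy sample:", missing_opt_ins(build_sample(0x0000)))
        print("modern sample:", missing_opt_ins(build_sample(0x0140)))
```

The flags are per module, so run the check against the application's DLLs as well as its main executable.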

Download and Configure EMET 4.1

Download EMET 4.1. You can download the EMET .msi and/or the EMET user manual. Run the downloaded .msi and follow through the simple install instructions. You can choose to use the recommended settings, where mitigations for some common applications are automatically added, or configure EMET manually.

Add a Legacy Application and Mitigations

In this example, we will add a mitigation for a legacy application on the local machine.

  • To launch the EMET GUI, switch to the Start menu and type EMET. Select EMET GUI in the search results.
  • In the EMET GUI, click Apps in the ribbon at the top of the window.
  • In the Application Configuration dialog, click Add Application.
  • In the Add Application dialog, open the application you want to add to EMET.
  • Back in the Application Configuration dialog, you’ll see the application you selected under Mitigations. Here you can select or deselect the mitigations that you want to apply. All mitigations are selected by default.
  • Once you’re done selecting the required mitigations, click OK.
Secure a legacy application with EMET 4.1.

Now close the EMET GUI and test the application you added. For a complete guide to EMET’s capabilities and mitigations, make sure you take a look at the user guide.