

How Microsoft's EMET fits into the Windows security arsenal

Windows administrators can use Microsoft EMET to enhance security. The tool protects specific executable files or an entire network.

With the growing hype over ransomware, the time is right for IT teams to think about how their Windows endpoints are at risk from today's advanced malware threats.

Effective malware protection is the only way administrators can minimize technical and human vulnerabilities. They can tell users to not click links or open attachments until the end of time, but users will still click bad links. That's why admins have to take action to nip problems in the bud before they happen.

New endpoint security controls and threat intelligence products emerge every day. With all the complexity, confusion and high price tags surrounding the topic, it pays to be picky. Microsoft Enhanced Mitigation Experience Toolkit (EMET), a free Windows-based security tool, is one of the best options not a lot of people know about.

How EMET works

Microsoft's EMET helps minimize software security risks for most versions of Windows going back to Windows Vista SP2 and Windows Server 2008 SP2. The tool adds a layer of security onto programs to prevent the exploitation of both known and unknown (zero-day) vulnerabilities.

EMET's threat mitigation techniques include advanced antimalware controls such as:

  • Attack surface reduction, which allows admins to implement policy-based controls to minimize the vulnerabilities associated with plug-ins such as Adobe Reader and Java;
  • Address space layout randomization, which loads modules into random memory locations to minimize attack predictability;
  • Heap spray allocation security mitigation, which preloads common memory locations to help prevent known shellcode from loading;
  • Load library check, which prevents libraries from being loaded from Universal Naming Convention (UNC) paths;
  • Memory protection check, which prevents the memory stack area from being an executable area attackers can exploit.
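
As an added illustration (not part of the original article and not EMET's own code), the Python script below audits module-load records for libraries loaded from UNC paths, the condition the load library check blocks. The record format, host names and function names are assumptions constructed for this example.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample records in the form "process|loaded module path".
# They are illustrative only, not output from EMET or any real tool.
SAMPLE_LOADS = [
    r"C:\Program Files\App\app.exe|C:\Windows\System32\kernel32.dll",
    r"C:\Program Files\App\app.exe|\\fileserver\share\plugin.dll",
    r"C:\Tools\viewer.exe|\\?\UNC\10.0.0.5\drop\codec.dll",
    r"C:\Tools\viewer.exe|\\?\C:\Tools\codec.dll",
    r"C:\Tools\viewer.exe|//fileserver/share/helper.dll",
    r"C:\Tools\viewer.exe|\\.\pipe\notalibrary",
]


class Finding(NamedTuple):
    process: str
    module: str
    host: str


def unc_host(path: str) -> Optional[str]:
    """Return the remote host if path is a UNC path, otherwise None."""
    # Windows accepts forward slashes, so normalize before matching.
    p = path.strip().replace("/", "\\")
    # Extended-length UNC form: \\?\UNC\host\share\...
    m = re.match(r"^\\\\\?\\UNC\\([^\\]+)\\[^\\]+", p, re.IGNORECASE)
    if m:
        return m.group(1)
    # Other \\?\ and \\.\ prefixes name local drives or devices, not hosts.
    if p.startswith("\\\\?\\") or p.startswith("\\\\.\\"):
        return None
    # Plain UNC form: \\host\share\...
    m = re.match(r"^\\\\([^\\]+)\\[^\\]+", p)
    return m.group(1) if m else None


def find_unc_loads(records):
    """Return a Finding for every record whose module path is a UNC path."""
    findings = []
    for rec in records:
        process, _, module = rec.partition("|")
        host = unc_host(module)
        if host:
            findings.append(Finding(process, module, host))
    return findings


if __name__ == "__main__":
    for f in find_unc_loads(SAMPLE_LOADS):
        print(f"{f.process} loaded {f.module} from host {f.host}")
```
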

[Figure: A look at the EMET menu]

Admins can run Microsoft EMET in a stand-alone mode to protect specific executable files or deploy it across their entire network by manually installing it on each system using Windows Group Policy or System Center Configuration Manager. Because it requires such hands-on deployment, it can be hard to deploy throughout an entire large organization. Still, there are plenty of uses for EMET in small and medium-sized businesses as well as niche areas in larger enterprises.

Like all other security controls, Microsoft's EMET is not a one-stop quick fix for Windows risks. Microsoft makes no guarantees that EMET prevents vulnerabilities from exploitation, but it claims it makes attacks less likely. It's still on admins to fix the basic security flaws, such as weak passwords, that keep getting so many people into trouble. Furthermore, Microsoft EMET can cause problems, including app compatibility issues, so be sure to test it in a controlled environment like any other piece of software.

If Microsoft's EMET is not a good fit, there are plenty of other advanced malware and threat mitigation products to choose from. The important thing is for admins to be proactive, before security issues become an even greater challenge for their businesses tomorrow.
