How To's: Windows Update
Introduction
This document outlines how to perform a Windows Update on your Microsoft Windows PC. Microsoft's Windows Update is a relatively easy way of securing your computer. Without updates, simply attaching the computer to the network or visiting a malicious web site could allow third parties to take control of your computer, your accounts, and your files. There are two ways to update Windows: enable Automatic Updates, or update Windows from the website.
The methods to perform updates are as follows:
- Updates by enabling automatic updates:
Windows Update can be set up to automatically download and install both important updates and recommended updates in Windows. This is the simplest way to make sure your PC stays up to date, just set it up and forget it.
To Turn On Automatic Updates on Windows Vista:
- Open Windows Update (click the Start button, click All Programs, and then click Windows Update)
- Select Change Settings and choose Install Updates Automatically (Recommended)
- Change the time of update if necessary
To turn on Automatic Updates in Windows XP (SP2):
- Click Start, then click on Control Panel
- Click Automatic Updates
- Choose Automatic (Recommended)
- Change the time of update if necessary
Updating Windows from the website
- Start Internet Explorer
- Browse to http://update.microsoft.com/windowsupdate/
*The website will check to see if you have the latest version of the Windows Update program on your computer.
- Choose Express to check for High-priority updates. Windows Update will check for High-priority updates for your PC and display them for your review. Select the updates you want, and then click Install Updates
- After applying any critical updates you must revisit Windows Update web site until you are told there are no more critical updates needed. Otherwise, you will still be vulnerable. Some updates can only be applied after earlier ones are applied.
E-mail Header
What is an Email Header?
Every email comes with a header, which is one part of the e-mail structure. It carries basic information such as whom the email comes from, to whom it is addressed, the date/time it was sent and the subject of the email. It is similar to an electronic postmark. This basic information appears in the brief/basic header that most email programs show automatically. However, an email also carries more detailed technical information, which can be viewed in the full header. All email programs can be set to show either the brief header or the full header, and it is up to the user to choose which one the program displays.
The full header contains information such as the names of the mail servers the email passed through on its way to the recipient, the recipient's and sender's IP addresses and even the name and version of the email program used. This information is essential for analysis and investigation in cases involving email abuse, spamming and mailbombing, and it cannot be found in a brief header. Thus, it is important that anyone reporting to their ISP or to their CERT team includes the full header for cases involving email abuse, worm-infected email, harassment and forgeries.
Examples of Headers
Brief Header
A brief header will look like this with the following information:
Date: Fri, 8 May 1998 10:05:21 +0800 (MYT)
From: [email protected]
To: [email protected]
Subject: happy holiday
Full Header
And a full header will look like this with the following detail information:
Return-Path: [email protected]
Received: from relay13.jaring.my (relay13.jaring.my [192.228.128.124])
by ace.cdc.abu.com (8.7.1/8.7.1) with ESMTP id KAA18533
for ; Fri, 8 May 1998 10:01:01 +0800
Received: from hole.com (j19.kch18.jaring.my [161.142.54.153])
by relay13.jaring.my (8.8.8/8.8.7) with SMTP id KAA21792
for ; Fri, 8 May 1998 10:05:21 +0800 (MYT)
Date: Fri, 8 May 1998 10:05:21 +0800 (MYT)
From: [email protected]
Message-Id: <[email protected]>
To: [email protected]
Subject: happy holiday
Status: RO
X-Status:
What is in a Header?
Now let's look at what is in a header. The header contains the "name" and "address" of the sender, the recipient and anyone who is being copied, the "date" and "time" the mail was sent and the "subject" of the mail. The header exists mainly for computers to route the mail to you. The "Received:" lines identify the mailers: they show which mailers the mail was routed through before it reached the recipient. Usually, over the Internet, mail passes through several mailers before it finally reaches the recipient. This information helps in tracing the source IP address of the sender.
How to read a Header?
Return-Path: [email protected]
Received: from relay13.jaring.my (relay13.jaring.my [192.228.128.124])
by ace.cdc.abu.com (8.7.1/8.7.1) with ESMTP id KAA18533
for ; Fri, 8 May 1998 10:01:01 +0800
Received: from hole.com (j19.kch18.jaring.my [161.142.54.153])
by relay13.jaring.my (8.8.8/8.8.7) with SMTP id KAA21792
for ; Fri, 8 May 1998 10:05:21 +0800 (MYT)
Date: Fri, 8 May 1998 10:05:21 +0800 (MYT)
From: [email protected]
Message-Id: <[email protected]>
To: [email protected]
Subject: happy holiday
Status: RO
X-Status:
Now let's see what they mean:
- Return-Path: [email protected]
The Return-Path line gives the address to which a reply to this mail will be sent.
- Received: from relay13.jaring.my (relay13.jaring.my [192.228.128.124])
by ace.cdc.abu.com (8.7.1/8.7.1) with ESMTP id KAA18533
for ; Fri, 8 May 1998 10:01:01 +0800
Received: from hole.com (j19.kch18.jaring.my [161.142.54.153])
by relay13.jaring.my (8.8.8/8.8.7) with SMTP id KAA21792
for ; Fri, 8 May 1998 10:05:21 +0800 (MYT)
The preceding lines are the routing information, which tells where the mail went and the time it arrived at each mailer. To follow the flow, they have to be read backwards. So this particular mail originated from hole.com and was handed to relay13.jaring.my. From there it went to ace.cdc.abu.com, the recipient's Internet host. So if your mail bounces, this part of the header shows how far the mail went and which machine rejected it.
- Message-Id: <[email protected]>
The Message-Id line is intended mainly for tracing mail routing and uniquely identifies each mail.
- From: [email protected]
The 'From' line shows who sent the mail and his/her email address. This 'From' information can easily be faked/forged.
- To: [email protected]
The 'To' line lists the email address(es) of the recipients of the mail. There may also be a Cc line listing all the people who received copies of this mail. The address could also be a hidden list of emails; thus your email may not appear here even though you received the mail.
- Subject: happy holiday
The subject line gives some idea of what the mail is about.
- Date: Fri, 8 May 1998 10:05:21 +0800 (MYT)
The Date line lists the date and time this mail was originally sent, in the sender's local time zone.
Note: the exact order of an email's header may vary from system to system, but it will always include these fundamental headers that are vital for delivery.
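To make the "read the Received: lines backwards" rule concrete, here is an added Python example (not part of the original article) that parses a constructed header modelled on the one above, lists the hops in the order the mail travelled, reports the IP recorded by the first relay, flags hops where the HELO name the connecting host announced does not match the reverse DNS the relay recorded, and computes the time between relay stamps. The hosts and addresses in the sample are placeholders; the negative delay it reports reproduces the clock skew visible in the article's own header, where the later relay stamped an earlier time.

```python
import email
import re
from email.utils import parsedate_to_datetime

# Constructed sample modelled on the header in the article. Hosts and
# addresses are placeholders (example.* domains), not the original message.
SAMPLE_HEADER = """\
Return-Path: <[email protected]>
Received: from relay13.example.net (relay13.example.net [192.0.2.124])
\tby mail.example.org (8.7.1/8.7.1) with ESMTP id KAA18533
\tfor <[email protected]>; Fri, 8 May 1998 10:01:01 +0800
Received: from hole.example.com (j19.dialup.example.net [198.51.100.53])
\tby relay13.example.net (8.8.8/8.8.7) with SMTP id KAA21792
\tfor <[email protected]>; Fri, 8 May 1998 10:05:21 +0800 (MYT)
Date: Fri, 8 May 1998 10:05:21 +0800 (MYT)
From: [email protected]
Message-Id: <[email protected]>
To: [email protected]
Subject: happy holiday

(message body)
"""

# One Received: line as written by a sendmail-style MTA:
#   from <HELO name> (<reverse DNS> [<IP>]) by <this relay> ... ; <timestamp>
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[]+)\s+\[(?P<ip>[^\]]+)\]\)"
    r"\s+by\s+(?P<by>\S+).*?;\s*(?P<date>.+)$",
    re.DOTALL,
)


def trace_route(raw_message):
    """Return the relay hops in the order the mail travelled.

    Each MTA prepends its own Received: line, so the header lists hops
    newest-first; reversing them gives the chronological path.
    """
    msg = email.message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.search(value)
        if not m:
            continue  # tolerate relays that use another format
        hop = m.groupdict()
        hop["time"] = parsedate_to_datetime(hop.pop("date"))
        # The HELO name is chosen by the connecting host; the rDNS name and
        # IP in brackets are recorded by the receiving relay and are harder
        # to fake. A mismatch is worth noting in an abuse report.
        hop["helo_mismatch"] = hop["helo"].lower() != hop["rdns"].lower()
        hops.append(hop)
    return hops


def originating_ip(raw_message):
    """IP recorded by the first relay, i.e. the host that injected the mail."""
    hops = trace_route(raw_message)
    return hops[0]["ip"] if hops else None


def hop_delays(raw_message):
    """Seconds between consecutive relay timestamps.

    A negative value means a later relay stamped an earlier time: clock skew
    between the servers, which is why the stamps are a rough guide only.
    """
    hops = trace_route(raw_message)
    return [int((b["time"] - a["time"]).total_seconds())
            for a, b in zip(hops, hops[1:])]


def claimed_sender(raw_message):
    """The From: header, which the article notes is trivially forgeable."""
    return email.message_from_string(raw_message)["From"]


if __name__ == "__main__":
    for i, hop in enumerate(trace_route(SAMPLE_HEADER), 1):
        flag = " (HELO name does not match rDNS)" if hop["helo_mismatch"] else ""
        print(f"hop {i}: {hop['helo']} [{hop['ip']}] -> {hop['by']} "
              f"at {hop['time']}{flag}")
    print("originating IP:", originating_ip(SAMPLE_HEADER))
    print("claimed From:", claimed_sender(SAMPLE_HEADER))
    print("delays between relays (s):", hop_delays(SAMPLE_HEADER))
```

The originating IP is whatever the first relay recorded in brackets; everything before that relay (the HELO name, the From: line) was supplied by the sender and should be treated as a claim, not evidence.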
How to retrieve a full header?
Without the full header of the original e-mail, it is impossible to determine the originating IP of the email and thus to trace its sender. Do take note that header information can be forged, especially the 'From' and 'To' lines. However, in a full header, information such as the routing information and the originating IP address cannot be forged. Thus it is essential to analyse the routing information and the source/originating IP address to assist in cases involving email abuse, harassment, forgeries etc.
By default, your email program is not set to show the full header. You must change your email program's properties in order to retrieve it.
No. | Email program | How to show the full header
1 | Claris E-Mailer | Under Mail select Show Long Headers.
2 | Eudora Light | Select Tools --> Options --> Fonts & Display, then Show all headers.
3 | Eudora Pro | Open the mail, double click on the subject line.
4 | Gmail | 1. Open the message you'd like to view headers for. 2. Click the down arrow next to Reply, at the top-right of the message pane. 3. Select Show original.
5 | HotMail | To expose the full message header, click "Options" on the Hotmail Navigation Bar on the left side of the page. On the Options page, click "Preferences." Scroll down to "Message Headers" and select "Full."
6 | Lotus Notes 4.6.x | From the menu bar, select Actions, then Deliver Information. Copy the information from the bottom box into your e-mail report at the top of the spam.
7 | Lotus Notes R5 | From the menu bar, select Actions, then Tools, then Delivery Information. Copy the information from the bottom box into your e-mail report at the top of the spam.
8 | Lotus Notes 6.x | In Lotus Notes Version 6.x, you can retrieve the full header information by clicking on View/Show/Page Source. This will show the entire contents of the message, with, of course, the headers at the top of the message.
9 | Outlook 97 | Microsoft Outlook 97 may require an update called the Internet Mail Enhancement Patch (http://office.microsoft.com/downloads/9798/outlimep.aspx) in order to display the email headers. After applying the patch, you should be able to view the headers by selecting the message, then going to the File menu and selecting Properties.
10 | Outlook 98 and Outlook 2000 | Open the message and select View, then Options from the drop-down menus. Near the bottom of the screen you'll see a section titled INTERNET HEADERS. You can copy the headers and paste them into an email elsewhere to get them to the proper people.
11 | MSN Hotmail | 1. Select Options from the top MSN Hotmail navigation bar. 2. Make sure the Mail category is selected. 3. Choose Mail Display Settings. 4. Set Message Headers to Full. 5. Click OK. 6. Now you can go back to the MSN Hotmail Inbox (or any folder) to open a message with full headers.
12 | MS Outlook Express 4, 5 and 6 for Windows | There's an even easier solution to expanding Microsoft's Outlook Express headers so that you can copy and paste them to another window. You need to be viewing the message in its own window or in a preview pane, then: If you have disabled the preview pane, using the keyboard: Address the message to the WHOA ISA who is working with you or to the abuse department to whom you wish to report the message. Move your cursor to the body of the new message. Press Ctrl & V to paste the information from the clipboard to the body of the new message.
13 | Outlook Express for Macintosh | Select the email. From the View menu, choose Source. A new window will appear containing the email with full headers. Press command+a to select all, then command+c to copy.
14 | Outlook Web Access | 1. Left click on the letter you want to open and click on properties. 2. When that opens click on the details tab. 3. Then on message source. 4. This will open the email so the full headers will be available for viewing. 5. Select and copy the text. Paste into a new message.
15 | Netscape 3 | In the mail viewing window: Options - Show Headers - All. When all the headers are displayed in the NS3 mail window, they are formatted. This is much more readable than the display in a text editor such as Notepad.
16 | Netscape 4.xx and above | Double click on the email in your inbox. Click on View - Headers - All.
17 | Nettamer | In this MS-DOS based email and USENET group reader you must save the message as an ASCII file; the full header will then be displayed when you open the saved file with your favourite ASCII editor.
18 | Pegasus mail | To view the full headers for each message, use CTRL-H. This will show the full headers for the particular message, but will not add them to any reply or forward. You need to cut/paste the message into the reply/forward to send these headers.
19 | PINE | In the Main Menu go to Setup, type C for configure, highlight enable-full-header-cmd and press X to set it if it is not already set. Then go to the mail and press H for header.
20 | Thunderbird | 1. Open the message you'd like to view headers for. 2. From the View menu select "Message Source".
21 | Windows Live Hotmail | 1. Click on the desired message in the list with the right mouse button. 2. Select View source from the menu.
22 | Yahoo | Log into your Yahoo! Mail account. For New Yahoo Mail: For Yahoo Mail Classic:
23 | Microsoft Office 2003 & 2007 | 1) Right click on the message in its mailbox and select Message Options.
24 | Apple Mail | 1) Select the email for which you want to retrieve the full header. 2) Click on View, choose Message, and select Raw Source.
SSH configuration for a better security
1.0 Introduction
Secure Shell or SSH is a network protocol that allows data to be exchanged over a secure channel between two networked devices. Common uses of SSH include:
- Login to a shell on a remote host (alternative for telnet and rlogin)
- Executing a single command on a remote host (alternative for rsh)
- Secure file transfer (SCP and SFTP)
- Port forwarding and tunneling
- Mounting a directory on a remote server as a filesystem (SSHFS)
The standard TCP port 22 has been assigned for contacting SSH servers.
An SSH client program is typically used for establishing connections to an SSH daemon accepting remote connections. Both are commonly present on most modern operating systems, including Mac OS X, Linux, FreeBSD, Solaris and OpenVMS. Proprietary, freeware and open source versions of various levels of complexity and completeness exist.
2.0 Security Issues
Since SSH-1 has inherent design flaws that make it vulnerable (e.g., man-in-the-middle attacks), it is now generally considered obsolete and should be avoided by explicitly disabling fallback to SSH-1. While most modern servers and clients support SSH-2, some organizations still use software with no support for SSH-2, and thus SSH-1 cannot always be avoided.[2]
In all versions of SSH, it is important to verify unknown public keys before accepting them as valid. Accepting an attacker's public key as a valid public key has the effect of disclosing the transmitted password and allowing man-in-the-middle attacks.
On a typical server nowadays, most successful break-ins result from brute-force attacks.
Figure 1.0. Brute Force Attack
Figure 1.0 shows the brute-force output from /var/log/authlog on one of the OpenBSD servers (the attacking hostname has been obfuscated). You can see that this is a brute-force attack trying to crack the "root" password. The time between attempts is a second or less, which would be too quick for a human. This is most likely an automated attack from a brute-forcing script.
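The pattern described for Figure 1.0, as an added Python example (not code from the article): it reads constructed authlog lines in the format OpenSSH writes, groups failed password attempts by source address, and flags an address once it has produced several failures with a median gap of at most one second between them, which is the "too quick for a human" signal the article points out. Addresses, hostnames and the year assumed for the year-less syslog timestamps are constructed placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample in the format OpenSSH writes to /var/log/authlog on
# OpenBSD. Hostnames and addresses are placeholders (203.0.113.0/24 is a
# documentation range); this is not the log shown in the article's Figure 1.0.
SAMPLE_AUTHLOG = """\
May  8 10:05:20 gw sshd[4021]: Failed password for root from 203.0.113.7 port 40122 ssh2
May  8 10:05:20 gw sshd[4021]: Failed password for root from 203.0.113.7 port 40122 ssh2
May  8 10:05:21 gw sshd[4023]: Failed password for root from 203.0.113.7 port 40130 ssh2
May  8 10:05:21 gw sshd[4023]: Failed password for root from 203.0.113.7 port 40130 ssh2
May  8 10:05:22 gw sshd[4025]: Failed password for invalid user admin from 203.0.113.7 port 40141 ssh2
May  8 10:05:22 gw sshd[4025]: Failed password for root from 203.0.113.7 port 40141 ssh2
May  8 10:09:02 gw sshd[4050]: Failed password for alice from 203.0.113.42 port 51200 ssh2
May  8 10:09:40 gw sshd[4050]: Accepted publickey for alice from 203.0.113.42 port 51200 ssh2
May  8 10:11:15 gw sshd[4077]: Failed password for bob from 203.0.113.99 port 52010 ssh2
"""

# syslog timestamp, host, sshd[pid], then the failure message; "invalid user"
# appears when the account does not exist on the server.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_failures(log_text, year=1998):
    """Yield (timestamp, user, ip) for each failed password line.

    syslog timestamps carry no year, so one is supplied; the default matches
    the article's example date and is an assumption of this example.
    """
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def detect_bruteforce(log_text, min_attempts=5, max_median_gap=1.0):
    """Group failures by source IP and flag automated-looking bursts.

    An IP is flagged when it produced at least `min_attempts` failures and
    the median gap between consecutive failures is `max_median_gap` seconds
    or less. A single mistyped password (alice, bob above) never qualifies.
    """
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(log_text):
        by_ip[ip].append((ts, user))
    findings = {}
    for ip, events in by_ip.items():
        if len(events) < min_attempts:
            continue
        times = sorted(ts for ts, _ in events)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if median(gaps) <= max_median_gap:
            findings[ip] = {
                "attempts": len(events),
                "median_gap": median(gaps),
                "users": sorted({user for _, user in events}),
                "first": times[0],
                "last": times[-1],
            }
    return findings


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_AUTHLOG).items():
        print(f"{ip}: {info['attempts']} failures between {info['first']:%H:%M:%S} "
              f"and {info['last']:%H:%M:%S}, median gap {info['median_gap']:.1f}s, "
              f"users {info['users']}")
```

The thresholds are deliberately parameters: on a busy bastion host a handful of failures per minute from one address may be normal, and the point of the median rather than the minimum gap is that a single pair of near-simultaneous retries from a human does not trip the rule.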
3.0 Tips and tricks.
Most administrators tend to install an SSH server and leave it at its default settings; a typical intruder/attacker may take advantage of defaults such as the default port and root login. Below are a few steps you might want to take to secure your SSH servers.
3.1 Change the default ssh port number
By default, sshd listens on port 22 for connections. Attackers use port-scanning software (such as nmap) to scan for open ports. Normally these port scanners do not scan higher ports.
To change the default port, open the configuration file /etc/ssh/sshd_config with your favourite text editor (vi, nano) and look for the line that says: Port 22
Figure 2.0 sshd_config file that mentions Port 22
Change the port number to something like Port 10000 (use your own) and restart the ssh server by typing /etc/init.d/ssh restart
*Note: you may need to be root in order to change the configuration and restart the ssh service.
After changing the default port, you connect to the server with the following command: ssh -p 10000 username@server
3.2 Allow only specific users to login:
Not every user needs ssh access to your server. You can specify which users may connect to the server by changing the configuration file /etc/ssh/sshd_config
For example, to allow only the user "john" to connect to the server, add the line below:
AllowUsers john
3.3. Do not allow root ssh login
It is always wise not to allow root login, because brute-force attacks commonly use the username root. Change or add the following line in your /etc/ssh/sshd_config:
PermitRootLogin no
3.4 Disable keyboard interactive login
This setting gives you decent protection against automated brute-force password attempts. The downside is that users will need to take some time to create keys before they can log in. [1]
The first thing you need to do is create a key pair. You can do that by typing the following command in your Linux terminal: $ ssh-keygen -v -t rsa
Notice that the command is followed by two options, -v and -t.
The -v option is for verbose output. It is not strictly necessary, but useful if you want to see what is going on.
The second option, -t, sets the type of key to be generated. You can generate either an RSA or a DSA key.
After you have entered the above command, you will be prompted for the location to save the key. The default location is ~/.ssh/id_rsa or ~/.ssh/id_dsa, depending on the key type you chose.
Just hit enter to save it to the default location. You will then be prompted for a passphrase. Just hit enter for an empty passphrase. This way, you can disable the interactive keyboard login. A key without a passphrase must be kept safe, since anyone who obtains the private key file can log in with it.
You should be able to see something like this:
Figure 3.0 Creating public/private key pair
The next step is to copy the generated public key into the .ssh/authorized_keys file on the server you want to access. To do that, just type in the command below:
$ cat ~/.ssh/id_rsa.pub | ssh username@server "cat >> .ssh/authorized_keys"
To enable key-based logins you need to tweak your sshd_config file and enable it with the two lines below:
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
It is important to confirm that you can log in without a password before going further. To do that, just try the command below:
$ ssh server
You should be able to log in to your ssh server as normal. You can now disable keyboard logins by modifying or adding the two lines below in your /etc/ssh/sshd_config:
PasswordAuthentication no
ChallengeResponseAuthentication no
3.5 Blacklisting and Whitelisting with DenyHosts
DenyHosts is a tool that watches for bad logins or login attempts from hosts and adds them to a blacklist. More information on the DenyHosts features can be found here: http://denyhosts.sourceforge.net/features.html
Installing DenyHosts on an Ubuntu server is very easy. You can do that by typing $ sudo apt-get install denyhosts
DenyHosts acts as a dynamic blocker for SSH and other services. It relies on /etc/hosts.deny and /etc/hosts.allow.
The file /etc/hosts.deny is where you list all the IPs you want to block from accessing your ssh server, while /etc/hosts.allow is the list of those you want to allow.
This article will show you how to allow only a specific IP or IP range on the network to access your ssh server. To do that, edit /etc/hosts.deny and add the following line:
ALL:ALL
Then edit /etc/hosts.allow and add the following line:
ALL: 192.168.1.0/24
This will only allow the range 192.168.1.* to access your ssh server.
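To see what the two access-control files do together, here is an added Python example (not part of the article, DenyHosts or tcp_wrappers) that reproduces the hosts_access lookup order with the article's two lines: hosts.allow is checked first and a match grants access, then hosts.deny is checked and a match refuses it, and a client matching neither file is allowed. It understands the common client patterns of hosts_access(5): ALL, a dotted prefix such as 192.168.1., address/netmask, address/prefix-length and a single address. The EXCEPT operator and hostname patterns are left out. The files and addresses are constructed.

```python
import ipaddress

# Constructed access-control files following the article's recommendation:
# deny everyone, then allow only the 192.168.1.0/24 range. Not real hosts.
HOSTS_DENY = "ALL: ALL\n"
HOSTS_ALLOW = "ALL: 192.168.1.0/24\n"


def pattern_matches(pattern, ip):
    """Match one client pattern in the forms hosts_access(5) accepts:
    ALL, a dotted prefix '192.168.1.', 'addr/mask', 'addr/bits', or one address."""
    pattern = pattern.strip()
    if pattern == "ALL":
        return True
    addr = ipaddress.ip_address(ip)
    if pattern.endswith("."):
        # Prefix form: the trailing dot keeps 192.168.1. from matching 192.168.10.x
        return str(addr).startswith(pattern)
    if "/" in pattern:
        # ipaddress accepts both 192.168.1.0/24 and 192.168.1.0/255.255.255.0
        return addr in ipaddress.ip_network(pattern, strict=False)
    return addr == ipaddress.ip_address(pattern)


def file_matches(text, daemon, ip):
    """True if any 'daemon_list : client_list' line in the file matches."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, _, clients = line.partition(":")
        if not any(d.strip() in ("ALL", daemon) for d in daemons.split(",")):
            continue
        if any(pattern_matches(p, ip) for p in clients.replace(",", " ").split()):
            return True
    return False


def access_decision(daemon, ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Reproduce the hosts_access lookup order.

    hosts.allow is consulted first and a match grants access; otherwise a
    hosts.deny match refuses it; a client matching neither file is allowed,
    which is why the article's 'ALL:ALL' in hosts.deny is what turns the
    allow list into a whitelist.
    """
    if file_matches(allow_text, daemon, ip):
        return "allow"
    if file_matches(deny_text, daemon, ip):
        return "deny"
    return "allow"


if __name__ == "__main__":
    for client in ("192.168.1.45", "192.168.10.45", "203.0.113.7"):
        print(f"sshd from {client}: {access_decision('sshd', client)}")
```

Note the last rule: with an empty hosts.deny, every client not listed in hosts.allow is still admitted, so a whitelist without the catch-all deny line does nothing.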
4.0 Conclusion
An SSH server is actually pretty secure as it is, but you can always tweak a few things to make it much safer against the most commonly used attack vectors. If you have any problem with the configuration mentioned in this article, you can always contact MyCERT for further discussion or suggestions.
5.0 Reference
Protecting Your Windows Computer with Enhanced Mitigation Experience Toolkit (EMET)
1) Introduction
Computer users have to face software vulnerabilities and exploits, as they are exposed to threats on the Internet. Virtually every software product has to deal with them and, consequently, users are faced with a large stream of security updates. For users who are attacked before obtaining the latest updates, or before an update is even available, the results can be devastating: malware infection, loss of personal information, etc.
The Enhanced Mitigation Experience Toolkit (EMET) is designed to help prevent attackers from gaining access to your system by applying a few techniques that thwart common exploitation technologies or techniques.
Security mitigation technologies are designed to make it more difficult for an attacker to exploit vulnerabilities in a user's computer. EMET allows users to manage these technologies on their system while providing several unique benefits:
- No source code needed: Until now, several of the available mitigations (such as Data Execution Prevention) have required for an application to be manually opted in and recompiled. EMET changes this by allowing a user to opt in applications without recompilation. This is especially handy for deploying mitigations on software that was written before the mitigations were available and when source code is not available.
- Highly configurable: EMET provides a higher degree of granularity by allowing mitigations to be individually applied on a per process basis. There is no need to enable an entire product or suite of applications. This is helpful in situations where a process is not compatible with a particular mitigation technology. When that happens, a user can simply turn that mitigation off for that process.
- Helps harden legacy applications: It's not uncommon to have a hard dependency on old legacy software that cannot easily be rewritten and needs to be phased out slowly. Unfortunately, this can easily pose a security risk, as legacy software is notorious for having security vulnerabilities. While the real solution is migrating away from the legacy software, EMET can help manage the risk in the meantime by making it harder for attackers to exploit vulnerabilities in the legacy software.
- Ease of use: The policy for system-wide mitigations can be seen and configured with EMET's graphical user interface. There is no need to locate and decipher registry keys or run platform-dependent utilities. With EMET you can adjust settings through a single consistent interface regardless of the underlying platform.
- Ongoing improvement: EMET is a living tool designed to be updated as new mitigation technologies become available. This provides a chance for users to try out and benefit from cutting edge mitigations. The release cycle for EMET is also not tied to any product. EMET updates can be made dynamically as soon as new mitigations are ready.
The toolkit includes several pseudo mitigation technologies aimed at disrupting current exploit techniques. These pseudo mitigations are not robust enough to stop future exploit techniques, but can help prevent users from being compromised by many of the exploits currently in use. The mitigations are also designed so that they can be easily updated as attackers start using new exploit techniques. [1]
This article describes how an end user can use EMET to reduce the chance of, or prevent, a successful exploitation. However, there is no guarantee that EMET will stop new techniques for bypassing its protection.
2) Download and install
Begin by downloading EMET and install it using an account that has administrator privileges. EMET can be obtained from Microsoft's official website [2].
Microsoft digitally signs the installer; for reference, below are the hashes for version 2.0.0.3, published on 18/11/2010:
MD5: 82b42f70eb45bcffab6ea4f62ae8b6a6
SHA1: 58c3d1a3caddf71a7074960416bb91e39d7988d2
The installation is very straightforward; you have the option of installing EMET for yourself or for anyone using the computer. Once installed, launch EMET by clicking on:
Start > All Programs > Enhanced Mitigation Experience Toolkit > EMET 2.0
3) Configuring EMET
To properly use EMET, it needs to be configured. Below is the step-by-step procedure for configuring EMET for applications.
Launch EMET and click on Configure System as shown in Figure 1
Figure 1
Change the System Configuration to Maximum Security Settings as in Figure 2. This will set DEP to Always On. DEP is Data Execution Prevention, one of the exploitation mitigation techniques developed by Microsoft. It is recommended to enable the DEP feature. Please read MyCERT's article on configuring DEP on Windows OS.
Figure 2
Click on Configure Apps to add protection for specific applications that you have installed as shown in Figure 3.
Figure 3
Click on the Add button for each application you wish to add protection for, as shown in Figure 4. You will then browse to the executable file in the Programs folder to select it, as in Figure 5. MyCERT recommends that users enable protection for everyday applications such as browsers, office suites, multimedia players and communication suites.
Figure 4
Figure 5
Depending on the software applications installed on your computer, here are some suggestions for applications that would benefit from having additional protections enabled [3][4]:
- Web browsers installed on your computer (Internet Explorer, Firefox, Chrome, Opera, Safari)
- Microsoft Office suite (Access, Excel, Outlook, Power Point, Word)
- Sun (now Oracle) Java
- Media player (Windows Media Player, VLC, iTunes, RealPlayer, QuickTime, Winamp)
- Any software that waits and listens for a network connection (FTP server, Web server)
- PDF reader (Adobe Reader, Adobe Acrobat, Foxit Reader)
- Email client application (Outlook, Thunderbird)
- Instant messenger (Yahoo Messenger, Live Messenger, Gtalk, Skype, AIM, AOL, ICQ)
- Any software application that Secunia PSI (http://secunia.com/vulnerability_scanning/personal) reports as being "End of Life"
Once done, click on OK as in Figure 6.
Figure 6
Close EMET and a popup will appear asking you to restart your computer, as shown in Figure 7. Restart your computer.
Figure 7
4) Troubleshooting Incompatible Applications