Our organization still has a sizable number of Windows XP machines due to legacy application compatibility issues. That said, we want to harden Windows XP as much as possible. One expert recommended using the Microsoft Enhanced Mitigation Toolkit Experience (EMET). How does it work, is it worth the effort and are there any negative ramifications?
Ask the Expert!
SearchSecurity.com expert Michael Cobb is standing by to answer your questions about enterprise application security and platform security. Submit your question via email. (All questions are anonymous.)
We should begin this answer by discussing the status of ongoing security updates for Windows XP. Microsoft business and developer products, including Windows and Office, receive a minimum of 10 years of support at the service pack level, five of which is for mainstream support followed by five years of extended support. Because Windows XP SP3 and Office 2003 will soon be 10 years old, they will go out of support on April 8, 2014. After this date, there will be no new security updates, non-security hotfixes, free or paid assisted support options or online technical content updates.
I understand that migrating legacy applications can be a time- and resource-consuming undertaking, but running unsupported software is a big risk. First, an unsupported and unpatched system is an attractive target for hackers because any vulnerabilities they find will remain exploitable. Second, it could put the network in breach of compliance or regulatory requirements. An internal or external audit body would mark running end-of-life software as a control failure, which could lead to a suspension of a variety of certifications.
Based on historical Microsoft customer deployment data, the average enterprise deployment of a new operating system can take 18 to 32 months from making the initial business case through to a full deployment. Yet that lengthy timeline can be a blessing in disguise, as it affords an equally long runway to undergo the equally challenging process of upgrading and redeveloping legacy applications that won't support the newer OS. Hopefully, this is a process you have already started.
In the meantime, the advice you received regarding EMET is sound. Microsoft's Enhanced Mitigation Experience Toolkit (EMET) retroactively applies various security mitigation technologies to selected applications, blocking attacks that exploit common attack vectors, such as buffer overflows and memory corruption. (Technologies that make it more difficult for an attacker to exploit vulnerabilities in a software application are known as mitigation technologies.) A graphical user interface is used to configure and observe the status of different running processes.
One of the advantages of using EMET is that proprietary in-house software doesn't need to be recompiled to set the various flags to enable Data Execution Prevention (DEP) and Mandatory Address Space Layout Randomization (ASLR), which are two important technologies in the battle against zero-day exploits. Access to the actual source code for an application is not required, as EMET allows applications to be opted in on a per-process basis. When a process within a suite of applications is not compatible with a particular mitigation technology, an organization can simply turn that mitigation off for that process. Any applications that are opted into EMET need to be restarted for it to become active. Also, it is essential that any changes made using EMET are tested before rolling them out to production systems. Some security settings may break certain applications or change their behavior.
EMET can help manage risks by making it harder for hackers to exploit any vulnerabilities present in legacy software while migration plans are finalized. It has built-in support for enterprise deployment and configuration-administrators can use Group Policy or System Center Configuration Manager to deploy, configure and monitor EMET installations. EMET is updated as new mitigation technologies become available, with the latest version being 3.0.
This was first published in May 2013