EMET and Windows 10: Is EMET Still Needed?
Back in February, Microsoft released version 5.5 of the Enhanced Mitigation Experience Toolkit (EMET). This new release gave us official Windows 10 support. But we waited a long time for that support. Windows 10 was available to the masses in July 2015.
But Microsoft has suggested that this new EMET is not necessary for everyone:
EMET was released in 2009 as a standalone tool to help enterprises better protect their Windows clients by providing an interface to manage built-in Windows security mitigations while also providing additional features meant to disrupt known attack vectors used by prevalent malware. Since that time, we have made substantial improvements to the security of the browser and the core OS. With Windows 10 we have implemented many features and mitigations that can make EMET unnecessary on devices running Windows 10.
But what does that mean exactly?
What makes EMET on Windows 10 unnecessary?
Windows 10 builds in protections similar to that provided by EMET. Let’s look at each protection and how they replace what EMET gives us.
Device Guard ensures that only authorised applications run on your device. It also protects against unauthorised changes to those applications. Device Guard does not work in isolation but in conjunction with other features such as:
Modern hardware will meet the most of the requirements for this feature. But if you’re not running Windows 10 Enterprise it’s a non-starter:
- Windows 10 Enterprise;
- UEFI 2.3.1 and above;
- Virtualisation Extensions;
- 64-bit architecture;
Control Flow Guard (CFG)
Control Flow Guard provides developers an extra layer of security for their applications. The technology itself is simple but requires applications created with Visual Studio 2015 or later. The release date of Visual Studio 2015 was July 2015 so if you have anything older it’s not protected.
System Administrators can apply application and permission policies to your device using AppLocker. Used in combination with Device Guard it will manage application trusted publishers. And like Device Guard, it needs Windows 10 Enterprise.
EMET Technology In Microsoft Edge
The new Windows 10 browser, Microsoft Edge, has similar EMET features built right in. So when using Microsoft Edge, EMET doesn’t provide any extra protection.
In it’s current form Microsoft Edge is limited. While rumoured to be coming, the browser currently lacks any support for add-ons and has had a reserved response from many Windows 10 users. So while you might like Microsoft Edge, it’s unlikely to be your primary browser.
So, do I still need EMET if I’m using Windows 10?
Remember what Microsoft said:
With Windows 10 we have implemented many features and mitigations that can make EMET unnecessary on devices running Windows 10.
They said that Windows 10 can make EMET unnecessary. Not that it has.
Reading the Windows IT press you’d believe that every device runs Windows 10. You’d also believe that we’re all running it in enterprises. In January Microsoft stated that 200 million devices were now running Windows 10. Only 22 million of those devices were running Windows 10 Enterprise. That’s just over 10 percent.
The vast majority of devices do not run Windows 10 Enterprise. So the vast majority of devices cannot use the new features that make EMET unnecessary. So EMET is still a powerful tool to help keep your device safe and secure.
But what if you are running Windows 10 Enterprise? You still need supported hardware. You still need to use only modern software compiled with Control Flow Guard. You need to ditch your browser and only use Microsoft Edge. And you still need your System Administrators to configure those new features. Until that time EMET is still useful to keep your device safe and secure too.
So if you’re like me, EMET is still something that you want to use.
But when all is said and done, you are greatest protection for your device. Don’t open suspicious attachments. Don’t visit suspicious sites. And don’t click on suspicious links. If you’re not sure if something is safe, be safe than sorry and just skip it.
You can download EMET from the Microsoft Download Center. Or install it using my preferred method of Chocolatey.
Use EMET or not, how do you stay secure?