18.9.24.2 Ensure 'Default Action and Mitigation Settings' is set to 'Enabled' (plus subsettings) - DeepHooks

Information

This setting configures the default action after detection and advanced ROP mitigation.

The recommended state for this setting is:

Default Action and Mitigation Settings - Enabled

Deep Hooks - Enabled

Anti Detours - Enabled

Banned Functions - Enabled

Exploit Action -User Configured

Rationale:

These advanced mitigations for ROP mitigations apply to all configured software in EMET:

Deep Hooks protects critical APIs and the subsequent lower level APIs used by the top level critical API.

Anti Detours renders ineffective exploits that evade hooks by executing a copy of the hooked function prologue and then jump to the function past the prologue.

Banned Functions will block calls to ntdll!LdrHotPatchRoutine to mitigate potential exploits abusing the API.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled:

Computer Configuration\Policies\Administrative Templates\Windows Components\EMET\Default Action and Mitigation Settings

Note: This Group Policy path does not exist by default. An additional Group Policy template (EMET.admx/adml) is required - it is included with Microsoft Enhanced Mitigation Experience Toolkit (EMET).

Impact:

The advanced mitigations available in EMET will be enabled and actively applied to all software they are configured for.

Default Value:

User configured.

See Also

https://workbench.cisecurity.org/files/2700

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7(2), CSCv6|8.4

Plugin: Windows

Control ID: f4bf76a0aed1e62c3558b138d4378579e35d820a4f4c004134cdf71168111ffd