18.9.24.8 Ensure 'System SEHOP' is set to 'Enabled: Application Opt-Out'

Information

This setting determines how applications become enrolled in Structured Exception Handler Overwrite Protection (SEHOP).

The recommended state for this setting is: Enabled: Application Opt-Out.

Rationale:

When a software component suffers from a memory corruption vulnerability, an exploit may be able to overwrite memory that contains data structures that control how the software handles exceptions. By corrupting these structures in a controlled manner, an exploit may be able to execute arbitrary code. SEHOP verifies the integrity of those structures before they are used to handle exceptions, which reduces the reliability of exploits that leverage structured exception handler overwrites.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled: Application Opt-Out:

Computer Configuration\Policies\Administrative Templates\Windows Components\EMET\System SEHOP

Note: This Group Policy path does not exist by default. An additional Group Policy template (EMET.admx/adml) is required - it is included with Microsoft Enhanced Mitigation Experience Toolkit (EMET).

Impact:

SEHOP protections will be enabled on all applications unless EMET has been specifically configured to opt-out of SEHOP for that application.

Default Value:

User configured.

See Also

https://workbench.cisecurity.org/files/2700

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7(2), CSCv6|8.4

Plugin: Windows

Control ID: 42edffc55b04194163e27b24762443d8ccb9c99357e778779f8d1210d11fd32e