Information
This setting configures the default action after detection and advanced ROP mitigation.
The recommended state for this setting is:
- Default Action and Mitigation Settings - Enabled
- Deep Hooks - Enabled
- Anti Detours - Enabled
- Banned Functions - Enabled
- Exploit Action - User Configured
Rationale:
These advanced ROP mitigations apply to all software configured in EMET:
- Deep Hooks protects critical APIs and the subsequent lower level APIs used by the top level critical API.
- Anti Detours renders ineffective exploits that evade hooks by executing a copy of the hooked function prologue and then jumping to the function past the prologue.
- Banned Functions will block calls to ntdll!LdrHotPatchRoutine to mitigate potential exploits abusing the API.
Solution
To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Administrative Templates\Windows Components\EMET\Default Action and Mitigation Settings
Note: This Group Policy path does not exist by default. An additional Group Policy template (EMET.admx/adml) is required - it is included with Microsoft Enhanced Mitigation Experience Toolkit (EMET).
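The following PowerShell audit script is an added example, not part of this benchmark text or of EMET itself. It assumes that the EMET Group Policy template stores the settings listed above as DWORD values named DeepHooks, AntiDetours, BannedFunctions and ExploitAction under HKLM:\SOFTWARE\Policies\Microsoft\EMET\SysSettings; the key path and value names are assumptions to confirm against the EMET.admx shipped with your EMET version.

```powershell
# Added audit example (not part of the benchmark or of EMET).
# ASSUMPTION: the EMET policy template writes the "Default Action and
# Mitigation Settings" values under this key; verify against EMET.admx.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\EMET\SysSettings'

# Recommended state: the three advanced ROP mitigations enabled (1).
# Exploit Action is "User Configured" in the benchmark, so it only needs
# to be present, not to hold a specific value.
$Expected = @{
    DeepHooks       = 1
    AntiDetours     = 1
    BannedFunctions = 1
}

function Test-EmetDefaultMitigations {
    # If the policy key is missing, the GP setting is not Enabled at all.
    if (-not (Test-Path -Path $PolicyKey)) {
        return [pscustomobject]@{
            Setting   = 'Default Action and Mitigation Settings'
            Expected  = 'Enabled'
            Actual    = 'policy key not present'
            Compliant = $false
        }
    }

    $props = Get-ItemProperty -Path $PolicyKey

    # One result row per mitigation; a missing value reads as $null and fails.
    foreach ($name in $Expected.Keys) {
        $actual = $props.$name
        [pscustomobject]@{
            Setting   = $name
            Expected  = $Expected[$name]
            Actual    = $actual
            Compliant = ($actual -eq $Expected[$name])
        }
    }

    # Exploit Action: present in policy (value chosen by the administrator).
    [pscustomobject]@{
        Setting   = 'ExploitAction'
        Expected  = 'present (User Configured)'
        Actual    = $props.ExploitAction
        Compliant = ($null -ne $props.ExploitAction)
    }
}

# Usage: run in an elevated PowerShell session on the target host.
$results = Test-EmetDefaultMitigations
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Compliant }) {
    Write-Warning 'One or more EMET default mitigation settings do not match the recommended state.'
}
```

Because the values are read from the Policies hive rather than from EMET's own configuration store, the script reports what Group Policy enforces, which is what the benchmark checks; a host where an administrator enabled the mitigations locally but no GPO applies will still be reported as non-compliant.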
Impact:
The advanced mitigations available in EMET will be enabled and actively applied to all software they are configured for.
Default Value:
User configured.
References:
1. CCE-35473-8