18.9.24.2 (L1) Ensure 'Default Action and Mitigation Settings' is set to 'Enabled' (plus subsettings) - BannedFunctions

Information

This setting configures the default action after detection and advanced ROP mitigation.
The recommended state for this setting is:

- Default Action and Mitigation Settings - Enabled
- Deep Hooks - Enabled
- Anti Detours - Enabled
- Banned Functions - Enabled
- Exploit Action -User Configured

Rationale:
These advanced mitigations for ROP mitigations apply to all configured software in EMET:

- Deep Hooks protects critical APIs and the subsequent lower level APIs used by the top level critical API.
- Anti Detours renders ineffective exploits that evade hooks by executing a copy of the hooked function prologue and then jump to the function past the prologue.
- Banned Functions will block calls to ntdll!LdrHotPatchRoutine to mitigate potential exploits abusing the API.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Administrative Templates\Windows Components\EMET\Default Action and Mitigation Settings
Note: This Group Policy path does not exist by default. An additional Group Policy template (EMET.admx/adml) is required - it is included with Microsoft Enhanced Mitigation Experience Toolkit (EMET).

Impact:
The advanced mitigations available in EMET will be enabled and actively applied to all software they are configured for.

Default Value:
User configured.

References:
1. CCE-35473-8

See Also

https://workbench.cisecurity.org/benchmarks/14249

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SC-39, 800-53|SI-16, CSCv6|8.4, CSCv7|8.3

Plugin: Windows

Control ID: 3f7bc2d23d589768c4e2fdbcb52c527e8a6cdb085794fd80f97b5ca51390e692