18.9.25.8 (L1) Ensure 'System SEHOP' is set to 'Enabled: Application Opt-Out'

Information

This setting determines how applications become enrolled in Structured Exception Handler Overwrite Protection (SEHOP).

The recommended state for this setting is: Enabled: Application Opt-Out

When a software component suffers from a memory corruption vulnerability, an exploit may be able to overwrite memory that contains data structures that control how the software handles exceptions. By corrupting these structures in a controlled manner, an exploit may be able to execute arbitrary code. SEHOP verifies the integrity of those structures before they are used to handle exceptions, which reduces the reliability of exploits that leverage structured exception handler overwrites.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled: Application Opt-Out:

Computer Configuration\Policies\Administrative Templates\Windows Components\EMET\System SEHOP

Note: This Group Policy path does not exist by default. An additional Group Policy template (EMET.admx/adml) is required; it is included with the Microsoft Enhanced Mitigation Experience Toolkit (EMET).

Impact:

SEHOP protections will be enabled on all applications unless EMET has been specifically configured to opt-out of SEHOP for that application.
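A defender-side check for this control, added here as an example and not part of the CIS/Tenable audit text: it reads the GP-backed policy value and then asks the OS for the effective system-wide SEHOP state. It assumes a Windows 10 / Server 2016 or later host, where Exploit Protection (Get-ProcessMitigation) supersedes EMET; the registry path under HKLM:\SOFTWARE\Policies\Microsoft\EMET\SysSettings is an assumption to confirm against the EMET.admx template before relying on it.

```powershell
# Added example: verify that system-wide SEHOP is effectively on, as the
# 'Enabled: Application Opt-Out' policy intends (SEHOP for every process
# unless that process has been explicitly opted out).
function Test-SystemSehop {
    [CmdletBinding()]
    param(
        # ASSUMED location written by the EMET.admx 'System SEHOP' policy;
        # verify against the ADMX file in your environment.
        [string]$PolicyKey       = 'HKLM:\SOFTWARE\Policies\Microsoft\EMET\SysSettings',
        [string]$PolicyValueName = 'SEHOP'
    )

    $result = [ordered]@{
        PolicyValue    = $null   # raw REG_DWORD from the policy key, if present
        EffectiveSehop = $null   # what the OS reports: ON / OFF / NOTSET
        Compliant      = $false
    }

    # 1. GP-backed policy value. Only exists once the EMET template has been
    #    deployed and the policy applied, so absence is reported, not fatal.
    $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyValueName -ErrorAction SilentlyContinue
    if ($item) { $result.PolicyValue = $item.$PolicyValueName }

    # 2. Effective system-wide mitigation state. Get-ProcessMitigation ships
    #    with Windows 10 1709+ / Server 2016+; older EMET-era hosts lack it.
    if (Get-Command Get-ProcessMitigation -ErrorAction SilentlyContinue) {
        $sys = Get-ProcessMitigation -System
        $result.EffectiveSehop = [string]$sys.SEHOP.Enable
    }

    # 'Application Opt-Out' means SEHOP is on for all processes by default,
    # which the OS reports as the system-level SEHOP Enable being ON.
    $result.Compliant = ($result.EffectiveSehop -eq 'ON')
    [pscustomobject]$result
}

Test-SystemSehop | Format-List
```

A PolicyValue of $null with EffectiveSehop ON means the OS default or a non-EMET setting is providing the protection, not this GP item; confirm which control actually enforces it before marking the finding closed.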

See Also

https://workbench.cisecurity.org/benchmarks/14291

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-16, CSCv7|8.3

Plugin: Windows

Control ID: 729497ac08b88dffce111751f9deb82472ab77bc43c3645deb316ce86bb53b8d