Toughen your computer security with EMET 5.1

Keeping your computer secure has always been tough. It seems like every week there is another exploit making the rounds. Nobody can predict what kind of attack hackers will use next. But you can protect your computer from the most common actions and techniques attackers use with the Enhanced Mitigation Experience Toolkit 5.1 (EMET).

The main screen inside of EMET 5.1

What is EMET? It monitors selected programs (Internet Explorer, Microsoft Office programs, etc.) for known attack actions and techniques. When one of its several pseudo-mitigation technologies is triggered, EMET can block the action or even terminate the program in question. It also validates digitally signed SSL certificates inside Internet Explorer. Here is the current list of mitigations EMET looks for.

  • Structured Exception Handler Overwrite Protection (SEHOP)
  • Data Execution Prevention (DEP)
  • Heapspray allocation
  • Null page allocation
  • Mandatory Address Space Layout Randomization (ASLR)
  • Export Address Table Access Filtering (EAF)
  • Export Address Table Access Filtering Plus (EAF+)
  • Bottom-up randomization
  • Return Oriented Programming (ROP)
  • Attack Surface Reduction (ASR)

The about screen inside of EMET 5.1

EMET 5.1 includes the following improvements:

  • Attack Surface Reduction (ASR) has been updated to limit the attack surface of applications and reduce attacks.
  • Export Address Table Filtering Plus (EAF+) has been updated to improve and extend the current EAF mitigation.
  • 64-bit ROP mitigations have been improved to anticipate future exploitation techniques.
  • Several security, compatibility and performance improvements.

EMET can also be customized via the registry (see the EMET manual for instructions). Here are a few of the items that can be modified:

  • Enabling unsafe configurations.
  • Configuring a custom message for user reporting.
  • Configuring the certificate trust feature for third-party browsers.
  • Configuring local telemetry for troubleshooting.
  • Configuring EMET Agent icon visibility.

Here's a quote from Microsoft's website:

The Enhanced Mitigation Experience Toolkit (EMET) helps raise the bar against attackers gaining access to computer systems. EMET anticipates the most common actions and techniques adversaries might use in compromising a computer, and helps protect by diverting, terminating, blocking, and invalidating those actions and techniques. EMET helps protect your computer systems even before new and undiscovered threats are formally addressed by security updates and antimalware software. EMET benefits enterprises and all computer users by helping to protect against security threats and breaches that can disrupt businesses and daily lives.

EMET should never monitor anti-malware and intrusion prevention or detection software, debuggers, software that handles digital rights management (DRM) technologies, or software that uses anti-debugging, obfuscation, or hooking technologies. Click here for the EMET 5.1 application compatibility list.

For more information on EMET, just follow the links below.

Enhanced Mitigation Experience Toolkit
Enhanced Mitigation Experience Toolkit 5.1 download

How to safely remove external drives

External storage devices like flash drives or hard drives are so convenient for carrying data between computers. Just plug and play, as they say. But did you know it's not the same when you unplug your drives? Here's how to safely remove external drives from your Windows computer.

How to safely remove external drives

Recently I was at a customer's location repairing her computer and needed some files from one of my USB flash drives. When I was done, I went through the process of ejecting the USB drive from her computer. She was surprised that I didn't just pull the flash drive out. Most of the time you can just unplug a USB device like a mouse or printer without having to do anything on your Windows based computer. It's only when you have a storage device, like a flash drive or external hard drive, that you have to take an extra step to safely remove the device.

What is write caching?

By default, Windows enables write caching on storage devices, whether internal or external, for better performance. Write caching lets programs write to the device and continue on without waiting for the data to actually reach it. Properly ejecting a storage device ensures that the cache is flushed to the device before you disconnect it.

How to safely remove external drives

  1. Left-click on the Safely Remove Hardware icon on the Taskbar.
    Safely Remove Hardware icon on the Windows 8 Taskbar
  2. Left-click on the device you want to disconnect.
    List of removable drives ready to be ejected

or

  1. Open File Explorer (Windows logo key + E).
  2. Under This PC / Computer, right-click the drive you want to disconnect and select Eject.

Windows will display a notification when it's safe to disconnect the drive.

The correct ways to shut down your Windows based computer

Doing computer repair, I see a lot of different issues. But there is one problem I am seeing over and over again: start-up corruption. This most commonly occurs when the computer is not turned off properly, and it appears that laptops are more prone to this issue than desktops. So here's how to properly shut down your Windows based computer.

Which power button do you use to shut down your computer?

Logic dictates that if you use a button to turn on a device you should also use it to turn it off (button on / button off). You use a button to turn on and off your TV, audio / video components and smartphone. But this is not necessarily the case when it comes to your computer. It is always recommended that you allow the operating system to close down all applications and turn the computer off itself.

Using the Start menu / Start screen to shut down Windows

This may seem like a no-brainer, but you would be amazed how many people don't use this method. It's mainly laptop users who just instinctively reach for the power button. But if you don't watch how long you hold the power button down, you could perform a hardware shutdown. It's just simpler and recommended to use the shut down button on the Start menu / Start screen.

Windows Vista

Shut down button location in Windows Vista
Start button > Power button > Shut down

Windows 7

Shut down button location in Windows 7
Start button > Shut down

Windows 8

Sign out button location in Windows 8
1. Start screen > Sign out
Shut down button location in Windows 8
2. Sign in screen > Power button > Shut down

Windows 8.1

Shut down button location in Windows 8.1
Start screen > Power button > Shut down

Or

Power users shut down button location in Windows 8.1
Power users menu (Windows logo key + X) > Shutdown or sign out > Shut down

Using the power button on the computer to shut down Windows

This method is acceptable for turning off your computer, as it performs the same shutdown command as the shut down button on the Start menu / Start screen. But you have to check and make sure that the power options inside the operating system are configured to shut down the system when the power button is pressed.

Power button options inside of Windows 8.1

The power button can also be configured to put the system into sleep or hibernate. And if your system loses power while it's asleep, you will get an error when you restart it. This happens quite often with laptops when they are running without the AC adapter and the battery runs out.
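The post says to check that the power button is set to shut down rather than sleep or hibernate. Here is an added PowerShell example (not from the original post) that reads that setting from the active power plan instead of clicking through the Power Options dialog. It assumes powercfg's documented aliases SCHEME_CURRENT, SUB_BUTTONS and PBUTTONACTION, and the index values used by the Power Options dialog (0 = Do nothing, 1 = Sleep, 2 = Hibernate, 3 = Shut down). It only reads; the command to change the setting is left in a comment.

```powershell
# Added example, not from the original post: report what the power button does
# in the active power plan, for both plugged-in (AC) and on-battery (DC) use.
# Assumptions: powercfg aliases SCHEME_CURRENT / SUB_BUTTONS / PBUTTONACTION and
# the Power Options index meanings below.

$actionNames = @{ 0 = 'Do nothing'; 1 = 'Sleep'; 2 = 'Hibernate'; 3 = 'Shut down' }

function Get-PowerButtonAction {
    $output = & powercfg.exe /query SCHEME_CURRENT SUB_BUTTONS PBUTTONACTION
    if ($LASTEXITCODE -ne 0) { throw "powercfg failed: $output" }

    # powercfg prints the current indexes as hex, e.g.
    #   Current AC Power Setting Index: 0x00000003
    #   Current DC Power Setting Index: 0x00000001
    $ac = $null; $dc = $null
    foreach ($line in $output) {
        if ($line -match 'Current AC Power Setting Index:\s*0x([0-9a-fA-F]+)') {
            $ac = [Convert]::ToInt32($Matches[1], 16)
        }
        if ($line -match 'Current DC Power Setting Index:\s*0x([0-9a-fA-F]+)') {
            $dc = [Convert]::ToInt32($Matches[1], 16)
        }
    }

    # Unknown indexes (or a missing DC line on a desktop) are reported as such
    $describe = { param($i) if ($null -ne $i -and $actionNames.ContainsKey($i)) { $actionNames[$i] } else { 'Unknown' } }
    [pscustomobject]@{
        PluggedIn = & $describe $ac
        OnBattery = & $describe $dc
    }
}

$pb = Get-PowerButtonAction
$pb | Format-List

# The post's recommended state is "Shut down" on both power sources. To set it
# (elevated prompt), the matching commands are:
#   powercfg /setacvalueindex SCHEME_CURRENT SUB_BUTTONS PBUTTONACTION 3
#   powercfg /setdcvalueindex SCHEME_CURRENT SUB_BUTTONS PBUTTONACTION 3
#   powercfg /setactive SCHEME_CURRENT
foreach ($src in 'PluggedIn', 'OnBattery') {
    if ($pb.$src -ne 'Shut down') {
        Write-Warning ("Power button ({0}) is set to '{1}', not 'Shut down'." -f $src, $pb.$src)
    }
}
```

On a laptop the OnBattery value is the one that matters for the failure the post describes: a button set to Sleep on battery is exactly the configuration that ends in a drained battery and an error on the next start.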

Using the power button on the computer to force it to shut down

So how do you turn off the computer when it freezes up and you don't have a reset button? This is where the Advanced Configuration and Power Interface (ACPI) specification comes into play. This spec has been built into every computer for well over a decade now. It mandates that when the power button is held down for 10 seconds or more the system performs a hard shutdown, turning off power to all components. This will most likely cause an error upon restart.

Strengthen your computer security with EMET 5

It seems like every day a new software exploit or vulnerability is found. Software vendors work hard at keeping their software secure, but it can take time to test and deploy patches. So what can you do to protect your computer? The Enhanced Mitigation Experience Toolkit (EMET) from Microsoft does just that.

The main window inside of EMET 5

EMET is designed to prevent attackers from taking control of your system. It works as a 'shim' in between your programs and the operating system. EMET looks for the most common attack techniques and will block them and/or terminate any program it is monitoring. EMET works alongside your favorite anti-virus and anti-malware programs for layered security.

I have been using EMET as part of my layered security for years and have written a few blogs on it. With each version, Microsoft keeps improving it. Some of the improvements in EMET 5 include Attack Surface Reduction (ASR), Export Address Table Filtering Plus (EAF+) and 64-bit ROP mitigations. Here is the current list of mitigations EMET looks for.

  • Structured Exception Handler Overwrite Protection (SEHOP)
  • Data Execution Prevention (DEP)
  • Heapspray allocation
  • Null page allocation
  • Mandatory Address Space Layout Randomization (ASLR)
  • Export Address Table Access Filtering (EAF)
  • Export Address Table Access Filtering Plus (EAF+)
  • Bottom-up randomization
  • Return Oriented Programming (ROP)
  • Attack Surface Reduction (ASR)

There are two (2) different ways to configure EMET: a Graphical User Interface (GUI) and a command line tool. It is best to configure EMET through the GUI, since the command line tool doesn't allow access to all of EMET's features. The built-in configuration wizard allows you to use either the recommended settings, keep previous settings (upgrade install) or manually configure EMET (new install).

Easily configure programs to monitor in EMET 5

Once you have EMET installed, it's pretty easy to add programs to monitor. Just open the program you want EMET to monitor and then open EMET. On the lower part of the main window you will see Running Processes. Just find the program you want to monitor in the list, right-click on it and select Configure Process. You will have to restart any program you have just configured inside of EMET.

For more information on Microsoft EMET 5, just follow the links below.

Enhanced Mitigation Experience Toolkit
Enhanced Mitigation Experience Toolkit 5.0 download

How to safely optimize your solid state drive

When it comes to getting the best performance out of your computer, nothing can beat a Solid State Drive (SSD). Right out of the box they read and write data far faster than a Hard Disk Drive (HDD). But there are a few things that you have to do differently with an SSD. Here's how to safely optimize your solid state drive.

The definition of tweak

There are plenty of articles out there that will give you a ton of different tweaks you can use to speed up SSD access time, from turning off disk indexing to disabling Prefetch and Superfetch. Some may work for you, some may not. Generally speaking, if you're running Windows 7 or higher, the operating system should recognize the SSD and modify its behavior accordingly. The following tweaks are completely safe and will not harm your system in any way.

General SSD maintenance

SSDs operate differently from HDDs and there are a couple of things you should never do to an SSD. Since SSDs have limited read / write cycles, any program that intensively accesses the SSD could shorten the life span of the drive. Running a disk defragment program on an SSD is definitely not recommended. And as far as Check Disk (CHKDSK) is concerned, you'll need to contact the manufacturer of your SSD to find out whether they recommend it or not.

Microsoft started building in support for SSDs in Windows 7 / Windows Server 2008 R2 and has expanded on it in Windows 8 / 8.1 & Windows Server 2012. Since the low-level operation of SSDs differs from HDDs, the Trim command was introduced to handle delete / format requests. To verify that Trim is on, you'll need to open an Administrative Command Prompt.

How to open a Command Prompt with Administrator privileges in Windows 7
How to open a Command Prompt with Administrator privileges in Windows 8

You can verify that Trim is enabled by typing the following into an Administrative Command Prompt:

fsutil behavior query DisableDeleteNotify

If the command returns a 0, Trim is enabled. If it returns a 1, it is not. To enable Trim, just type the following into the Admin Command Prompt:

fsutil behavior set DisableDeleteNotify 0
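As an added example (not from the original post), the same check scripted in PowerShell so it can be run on several machines without reading the output by eye. It handles two output shapes of `fsutil behavior query DisableDeleteNotify`: the single `DisableDeleteNotify = 0` line the post describes, and the later per-file-system form (`NTFS DisableDeleteNotify = 0 ...` plus a ReFS line). It also cross-checks the disk's media type with Get-PhysicalDisk, which I assume is available (Windows 8 / Server 2012 and later); on Windows 7 that step is skipped. The script only reports; the `fsutil behavior set` command from the post is printed as a suggestion, not executed.

```powershell
# Added example, not from the original post: report whether Trim (DeleteNotify)
# is enabled, parsing both the one-line and the per-file-system fsutil formats.
# Run from an elevated PowerShell prompt, as fsutil requires.

function Get-TrimStatus {
    $output = & fsutil.exe behavior query DisableDeleteNotify 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "fsutil failed (run from an Administrative prompt): $output"
    }

    $results = @()
    foreach ($line in $output) {
        # "DisableDeleteNotify = <n>" with an optional file-system prefix (NTFS/ReFS)
        if ($line -match '^(?:(?<fs>\w+)\s+)?DisableDeleteNotify\s*=\s*(?<value>\d)') {
            $fs = if ($Matches['fs']) { $Matches['fs'] } else { 'NTFS' }
            $results += [pscustomobject]@{
                FileSystem  = $fs
                TrimEnabled = ($Matches['value'] -eq '0')   # 0 = Trim on, 1 = Trim off
            }
        }
    }
    if (-not $results) { throw "Unrecognised fsutil output: $output" }
    return $results
}

# Assumption: Get-PhysicalDisk (Storage module) exists on Windows 8 / Server 2012+.
# Trim only matters on a solid state disk, so list which disks report that type.
function Get-SolidStateDisks {
    if (Get-Command Get-PhysicalDisk -ErrorAction SilentlyContinue) {
        Get-PhysicalDisk | Where-Object { $_.MediaType -eq 'SSD' } |
            Select-Object FriendlyName, MediaType, Size
    }
}

$ssds = Get-SolidStateDisks
if ($ssds) {
    Write-Host "Solid state disks:"
    $ssds | Format-Table -AutoSize
} else {
    Write-Host "No disk reported MediaType 'SSD' (or Get-PhysicalDisk is unavailable on this Windows version)."
}

foreach ($r in Get-TrimStatus) {
    if ($r.TrimEnabled) {
        Write-Host "$($r.FileSystem): Trim is enabled (DisableDeleteNotify = 0)."
    } else {
        Write-Warning "$($r.FileSystem): Trim is disabled. To enable it, run: fsutil behavior set DisableDeleteNotify 0"
    }
}
```

The value is inverted from what the name suggests (Disable...Notify = 0 means Trim is on), which is why the parser maps it to an explicit TrimEnabled flag rather than passing the raw digit through.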

SSD free space maintenance

SSDs do have one downside: their capacity is smaller than HDDs', so maintaining an adequate amount of free space is necessary. Now there are two scenarios for setting up computers with SSDs: single-drive (SSD only) and multiple drives (SSD + HDD). Laptops are usually single-drive and desktops are almost always multiple-drive. Here are a few ways to maintain free space.

Single-drive (SSD only)

The options here are limited. To free up space you could store your personal files like documents, photos and music to an external drive or to the cloud. Here are a few more ideas.

Turn off Hibernation.
With the speed of an SSD, boot times will be much faster than with an HDD. You'll find that you can boot your computer just as fast as if you brought it out of hibernation. And since hibernation writes the system memory to disk, turning it off frees up disk space roughly equal to the total system memory. If you have a lot of memory, this can free up a big chunk of space on your SSD.

Disable Windows hibernation and free up disk space

Turn off the virtual memory / pagefile.
Use this with caution! Technically, virtual memory is used when all of the system memory is full. If you have a large amount of system memory (16GB or more) and you don't run memory hog software like Photoshop, you should be alright disabling it. And you'll free up a few GB of drive space in the process.

Managing Virtual Memory / Pagefile in Windows 7
Managing Virtual Memory / Pagefile in Windows 8

Clean up drive on a regular basis.
Temporary files and browser caches are a few of the items you'll need to keep an eye on. A program like Piriform's CCleaner, or the Disk Cleanup tool that comes with Windows, will take care of these files. Disk Cleanup can also be run as a scheduled task.

Free up more disk space with Windows 7 Disk Cleanup
Clean up your hard drive in Windows 8 with Disk Cleanup
Clean up and optimize your computer for free with CCleaner
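Before turning off hibernation or the pagefile, it helps to know how much space each one actually occupies and how hard the pagefile is really being used. This added PowerShell example (not from the original post) reports those figures for the system drive. It assumes the standard WMI classes Win32_ComputerSystem, Win32_PageFileUsage and Win32_LogicalDisk, and that hiberfil.sys lives in the root of the system drive as a hidden system file. It changes nothing; the commands the post's linked articles cover are left as comments.

```powershell
# Added example, not from the original post: measure what hibernation and the
# pagefile cost on the system drive so the "turn it off" decision is informed.
# Requires PowerShell 3.0+ for Get-CimInstance (Windows 8, or Windows 7 with WMF 3).

function Get-SystemDriveSpaceReport {
    $sysDrive = $env:SystemDrive                     # e.g. "C:"
    $mb = 1MB

    $ramMB = [math]::Round((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / $mb)

    # hiberfil.sys is hidden + system, so -Force is needed to see it at all
    $hiber   = Get-Item -Path "$sysDrive\hiberfil.sys" -Force -ErrorAction SilentlyContinue
    $hiberMB = if ($hiber) { [math]::Round($hiber.Length / $mb) } else { 0 }

    # One entry per configured pagefile; sizes from this class are already in MB
    $pageFiles = Get-CimInstance Win32_PageFileUsage |
        Select-Object Name, AllocatedBaseSize, CurrentUsage, PeakUsage

    $disk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$sysDrive'"

    [pscustomobject]@{
        SystemDrive      = $sysDrive
        FreeSpaceMB      = [math]::Round($disk.FreeSpace / $mb)
        TotalSizeMB      = [math]::Round($disk.Size / $mb)
        PhysicalMemoryMB = $ramMB
        HiberfilMB       = $hiberMB      # roughly equal to RAM when hibernation is on
        PageFiles        = $pageFiles
    }
}

$report = Get-SystemDriveSpaceReport
$report | Select-Object SystemDrive, FreeSpaceMB, TotalSizeMB, PhysicalMemoryMB, HiberfilMB | Format-List
$report.PageFiles | Format-Table -AutoSize

# Decision hints following the post's guidance
if ($report.HiberfilMB -gt 0) {
    # Turning hibernation off (elevated prompt): powercfg /hibernate off
    Write-Host ("Hibernation is using {0} MB on {1}." -f $report.HiberfilMB, $report.SystemDrive)
}

$pfOnSystemDrive = $report.PageFiles | Where-Object { $_.Name -like "$($report.SystemDrive)*" }
foreach ($pf in $pfOnSystemDrive) {
    # PeakUsage is the number to look at: a small peak on a machine with 16 GB or
    # more of RAM is the case the post describes as safe to disable (or move).
    Write-Host ("Pagefile {0}: allocated {1} MB, current use {2} MB, peak use {3} MB." -f `
        $pf.Name, $pf.AllocatedBaseSize, $pf.CurrentUsage, $pf.PeakUsage)
}
```

PeakUsage is reset at boot, so for a meaningful reading run this after the machine has been through a normal working day rather than right after a restart.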

Multiple-drive (SSD + HDD)

This is the optimal setup. Everything under the single-drive scenario applies here. Windows and program files need to be on the SSD. Almost anything else that Windows doesn't require for normal operation can go over to the HDD.

Move the virtual memory / pagefile.
Instead of turning it off, just move it to the HDD (see link above).

Move personal files to HDD.
Your documents, photos and music can take up a large amount of space on your drive. Get them off of the SSD and over to the HDD.

Modifying the default locations of user files and library properties in Windows 7
Modifying the default locations of user files and library properties in Windows 8

There are plenty of other tweaks you can do, like moving the location of your browser cache and temp folders to the HDD. You can find all of that information and more with a quick search on Google.
