violetkaipa - Fotolia
To get started with setting up certificate pinning, you need to deploy the EMET utility. It requires the .NET 4.0 Framework. Install that on your system. EMET is available on the Microsoft website as an MSI download you can deploy via Group Policy or your favorite software distribution method, or you can install it standalone on one system at a time. It is free.
Open the Enhanced Mitigation Experience Toolkit (EMET) and you will immediately notice that pinning is already turned on by default. Hit Ctrl + Shift + T to access the Trust section. You can see that Microsoft has preconfigured pinning rules for several of its online properties as well as Twitter and Facebook. Here you can customize additional pinning rules. In addition, you should enable the Blocking Rule checkbox on each of the already configured pins so sites are fully blocked when fraudulent certificates are detected.
This solution is not perfect, mind you. For one, EMET will only pop up warnings and they are worded for technical users and IT professionals, not for end users. If you thought user account control was going to solve all of your malware problems, then do not make the same mistake here; the value of a warning to a user is very little if he will just click on through and ignore it. A vital part of using certificate pinning involves educating your users that warnings mean something. But of course EMET doesn't just block sites by default because there are many legitimate certificates which might not meet the criteria of the certificate you have pinned -- for instance, the website may be running a new load balancer that distributes a mix of, say, VeriSign and Comodo certificates. Or the expiration date of the certificate may have been extended silently. So you have to remain vigilant about educating your users to seek help when they see EMET throw up a warning about a site they are browsing, and configure the Blocking Rule checkbox as I described earlier in this piece to get a "block first, ask questions later" sort of setup.
Certificate pinning only works within Internet Explorer. Google Chrome has a pinning rule built into it, but they do not get managed with EMET -- they are managed within Chrome. Also, EMET 5 (the latest major version) does not support the Metro or Modern versions of IE that are built into the Windows tablet operating system; it only supports IE in desktop mode. EMET 5.2 and onward support the Metro IE, but you have to update your existing EMET clients to get this protection enabled.
The best defense is a layered defense. EMET provides a lot of those layers -- other benefits you get for free -- in addition to certificate pinning. Pinning isn't perfect, but for IE centric shops it's another tool you can use to improve your overall security posture.
What is certificate pinning?
Dig Deeper on Windows Server troubleshooting
Related Q&A from Jonathan Hassell
Certificate pinning allows admins to verify a legitimate certificate once and receive warnings if it changes. Continue Reading