March 10th, 2005, 04:57 AM
Brief look at Data Execution Prevention (XP)
[Relates to Microsoft operating system]
If you've downloaded and installed Windows XP Service Pack 2 (SP2), you are already using Data Execution Prevention (DEP).
SP2 setup enables the OptIn policy level by default unless an unattended installation specifies a different level, and under OptIn DEP is only turned on for essential Windows operating system programs and services.
What is DEP?
Data Execution Prevention (DEP) helps prevent damage from viruses and other threats that work by executing code from memory regions that should only ever hold data, such as the stack, the heap and a program's data sections. A typical attack overflows a buffer in one of those regions with attacker-supplied code and then redirects execution into it; once running, the injected code controls the program and can go on to harm other programs, files, and even your e-mail contacts.
Unlike a firewall or antivirus program, DEP does not stop harmful programs from being installed on your computer. Instead it marks data pages as "non-executable", so code can only run from pages that are meant to hold code. Hardware-enforced DEP uses the processor's no-execute bit (AMD NX, Intel XD) and on 32-bit Windows requires the PAE kernel; software-enforced DEP works on any processor but only validates exception handlers before they are called. If a program tries to run code from a protected page, Windows terminates the program with an access violation and notifies you. This happens even if the code is not malicious, which is why some older programs that generate code at run time (JIT compilers, self-modifying code, some installers) break under DEP and need to be opted out.
Where are simplified DEP options?
Designed for end users.
You can find the DEP options by right clicking "My Computer", then Properties, Advanced, Settings (under Performance), Data Execution Prevention.
One of the two radio buttons on that tab is always selected while DEP is running: the first ("essential Windows programs and services only") corresponds to the OptIn policy, the second ("all programs and services except those I select") to OptOut.
The controls on that tab are disabled when the boot entry specifies AlwaysOn or AlwaysOff, since neither honours the exceptions list, and the tab tells you if the processor does not support hardware-enforced DEP (Windows then falls back to software-enforced DEP only).
What other DEP options are available?
Designed for IT Professionals or ISVs.
System-wide DEP configuration is controlled by a switch in the Boot.ini file, which can be changed in a few ways: by editing the file by hand, through scripting mechanisms (Group Policy startup scripts), or with the Bootcfg.exe tool included with Windows XP.
Windows supports four system-wide configurations covering both hardware-enforced and software-enforced DEP.
They are selected with the Boot.ini switch /noexecute=policy_level, where policy_level is one of OptIn, OptOut, AlwaysOn or AlwaysOff.
A sample configuration in boot.ini is:
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Pro" /fastdetect /NoExecute=OptOut
OptIn: On systems with processors capable of hardware-enforced DEP, DEP is enabled by default for a limited set of system binaries and for applications that "opt in". With this option, only Windows system binaries are covered by DEP by default. This is the default on Windows XP SP2.
OptOut: DEP is enabled by default for all processes. Users can manually create a list of specific applications which do not have DEP applied using System in Control Panel. IT Pros and Independent Software Vendors (ISVs) can use the Application Compatibility Toolkit to opt one or more applications out of DEP protection. System compatibility fixes ("shims") for DEP do take effect.
AlwaysOn: This provides full DEP coverage for the entire system. All processes always run with DEP applied. The exceptions list for exempting specific applications is not available, system compatibility fixes ("shims") for DEP do not take effect, and applications that were opted out using the Application Compatibility Toolkit still run with DEP applied.
AlwaysOff: This provides no DEP coverage for any part of the system, regardless of hardware DEP support. On 32-bit versions of Windows the processor does not run in Physical Address Extension (PAE) mode unless the /PAE switch is also present in the boot entry.
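As an added example (not part of the original post and not Microsoft's code), here is a cmd.exe script that ties the pieces above together: it reads the DEP state the running kernel reports through WMI, maps the SupportPolicy number back to the four policy names, lists the boot entries with bootcfg, and, only when run as "dep-check.cmd set-optout", rewrites the boot entry to /NoExecute=OptOut. The script name, the "set-optout" argument and boot entry ID 1 are assumptions made for the example; wmic.exe and bootcfg.exe ship with Windows XP, and the DataExecutionPrevention_* properties of Win32_OperatingSystem exist from SP2 on.

```batch
@echo off
setlocal EnableExtensions
rem dep-check.cmd - added example for this post, not Microsoft's or the
rem original author's code.  Reports the DEP state of the running kernel and,
rem only on request, switches the boot entry to /NoExecute=OptOut.
rem Assumptions: Windows XP SP2, run from an administrator account, and the
rem Windows boot entry to change is ID 1 (confirm with "bootcfg /query").

rem --- 1. Read the live DEP state from WMI.  Win32_OperatingSystem gained the
rem        DataExecutionPrevention_* properties in XP SP2.  The nested FOR strips
rem        the trailing carriage return wmic leaves on each output line.
for /f "delims=" %%A in ('wmic os get /value ^| find "DataExecutionPrevention_"') do (
    for /f "tokens=1* delims==" %%B in ("%%A") do set "%%B=%%C"
)

rem SupportPolicy encodes the boot.ini policy level actually in effect:
rem   0 = AlwaysOff   1 = AlwaysOn   2 = OptIn (XP default)   3 = OptOut
set "POLICY=unknown"
if "%DataExecutionPrevention_SupportPolicy%"=="0" set "POLICY=AlwaysOff"
if "%DataExecutionPrevention_SupportPolicy%"=="1" set "POLICY=AlwaysOn"
if "%DataExecutionPrevention_SupportPolicy%"=="2" set "POLICY=OptIn"
if "%DataExecutionPrevention_SupportPolicy%"=="3" set "POLICY=OptOut"

echo Hardware DEP available (NX/XD CPU, PAE kernel): %DataExecutionPrevention_Available%
echo DEP enabled for drivers                       : %DataExecutionPrevention_Drivers%
echo DEP enabled for 32-bit applications           : %DataExecutionPrevention_32BitApplications%
echo Policy in effect                              : %POLICY% (SupportPolicy=%DataExecutionPrevention_SupportPolicy%)
echo.

rem --- 2. Show the boot entries; the /NoExecute switch is on the
rem        "OS Load Options" line of each one.
bootcfg /query
echo.

rem --- 3. Only change anything when explicitly asked:  dep-check.cmd set-optout
if /i not "%~1"=="set-optout" (
    echo Re-run with "set-optout" to switch boot entry 1 to /NoExecute=OptOut.
    goto :eof
)

rem "/raw" without "/a" REPLACES the whole OS Load Options string, which keeps
rem a second /NoExecute switch from sneaking in.  Because of that, every other
rem switch the entry already has (/fastdetect here, /3GB, /PAE, ...) must be
rem repeated; copy them from the /query output above before running this.
bootcfg /raw "/fastdetect /NoExecute=OptOut" /id 1
if errorlevel 1 (
    echo bootcfg failed: boot.ini not updated. Run from an administrator account.
    exit /b 1
)
echo Boot entry 1 now has /NoExecute=OptOut. The new policy applies after a reboot.
endlocal
```

Two things to keep in mind when using it: the WMI values describe the kernel that is running now, so after changing Boot.ini they will not match until you reboot, and the Control Panel tab described earlier edits the same switch, so whichever of the two was used last wins.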
Further DEP technical information and advanced configuration can be found at:
Beta tester of "0"s and "1"s"