LKBEN10654: Howto enable Data Execution Prevention (DEP) in windows SP2 or windows 2003 Server


This article has not been checked!

LKB | Created: 02/04/2020 | Version: 0 | Language: EN | Rating: 0 | Outdated: False | Marked for deletion: False

Author: Wim Peeters - Keskon GmbH & Co. KG


Symptom

You want to be more secure and want to enable Data Execution Prevention

Cause

Data Execution Prevention is activated automatically and can cause some problems

Solution

Data Execution Prevention is a feature in Windows XP Service Pack 2, Windows XP Tablet PC and Windows Server 2003. For more information you should search for KB875352. This feature performs additional memory checks to prevent malicious code, especially prevention the execution of code from the data segment, the stack and heap. It does this by marking all memory from a process as non-executable unless it is marked as executable. It is enforced by hardware and by software and works with intel (XD = Execute Disable Bit) and AMD (NX = no execute page protection).

The configuration is done by the boot.ini file.

The following policy levels are defined:
AlwaysOn, AlwasyOff, OptIn and OptOut.

/EXECUTE -> DEP is deaktivated for the system, can be activated for certain applications

/NOEXECUTE -> DEP is activated for the system, can be deaktivated for certain applications.

/noexecute=OptIn -> DEP looks at System files and applications from the OptIn List

/noexecute=OptOut -> DEP looks at System files but not for files in the OptOut List

/NOEXECUTE=OptIn and /NOEXECUTE=OptOut can be configured from in windows. (Properties of the computer -> System Performance -> New Tab Data Execution Prevention)

/noexecute=AlwaysOn -> DEP is activated systemwide with no execeptions

/noexecute=AlwaysOff -> DEP is deaktivated systemwide

Here is an example of a boot.ini with /NoExecute=OptIn (which is standard)

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

About the Author

Wim Peeters is electronics engineer with an additional master in IT and over 30 years of experience including time spent in support, development, consulting, training and database administration. Wim has worked with SQL Server since version 6.5. He has developed in C/C++, Java and C# on Windows and Linux in different European countries and different European languages. He writes knowledge base articles to solve IT problems and publishes them on the Lubby Knowledge Platform where he is one of the most important contributors and the main developer.

Disclaimer:

The information provided in this document is intended for your information only. Lubby makes no claims to the validity of this information. Use of this information is at own risk!