
Sleep better at night with Data Execution Prevention (DEP) in Windows Vista


Data Execution Prevention (DEP), first shipped in Windows XP SP2 and carried forward into Windows Vista, marks the memory regions that hold data (stacks, heaps, data buffers) as non-executable, so code that an attacker smuggles into one of those regions, for example through a buffer overflow, cannot run from there. When a protected program or service attempts to execute code from a non-executable location, Windows terminates it automatically and notifies you.

By default (the "OptIn" setting), DEP protects only essential Windows programs and services, not other programs. You get broader protection by enabling DEP for all programs and services (the "OptOut" setting). If you have a program or service that doesn't run correctly with DEP, you can turn DEP off for that particular program, at the cost of leaving it unprotected.

Follow these steps to turn DEP on for all Windows programs and services.

  1. Click the Start orb and type Control Panel.
  2. Click System and Maintenance | System | Advanced System Settings.
  3. Click Continue at the UAC prompt, then choose the Advanced tab.
  4. Under Performance, click Settings.
  5. Choose the Data Execution Prevention tab.
  6. Tick "Turn on DEP for all programs and services except those I select", as shown in Figure 1, then click OK. The change takes effect after a reboot.

Figure 1: DEP in Windows Vista
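The same change can be made and verified without the dialog. The block below is an added example, not part of the original post: it reads the DEP policy the kernel booted with (via the Win32_OperatingSystem WMI class), switches the boot configuration to OptOut with bcdedit (the equivalent of ticking the option in Figure 1), and registers a per-program exclusion the way the DEP tab records one, as an application-compatibility "layer" value under AppCompatFlags\Layers. It assumes Windows Vista or later, an elevated prompt, and a placeholder executable path that you replace with the real one.

```powershell
# Added example (not from the original post): inspect and set the machine-wide DEP
# policy and register a per-program exclusion. Run from an elevated PowerShell prompt.
# Assumes Vista or later (bcdedit-based boot configuration); the executable path passed
# to Add-DepExclusion below is a placeholder.

$depPolicyNames = @{
    0 = 'AlwaysOff'
    1 = 'AlwaysOn  (all programs, exclusions ignored)'
    2 = 'OptIn     (Windows programs and services only; the default)'
    3 = 'OptOut    (all programs and services except those excluded)'
}

function Get-DepStatus {
    # Win32_OperatingSystem exposes the DEP policy currently in force and whether the
    # CPU provides NX/XD (hardware DEP). SupportPolicy is the number mapped above.
    $os = Get-WmiObject -Class Win32_OperatingSystem
    New-Object PSObject -Property @{
        Policy            = $depPolicyNames[[int]$os.DataExecutionPrevention_SupportPolicy]
        HardwareDepPresent = $os.DataExecutionPrevention_Available
        Covers32BitApps   = $os.DataExecutionPrevention_32BitApplications
        CoversDrivers     = $os.DataExecutionPrevention_Drivers
    }
}

function Set-DepOptOut {
    # Same effect as ticking "Turn on DEP for all programs and services except those
    # I select". bcdedit writes the nx value into the boot configuration, so this
    # needs elevation and only takes effect after a reboot. The braces are quoted
    # so PowerShell does not parse {current} as a script block.
    & bcdedit /set '{current}' nx OptOut
    if ($LASTEXITCODE -ne 0) { throw 'bcdedit failed; run this from an elevated prompt.' }
}

function Add-DepExclusion {
    param([Parameter(Mandatory = $true)][string]$ExePath)
    # The DEP tab stores each exclusion as a REG_SZ value whose name is the full
    # path of the executable and whose data is the DisableNXShowUI layer.
    # Excluding a program leaves it without DEP protection, so prefer a vendor fix.
    if (-not (Test-Path -LiteralPath $ExePath)) { throw "$ExePath does not exist." }
    $layers = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
    if (-not (Test-Path $layers)) { New-Item -Path $layers -Force | Out-Null }
    Set-ItemProperty -Path $layers -Name $ExePath -Value 'DisableNXShowUI' -Type String
}

# Usage (placeholder path; replace with the program that does not run under DEP):
Get-DepStatus | Format-List
Set-DepOptOut
Add-DepExclusion -ExePath 'C:\Program Files\LegacyApp\legacyapp.exe'
Write-Host 'Reboot for the new policy to take effect, then re-run Get-DepStatus.'
```

Two caveats worth knowing before relying on the dialog setting: the policy only governs 32-bit processes, because 64-bit native processes always run with DEP, and "AlwaysOn" is stricter than "OptOut" since it ignores the exclusion list entirely. Re-run Get-DepStatus after the reboot to confirm the policy you expect is actually in force, and check that HardwareDepPresent is True; without NX/XD you get only the weaker software DEP.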

11 comments
ali40961

Anything else I should know? Just got a new laptop with Vista Home Pro. Have been researching how to lock it down. Any suggestions? BTW, thanks for the advice about DEP!

comfixer

This is available now using WinPatrol by BillP. WinPatrol is real-time monitoring.

CorporateLackie

What would the typical symptoms of "not playing nicely" be for a program fighting with DEP?

winzig45

DEP is not new; it was already in XP.

guy.goiran

Please tell me what DEP's name is under XP (which version?) and how you manage it.

ChrisHyche@AlabamaOne.Org

It was added with SP2 (it is also in 2k3 SP1). System Properties -> Advanced -> Performance Options -> Data Execution Prevention. The dialog is virtually identical to the Vista one.

dlovep

Yes, it's the same; the only difference is that it shows up in Vista as well as XP, so it's a "new" feature for Vista (an old feature from XP), if you read the article title carefully. Besides, this is a useless feature: when a service crashes in XP or Vista, it just shows a box with "Report to Microsoft bla bla bla..."; if you treat that as a notification, then this is a notification...

frank.schafer

It probably would be a better security feature to clean up the bugs that make the services and programs vulnerable. This new feature only brings a new process, which itself brings new vulnerabilities to the system. How should such a process decide which code is harmful and which is not? A process monitoring the data, similar to FAM on Linux, would probably be a better solution.

groffg

DEP leverages the NX/XD (XD for Intel; NX for AMD) capability of modern processors that allows pages in memory to be marked as non-executable (there's also a "software DEP" for cases where the processor doesn't support NX/XD, but it protects against a different attack vector). Marking pages in memory as non-executable is meant to prevent the exploitation of buffer overflow vulnerabilities (yielding a DoS, denial of service, against the target program/service, but without leading to arbitrary code execution in the event that a malware payload was passed into the memory buffer). This feature in Windows was first made available in SP2 of WinXP (along with other security enhancements, like Windows Firewall). I suspect we'll see more of these joint hardware-software enhancements in the future (NX/XD being an example; TPM chips are another example; Seagate's FDE.2 Momentus drive is yet another, as it includes on-board encryption). Leveraging hardware enhancements will likely make many software-based attacks less trivial to exploit, whether they involve data security (like encryption) or security within the context of a running system (protection from buffer overflows being an obvious example). Finally, I strongly recommend applying DEP to "all programs and services" to maximize coverage and to protect against buffer overflow attacks on vulnerable programs/services. That suggestion is oddly left out of many "top 10" security lists for Windows users.

Old Man on the Mountain

I agree with your recommendation, with the exception of those programs that won't handle it. We had one at a previous site that wouldn't work unless we excepted it from the list. Fortunately the vendor was quick to provide an updated version, but we had many desktops to update after that.
