How to dramatically increase Windows XP SP2 security in 10 clicks!
September 21st, 2006
Did you know that Windows XP SP2 and Windows Vista contain a powerful feature that you can activate to protect your PC against many of the vulnerabilities that plague Windows users? It is called DEP (Data Execution Prevention), and it prevents data stored in memory from being run as code, a trick that some malware uses to try to execute nasty code on your PC.
There are two kinds of DEP:
- Hardware-enforced
- Software-enforced
By far the most effective form of DEP is hardware-enforced DEP. This relies on having a CPU that supports the NX or XD bit. Modern AMD processors support NX (which stands for No eXecute) while modern Intel CPUs support XD (which stands for eXecute Disable). Both features carry out the same function and differ only in name. If you don't have a CPU that understands NX/XD then you are limited to the inferior software-enforced DEP and you'd have to upgrade the CPU or buy a new PC if you wanted to use hardware-enforced DEP.
By default, DEP on Windows XP SP2 only monitors essential Windows programs and services, but you can quite easily extend this to cover all applications and services:
- Click Start > Control Panel
- Click on Performance and Maintenance (if you are in Classic View, skip this step)
- Click on System
- Click on the Advanced tab
- In the Performance group, click on Settings
- On the Performance Options dialog, click on the Data Execution Prevention tab
- Click on "Turn on DEP for all programs and services except those I select"
- Click OK
- Click OK to confirm that the system will need to be restarted
- Finally, reboot the system
The process for fully activating DEP on Windows Vista is a little different:
- Click Start > Control Panel
- Click System and Maintenance
- Click on System
- Click on Advanced system settings
- Click Continue on the User Account Control dialog that will be generated
- In the Performance group, click on Settings
- On the Performance Options dialog, click on the Data Execution Prevention tab
- Click on "Turn on DEP for all programs and services except those I select"
- Click OK to confirm that the system will need to be restarted
- Click OK
- Finally, reboot the system
Once you’ve rebooted, you can test that DEP is working by downloading and running a small utility called NXTEST by Robert Schlabbach.
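To confirm after the reboot that the setting itself took effect, the DEP policy can be read from the Win32_OperatingSystem WMI class. The following is an added example, not part of the original post; it assumes Windows PowerShell with Get-WmiObject is installed, and Get-DepStatus is a hypothetical function name.

```powershell
# Added example, not from the original post. Get-DepStatus is a hypothetical name.
# Assumes Windows PowerShell, where the Get-WmiObject cmdlet is available.
function Get-DepStatus {
    param([string[]]$ComputerName = @('.'))

    # Documented values of Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy
    $policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }

    foreach ($computer in $ComputerName) {
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $computer `
                            -ErrorAction SilentlyContinue
        if (-not $os) {
            Write-Warning "No WMI response from $computer"
            continue
        }

        # WMI returns the policy as a byte; cast so the hashtable lookup matches.
        $policy = $policyNames[[int]$os.DataExecutionPrevention_SupportPolicy]

        # OptIn is the XP SP2 default: essential Windows programs and services only.
        # OptOut is what "Turn on DEP for all programs and services except those
        # I select" sets. AlwaysOn covers everything and allows no exceptions.
        $allPrograms = ($policy -eq 'OptOut') -or ($policy -eq 'AlwaysOn')

        # HardwareDepAvailable is False on a CPU without NX/XD support, in which
        # case only software-enforced DEP applies.
        $props = @(
            @{ Name = 'Computer';             Expression = { $_.CSName } },
            @{ Name = 'HardwareDepAvailable'; Expression = { $_.DataExecutionPrevention_Available } },
            @{ Name = 'Policy';               Expression = { $policy } },
            @{ Name = 'CoversAllPrograms';    Expression = { $allPrograms } },
            @{ Name = 'DriversProtected';     Expression = { $_.DataExecutionPrevention_Drivers } }
        )
        $os | Select-Object -Property $props
    }
}

# Check the local machine after the reboot; Policy should read OptOut.
Get-DepStatus | Format-List
```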
So, what can DEP protect you against? Well, there have been three big security scares this year that have been stopped in their tracks by hardware-enforced DEP. These include the WMF vulnerability from the beginning of the year and the latest VML vulnerability affecting Internet Explorer. You should never rely solely on hardware-enforced DEP to protect you against malicious code, but given that the detection rate for the VML vulnerability is still pretty awful, it's a handy safety net to be running.
This entry was posted on Thursday, September 21st, 2006 at 11:49 and is filed under Stay Secure.
September 22nd, 2006 at 11:42
[...] How to dramatically increase Windows XP SP2 security in 10 clicks by Adrian [...]
September 22nd, 2006 at 18:06
[...] 78. How to dramatically increase Windows XP SP2 security in 10 clicks by Adrian [...]
September 23rd, 2006 at 03:22
[...] As you may know, one of the key features introduced with the new 64-bit CPUs is the no execution (NX) bit, which is a very helpful tool in preventing buffer overflows. What you may not know is that in Windows XP, this bit is not necessarily enabled by default. The PC Doctor has a nice how-to article on enabling this in XP SP2, which is a good thing, since if you know anything about programming and security, one of the major exploits is the buffer overflow, and anything to make it more difficult is a blessing. [...]