Monday, May 14, 2007

Securing Windows XP with DEP

Data Execution Prevention (DEP) is a set of hardware and software technologies that stop code from executing out of memory regions meant to hold only data, such as the stack and the heap. A large share of exploits rely on buffer overruns in Windows or other software to write attacker-supplied code into such a region and then jump to it; with DEP in force, the attempt to execute from a non-executable page raises an exception and Windows terminates the program instead of running the payload. DEP does not block techniques that reuse code already present in executable pages, so treat it as one layer alongside patching, not a complete defence.

There are two types of DEP: hardware-enforced and software-enforced. Hardware DEP relies on the CPU being able to mark individual pages as non-executable (the NX bit on AMD processors, XD on Intel); most processors sold from around 2005 on support it. On 32-bit Windows XP the feature also requires the PAE kernel, which Windows loads automatically when the CPU supports DEP. Software-enforced DEP, available since Windows XP SP2 and in Windows Vista, does not depend on the CPU: it only validates structured exception handlers (SafeSEH) before they are invoked, so it covers a much narrower class of attacks.

Hardware DEP

To determine whether your CPU has hardware DEP support, download SecurAble from Gibson Research Corporation. Run it and it reports three things about your processor: whether it is 64-bit capable, whether it supports hardware DEP (NX/XD), and whether it supports hardware virtualization.

You can also query the same information from Windows with the WMIC command-line tool. At a command prompt type:

  wmic OS Get DataExecutionPrevention_Available

If the value returned is TRUE, hardware-enforced DEP is available. To check whether DEP is actually in force for the kernel and drivers, enter:

  wmic OS Get DataExecutionPrevention_Drivers

If that returns TRUE, hardware DEP is running in Windows. A third property reports which policy is in effect:

  wmic OS Get DataExecutionPrevention_SupportPolicy

It returns 0 for AlwaysOff, 1 for AlwaysOn, 2 for OptIn (the default, "essential Windows programs and services only") and 3 for OptOut ("all programs and services except those I select").
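The same properties can be read from PowerShell, which also lets you decode the policy value in one step. The script below is an added example, not part of the original post or of any Microsoft tool; it assumes Windows XP SP2 or later with PowerShell 1.0 or newer installed and reads the Win32_OperatingSystem properties documented in KB 912923.

```powershell
# Added example: read the DEP properties of Win32_OperatingSystem (KB 912923)
# and decode the policy value. Assumes PowerShell 1.0+ on Windows XP SP2 or later.
$os = Get-WmiObject -Class Win32_OperatingSystem

# DataExecutionPrevention_SupportPolicy mirrors the boot.ini /noexecute switch.
$policyNames = @{
    0 = 'AlwaysOff - DEP disabled for everything'
    1 = 'AlwaysOn  - DEP enforced for everything, exception list ignored'
    2 = 'OptIn     - default; Windows system binaries and opted-in programs only'
    3 = 'OptOut    - all programs except those on the exception list'
}

$available = $os.DataExecutionPrevention_Available          # CPU + kernel support NX/XD
$drivers   = $os.DataExecutionPrevention_Drivers            # DEP in force for kernel and drivers
$apps32    = $os.DataExecutionPrevention_32BitApplications  # DEP in force for 32-bit user programs
$policy    = [int]$os.DataExecutionPrevention_SupportPolicy

"Hardware DEP available : $available"
"DEP enabled for drivers: $drivers"
"DEP for 32-bit apps    : $apps32"
"Policy                 : $policy ($($policyNames[$policy]))"

if (-not $available) {
    "No NX/XD support detected; only software-enforced DEP (SafeSEH checks) applies."
} elseif ($policy -eq 2) {
    "Hardware DEP is present but only OptIn is active; third-party programs are not covered until you switch to OptOut."
}
```

Run it from any user account; reading these properties needs no elevation, whereas changing the policy does.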

Configuring DEP

Right-click My Computer and select Properties. Click the Advanced tab and, under Performance, click Settings.

In the Performance Options window click the Data Execution Prevention tab. Here you can turn on DEP for essential Windows programs and services only (the default, known as OptIn) or for all programs and services except those you select (OptOut). The two remaining policies, AlwaysOn and AlwaysOff, are not offered in the dialog; they can only be set through the /noexecute switch in boot.ini. A policy change takes effect after a reboot.

Turning on DEP for all programs is the setting that actually protects third-party software, so it is the one to aim for. Some programs will crash with DEP turned on, however, because they execute code from pages they allocated as data (for example older just-in-time code generators, self-modifying code, or packed executables that unpack into the heap).

To find out which ones, install Process Explorer from Sysinternals. Run it, select View -> Select Columns, and on the Process Image tab check DEP Status. The new column shows whether DEP is enabled for each running process.

With the default OptIn setting still in place, note every process that Process Explorer lists with DEP disabled; these are the programs that will be newly covered once you switch. Then select Turn on DEP for all programs and services except those I select, add the noted programs to the exception list and reboot. From there, re-enable DEP for one or two programs at a time by removing them from the list, and run them for a few hours or days. If everything works, move on to the next set. If a program crashes with DEP enabled (the usual symptom is a Data Execution Prevention dialog naming the program, or an access-violation crash), put it back on the exception list permanently, and keep any program that has to stay there patched, since it runs without this protection.
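The exception list that the DEP tab edits is an ordinary registry key, so the exclude-everything-then-re-enable-one-at-a-time loop above can be scripted. The helpers below are an added example, not part of the original post or of Windows: they assume PowerShell 1.0 or newer on XP SP2, an administrator account, and that the system-wide exclusions live under the HKLM AppCompatFlags\Layers key as a REG_SZ value per executable whose data carries the token DisableNXShowUI (the layout the XP SP2 dialog writes). The program paths in the usage section are constructed and hypothetical.

```powershell
# Added example: manage the DEP exception list the XP SP2 dialog maintains.
# Assumes PowerShell 1.0+, an elevated session, and the HKLM Layers key below.
# Exclusions only matter when the policy is OptOut; AlwaysOn ignores them.
$LayersKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
$Token     = 'DisableNXShowUI'

function Get-DepExclusions {
    # Return the full paths of programs currently excluded from DEP.
    if (-not (Test-Path $LayersKey)) { return @() }
    $item = Get-ItemProperty -Path $LayersKey
    foreach ($prop in $item.PSObject.Properties) {
        # Skip the PS* metadata the registry provider adds; keep values carrying the token.
        if ($prop.Name -notlike 'PS*' -and "$($prop.Value)" -match $Token) { $prop.Name }
    }
}

function Add-DepExclusion([string]$ExePath) {
    # Exclude one program, preserving any other compatibility layers already set on it.
    if (-not (Test-Path $LayersKey)) { New-Item -Path $LayersKey -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $LayersKey).$ExePath
    if ("$existing" -match $Token) { return }
    if ($existing) { $data = "$existing $Token" } else { $data = $Token }
    Set-ItemProperty -Path $LayersKey -Name $ExePath -Value $data
}

function Remove-DepExclusion([string]$ExePath) {
    # Put one program back under DEP; delete the value if no other layer remains.
    if (-not (Test-Path $LayersKey)) { return }
    $existing = (Get-ItemProperty -Path $LayersKey).$ExePath
    if (-not $existing) { return }
    $rest = @($existing.Split(' ') | Where-Object { $_ -and $_ -ne $Token })
    if ($rest.Count -gt 0) {
        Set-ItemProperty -Path $LayersKey -Name $ExePath -Value ([string]::Join(' ', [string[]]$rest))
    } else {
        Remove-ItemProperty -Path $LayersKey -Name $ExePath
    }
}

# Workflow from the post, with constructed (hypothetical) program paths: exclude
# everything Process Explorer showed with DEP disabled, then bring one program
# back under DEP as the first candidate to test.
$noted = @('C:\Program Files\Example\legacyapp.exe', 'C:\Program Files\Example\viewer.exe')
foreach ($exe in $noted) { Add-DepExclusion $exe }
Remove-DepExclusion 'C:\Program Files\Example\viewer.exe'
Get-DepExclusions
```

Changes to the list take effect the next time the program is started; because the dialog reads the same key, what it displays stays consistent with what the script wrote. The policy itself (OptIn versus OptOut) is not stored here but in the boot.ini /noexecute switch, so scripting the list does nothing until that has been switched to OptOut.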

The steps outlined here are for Windows XP. Windows Vista also has DEP and the steps are nearly identical to those shown here; on Vista the policy can additionally be inspected and set from an elevated prompt with bcdedit /enum and bcdedit /set nx OptOut, since Vista keeps the setting in the BCD store rather than in boot.ini.

Sources: Microsoft KB 875352, Microsoft KB 912923 and the Windows Secrets Newsletter.
