Chapter 3: Fine-Tuning Windows Vista’s Appearance and Performance
Fine-Tuning Data Execution Prevention
Data Execution Prevention (DEP) is a memory protection technology. Your computer uses DEP to mark all memory locations used by applications as nonexecutable unless the location explicitly contains executable code. If an application attempts to execute code from a memory page marked as nonexecutable, the processor can raise an exception and prevent it from executing. This behavior is designed to thwart a malicious program, such as a virus, from inserting itself into areas of memory. By allowing only specific areas of memory to run executable code, DEP protects your computer from many types of self-replicating viruses.
You can implement DEP via hardware or software. Hardware-based DEP is more robust because you can extend it to any program or service running on the computer. Software-based DEP is less robust because it typically works best when protecting Windows programs and services.
32-bit versions of Windows support DEP as implemented by Advanced Micro Devices Inc. (AMD) processors that provide the no-execute page-protection (NX) processor feature. Such processors support the related instructions and must be running in Physical Address Extension (PAE) mode. 64-bit versions of Windows also support the NX processor feature.
You can determine whether your computer hardware supports DEP by completing the following steps:
1. In the Control Panel, click the System and Maintenance category heading link.
2. Click Performance Information and Tools.
3. Under Tasks, click “Adjust visual effects.” This opens the Performance Options dialog box.
4. Click the Data Execution Prevention tab. As Figure 3-23 shows, the lower portion of this tab lists the DEP support available.
Once you’ve accessed the Data Execution Prevention tab, you can configure the way DEP works using these options:
Turn on DEP for essential Windows programs and services only
Enables DEP only for the operating system services, programs, and components. This is the default and recommended option for computers that support execution protection and are configured appropriately.
Turn on DEP for all programs except those I select
Enables DEP for the operating system, as well as all programs and services you are running.
Because some programs won’t work with or will become unstable with software-based DEP, you may find that you have to add exceptions when you enable DEP for all programs. Click Add to specify programs that should run without execution protection. In this way, execution protection will work for all programs except those you have listed.
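The same information the Data Execution Prevention tab shows (hardware support, which of the two policy options is active, and which programs have been excepted) can be collected from a script, which is useful when you need to audit many machines rather than click through the dialog on each. The following PowerShell script is an added example, not code from the book or from Microsoft. It assumes Windows Vista or later with PowerShell 2.0, an elevated prompt, and that the DEP tab stores its per-program exceptions under the AppCompatFlags\Layers registry key as values named after the executable path with the data DisableNXShowUI (an assumption about where the tab writes, not something the chapter states). The four policy numbers map onto the boot-time nx setting: OptIn is the “essential Windows programs and services only” option and OptOut is the “all programs except those I select” option; AlwaysOn and AlwaysOff can only be set with bcdedit and are not offered by the tab.

```powershell
# Added example (not from the book): report the DEP state shown on the
# Performance Options > Data Execution Prevention tab from PowerShell.
# Uses Get-WmiObject so it also works on Vista-era PowerShell 2.0.

function Get-DepStatus {
    $os = Get-WmiObject -Class Win32_OperatingSystem

    # DataExecutionPrevention_SupportPolicy is the boot-time NX policy:
    #   0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn, 3 = OptOut
    $policyNames = @{
        0 = 'AlwaysOff (DEP disabled; set with bcdedit, not offered by the tab)'
        1 = 'AlwaysOn  (DEP for everything, no exceptions; set with bcdedit)'
        2 = 'OptIn     (essential Windows programs and services only)'
        3 = 'OptOut    (all programs except those I select)'
    }
    $policy = 'unknown'
    if ($os.DataExecutionPrevention_SupportPolicy -ne $null) {
        $policy = $policyNames[[int]$os.DataExecutionPrevention_SupportPolicy]
    }

    New-Object PSObject -Property @{
        HardwareDepAvailable = $os.DataExecutionPrevention_Available
        DepForDrivers        = $os.DataExecutionPrevention_Drivers
        DepFor32BitApps      = $os.DataExecutionPrevention_32BitApplications
        Policy               = $policy
    }
}

function Get-DepExceptions {
    # Assumption: the DEP tab records each excepted program as a value named
    # after its full path, with data 'DisableNXShowUI', under this key.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
    if (-not (Test-Path $key)) { return @() }
    $item = Get-ItemProperty -Path $key
    $item.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match 'DisableNXShowUI' } |
        ForEach-Object { $_.Name }
}

function Get-DepBootSetting {
    # Cross-check against the boot configuration: the 'nx' entry of {current}.
    $line = bcdedit /enum '{current}' | Select-String -Pattern '^\s*nx\s+'
    if ($line) { ($line.Line -split '\s+')[-1] } else { 'nx not set (Vista defaults to OptIn)' }
}

Get-DepStatus | Format-List
'DEP exceptions (programs running without execution protection):'
Get-DepExceptions
'Boot nx setting: ' + (Get-DepBootSetting)
```

When HardwareDepAvailable reports False the processor or its mode (no NX, or 32-bit Windows not running in PAE mode) is the reason, and only the weaker software-based DEP applies; when the exception list is unexpectedly long on a machine that should run in OptOut mode, each entry is a program that has been taken out from under execution protection and is worth reviewing.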