Thwarting Exploits with DEP
Thwarting malware attacks that exploit software vulnerabilities is the most important element of automatic updates. But Windows 7 offers a second way of thwarting such attacks. It's called Data Execution Prevention (DEP). You don't want to use DEP as an alternative to other techniques. Rather, you want to use it in addition to other techniques.
To give you a little background, many malware attacks use a technique called buffer overflow (or buffer overrun) to sneak code (program instructions) into areas of memory that only the operating system (Windows) should be using. Those areas of memory have direct access to everything on your computer. So any bad code that sneaks into that area can do great damage.
Data Execution Prevention is a security antidote to such attacks. It monitors programs to make sure they don't run code from memory locations that are meant to hold only data. If DEP notices a program trying to do anything sneaky, it shuts that program down before it can do any harm.
By default, DEP is enabled for essential Windows programs and services only. When coupled with antivirus protection, that setting is usually adequate. You can crank it up to monitor all programs and services. But if you do, you might also have to individually choose programs that are allowed to bypass DEP.
To get to options for DEP, first open the System window using whichever technique is most convenient:
- Click the Start button, right-click Computer, and choose Properties.
- Press the Windows key, type sys, and click System under the Programs heading.
Regardless of the method used, you end up in the System window. In the left column, click Advanced System Settings. That takes you to the System Properties dialog box. In System Properties, click the Advanced tab, click the Settings button under the Performance heading, and then click the Data Execution Prevention tab.
By default, the option to apply DEP to essential Windows programs and services only is selected. For stronger protection, you can turn on DEP for all programs and services. If you choose that option, DEP may sometimes shut down a program to prevent it from running.
Note: Many modern processors offer NX technologies, which prevent buffer overflows at the hardware level. When that's the case, Windows supports that hardware-based DEP. For processors that don't have hardware DEP, Windows uses DEP software to achieve the same result.
If DEP does shut down a program you need, you have a couple of choices. One is to contact the program manufacturer to find out whether there's a version of the program that runs under DEP. Otherwise, if you trust the program, you can add it to the list of programs that are allowed to bypass DEP. To accomplish that, you need to click the Add button and then navigate to and double-click the executable file (typically, such a file has the extension .exe) that DEP is shutting down.
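To review the same settings without the dialog box, the following read-only PowerShell audit (an added example, not part of the original tutorial) reports the active DEP policy and lists the programs that have been allowed to bypass DEP. It assumes the exceptions added with the Add button are stored under the AppCompatFlags\Layers registry key with the data DisableNXShowUI; treat that location as an assumption and confirm it on your own system.

```powershell
# Added example: read-only audit of the DEP settings described above.
# Written for the PowerShell 2.0 that ships with Windows 7.

# Meaning of Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy
$policyNames = @{
    0 = 'AlwaysOff (DEP disabled for all processes)'
    1 = 'AlwaysOn (DEP for all processes, no exceptions honoured)'
    2 = 'OptIn (essential Windows programs and services only)'
    3 = 'OptOut (all programs and services except those listed)'
}

$os     = Get-WmiObject -Class Win32_OperatingSystem
$policy = [int]$os.DataExecutionPrevention_SupportPolicy

"Hardware DEP (NX) available : $($os.DataExecutionPrevention_Available)"
"DEP policy                  : $policy = $($policyNames[$policy])"

# Assumption: each exception is a registry value whose name is the full path
# of the executable and whose data contains 'DisableNXShowUI'.
$layers = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
$exceptions = @()
if (Test-Path $layers) {
    $key = Get-Item $layers
    foreach ($name in $key.GetValueNames()) {
        if ("$($key.GetValue($name))" -match 'DisableNXShowUI') {
            $exceptions += $name
        }
    }
}

if ($exceptions.Count -eq 0) {
    'No programs are exempt from DEP.'
} else {
    'Programs allowed to bypass DEP:'
    foreach ($exe in $exceptions) {
        # A missing file or an invalid signature is a reason to remove the entry.
        $exists = Test-Path -LiteralPath $exe
        $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'n/a' }
        '  {0}  (exists: {1}, signature: {2})' -f $exe, $exists, $sig
    }
}
```

Entries only take effect under the OptOut policy, so an exception list combined with policy 2 (OptIn) usually means the setting was changed back after the exceptions were added.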