On Thursday, February 4th, Vikas Malhotra of Microsoft’s Trustworthy Computing Team blogged about the introduction of Data Execution Prevention (DEP) to Microsoft Office 2010.
For those of you not familiar with DEP, it is a technology that marks which of the areas of memory allocated to a program are allowed to contain executable code. This is important because many buffer overflow attacks rely on writing code into a writable area of memory and then jumping to that area to run the malicious code; with DEP enforced, the processor refuses to execute code from memory that was never marked executable.
The ability for DEP to stop malicious execution relies on three primary factors:
- Processor support: DEP uses a new feature in CPUs called an NX (No eXecute) bit. Support for this has been available since the introduction of the AMD 64 processor, as well as later Pentium 4 CPUs. Most current-generation CPUs include NX support.
- BIOS support: New computers often ship with the BIOS setting for NX support disabled. To take full advantage of DEP in Microsoft Windows and other operating systems, you must enable this BIOS option. It may also be called “Enhanced Virus Protection” on AMD processors, or “eXecute Disable (XD)” on Intel-based computers.
- Address Space Layout Randomization: ASLR is another protection mechanism designed to work hand in hand with DEP. In Microsoft Windows it was introduced with Vista, and has been enhanced in Windows 7. It’s important to use these technologies in tandem, and another reason to upgrade to a Windows newer than XP.
DEP was initially introduced in Windows XP SP2 and Windows Server 2003 SP1. If you are running a 64-bit version of Windows, DEP is always on for 64-bit processes by default. If you are running 32-bit code or a 32-bit version of Windows, you have several choices for taking advantage of DEP. By default, Windows is set to “Turn on DEP for essential Windows programs and services only,” also known as “OptIn.” This protects only a particular set of processes and services that are shipped by Microsoft.
Microsoft has published a TechNet article with detailed instructions for configuring DEP settings in Windows XP.
Microsoft also offers a software-based DEP in Windows, but it is not true DEP: it does not use the NX bit and only checks the integrity of a program's structured exception handling. On hardware that supports the NX bit you should enable hardware-based DEP whenever possible.
Microsoft offers four modes of DEP. The default, OptIn, protects primary Windows services and applications and will include Office 2010 when it is released. The second choice in the GUI is OptOut. This setting enforces DEP for all programs, but allows you to create a list of applications to exclude from protection if they are incompatible. The last two options, AlwaysOn and AlwaysOff, require you to modify boot settings in order to select them. AlwaysOn is the most secure and makes it very difficult for malicious programs to bypass DEP, but it does not offer an exclusion option. AlwaysOff is the least safe and is not recommended.
The best way to configure DEP settings on Windows 7 and Vista is with the BCDEdit program. Microsoft TechNet explains the NX options for Windows Vista and 7 DEP configuration.
If your organization is considering a roll-out of Windows 7, this presents an opportunity for you to consider what you would like your standard settings to be on your workstations. I recommend enabling the AlwaysOn setting and testing to be sure your standard application load is compatible. If it is, you can set this choice in your image before deployment to take full advantage of this technology.
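As an added example (not from the original post, and not Microsoft's own tooling), the PowerShell script below audits the DEP state that Windows exposes through the Win32_OperatingSystem WMI class and then applies the AlwaysOn boot setting with BCDEdit, following the recommendation above. It assumes Windows Vista or later, an elevated session, and that you have already tested your standard application load; the function names Get-DepStatus and Set-DepAlwaysOn are mine.

```powershell
# Added example: audit the machine's DEP support and policy, then switch the
# boot entry to AlwaysOn with bcdedit. Run from an elevated PowerShell session;
# bcdedit needs administrator rights and the change applies after a reboot.

# Microsoft's encoding of DataExecutionPrevention_SupportPolicy:
# 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (the Windows default), 3 = OptOut
$PolicyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }

function Get-DepStatus {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    [pscustomobject]@{
        # False here usually means NX/XD is absent or disabled in the BIOS
        HardwareDepAvailable = $os.DataExecutionPrevention_Available
        Policy               = $PolicyNames[[int]$os.DataExecutionPrevention_SupportPolicy]
        Covers32BitApps      = $os.DataExecutionPrevention_32BitApplications
        CoversDrivers        = $os.DataExecutionPrevention_Drivers
    }
}

function Set-DepAlwaysOn {
    param([switch]$WhatIf)   # preview the change without applying it

    $status = Get-DepStatus
    if (-not $status.HardwareDepAvailable) {
        Write-Warning 'Hardware DEP is not available: enable NX/XD in the BIOS before changing the boot policy.'
        return
    }
    if ($status.Policy -eq 'AlwaysOn') {
        Write-Host 'DEP is already set to AlwaysOn.'
        return
    }
    # {current} is the boot entry of the running OS. The braces are quoted so
    # PowerShell does not parse them as a script block.
    if ($WhatIf) {
        Write-Host 'Would run: bcdedit /set {current} nx AlwaysOn'
    } else {
        bcdedit /set '{current}' nx AlwaysOn
    }
}

Get-DepStatus | Format-List
Set-DepAlwaysOn -WhatIf   # drop -WhatIf once your application load is known to be compatible
```

Running Get-DepStatus on a fleet before deployment tells you which machines still have NX disabled in the BIOS (HardwareDepAvailable is False), which is worth fixing first, because AlwaysOn in the boot configuration cannot help on hardware where the bit is switched off.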
I am pleased to see Microsoft embrace DEP with the Office product line as it may help mitigate the risk of malicious documents and macros introducing malware onto your systems. As many organizations are considering how to upgrade from Windows XP and older versions of Office to Microsoft’s latest offerings, now is a great time to choose the strongest settings for DEP as your standard for images to deploy a more secure desktop.
Update: Sophos Australia’s Sean Richmond brought to my attention some advice for Sophos customers. If you are currently running a 32-bit desktop environment with Sophos Endpoint Security and Control, you can enable our Buffer Overflow Protection Service to help protect current versions of Microsoft Office.