Tuesday, January 19, 2010

Enable DEP using GPO and Powershell

As a response to recent security threats, it is highly advised to enable Data Execution Prevention (DEP). But how do you achieve that using group policy?

Why is there no administrative template for enabling DEP?

The DEP setting is defined in the boot configuration (the boot.ini file), not in the registry.
Thus it is not as simple as setting a registry value.
In addition, we have to be aware of the following issues:
- on Windows XP, there is no bcdedit command, so you will have to write an additional script alongside the one described here. This is really risky: if boot.ini is badly formatted, the system will simply not boot anymore!
- on Windows Vista, enabling it will break BitLocker.
- on Windows 7, no problem. DEP is enabled by default, but since you are reading this post, you probably want to enforce it.

How to enable DEP on a single computer?

A lot of websites already cover this topic, but they do not explain that the DEP setting can be defined from the command line (as an administrator):
%windir%\system32\bcdedit /set nx [MODE]
where [MODE] is one of AlwaysOff, AlwaysOn, OptOut, OptIn:

- AlwaysOff : This does not provide any DEP coverage for any part of the system, regardless of hardware DEP support. The processor will run in PAE mode with 32-bit versions of Windows unless the /NOPAE option is also present in the boot entry.

- AlwaysOn : This provides full DEP coverage for the entire system. All processes always run with DEP applied. The exceptions list for exempting specific applications from DEP protection is not available. System Compatibility Fixes ("shims") for DEP do not take effect. Applications which have been opted out using the Application Compatibility Toolkit still run with DEP applied.

- OptOut : DEP is enabled by default for all processes. Users can manually create a list of specific applications which do not have DEP applied using System in Control Panel. IT Pros and Independent Software Vendors (ISVs) can use the Application Compatibility Toolkit to opt out one or more applications from DEP protection. System Compatibility Fixes ("shims") for DEP do take effect.

- OptIn : On systems with processors capable of hardware-enforced DEP, DEP is enabled by default for limited system binaries and applications that "opt in".
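As an added example (not code from the original post), here is a PowerShell check that reports which of the four modes is actually in effect, both from the BCD store via bcdedit and from the Win32_OperatingSystem WMI class, so you can confirm a setting before and after rolling it out. It assumes Windows Vista or later (bcdedit exists) and an elevated prompt for the bcdedit query; the function names are my own.

```powershell
# Added example, not from the original post. Reports the effective DEP mode
# so a rollout can be verified. Assumes Vista or later and an elevated prompt
# for bcdedit; the Win32_OperatingSystem query does not need elevation.

# Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy is numeric;
# map it to the names that bcdedit /set nx uses.
$DepPolicyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }

function Get-DepPolicyFromWmi {
    $os = Get-WmiObject Win32_OperatingSystem
    New-Object PSObject -Property @{
        HardwareDepAvailable = $os.DataExecutionPrevention_Available
        Policy               = $DepPolicyNames[[int]$os.DataExecutionPrevention_SupportPolicy]
        AppliesToDrivers     = $os.DataExecutionPrevention_Drivers
        AppliesTo32BitApps   = $os.DataExecutionPrevention_32BitApplications
    }
}

function Get-DepPolicyFromBcd {
    # bcdedit prints the boot entry as "name   value" lines. If no "nx" line is
    # present, the entry carries no override and the default (OptIn) applies.
    $output = & "$env:windir\system32\bcdedit.exe" /enum '{current}' 2>&1
    foreach ($line in $output) {
        if ("$line" -match '^\s*nx\s+(\S+)\s*$') { return $Matches[1] }
    }
    return 'OptIn'
}

function Test-DepPolicy {
    # Returns $true only when both views agree with the mode you meant to deploy.
    param([Parameter(Mandatory=$true)][string]$Expected)
    $valid = 'AlwaysOff', 'AlwaysOn', 'OptOut', 'OptIn'
    if ($valid -notcontains $Expected) { throw "Unknown DEP mode: $Expected" }
    $wmi = (Get-DepPolicyFromWmi).Policy
    $bcd = Get-DepPolicyFromBcd
    Write-Host ("WMI reports {0}, BCD reports {1}, expected {2}" -f $wmi, $bcd, $Expected)
    return ($wmi -eq $Expected) -and ($bcd -eq $Expected)
}

# Usage: Test-DepPolicy -Expected 'AlwaysOn'
```

The two views can legitimately differ right after a bcdedit change: the BCD store reflects the new value immediately, while WMI reports the policy the running kernel booted with, so a mismatch until the next reboot is expected rather than an error.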

How to enable DEP on a domain?

Please note: this is one possible solution for Windows Vista and Windows 7 computers.
1/ Install the PowerShell feature on Windows Vista (it cannot be removed on Windows 7).

2/ Use a startup script to set the Unrestricted execution policy for PowerShell scripts:
- create a GPO
- navigate to Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown)
- add a command startup script: "powershell Set-ExecutionPolicy Unrestricted"

3/ Add this PowerShell script to the Machine > Scripts > Startup folder of the GPO:
###############
# Compare versions as [version] objects: Vista is 6.0 and Windows 7 is 6.1,
# so comparing only the major number would not tell them apart.
$winver = [version](Get-WmiObject Win32_OperatingSystem).Version
$WIN_VISTA = [version]"6.0"
$WIN_7 = [version]"6.1"
$MODE = "AlwaysOn" # or whatever DEP option you want to set
###############
if ($winver -lt $WIN_VISTA) { # code for Windows XP
    # write your own script editing boot.ini (there is no bcdedit on XP)

} elseif ($winver -lt $WIN_7) { # code for Windows Vista
    # check if BitLocker is enabled. see the BitLocker manipulation using PowerShell link below
    # if BitLocker is disabled, then enable DEP

} else { # Windows 7 and greater
    # call bcdedit through the call operator; %windir% is cmd syntax, not PowerShell
    & "$env:windir\system32\bcdedit.exe" /set nx $MODE

}
###############


References
- my colleague Pascal Sauliere, for his advice regarding DEP-related issues on Windows XP and Vista.

4 comments:

  1. Trying to create a DEP exclusion list for a couple of programs through group policy or a startup script. How would I incorporate an exclusion policy via a startup script (for example, for Adobe Acrobat Pro)??

    1. Hi

      Not sure if you would have found the answer by now, but here goes.

      To add exceptions for DEP via Group Policy, you'll need to add registry values to the key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers. Add a new REG_SZ value as the full name of the application you wish to exclude, then set the data as DisableNXShowUI.

      Hope this helps

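As an added example (my own code, not the commenter's), here is a PowerShell script that audits and manages the per-application exceptions stored under the AppCompatFlags\Layers key named in the reply above. It assumes an elevated prompt for the HKLM writes and that the application path exists; the function names are mine. Keep in mind what the post says about modes: in AlwaysOn these exceptions are ignored, so they only have an effect under OptOut.

```powershell
# Added example, not from the original post or the reply. Lists, adds and
# removes DEP exceptions in the Layers key the reply describes. Assumes an
# elevated prompt; the function names are mine.

$LayersKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
# Properties that Get-ItemProperty adds itself and which are not registry values.
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-DepExclusion {
    # Audit view: every application whose layer string disables DEP.
    if (-not (Test-Path $LayersKey)) { return @() }
    $item = Get-ItemProperty -Path $LayersKey
    foreach ($prop in $item.PSObject.Properties) {
        if ($ProviderProps -contains $prop.Name) { continue }
        if ("$($prop.Value)" -match 'DisableNX') {
            New-Object PSObject -Property @{ Application = $prop.Name; Layers = $prop.Value }
        }
    }
}

function Add-DepExclusion {
    # REG_SZ value named after the full application path, data DisableNXShowUI
    # (the layer string given in the reply). Refuses paths that do not exist so a
    # typo cannot leave a dangling exception behind.
    param([Parameter(Mandatory=$true)][string]$ApplicationPath)
    if (-not (Test-Path -LiteralPath $ApplicationPath -PathType Leaf)) {
        throw "Not an existing file: $ApplicationPath"
    }
    if (-not (Test-Path $LayersKey)) { New-Item -Path $LayersKey -Force | Out-Null }
    New-ItemProperty -Path $LayersKey -Name $ApplicationPath -Value 'DisableNXShowUI' `
        -PropertyType String -Force | Out-Null
}

function Remove-DepExclusion {
    param([Parameter(Mandatory=$true)][string]$ApplicationPath)
    Remove-ItemProperty -Path $LayersKey -Name $ApplicationPath -ErrorAction SilentlyContinue
}

# Usage:
#   Get-DepExclusion | Format-Table -AutoSize
#   Add-DepExclusion -ApplicationPath 'C:\Path\To\Application.exe'   # placeholder path
#   Remove-DepExclusion -ApplicationPath 'C:\Path\To\Application.exe'
```

Running Get-DepExclusion as a periodic check is the useful part for a defender: every entry it returns is a process that will run without DEP, so the list should stay short and every item on it should be one you deliberately added.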
  2. That worked a treat "thirdwheel"
    excellent
