This article is part of an Essential Guide, our editor-selected collection of our best articles, videos and other content on this topic. Explore more in this guide:
2. - Windows XP end-of-life triage: XP security tactics: Read more in this section
- How to use Windows Event logs to detect a targeted attack
- ASLR and DEP: Two critical Windows XP security features
- Use EMET to harden Windows XP against attacks
Explore other sections in this guide:
- 1. - Ripped from the headlines: Windows XP security dangers
- 3. - Windows XP end-of-life transition: XP migration planning
However, these security features only work if they are incorporated into an application by developers and Secunia's report (.pdf) reveals that many popular software applications don't yet support them, or developers improperly implement them. At the time of the report, Java, Apple QuickTime, Foxit Reader, Google Picasa, OpenOffice.org, RealPlayer and VLC media player all failed to integrate either DEP or ASLR. I imagine this is why many malicious hackers attack applications rather than Windows itself, as most Microsoft-built applications take full advantage of DEP and ASLR. Thankfully, since the report was published, several vendors have added support for these security options in recent patches, or are in the process of doing so.
I imagine the main reasons many organizations don't turn on DEP or ASLR Windows security features are time and money. However, having enterprise developers learn how to incorporate these security controls into internal applications is certainly recommended. If the enterprise's developers use Microsoft's Visual Studio, then implementing these two security features is fairly trivial and the process well documented. There are also several Microsoft resources online that provide step-by-step instructions on how to incorporate them into programs. The Visual C++ Team Blog covers setting the linker options /DYNAMICBASE and /NXCOMPAT: /DYNAMICBASE modifies the header of an executable to indicate whether the application should be randomly rebased at load time by the OS. ASLR and /NXCOMPAT are used to specify an executable as compatible with DEP. You can set these two options explicitly in Visual Studio and in Visual Studio 2010; the default setting is already set to "on."
Windows Vista SP1, Windows XP SP3 and Windows Server 2008 add a new API, SetProcessDEPPolicy, which allows a developer to set DEP on the process at runtime rather than using linker options. Microsoft's Michael Howard explains this in more detail on his blog while the MSDN Library covers some of the programming considerations and application compatibility issues you will need to take into account when using these controls.
ASLR and DEP are two important security features that enterprises should look to incorporate into their applications. Microsoft provides lots of information about how to do this, so even though it may be something new for developers to learn, it's not difficult, and applications will be a lot more secure as a result.