Data Execution Prevention
DEP can be enabled by modifying the system’s boot.ini file or through the Control Panel. The Control Panel cannot be used to configure the AlwaysOn or AlwaysOff setting. Both methods require Administrator privilege on the system.
To enable DEP through the boot.ini file, add one of the following flags to the end of each line in the [operating systems] section:
/noexecute=AlwaysOn
/noexecute=OptOut
Save the changes and reboot the system. These changes can also be made using the bootcfg.exe tool in Windows XP Professional.
Red Hat Enterprise Linux version 3 Update 3 and later, and Fedora Core 1 and later, provide DEP and address space layout randomization as part of the ExecShield feature. It is enabled by default. To verify, issue:
sysctl kernel.exec-shield
The expected output is 1. If the output is not 1, investigate /etc/sysctl.conf and the startup scripts to re-enable ExecShield. ExecShield provides hardware-enforced DEP even on older systems by using the code segment limit on all x86 processors. For further protection, install the kernel-PAE package to make use of the processor’s XD or NX feature.
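One way to carry out the investigation described above when the value is not 1, as an added example that is not part of the original post. The function names and verdict strings are illustrative, the sample files are constructed, and it assumes the last assignment in sysctl.conf is the one that takes effect.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): find what turns ExecShield off.
# Print the effective kernel.exec-shield value in a sysctl.conf-style file
# (last assignment wins); prints "unset" if the key never appears.
execshield_conf_value() {
    awk '
        /^[ \t]*[#;]/ { next }                  # comment lines
        {
            line = $0
            gsub(/[ \t\r]/, "", line)           # "key = value" -> "key=value"
            n = index(line, "=")
            if (n == 0) next
            key = substr(line, 1, n - 1)
            gsub("/", ".", key)                 # kernel/exec-shield is also accepted
            if (key == "kernel.exec-shield") val = substr(line, n + 1)
        }
        END { print (val == "" ? "unset" : val) }
    ' "$1"
}

# List file:line:text for uncommented startup-script lines that write the
# setting, via "sysctl -w" or a redirect into /proc/sys.
execshield_script_writes() {
    grep -nHE '^[^#]*(sysctl[[:space:]].*kernel[./]exec-shield[[:space:]]*=|>[[:space:]]*/proc/sys/kernel/exec-shield)' "$@" || true
}

# Verdict from the runtime value (sysctl -n kernel.exec-shield) and a conf file.
execshield_verdict() {
    local runtime="$1" conf
    conf=$(execshield_conf_value "$2")
    case "$runtime:$conf" in
        1:unset|1:1) echo "ok" ;;
        1:*)         echo "enabled-now-but-conf-sets-$conf" ;;
        *:unset|*:1) echo "disabled-check-startup-scripts" ;;
        *)           echo "disabled-by-sysctl-conf" ;;
    esac
}

# Constructed sample: a conf file that enables then disables ExecShield,
# and a startup script with one commented-out write and one live write.
demo() {
    local d; d=$(mktemp -d)
    printf '%s\n' '# hardening' 'kernel.exec-shield = 1' 'kernel/exec-shield=0' > "$d/sysctl.conf"
    printf '%s\n' '#!/bin/sh' '# echo 1 > /proc/sys/kernel/exec-shield' 'echo 0 > /proc/sys/kernel/exec-shield' > "$d/rc.local"
    execshield_verdict 0 "$d/sysctl.conf"
    execshield_script_writes "$d/rc.local" | sed "s|^$d/||"
    rm -rf "$d"
}
demo
```

On a live host, pass the output of `sysctl -n kernel.exec-shield` and `/etc/sysctl.conf` to `execshield_verdict`, and point `execshield_script_writes` at the startup scripts in use on that system.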
Posted by Sarath at 10/23/2007 01:58:00 am