Wednesday, June 10, 2009

[THIN] Re: Change DEP to "essential services only" for all CTX Servers?

DEP settings are contained in the boot.ini file of a server, hence once they are changed the
server needs to be rebooted for them to take effect.

DEP switches in the Windows boot file Boot.ini
Global DEP settings for Windows can be made with a switch called "noexecute" in the Boot.ini
file. Configuring via Boot.ini is convenient for systems administrators since it can be scripted.
Two additional configuration settings not present in the graphical interface already discussed are
available. Thus, there are four DEP configuration settings possible in Boot.ini, corresponding
to four possible values for the switch "/noexecute". Unfortunately, the notation used is
confusing; the switch values don't always mean what you might think they mean. Table I
describes the four possibilities. The first two are equivalent to the settings already described
above. The last two are for systems administrators and override user settings.

Table I. Possible values for switch "noexecute"

Configuration - Description
OptIn - The default value. Limits DEP to Windows system binaries.
OptOut - Turns on DEP for all programs and services. (Yes, the name seems contradictory.)
AlwaysOn - This setting provides full DEP coverage for the whole system with no exceptions and
cannot be changed by the GUI method described previously. For systems administrators.
AlwaysOff - This setting turns DEP off for the whole system, regardless of hardware DEP support,
and cannot be changed by the GUI method described previously. For systems administrators.

How to Determine What DEP Policies are in Effect
Using the Wmic command-line tool to check if hardware DEP was available was described above.
This tool can also be used to determine which of the four configurations or policies described in
Table I are in effect. Open a command prompt and enter
wmic OS Get DataExecutionPrevention_SupportPolicy
The command will return an integer from 0 to 3. The meaning of the output is given in Table II.

Table II. Determining DEP policies

Output - Policy in effect
0 - AlwaysOff
1 - AlwaysOn
2 - OptIn (default)
3 - OptOut

--
Warren Simondson

Ctrl-Alt-Del IT Consultancy Pty Ltd

Website: http://www.ctrl-alt-del.com.au


On Wed, Jun 10th, 2009 at 3:29 PM, James Scanlon <scanjam@hotmail.com> wrote:

>
> Any ideas how to change the Server D.E.P settings via script or GPO?
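
A scripted edit of the switch discussed in this thread, as an added example that is not part of the original post or the article it quotes. The function name Set-NoExecuteSwitch, the sample boot.ini contents and the sample query result are constructed for illustration, and the code works on text in memory rather than on a live boot.ini.

```powershell
# Table II from the post: integer returned by the wmic query -> policy name.
$PolicyByWmicCode = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }

function Set-NoExecuteSwitch {   # hypothetical helper name
    param(
        [string[]]$BootIniLines,
        [ValidateSet('OptIn', 'OptOut', 'AlwaysOn', 'AlwaysOff')]
        [string]$Policy
    )
    $inOsSection = $false
    foreach ($line in $BootIniLines) {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            # Section header: only entries under [operating systems] carry boot switches.
            $inOsSection = ($Matches[1] -eq 'operating systems')
            $line
        }
        elseif ($inOsSection -and $line -match '=') {
            if ($line -match '/noexecute=\w+') {
                # Replace the existing value, whatever its letter case.
                $line -replace '/noexecute=\w+', "/noexecute=$Policy"
            }
            else {
                # Entry has no DEP switch yet: append one.
                "$($line.TrimEnd()) /noexecute=$Policy"
            }
        }
        else {
            $line   # [boot loader] settings and blank lines pass through untouched
        }
    }
}

# Constructed sample boot.ini, not taken from a real server.
$sample = @(
    '[boot loader]',
    'timeout=30',
    'default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS',
    '[operating systems]',
    'multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows Server 2003" /fastdetect /NoExecute=OptIn',
    'multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Second install" /fastdetect'
)
Set-NoExecuteSwitch -BootIniLines $sample -Policy OptOut

# After the reboot, translate the integer from the wmic query using Table II.
$code = 3   # constructed value standing in for the query result
# The [int] cast matters: the hashtable keys are Int32, and a WMI value of another numeric type would not match.
"Policy in effect: $($PolicyByWmicCode[[int]$code])"
```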
