Vista and Windows 7 contain a security feature called SEHOP (also known as
SEH chain validation) that is disabled by default due to compatibility
concerns. Basically, it walks through a program's heap allocation and looks
for breaks in the execution order and kills the process if found. This is
the general profile for buffer overflow attacks on an application and it is
extremely effective at stopping the drive-by downloads that have been such a
problem lately. http://support.microsoft.com/kb/956607
To enable it, you need to create a DWORD called
"DisableExceptionChainValidation" = 0 in
HKLM\SYSTEM\CurrentControlSet\Session Manager\kernel and reboot. Your
systems likely do not have this registry value and the kernel will default
to disabling SEHOP if it isn't found in the registry. This, in conjunction
with DEP OptOut mode and Heap Randomization also introduced with Vista, goes
a very long way to locking down your systems even if they are running
software with known exploits. It obviously isn't going to help much with
problems originating from behind the keyboard, but hopefully your AV
software can handle that. I provided a script that can enable DEP on systems
on a Feb 9th post entitled "Enabling DEP on Workstations".
The biggest drawbacks seem to be compatibility issues with Cygwin and Skype,
but since this feature is enabled by default on 2008 and 2008 R2 I am
assuming that new versions have fixed it at this point (I don't use either
program). The performance impact seems to be unnoticeable.
|