
I'm guessing that like others on campus, we started seeing a larger volume
of user profile viruses beginning this fall that were proving to be quite
the headache. Our solution was to force DEP to execute in OptOut mode
instead of its default of OptIn on Microsoft's workstation OSes. It's proven
extremely effective in stopping the bulk of these exploits before they have
a chance to execute. If you aren't familiar with DEP, here is some reading I
would recommend: http://support.microsoft.com/kb/875352

You'll need to do some extensive software testing before you roll it out,
but it is possible to set up process exclusions if you do hit a conflict.
Older java applications are the worst about this, but I have found that
replacing the jvm.dll file in the JRE with one from JRE1.6 through JRE 1.6u9
(anything after that is a major overhaul and doesn't work) fixes
compatibility. I wrote this script and set it to execute at system shutdown,
but system startup should work as well. I wouldn't recommend adding it to a
user logon script since it requires admin rights.

I didn't write any error handling for systems that don't support the NX bit
as we don't have those in our environment. Keep that in mind if it is the
case for you.


@echo off
Echo DEP OptOut Mode Script for Windows XP/Vista/2003/2008
Echo.
Echo David Graff
Echo Michigan State University Physical Plant
Echo [log in to unmask]
Echo 12/28/2009 v1.3
Echo.

Echo.
Echo Detecting Operating System:
REM Match the kernel build in the "ver" output: XP (5.1.2600), 2003 (5.2.3790),
REM Vista/2008 (6.0.600x) and 7/2008 R2 (6.1.7xxx). Anything else is unsupported.
ver | find "5.1.2600" > NUL && goto XP
ver | find "5.2.3790" > NUL && goto 2003
ver | find "6.0.600" > NUL && goto Vista_2008
ver | find "6.1.7" > NUL && goto Vista_2008
goto wrong_OS


:XP
:2003
Echo.
Echo Windows XP/2003 detected
Echo.
REM XP/2003 keep the DEP policy as a /NoExecute switch in boot.ini; skip if already OptOut/AlwaysOn.
if not exist %homedrive%\boot.ini goto boot.ini_not_found
find /I "/NoExecute=OptOut" %homedrive%\boot.ini > NUL && goto DEP_on
find /I "/NoExecute=AlwaysOn" %homedrive%\boot.ini > NUL && goto DEP_on
Echo Updating boot.ini
Echo.
REM bootcfg rewrites the load options of boot entry 1; it fails without admin rights.
bootcfg /raw "/fastdetect /NoExecute=OptOut" /id 1 || goto admin_rights
Echo.
eventcreate /id 1 /l SYSTEM /so "Data Execution Prevention" /t INFORMATION /d "Data Execution Prevention policy successfully changed to Opt Out mode."
exit /b 0


:Vista_2008
Echo.
Echo Windows Vista/2008/7 detected
Echo.
REM Vista and later store the policy in the BCD; bcdedit needs an elevated prompt.
bcdedit.exe > NUL || goto admin_rights
bcdedit.exe | find /I "OptOut" > NUL && goto DEP_on
bcdedit.exe | find /I "AlwaysOn" > NUL && goto DEP_on
Echo Enabling DEP OptOut mode.
bcdedit.exe /set nx OptOut > NUL || goto admin_rights
Echo.
eventcreate /id 10 /l SYSTEM /so "Data Execution Prevention" /t INFORMATION /d "Data Execution Prevention policy successfully changed to Opt Out mode."
exit /b 0


:wrong_OS
eventcreate /id 1 /l SYSTEM /so "Data Execution Prevention" /t WARNING /d "OS not supported. Data Execution Prevention cannot be enabled."
exit /b 1

:boot.ini_not_found
echo boot.ini file not found. Aborting script.
eventcreate /id 2 /l SYSTEM /so "Data Execution Prevention" /t ERROR /d "Boot.ini file not found. Data Execution Prevention policy cannot be set."
exit /b 2

:DEP_on
echo DEP already enabled.
eventcreate /id 10 /l SYSTEM /so "Data Execution Prevention" /t INFORMATION /d "Data Execution Prevention policy already set to OptOut or AlwaysOn."
exit /b 0

:admin_rights
echo Command failed. Verify that script was executed with admin rights.
echo Aborting script.
eventcreate /id 4 /l SYSTEM /so "Data Execution Prevention" /t ERROR /d "A general failure occurred while attempting to change Data Execution Prevention policy. Make sure that the script was run with admin credentials."
exit /b 4
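As an added example that is not part of the original post or its batch script, the PowerShell below audits the same DEP state through the Win32_OperatingSystem WMI class (which reports the policy the kernel actually applied, not just what the boot configuration says), adds the NX-availability check the post says the batch script leaves out, lists any per-process exclusions already configured, and only changes the policy with bcdedit when run with -Apply. It assumes PowerShell 3 or later on Vista/2008 or newer; on XP/2003 it reports the state and leaves the boot.ini edit to the batch script. The parameter name -Apply and the exit codes are this example's own choices.

```powershell
# Added example (not from the original post): audit DEP policy and NX support,
# list existing process exclusions, and optionally switch the policy to OptOut.
[CmdletBinding()]
param(
    [switch]$Apply   # assumption: without -Apply the script only reports
)

# Win32_OperatingSystem exposes the DEP state the running kernel applied.
$os = Get-CimInstance -ClassName Win32_OperatingSystem

# Documented values of DataExecutionPrevention_SupportPolicy.
$policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
$policy = [int]$os.DataExecutionPrevention_SupportPolicy

[pscustomobject]@{
    Host           = $os.CSName
    Version        = $os.Version
    NxAvailable    = $os.DataExecutionPrevention_Available
    Policy         = $policyNames[$policy]
    Covers32Bit    = $os.DataExecutionPrevention_32BitApplications
    CoversDrivers  = $os.DataExecutionPrevention_Drivers
} | Format-List

# Exclusions added through System Properties are stored as compatibility
# layers: value name = executable path, value data contains DisableNXShowUI.
# Listing them keeps the exclusion inventory visible during an audit.
$layers = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
if (Test-Path $layers) {
    $key = Get-Item -Path $layers
    $excluded = $key.GetValueNames() | Where-Object { $key.GetValue($_) -match 'DisableNXShowUI' }
    if ($excluded) {
        Write-Host 'DEP process exclusions currently configured:'
        $excluded | ForEach-Object { Write-Host "  $_" }
    }
}

# The case the batch script does not handle: no NX support, so hardware DEP
# cannot be enforced regardless of the policy setting.
if (-not $os.DataExecutionPrevention_Available) {
    Write-Warning 'No NX support reported; hardware DEP cannot be enabled on this host.'
    exit 3
}

if ($policy -in 1, 3) {
    Write-Host "DEP already enforced ($($policyNames[$policy])); nothing to do."
    exit 0
}

if (-not $Apply) {
    Write-Host "Policy is $($policyNames[$policy]). Re-run with -Apply to set OptOut."
    exit 0
}

# XP/2003 keep the policy in boot.ini; leave that to the bootcfg step above.
if ([version]$os.Version -lt [version]'6.0') {
    Write-Warning 'Pre-Vista host: update boot.ini with bootcfg instead of bcdedit.'
    exit 1
}

# bcdedit needs an elevated session; a non-zero exit means it could not write the BCD.
& bcdedit.exe /set nx OptOut | Out-Null
if ($LASTEXITCODE -ne 0) {
    Write-Error "bcdedit failed (exit $LASTEXITCODE); run from an elevated prompt."
    exit 4
}
Write-Host 'DEP policy set to OptOut; the change takes effect after a reboot.'
```

Run it once without -Apply across a test group to see which hosts report NX unavailable or already carry exclusions before rolling the policy change out; the exclusion list is also a useful thing to compare against the software-testing results the post recommends.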