Windows Vista and Windows 7 contain a security feature called SEHOP (also known as SEH chain validation) that is disabled by default due to compatibility concerns. Basically, it walks through a program's heap allocation, looks for breaks in the execution order, and kills the process if it finds any. This is the general profile of a buffer overflow attack on an application, and SEHOP is extremely effective at stopping the drive-by downloads that have been such a problem lately.

http://support.microsoft.com/kb/956607

To enable it, create a DWORD value called "DisableExceptionChainValidation" set to 0 in HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel and reboot. Your systems likely do not have this registry value, and the kernel defaults to disabling SEHOP if it isn't found in the registry.

This, in conjunction with DEP OptOut mode and the Heap Randomization also introduced with Vista, goes a very long way toward locking down your systems even if they are running software with known exploits. It obviously isn't going to help much with problems originating from behind the keyboard, but hopefully your AV software can handle that. I provided a script that can enable DEP on systems in a Feb 9th post entitled "Enabling DEP on Workstations".

The biggest drawbacks seem to be compatibility issues with Cygwin and Skype, but since this feature is enabled by default on Windows Server 2008 and 2008 R2, I am assuming that new versions have fixed them at this point (I don't use either program). The performance impact seems to be unnoticeable.
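
One way to audit and apply the registry setting described above, as an added example (not the script from the earlier post). It assumes an elevated Windows PowerShell 2.0 or later session and the full key path given in KB956607; the function names Get-SehopState and Enable-Sehop are hypothetical.

```powershell
# Added example: audit and enable system-wide SEHOP. Function names are hypothetical.
# Run from an elevated prompt; a change only takes effect after a reboot.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'
$ValueName = 'DisableExceptionChainValidation'

function Get-SehopState {
    # Report the configured value and the state it produces after a reboot.
    $props = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    # ProductType 1 is a workstation (client) OS; 2 and 3 are server roles.
    $isClient = (Get-WmiObject -Class Win32_OperatingSystem).ProductType -eq 1

    if ($null -eq $props) {
        # Value absent: the OS default applies (off on clients, on for
        # Server 2008 / 2008 R2, as the post describes).
        $configured = 'NotConfigured'
        $effective  = -not $isClient
    } else {
        $configured = [int]$props.$ValueName
        $effective  = ($configured -eq 0)   # 0 = chain validation not disabled
    }
    New-Object PSObject -Property @{
        Computer     = $env:COMPUTERNAME
        Configured   = $configured
        SehopEnabled = $effective
    }
}

function Enable-Sehop {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ((Get-SehopState).SehopEnabled) {
        Write-Output 'SEHOP is already configured on; nothing to change.'
        return
    }
    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", 'Set DWORD to 0')) {
        # -Force overwrites an existing value, e.g. one previously set to 1.
        New-ItemProperty -Path $KeyPath -Name $ValueName `
            -PropertyType DWord -Value 0 -Force | Out-Null
        Write-Output 'DisableExceptionChainValidation set to 0. Reboot to apply.'
    }
}

Get-SehopState          # audit only
Enable-Sehop -WhatIf    # preview; drop -WhatIf to write the value
```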