Rule 5: Use Exploit Mitigation Technologies
What can you expect from this document:
This document covers some basic security best practices for preventing exploit attacks on your computer system.
What is the threat?
An exploit is a piece of code developed to attack a computer system by taking advantage of a vulnerability of that system. In most cases, exploits trigger memory corruption. In this article we will provide simple guidelines for improving security with minimal effort.
Exploit Mitigations in Windows
Windows provides out-of-the-box functionality to decrease the reliability and success rate of exploits.
The comparison of exploit patterns across different systems shows a clear trend: newer software releases, like Windows 7 and the 2007 Microsoft Office system, are consistently less prone to active exploitation of vulnerabilities than older releases.
These are some of the significant exploit mitigation technologies that have been added to Windows over the past few years:
1. Data Execution Prevention (DEP): Buffer overflow attacks, in which an attacker forces a program or component to store malicious code in an area of memory not intended for it, are some of the most common exploits seen today. DEP is a Windows feature that enables the system to mark one or more pages of memory as non-executable. Marking the memory regions as non-executable means that code cannot be run from that region of memory, which makes it harder for exploits involving buffer overruns to succeed.
DEP was introduced in Windows XP SP2 and has been included in all subsequent releases of Windows desktop and server operating systems. For application compatibility reasons, DEP is “opt-in” in Windows XP, Windows Vista, and Windows 7. DEP protects the operating system and core system files by default, but application developers or IT administrators must specifically configure other programs to take advantage of DEP. DEP is “opt-out” in Windows Server operating systems, meaning that DEP is enabled for all programs unless specifically disabled for a certain program.
2. Address Space Layout Randomization (ASLR): In older versions of Windows, core processes tended to be loaded into predictable memory locations upon system startup. Some exploits target memory locations that are known to be associated with particular processes. ASLR randomizes the memory locations used by system files and other programs, making it much harder for an attacker to correctly guess the location of a given process. The combination of ASLR and DEP creates a great barrier for attackers to overcome.
Note: ASLR and DEP do not protect you against all types of buffer overflow attacks. Make sure you install patches regularly and promptly.
ASLR was introduced in Windows Vista and has been included in all subsequent releases of Windows. As with DEP, ASLR is only enabled by default for core operating system binaries and applications that are explicitly configured to use it via a new linker switch.
How to check if the option Turn on DEP for all programs and services is enabled:
- Click Control Panel > System and Security > System > Advanced System Settings.
- In the System Properties window that opens, click the Advanced tab.
- In the Performance section, click Settings.
- Click the Data Execution Prevention tab.
- Check if the following setting is selected: *Turn on DEP for all programs and services, except those I select*
- If not, enable this option.
Note: Don't add exceptions here if you are not aware of the consequences!
To improve the security of computer systems, Microsoft offers EMET, the Enhanced Mitigation Experience Toolkit. For further information, see the links below.
- ASLR: https://en.wikipedia.org/wiki/Address_space_layout_randomization
- DEP: https://en.wikipedia.org/wiki/Executable_space_protection#Windows
- Exploit Mitigations in Windows: https://www.microsoft.com/security/sir/strategy/default.aspx#!section_3_3
- Securing Windows Server 2012R2: https://technet.microsoft.com/en-us/library/hh831360.aspx
- EMET on servers: https://blogs.technet.microsoft.com/srd/2015/10/20/emet-to-be-or-not-to-be-a-server-based-protection-mechanism/
- EMET installation guide: https://www.trustedsec.com/november-2014/emet-5-1-installation-guide/
The contribution provided by Microsoft is intended to serve general information purposes and the content is AS IS without any express or implied warranties of any kind with respect to the accuracy, correctness or reliability. The information is provided without any warranty of fitness for a particular purpose. The information is compiled with the necessary care, however no liability is assumed in this respect, in particular with regard to the absence of errors, topicality with regard to the specific state of knowledge or use as the basis for the responsible decisions of the user.
Content provided by 1&1