18.10.24.7 (L1) Ensure 'System DEP' is set to 'Enabled: Application Opt-Out'

Information

This setting determines how applications become enrolled in Data Execution Protection (DEP).

The recommended state for this setting is: Enabled: Application Opt-Out

DEP marks pages of application memory as non-executable, which reduces a given exploit's ability to run attacker-controlled code.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled: Application Opt-Out :

Computer Configuration\Policies\Administrative Templates\Windows Components\EMET\System DEP

Note: This Group Policy path does not exist by default. An additional Group Policy template ( EMET.admx/adml ) is required - it is included with Microsoft Enhanced Mitigation Experience Toolkit (EMET).

Impact:

DEP protections will be enabled on

all

applications unless EMET has been specifically configured to opt-out of DEP for that application.

See Also

https://workbench.cisecurity.org/benchmarks/15290

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-16, CSCv7|8.3

Plugin: Windows

Control ID: 1e47dafcb3f030a608f22afcdc1e4b9296165c85e6c655437fba90609f3642b7