Information
This setting determines how applications become enrolled in Data Execution Prevention (DEP).
The recommended state for this setting is: Enabled: Application Opt-Out.
Rationale:
DEP marks pages of application memory as non-executable, which reduces a given exploit's ability to run attacker-controlled code.
Solution
To establish the recommended configuration via GP, set the following UI path to Enabled: Application Opt-Out:
Computer Configuration\Policies\Administrative Templates\Windows Components\EMET\System DEP
Note: This Group Policy path does not exist by default. An additional Group Policy template (EMET.admx/adml) is required; it is included with the Microsoft Enhanced Mitigation Experience Toolkit (EMET).
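The following PowerShell audit script is an added example, not part of the benchmark text or of EMET itself. It reports whether the EMET System DEP policy is set to Application Opt-Out on the local machine and, as a corroborating check, the effective system-wide DEP mode. The registry location and value encoding are assumptions drawn from the EMET.admx template as the author understands it (HKLM\SOFTWARE\Policies\Microsoft\EMET\SysSettings, value DEP, with 2 meaning Application Opt Out); confirm them against the EMET.admx shipped with your EMET version before relying on the result.

```powershell
# Added audit example (not the benchmark's or EMET's own code).
# Assumption: the EMET.admx "System DEP" setting writes to the path below as
# DWORD DEP: 0 = Disabled, 1 = Application Opt In, 2 = Application Opt Out,
# 3 = Always On. Verify against your EMET.admx before relying on this.
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\EMET\SysSettings'
$expected   = 2   # Application Opt Out, the recommended state

$depNames = @{ 0 = 'Disabled'; 1 = 'Application Opt In'; 2 = 'Application Opt Out'; 3 = 'Always On' }

function Get-EmetDepPolicy {
    # Returns the configured value, or $null when the key or value is absent.
    # Absence is the default state: the GP path only exists once EMET.admx is loaded
    # and the setting has been configured.
    $item = Get-ItemProperty -Path $policyPath -Name 'DEP' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.DEP
}

function Get-EffectiveDepPolicy {
    # Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy reports the OS-level
    # DEP mode regardless of how it was configured:
    # 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn, 3 = OptOut
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $names = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    $code  = [int]$os.DataExecutionPrevention_SupportPolicy
    if ($names.ContainsKey($code)) { return $names[$code] }
    return "Unknown ($code)"
}

$configured = Get-EmetDepPolicy
if ($null -eq $configured) {
    Write-Output 'EMET System DEP policy: not configured (FAIL - expected Application Opt Out)'
} elseif ($configured -eq $expected) {
    Write-Output "EMET System DEP policy: $($depNames[$configured]) (PASS)"
} else {
    $label = if ($depNames.ContainsKey($configured)) { $depNames[$configured] } else { "Unknown ($configured)" }
    Write-Output "EMET System DEP policy: $label (FAIL - expected Application Opt Out)"
}

Write-Output "Effective system DEP policy (WMI): $(Get-EffectiveDepPolicy)"
```

Run it in an elevated PowerShell session after a Group Policy refresh. The first check tells you whether the policy object is in the recommended state; the second reports what the operating system is actually enforcing, which is the value worth comparing across hosts when the policy appears correct but applications are still running without DEP.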
Impact:
DEP protections will be enabled for all applications unless EMET has been specifically configured to opt a given application out of DEP.
Default Value:
User configured.
References:
1. CCE-35484-5