UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Data Execution Prevention (DEP) must be configured to at least OptOut.


Overview

Finding ID Version Rule ID IA Controls Severity
V-220726 WN10-00-000145 SV-220726r851966_rule High
Description
Attackers are constantly looking for vulnerabilities in systems and applications. Data Execution Prevention (DEP) prevents harmful code from running in protected memory locations reserved for Windows and other programs.
STIG Date
Microsoft Windows 10 Security Technical Implementation Guide 2023-09-29

Details

Check Text ( C-22441r554663_chk )
Verify the DEP configuration.
Open a command prompt (cmd.exe) or PowerShell with elevated privileges (Run as administrator).
Enter "BCDEdit /enum {current}". (If using PowerShell "{current}" must be enclosed in quotes.)
If the value for "nx" is not "OptOut", this is a finding.
(The more restrictive configuration of "AlwaysOn" would not be a finding.)
Fix Text (F-22430r554664_fix)
Configure DEP to at least OptOut.

Note: Suspend BitLocker before making changes to the DEP configuration.

Open a command prompt (cmd.exe) or PowerShell with elevated privileges (Run as administrator).
Enter "BCDEDIT /set {current} nx OptOut". (If using PowerShell "{current}" must be enclosed in quotes.)
"AlwaysOn", a more restrictive selection, is also valid but does not allow applications that do not function properly to be opted out of DEP.

Opted out exceptions can be configured in the "System Properties".

Open "System" in Control Panel.
Select "Advanced system settings".
Click "Settings" in the "Performance" section.
Select the "Data Execution Prevention" tab.
Applications that are opted out are configured in the window below the selection "Turn on DEP for all programs and services except those I select:".