The Devil's Guide to Windows Vista Security
It sounds good in theory, but too often DEP shuts down legitimate programs -- particularly third-party installers used by software developers that release their products for download off the Web. Just as often, DEP fails to show any sort of warning or information prompt telling you it shut off a process, leaving you scratching your head and wondering why your machine is ignoring you.
You might want to turn off Data Execution Prevention globally by issuing the following at an elevated command prompt (i.e., a shell running with administrative credentials): bcdedit.exe /set {current} nx AlwaysOff
(As you might imagine, it's almost as simple to turn it back on should you want DEP's protection back on your side. The following command will do the trick: bcdedit.exe /set {current} nx AlwaysOn)
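For administrators who need to find machines where this switch has been flipped, the following added example (not part of the original article) parses the text output of `bcdedit /enum` and flags any OS loader entry whose nx policy is AlwaysOff. The sample output is constructed, and the function names are this example's own.

```python
import re

# Constructed sample of `bcdedit /enum` output (not captured from a real host).
SAMPLE = r"""
Windows Boot Manager
--------------------
identifier              {bootmgr}
description             Windows Boot Manager
default                 {current}

Windows Boot Loader
-------------------
identifier              {current}
path                    \Windows\system32\winload.exe
description             Microsoft Windows Vista
osdevice                partition=C:
nx                      AlwaysOff
"""

# The four DEP policies bcdedit accepts for the nx element.
KNOWN = {"optin": "OptIn", "optout": "OptOut",
         "alwayson": "AlwaysOn", "alwaysoff": "AlwaysOff"}

def parse_entries(text):
    """Split bcdedit output into {identifier: {element: value}}."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            # Element lines are "name<2+ spaces>value"; titles and rules do not match.
            m = re.match(r"(\S+)\s{2,}(.+?)\s*$", line)
            if m:
                fields[m.group(1).lower()] = m.group(2)
        if "identifier" in fields:
            entries[fields["identifier"]] = fields
    return entries

def audit_nx(text):
    """Return [(identifier, policy, verdict)] for each OS loader entry."""
    results = []
    for ident, fields in parse_entries(text).items():
        if "osdevice" not in fields:
            continue  # boot manager and similar entries carry no nx policy
        policy = KNOWN.get(fields.get("nx", "").lower())
        if "nx" not in fields:
            verdict = "DEFAULT"   # element absent: the OS default applies
        elif policy is None:
            verdict = "UNKNOWN"   # value this script does not recognise
        else:
            verdict = "FAIL" if policy == "AlwaysOff" else "OK"
        results.append((ident, policy or fields.get("nx"), verdict))
    return results
```

Feed it the saved output of `bcdedit /enum` from each machine; a FAIL row means DEP is disabled for every process on that boot entry.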
Neuter the built-in Windows Internet Explorer protections
The new Protected Mode -- available in Windows Vista -- runs IE in an isolated security setting, working in conjunction with most of the other, under-the-hood architectural improvements in Windows Vista. With Protected Mode enabled, Internet Explorer runs within a low-rights environment no matter which user actually launched the process.
Add-ins, like ActiveX controls and browser toolbars, subsequently run with low rights as well. This helps to prevent browser-based malware from latching onto your system through IE, which was a significant problem in previous versions of Windows.
But maybe you want to surf with all caution thrown to the wind, since you trust yourself. Or maybe some of the restrictions of Protected Mode, like having to open separate windows to switch between intranet sites and Internet sites or other cross-security zone jumps, drive you crazy. In this case, you can turn off Protected Mode by double-clicking the lower right corner of any IE window and, on the resulting Internet Security dialog box (shown in Figure 2), unchecking the Enable Protected Mode box. You'll have to restart IE to make the change effective.
Figure 2: Turning off Protected Mode
For more information:
- Jesper Johansson, former senior security strategist at Microsoft, on UAC
- "What is an administrator account?"
- "Data Execution Prevention: frequently asked questions"
- "Understanding and Working in Protected Mode Internet Explorer"
Jonathan Hassell is an author, consultant and speaker on a variety of IT topics. His published works include RADIUS, Hardening Windows, Using Windows Small Business Server 2003 and Learning Windows Server 2003. His work appears regularly in such periodicals as Windows IT Pro magazine, PC Pro and TechNet Magazine. He also speaks worldwide on topics ranging from networking and security to Windows administration. He is currently an editor for Apress LLC, a publishing company specializing in books for programmers and IT professionals.