PingSentry   |   Discord   |   System32   |   GitHub   |   Free tools

Windows OS: Data Execution Prevention (DEP) must be configured to at least OptOut

df8e6841-1dd4-42ce-b374-28f997e12b6d

Attackers are constantly looking for vulnerabilities in systems and applications. Data Execution Prevention (DEP) prevents harmful code from running in protected memory locations reserved for Windows and other programs.

Remediation

Configure DEP to at least OptOut.
Note: Suspend BitLocker before making changes to the DEP configuration via BCDEDIT

BCEDIT Method:
- Open a command prompt (cmd.exe) or PowerShell with elevated privileges (Run as administrator).
- Enter "BCDEDIT /set nx OptOut".
- "AlwaysOn", a more restrictive selection, is also valid but does not allow applications that do not function properly to be opted out of DEP.

System Properties Method:

  • Open "System" in Control Panel.
  • Select "Advanced system settings".
  • Click "Settings" in the "Performance" section.
  • Select the "Data Execution Prevention" tab.
  • Applications that are opted out are configured in the window below the selection "Turn on DEP for all programs and services except those I select:".

STIG
Desktop
W11: https://stigviewer.com/stigs/microsoft_windows_11/2024-09-12/finding/V-253283
W10: https://stigviewer.com/stigs/microsoft_windows_10/2024-11-25/finding/V-220726

NIST 800-53: CM-7(2)
CSCv6: 8.4
NIST 800-171 Rev2: 3.4.7
NIST 800-171 Rev3 FPD: 3.4.8.b
NIST 800-171 Rev3: 03.04.08.b
CMMC v2.0 L2: CM.L2-3.4.7
CMMC V2.1 L2: CM.L2-3.4.7



Tags

stig-high-desktop desktop compliance-desktop security-desktop nist800-53-desktop cmmc2-l2-desktop nist800-171-desktop cis-csc-desktop

Your Privacy Choices

Manage your cookie preferences below:

Helps us improve website performance and understand how visitors use our site.

Allows us to collect feedback about our products and improve them based on your input.

To learn more about our use of cookies, please see our
Privacy Policy.