Browsium

Knowledge Base

Knowing when to enable/disable DEP/NX with Ion

Applies to

Ion 2.x

Summary

This article details how and when to disable or enable support for DEP/NX within Ion profiles.

What is DEP/NX?

At a high level, DEP and NX are hardware-level security improvements created out of the security crisis of the early 2000s. Essentially, DEP and NX help prevent rogue, malicious or hacked software from running data in memory as executable code. It’s a common attack vector: load data into memory on the machine, and then trick Windows into ‘running’ that attacker-controlled memory instead of a real program. With DEP/NX, anything loaded into memory is marked as either executable or data, and if an attempt is made to run memory marked as data, DEP/NX forces the app to crash. Better to crash (and thus stop running) than to allow a rogue program access to your system! DEP/NX is enabled at the hardware level (although Windows attempts to emulate DEP/NX in software if you’re running on old hardware that doesn’t support it). Other modern operating systems such as Linux and Mac OS also support DEP/NX.

DEP/NX support is a good thing: it helps limit hacker attack vectors and reduces the risk that the bad guys can get arbitrary software to run on your computer. DEP/NX is part of Microsoft’s broad defense-in-depth strategy to mitigate the threat of attack (alongside technologies such as ASLR, SafeSEH and Enhanced GS).

DEP and NX are useful tools in the fight for security, but there’s a problem: benign applications (or browser add-ons including toolbars and ActiveX controls) written before the introduction of DEP/NX (essentially, written prior to 2004) can inadvertently trip the security feature despite not having any malicious intent. In fact, DEP/NX was first included in Windows XP Service Pack 2 (released in 2004) and Internet Explorer 7 (released in 2006), but was disabled in IE primarily due to incompatibility with older add-ons. Here’s a quote from Microsoft:

Internet Explorer 7 had DEP/NX disabled by default because Microsoft had identified compatibility problems. Essentially, IE7 with DEP/NX enabled failed to play well with browser add-ons that were put together using an outdated variant of the ATL library. (link)

Compatibility or security?

In essence, old add-ons built with this type of common code library often caused the DEP/NX feature to close legitimate add-ons, which in turn crashed the browser as well. This left IT with a difficult choice: compatibility or security. IT could either enable DEP/NX for maximum security, or leave it disabled for maximum compatibility.

It is of course these older versions of web pages and add-ons that Ion is designed to help run. Many of the applications and add-ons we see our customers using were written and designed around 10 years ago, well prior to the introduction of DEP/NX.

What’s DEP/NX got to do with Ion?

Enter the Browsium solution: we work with the Windows architecture and allow you to turn DEP/NX off only for the older web applications that aren’t compatible with this useful security feature. You can turn DEP/NX off via an Ion Profile for a single application or web page and keep DEP/NX enabled for the browser everywhere else! It’s the best of both worlds: maximum compatibility with the old apps you want to run, and maximum security with the open Internet.

For each individual profile in Ion, there’s an option that you can toggle to enable or disable DEP/NX. Simply disable this option for any Ion Profile, and DEP/NX will be disabled for that Profile alone, which grants you maximum compatibility with your old applications and add-ons. Enabling or disabling this feature does not affect add-ons running in your installed browser, meaning you can keep DEP/NX enabled for your users while they browse the Internet at large (keeping them more secure), but when Ion loads this custom Profile for your internal web application, DEP/NX is disabled for that site only.

Here’s where you toggle the option in Ion clients. Note that by default, DEP/NX is disabled in IE Quirks, Adaptive IE Quirks and IE7 profiles in Ion:

[Screenshot: the DEP/NX option in an Ion Profile]

OS Compatibility

Corporations running Windows XP SP3, Windows Vista or Windows 7 or later can all take advantage of this option. Windows XP SP2 supports DEP/NX in the OS, but does not support third-party applications such as Ion enabling or disabling the functionality programmatically.
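To confirm which processes are actually running with DEP/NX off after a Profile is deployed, the per-process policy can be read through the Windows `GetProcessDEPPolicy` API. The script below is an added example and is not Browsium's code; the default process name `iexplore` is an assumption (this article does not say which process hosts an Ion Profile), and it assumes PowerShell 3.0 or later.

```powershell
# Added example (not Browsium code): report the DEP policy of running processes.
param(
    [string[]]$Name = @('iexplore')   # assumption: names of the processes to audit
)

# P/Invoke signatures for the documented kernel32 functions used below.
Add-Type -Namespace Audit -Name Dep -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetProcessDEPPolicy(IntPtr process, out uint flags, out bool permanent);
[DllImport("kernel32.dll")]
public static extern bool CloseHandle(IntPtr handle);
'@

$PROCESS_QUERY_INFORMATION               = 0x0400
$PROCESS_DEP_ENABLE                      = 0x1
$PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION = 0x2

Get-Process -Name $Name -ErrorAction SilentlyContinue | ForEach-Object {
    $row = [ordered]@{ Name = $_.ProcessName; Id = $_.Id; Dep = 'unknown'
                       AtlThunkEmulation = $null; Permanent = $null }
    $handle = [Audit.Dep]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, [uint32]$_.Id)
    if ($handle -eq [IntPtr]::Zero) {
        $row.Dep = 'cannot open process (access denied or already exited)'
    } else {
        try {
            [uint32]$flags = 0
            [bool]$permanent = $false
            if ([Audit.Dep]::GetProcessDEPPolicy($handle, [ref]$flags, [ref]$permanent)) {
                $enabled = ($flags -band $PROCESS_DEP_ENABLE) -ne 0
                $row.Dep = if ($enabled) { 'enabled' } else { 'DISABLED' }
                # ATL thunk emulation is only meaningful while DEP is enabled.
                $row.AtlThunkEmulation = $enabled -and
                    (($flags -band $PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION) -eq 0)
                $row.Permanent = $permanent
            } else {
                # The API is 32-bit only; 64-bit processes always run with DEP on.
                $row.Dep = 'query failed (expected for 64-bit processes, where DEP is always on)'
            }
        } finally {
            [void][Audit.Dep]::CloseHandle($handle)
        }
    }
    [pscustomobject]$row
}
```

Run it from an elevated prompt while the legacy application is open; a process that reports `DISABLED` should correspond only to a Profile you configured that way.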

You can keep your organization safer with DEP/NX and Ion working together

Remember, Ion Profiles are only loaded when your users visit the web sites you direct them to, meaning that your users won’t visit a web site with DEP/NX disabled unless you configure things that way.
