More Thoughts on the NowSMS Security Issue

Posted on Feb 27, 2008 in Support Blog


An additional thought … if you are concerned about the potential security issues described in the previous blog entry, but you do not want to hastily update to NowSMS 2008 without additional testing for your specific application(s), then you may want to enable Data Execution Prevention within Windows on the PC or server that is running NowSMS.

As a practice, we enable this setting on all of our servers, as well as our development and testing machines. This Windows configuration setting enables extra protection in the processor and within Windows to prevent this type of stack buffer overflow from allowing any malicious code to be executed.

The downside is that some software may experience difficulty with this setting being enabled, but if necessary, it is possible to disable the setting for specific applications or services that encounter problems.

If NowSMS is running as a dedicated server, I think it is a no-brainer to enable this setting. And in my opinion, it is a good idea to enable this setting on most servers.

The Data Execution Prevention setting exists in Windows XP Service Pack 1 and higher, Windows 2003 Server, Windows Vista and Windows 2008 Server. In most of the server editions of Windows, the setting is enabled by default.

To configure this setting, use the “System” option in the Windows Control Panel. Select “Advanced” / “Performance” / “Settings” / “Data Execution Prevention”. The options are to enable this setting for “essential Windows programs and services only”, or for “all programs and services except those I select”. Selecting “all programs and services except those I select” enables protection against malicious code attacks that target stack buffer overflows.

-bn
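
To confirm that the setting took effect and that the NowSMS executable has not been placed on the exemption list, the audit below can be run in PowerShell 3.0 or later on current Windows versions. It is an added example, not part of the original post or NowSMS's own tooling; the `*nowsms*` name pattern is a hypothetical placeholder, and the registry key is assumed to be where the Data Execution Prevention dialog records exemptions.

```powershell
# Added example: report the system-wide DEP policy and any per-program exemptions.
function Get-DepAudit {
    param(
        # Hypothetical pattern for the executable of interest; adjust to the real path.
        [string]$NamePattern = '*nowsms*'
    )

    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Values of Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy,
    # mapped to the two choices offered in the Control Panel dialog.
    $policyNames = @{
        0 = 'AlwaysOff'
        1 = 'AlwaysOn'
        2 = 'OptIn (essential Windows programs and services only)'
        3 = 'OptOut (all programs and services except those I select)'
    }
    $policy = [int]$os.DataExecutionPrevention_SupportPolicy

    # Assumption: exemptions added through the DEP dialog are stored here as
    # values named after the program path, with data containing DisableNXShowUI.
    $layersKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
    $exempt = @()
    if (Test-Path $layersKey) {
        $props = Get-ItemProperty -Path $layersKey
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSProvider properties PowerShell adds to the result.
            if ($p.Name -notlike 'PS*' -and "$($p.Value)" -match 'DisableNXShowUI') {
                $exempt += $p.Name
            }
        }
    }

    [pscustomobject]@{
        HardwareDepAvailable = [bool]$os.DataExecutionPrevention_Available
        Policy               = $policyNames[$policy]
        CoversAllPrograms    = ($policy -in 1, 3)
        ExemptPrograms       = $exempt
        TargetIsExempt       = [bool]($exempt | Where-Object { $_ -like $NamePattern })
    }
}

Get-DepAudit | Format-List
```

A result with `CoversAllPrograms` false, or `TargetIsExempt` true, means the server is not getting the protection described above.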
