IE8 / DEP / NX and Group Policy

Hi,

The GP settings, explanations and workarounds for IE8 are totally unsatisfactory. The issues are not well documented; I had to scour through various forums etc. and it was only after reading the answer from the MSDN reps that I realised how poorly implemented the DEP control within GP is.

Once you understand how DEP is configured/enabled you soon begin to realise why there is no GP setting to enable/disable or opt-in/out. This is because it is contained in the boot.ini file. The suggested workaround is to use a start-up script, with CACLS, to break/restore file permissions on the boot.ini and amend the options as you desire. I'm glad someone at M$ was smart enough to realise that to autonomise that process within GP (with a simple check box) would have borked an untold number of machines and resulted in huge support overheads/costs for themselves.

So instead they leave it up to the sys admins to discover, with horror, that they have to use a script that will most likely break half their enterprise (e.g. scripts failing to execute properly, I/O errors on the local disk, CACLS not completing, non-standard partition layouts etc.) to disable a setting that is turned on by default when SP3 is installed. Marvellous!

This is just the first part of my gripe. The real killer and poor implementation of group policy would be this: if you disable DEP/NX in GP for IE8 then the setting will ONLY WORK IF DEP IS DISABLED OR SET TO OPT-OUT FOR IE WITHIN THE HOST OS (XP). Great. Prior to this I've disabled all the add-ons and installed a third-party Java engine, and this gets round half the problem (our DEP error). However, not all parts of the system are stable and it only works really well when used in conjunction with the memory protection disabled in IE8.

HOWEVER, if you use the Advanced tab > Security within IE8 and then disable memory protection then, lo and behold, it works (despite DEP being enabled at the OS/boot.ini level). Weird, but at least a possible workaround.

So I fired up a clean image, took a snapshot before and after changing the setting (within IE8, NOT GP) and sure enough I found the key and value to simulate user disabling of DEP/NX. Located here:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"DEPOff"=dword:00000001

So I created a custom ADM template based on this setting and what d'ya know? It works. It mimics the user selection (I know it's a machine policy setting; I mean it mimics the user disabling it manually in IE8) and it works even though DEP is enabled for the OS (and I haven't even had to tell it to opt out for IE!).

Sooooo.... please could someone explain to me why:

1) This is not available as one of the default machine templates?
2) Why your MSDN reps would provide an incredibly dangerous solution to the problem when a more elegant and less intrusive workaround to the problem clearly already resides within the machine registry as shown above? (Obviously I realise the only way to disable DEP autonomously would be to use the script at one's own risk, otherwise you would have to manually edit each one individually, but the GP for IE8 does not work via the GP setting provided with DEP enabled on the OS unless you use the registry setting above.)
3) Why is DEP enabled by default when you install SP3? We now have 700+ machines that may have more issues in the future because of DEP and we might not be so lucky the next time an issue arises. My next task will be modifying our build images to make sure DEP is disabled for all future builds.

Thanks,
1 x frustrated Sys Admin (aka Bryn)

----------------
This post is a suggestion for Microsoft, and Microsoft responds to the suggestions with the most votes. To vote for this suggestion, click the "I Agree" button in the message pane. If you do not see the button, follow this link to open the suggestion in the Microsoft Web-based Newsreader and then click "I Agree" in the message pane.
http://www.microsoft.com/communities...plorer.general
Re: IE8 / DEP / NX and Group Policy

Always state your full Windows version (e.g., WinXP SP3; Vista x64 SP2) when posting to this newsgroup.

Feel better now?

And your Suggestion would be...?

PS: No one here works for or represents Microsoft (including me).

Bryn wrote:
> [snip]
Re: IE8 / DEP / NX and Group Policy

Sorry, I didn't actually specify the domain/OS. My bad; I also should have made my final points clearer. I don't really post a lot as the questions/answers are always within reach (thanks to sites like this one).

We are running a 2K3 domain with XP hosts. Like a lot of enterprises, we (and our clients) rely on IE6 integration for a lot of intranet applications etc. that are generally having a bit of a hard time trying to move with the times.

I also never said all that info was found here either; it was a mixture of public/private sites across the web, with a fraction of it on these groups. But IMO, anyone who has a whole lot of M$ letters after their name when posting in a forum and then RTMs back to me is a M$ rep (whether paid or otherwise). And no, I'm not a Linux/Mac fanboi either and yes, I appreciate the fact that M$ have woven a black magic all of their own that has provided me with a decent living over the years. I even like 7 so much I've been recommending to all my friends that they go out on the 22nd of October and beta test it for M$ too (ed. I mean buy a copy) since it runs so well. Sarcasm aside, I really do like 7.

So back to my suggestions:

We already have DEP enabled in our AV solution and whilst we're not averse to the idea of having that additional layer of software protection, it would have been nice to have the decision to enable it in the first place (re: XP SP3). The fact the only way to disable it en masse is to use a particularly risky script is what makes that previous point even more annoying. Obviously M$ realised that too or there would have been a simple GP setting to configure it.

Suggestion 1) DEP is disabled by default when upgrading to SP3 within XP. Or an option is provided to enable/disable it during the installation with an adequate explanation for domain users/admins that there is no safe way to turn this off via GP (on a 2K3 one anyway).

The disabling of DEP is handled differently when a user does it via the host XP PC in IE8, being controlled by the registry setting:

> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
> "DEPOff"=dword:00000001

I have found this is a good workaround to the problem caused by XP machines not adhering to the group policy setting that M$ provides to disable DEP/NX for IE8. As stated within the GPM, the DEP/NX GP setting for IE8 does not work unless DEP for XP is disabled or set to opt-out. As this can only be done by editing the boot.ini file, the above registry setting is a much safer option for admins/application integrators to try first.

Suggestion 2) Provide a GP setting to disable DEP in IE8 running on an XP (x86 client) via the registry option above.

I know x64 machines have hardware DEP as default (or the option to in the BIOS). Out of curiosity, do the 64-bit (x64/Itanium) versions of XP also have software DEP by default too? If they do, is it safe to assume it is also controlled via the boot.ini?

I also do really appreciate the fact that you, and others like you, have a far more in-depth knowledge of Windows than I, and that you take the time out to reply to people in your own time as well. I went through about 3 years' worth of posts and was surprised that no one else had found/mentioned the registry workaround above.

I also came across a borked netbook recently that was caused by a failed IE8 installation. To be fair that was probably the fault of the Ask toolbar add-on (I never found out from the client if that was what they did but the posts online pointed at that). And while M$ can't be blamed for a third party's implementation of code, it does highlight the danger of controlling DEP options via the boot.ini.

I suppose a third suggestion would be then:

3) If it must be done at boot (and thus assuming this is a better implementation than our AV-provided DEP) then don't use the boot.ini alone to enable/disable DEP. An M$-developed and integrated boot loader (similar to GRUB) that would rely on user interaction (or an encrypted file with script info for GP action) and thus be more secure from an online/malware-based attack. This could also have a built-in backup/restore function that could detect/fix an unbootable machine. For example, our HDD encryption provider sits at the MBR level and is MoD approved. Perhaps M$ could push more third-party vendors out of the game by raising their own game and improving their own code (instead of just buying other people's) for a change.

Once again, thank you for your time.

Bryn

"PA Bear [MS MVP]" wrote:
> [snip]
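An added example, not code from either post: a PowerShell audit that reports, per XP host, the boot.ini /noexecute mode together with the DEPOff value discussed above, so an admin can see on which machines IE8 is actually running without DEP once the registry workaround is deployed. The function names, the hosts.txt list and the sample data are assumptions; the remote variant assumes admin rights, the Remote Registry service and the C$ share on each target.

```powershell
# Added example, not code from the thread. Audits XP hosts for the effective IE8
# DEP/NX state by combining boot.ini's /noexecute= switch with the DEPOff value.
# Function names, hosts.txt and the sample data below are assumptions/constructed.

function Get-IeDepState {
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [int]$DepOff = 0,        # HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\DEPOff
        [string]$BootIni = ''    # full text of the host's boot.ini
    )
    # /noexecute=OptIn|OptOut|AlwaysOn|AlwaysOff sits on the ARC line; no switch = OptIn default
    $mode = 'OptIn'
    if ($BootIni -match '/noexecute=(\w+)') { $mode = $Matches[1] }
    $ieOptsIn = ($DepOff -ne 1)   # DEPOff=1 stops IE8 opting itself in to DEP at start-up

    $finding = switch -regex ($mode) {
        '^AlwaysOn$'  { 'DEP enforced for every process; DEPOff has no effect' }
        '^AlwaysOff$' { 'RISK: DEP off system-wide' }
        '^OptOut$'    { if ($ieOptsIn) { 'IE covered by OptOut' }
                        else { 'DEPOff=1 under OptOut; verify IE is not on the exception list' } }
        default       { if ($ieOptsIn) { 'IE opts in to DEP' }
                        else { 'RISK: DEPOff=1 under OptIn, IE8 runs without DEP' } }
    }
    New-Object PSObject -Property @{
        ComputerName = $ComputerName; NoExecute = $mode; DepOff = $DepOff; Finding = $finding
    }
}

function Get-IeDepStateFromHost {
    param([Parameter(Mandatory=$true)][string]$ComputerName)
    # Needs admin rights, the Remote Registry service and the C$ share on the target.
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    $key  = $hklm.OpenSubKey('SOFTWARE\Microsoft\Internet Explorer\Main')
    $depOff = 0
    if ($key -ne $null) { $depOff = [int]$key.GetValue('DEPOff', 0) }
    $bootIni = [System.IO.File]::ReadAllText("\\$ComputerName\C`$\boot.ini")
    Get-IeDepState -ComputerName $ComputerName -DepOff $depOff -BootIni $bootIni
}

# Constructed sample: an XP SP3 default boot.ini line plus the DEPOff=1 value from the thread.
$sampleBootIni = 'multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect'
Get-IeDepState -ComputerName 'SAMPLE-XP' -DepOff 1 -BootIni $sampleBootIni | Format-List

# Fleet run: one hostname per line in hosts.txt (assumed), results to CSV for follow-up
# Get-Content .\hosts.txt | ForEach-Object { Get-IeDepStateFromHost $_ } | Export-Csv .\ie-dep-audit.csv -NoTypeInformation
```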