LUA, SRP, DEP, UAC...?

[Luxeon]

I am finally beginning to understand the acronyms LUA, SRP, DEP and UAC...but, have a question or two.

I have Vista x64 Home premium with UAC enabled. Currently using Defender with Spynet, NOD32, SAS (nice program), router, Windows Firewall, Firefox (soon to be equipped with NoScript and maybe AdBlock). Internet Explorer, on the rare occasion it is used, is in protected mode.

We are also using LUA.

Currently, DEP is set like this: "Turn DEP On for Essential Windows Vista Programs and Services Only"

Should I set it to the higher level "Turn DEP On for All Programs and Services Except for the Ones you Select?"

I find Software Restriction Policy to be a bit...confusing. I read this: http://www.mechbgon.com/srp/ , but apparently it doesn't apply to my system, and I admit that my understanding is still pretty...thin.

Does SRP apply to my system? (It looks like UAC is a kind of SRP-for-dummies) If so, how can I optimize it?

Man, there is a lot to learn about this stuff...

[Meriadoc]

Hi Luxeon, if your computer supports it then I'd recommend DEP for all yes*, you can then add an exception if one of your programs baulks. SRP in Vista as a Standard user is for the Business, Ultimate and Enterprise versions - have you read this thread.

*btw DEP is always enabled for 64bit native programs in 64bit versions of Windows.

To quickly tell if hardware DEP is available in Vista, as admin, enter wmic OS Get DataExecutionPrevention_Available in a command line. If TRUE is returned then it is available .

If you really want DEP to be effective then the system wide setting via boot.ini is the only way. The only thing is that certain programs might have issues with it, in my case I discovered Avast and Orbit having issues, I replaced them with Avira and FDM and it went away. Every other program installed have no issues.

[TOMxEU]

If you play games, do not enable DEP for all, it will shut them down and mostly it does not even notify, that it is because of DEP. Otherwise no problem.

[Raza0007]

I use Vista 32 bit so I will only comment on UAC and DEP, I don't think LUA and SRP are applicable to 32 bit OS.

UAC: I turned it off when I received my new computer and have not turned it back on since. You do not need it under ordinary circumstances. Keeping a good updated antivirus will provide you with adequate protection.

DEP: There are two kinds software based and hardware based.

Hardware based only has two settings enabled or disabled. You can only change it from your BIOS. It is only available if you processor supports it. Recommended setting is to leave it enabled. If it is causing problems for certain trusted software you may temporarily disable it.

Software based has four setting Optin, Optout, Always on, Always off. Default is Optin. In this setting it provides protection for essential windows programs only. You should leave it at its default setting. If some program is conflicting with it then you may select Optout. Then it protects all programs but those you mention in the exclude list.

[Osaban]

Quote:

Originally Posted by Meriadoc

Hi Luxeon, if your computer supports it then I'd recommend DEP for all yes*, you can then add an exception if one of your programs baulks.

Exceptions don't always work, as an example UltimateDefrag 2008 won't work on my Vista Ultimate32 with DEP enabled (hardware), even when the .exe is added to the exceptions.

[Meriadoc]

If you don't have hardware DEP you'll also get the warning in the exceptions window of the DEP tab telling you the processor does not support hardware DEP. (XPSP2-)

To easily check on DEP policy you can enter in a command prompt :

wmic OS Get DataExecutionPrevention_SupportPolicy

the returned value would be 0-3

0 AlwaysOff DEP is not enabled for any processes
1 AlwaysOn DEP is enabled for all processes
2 OptIn Only Windows system components and services
3 OptOut DEP is enabled for all processes, but you can create an exception

There is also Securable which will tell you if you have hardware DEP (and hardware virtualization.) It will also tell you if Hardware DEP is off in the BIOS.