Windows XP Pro x64 Data Protection Features

I've been experimenting with the Windows XP Professional x64 Edition beta, a product that's surprisingly similar to its 32-bit cousin even though Microsoft only recently decided to add most of the functionality from the 32-bit version of XP Service Pack 2 (SP2). (See my "Windows XP Professional x64 Edition Preview" on the SuperSite for Windows at http://www.winsupersite.com/article/showcase/windows-xp-professional-x64-edition-preview.aspx for a look at the history behind this release.) Now due in the first half of 2005 along with the release of Windows Server 2003 Service Pack 1 (SP1), XP Pro x64 will include virtually all the features from XP Professional Edition (32-bit), except for the 16-bit subsystem that enables DOS application compatibility and various legacy protocols such as Apple Computer's AppleTalk and NetBEUI.

The current XP Pro x64 beta--the publicly available build 1218--is a curious amalgamation of Windows 2003 and XP SP2 with features from the XP Luna UI, the Bluetooth stack, XP SP2 Windows Firewall, and a few interesting new features that are specific to this release. For example, XP Pro x64 has 32-bit and 64-bit versions of Microsoft Internet Explorer (IE), presumably because none of the IE add-ons will work in the 64-bit version.

Data Execution Prevention
XP Pro x64 supports the data execution prevention (DEP) technologies that Microsoft developed for XP SP2, but the XP Pro x64 version has some pretty significant differences. DEP helps protect against software-based attacks by intercepting attempts to execute code in memory that's marked for data only. It can be an effective defense against the buffer-overrun attacks that are so prevalent today.

In 32-bit versions of XP SP2, DEP is a purely software-based technology because current 32-bit microprocessors don't support this feature, although future versions likely will. However, 64-bit chips, such as those based on the AMD64 processor (AMD Athlon 64 and AMD Opteron) and on the Intel Extended Memory 64 Technology (EM64T--new Xeon and Pentium 4 designs), do support DEP. On these 64-bit systems, XP Pro x64 interacts with unique hardware features of each platform--the no execute (NX) page protection feature on AMD64 and the Execute Disable feature on EM64T--to raise an exception when software attempts to execute code improperly. The result is a more stable and secure operating environment.
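What the NX check amounts to at the page level, as an added example that is not from the article or from Microsoft: a C program for a POSIX system that maps a page read/write, copies a single return instruction into it as data, and shows the call into it faulting until the page is re-protected as executable. The RET encodings for x86 and AArch64 are the assumed platform specifics.

```c
/* Added example, not from the article: shows DEP/NX enforcement from user
 * mode on POSIX. A page is mapped read/write only, one RET instruction is
 * copied into it as data, and a call into it is attempted. With NX on, the
 * fetch faults (SIGSEGV); after mprotect() marks it read/execute it runs. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
static sigjmp_buf fault_env;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }
/* Call into the page; returns 1 if the call faulted, 0 if it returned. */
static int call_page_faults(void *page) {
    struct sigaction sa, old_segv, old_bus;
    void (*fn)(void);
    memcpy(&fn, &page, sizeof fn);     /* object pointer -> code pointer */
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    volatile int faulted = 1;
    if (sigsetjmp(fault_env, 1) == 0) { fn(); faulted = 0; }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return faulted;
}
/* 1 if the data page could not be executed but ran once marked executable
 * (NX enforced); 0 if data executed anyway; -1 if the check could not run. */
int nx_enforced(void) {
#if defined(__x86_64__) || defined(__i386__)
    static const unsigned char ret_insn[] = { 0xC3 };                   /* ret */
#elif defined(__aarch64__)
    static const unsigned char ret_insn[] = { 0xC0, 0x03, 0x5F, 0xD6 };  /* ret */
#else
    static const unsigned char ret_insn[] = { 0 };
    return -1;                            /* RET encoding unknown for this CPU */
#endif
    long sz = sysconf(_SC_PAGESIZE);
    void *page = mmap(NULL, sz, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -1;
    memcpy(page, ret_insn, sizeof ret_insn);       /* the "data" is one RET */
    int data_faults = call_page_faults(page);      /* expected: 1 under NX */
    if (mprotect(page, sz, PROT_READ | PROT_EXEC) != 0) { munmap(page, sz); return -1; }
    __builtin___clear_cache((char *)page, (char *)page + sz);  /* i-cache sync on ARM */
    int exec_runs = !call_page_faults(page);       /* expected: 1 */
    munmap(page, sz);
    return data_faults && exec_runs;
}
```

The first call is exactly the situation a DEP alert reports: an instruction fetch from a page the OS marked data-only, which the NX bit turns into a fault instead of letting it run.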

Microsoft originally intended for 32-bit versions of XP SP2 to ship with the software-based DEP feature enabled by default. However, during SP2 testing, the company discovered that far too many legitimate applications were triggering DEP exceptions. To the user, a DEP exception can be quite jarring: You receive a DEP alert that informs you that Windows has closed the offending program to protect you from potential harm. However, you can click Change Settings to add that program to a list of DEP exceptions (i.e., programs that will no longer be protected by DEP).

Because these alerts were so annoying to testers, Microsoft opted to turn off DEP for non-OS applications in 32-bit versions of XP SP2. You can see how this feature is configured on such a system by navigating to System Properties, Advanced, Performance, Data Execution Prevention. In 32-bit versions of XP SP2, you have two options. You can turn on DEP for essential Windows programs and services only (i.e., those applications and services that ship as part of XP SP2), which is the default, or you can turn on DEP for all programs and services except for those you select. If you choose the latter option, Add and Remove buttons help you configure which applications are protected.

In XP Pro x64, DEP configuration is a bit different. With this implementation, you get three choices: Turn on DEP for all programs (the default), turn off DEP, and turn off DEP for all programs except for a list of user-specified programs. The latter option is enabled the first time you see a DEP Alert and configure DEP to allow the offending application. Oddly enough, in my time using XP Pro x64, the only DEP exceptions I've gotten so far have been for Microsoft applications. In one typical example, I was able to install Microsoft Office 2003 without any problems, but the Office 2003 SP1 installer triggered a DEP Alert on Windows Installer. Microsoft's warning dialog box is so vague that it's useless: "To see if an updated version of this program is available, contact the publisher." (Hey, thanks for the advice.) But at least you can add this application to the exceptions list and it will run properly.

That said, I think it's commendable that Microsoft is protecting its own applications with DEP in both the 32-bit and 64-bit versions of XP, and as Microsoft Group Product Manager Barry Goffe told me, this protection speaks volumes about the quality of work that went into SP2. "We wanted to leave [DEP] on for user mode applications, but a large chunk of the applications that people wanted to use were triggering alerts," he said. "So we turned it off [in SP2 32-bit]. But all [of the] Microsoft bits [in the OS] are protected, which is a great thing. It's an awesome technology."

Application and Driver Support
As far as application compatibility is concerned, I've been impressed with the sheer number of 32-bit applications I've been able to install and run on XP Pro x64. Only certain utilities--such as Microsoft PowerToys for XP; some games; and certain applications, such as Windows Media Player (WMP) 10, which are specifically designed to ensure they're not installed on x64 systems--don't work. Driver support has also exceeded my expectations. Back in May when I spoke with Microsoft Senior Vice President Bob Muglia about the Windows Server road map, he frankly discussed the superiority of the x64 platform but admitted that driver support might be problematic. However, the HP Pavilion a640n desktop I'm using for testing purposes has worked flawlessly with both XP Pro x64 and Windows 2003 SP1 x64 betas, and only the audio drivers weren't installed out of the box (although I was able to install them from the company's Web site). And when I switched out the lackluster bundled video card for a more capable NVIDIA solution, I was able to find NVIDIA's beta 64-bit drivers without a problem. It all works.

Looking Forward
XP Pro x64 beta is still incomplete and will likely be improved dramatically before its final release in the first half of 2005. But I'm impressed by its stability, performance, and compatibility. I have little doubt that x64-based PCs running this OS will be viable and recommended alternatives to the more limited 32-bit systems they compete with by mid-2005. An investment in x64 is an investment in the future, and when you combine the unique features and capabilities of this OS with the extended memory and resource headroom, along with Microsoft's Technology Exchange Program (http://www.winnetmag.com/article/articleid/43413/43413.html) one thing is clear: The x64 platform is the wave of the future, especially for PCs and workstations. I'll be looking more closely at x64 server variants as well, but if the client is any indication, this platform has legs.

XP SP2 and SharePoint Feedback
My apologies for not publishing the results of the feedback I received about XP SP2 and Windows SharePoint Services (WSS) deployments yet. I received a wide range of responses and hope to be able to organize that information into something cohesive this week. If you provided feedback and didn't explicitly say whether you'd prefer to have your name or organization withheld (many did), please do so now. I'll try to contact anyone I intend to quote, but it's helpful to know ahead of time if you're not interested in having that information published. Thanks for reading!
