Re: Data Execution Prevention closes IIS on AMD64-based SBS2003

HI Susan,

Thanks again for updates.

I think the issue should be different according to different SBS setup. It
might be relate to other services which have relationship with IIS. For
example, if we implement some third party isapi filters on IIS. We may
encounter some issue when running IIS services, the system might consider
the danger code is include in IIS, so it might block the IIS process when
system start.

Also some other third party codes which is implemented by third party
services might also cause the issue. But it might be difficult to detect
such issue.

Hope this information helpful.



Best regards,

Charles Yang (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.


=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
| Date: Sun, 13 Nov 2005 23:58:26 -0800
| From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]"
<sbradcpa@xxxxxxxxxxx>
| User-Agent: Mozilla Thunderbird 1.0.7 (Windows/20050923)
| X-Accept-Language: en-us, en
| MIME-Version: 1.0
| Subject: Re: Data Execution Prevention closes IIS on AMD64-based SBS2003
| References: <QqJdf.52906$iC7.10005@xxxxxxxxxxxxxxxxxxxxxx>
<tMxh#jM6FHA.3796@xxxxxxxxxxxxxxxxxxxxx>
<#$CXu$N6FHA.4076@xxxxxxxxxxxxxxxxxxxx>
<OgB9P$O6FHA.1236@xxxxxxxxxxxxxxxxxxxxx>
| In-Reply-To: <OgB9P$O6FHA.1236@xxxxxxxxxxxxxxxxxxxxx>
| Content-Type: text/plain; charset=ISO-8859-1; format=flowed
| Content-Transfer-Encoding: 7bit
| Message-ID: <uT#shEP6FHA.2524@xxxxxxxxxxxxxxxxxxxx>
| Newsgroups: microsoft.public.windows.server.sbs
| NNTP-Posting-Host: 69.106.186.114
| Lines: 1
| Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP10.phx.gbl
| Xref: TK2MSFTNGXA02.phx.gbl microsoft.public.windows.server.sbs:221954
| X-Tomcat-NG: microsoft.public.windows.server.sbs
|
| Yeah..but I have DEP on my servers here and have not had to disable it
| for IIS?
|
| Charles Yang [MSFT] wrote:
| > HI Susan,
| >
| > Thanks for updates.
| >
| > Here I would like to add some more information to this issue, hope this
| > helpful to clarify the issue more clearly:
| >
| > This issue is due to DEP ( Data execution prevention ) feature of
Windows
| > 2003 SP1. When you install the Windows 2003 SP1 on server DEP is
getting
| > enabled by default. This feature is also Available in windows XP SP2.
| >
| > How to identify the DEP is enabled in Windows 2003 and XP SP2 systems
| > =========================
| > Check the Boot.ini file in any of the OS listed above and check for
| > NoExecute Entry. This looks like follows
| >
| > multi(0)disk(0)rdisk(0)partition(1)\WINNT="Windows Server 2003,
Enterprise"
| > /fastdetect /noexecute=OptOut
| >
| > /noexecute Switch
| > ================
| > The /noexecute parameter enables Data Execution Prevention (DEP), a set
of
| > hardware and software technologies designed to prevent harmful code
from
| > running in protected memory locations /noexecute={alwayson | optout |
optin
| > | alwaysoff}
| >
| >
| > Switch noexecute=OptOut
| > Enables DEP for the operating system and all processes, including the
| > Windows kernel and drivers.
| > Switch noexecute=alwayson
| > Enables DEP for the operating system and all processes, including the
| > Windows kernel and drivers. All attempts to disable DEP are ignored.
| > Switch noexecute=optin
| > Enables DEP only for operating system components, including the Windows
| > kernel and drivers.
| > Switch noexecute=alwaysoff
| > Disables DEP. Attempts to enable DEP selectively are ignored. This
| > parameter also disables physical address extension (PAE). To re-enable
| > (PAE), use the /pae parameter.
| >
| > More information on DEP and Noexecute
| > ================================
| >
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/memory/base
| > /data_execution_prevention.asp
| >
| >
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2mempr.mspx
| >
| >
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ddtools/hh/
| > ddtools/bootini_aff45176-bd02-43cf-9895-c212fa392de2.xml.asp
| >
| >
| > Here is also some other solution for this issue:
| > Workaround 1
| > -------------------
| > Use the noexecute=optin parameter in Boot.ini file. This is how we can
set
| > it bootcfg /raw "/fastdetect /NoExecute=optin" /ID 1
| >
| > Workaround 2
| > ----------------------
| > let the noexecute=OptOut remain like that only in Boot.ini file and
follow
| > below listed steps to allow W3WP.exe process to be run properly on
server.
| >
| > My Computer -- > Advanced --> Performance -- >Settings -- > Data
| > Execution Prevention --> 2nd radio button ( Turn on DEP for all
programs
| > and services except those I select) -- Add W3WP.EXE process in
exception
| > list (no need for reboot). The workaround I refer in my post, it should
be
| > a quick workaround.
| >
| > By doing this what we are doing is setting W3WP.exe in exception list
of
| > DEP
| >
| > Workaround 3
| > -----------------------
| > set noexecute=Alwaysoff in boot.ini file and that will turn off the
DEP.
| > This is how we will set it up
| >
| > bootcfg /raw "/fastdetect /NoExecute=AlwaysOff" /ID 1 (reboot of
system
| > is needed after this)
| >
| > (we do not suggest using the last workaround)
| >
| > Hope the above information helpful for you. Thanks again for any effort
| > here.
| >
| >
| >
| > Best regards,
| >
| > Charles Yang (MSFT)
| >
| > Microsoft CSS Online Newsgroup Support
| >
| > Get Secure! - www.microsoft.com/security
| >
| > ======================================================
| > This newsgroup only focuses on SBS technical issues. If you have issues
| > regarding other Microsoft products, you'd better post in the
corresponding
| > newsgroups so that they can be resolved in an efficient and timely
manner.
| > You can locate the newsgroup here:
| > http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
| >
| > When opening a new thread via the web interface, we recommend you check
the
| > "Notify me of replies" box to receive e-mail notifications when there
are
| > any updates in your thread. When responding to posts via your
newsreader,
| > please "Reply to Group" so that others may learn and benefit from your
| > issue.
| >
| > Microsoft engineers can only focus on one issue per thread. Although we
| > provide other information for your reference, we recommend you post
| > different incidents in different threads to keep the thread clean. In
doing
| > so, it will ensure your issues are resolved in a timely manner.
| >
| > For urgent issues, you may want to contact Microsoft CSS directly.
Please
| > check http://support.microsoft.com for regional support phone numbers.
| >
| > Any input or comments in this thread are highly appreciated.
| > ======================================================
| > This posting is provided "AS IS" with no warranties, and confers no
rights.
| >
| >
| > =====================================================
| > When responding to posts, please "Reply to Group" via your newsreader
so
| > that others may learn and benefit from your issue.
| > =====================================================
| >
| > This posting is provided "AS IS" with no warranties, and confers no
rights.
| >
| > --------------------
| > | Date: Sun, 13 Nov 2005 21:55:25 -0800
| > | From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]"
| > <sbradcpa@xxxxxxxxxxx>
| > | User-Agent: Mozilla Thunderbird 1.0.7 (Windows/20050923)
| > | X-Accept-Language: en-us, en
| > | MIME-Version: 1.0
| > | Subject: Re: Data Execution Prevention closes IIS on AMD64-based
SBS2003
| > | References: <QqJdf.52906$iC7.10005@xxxxxxxxxxxxxxxxxxxxxx>
| > <tMxh#jM6FHA.3796@xxxxxxxxxxxxxxxxxxxxx>
| > | In-Reply-To: <tMxh#jM6FHA.3796@xxxxxxxxxxxxxxxxxxxxx>
| > | Content-Type: text/plain; charset=ISO-8859-1; format=flowed
| > | Content-Transfer-Encoding: 7bit
| > | Message-ID: <#$CXu$N6FHA.4076@xxxxxxxxxxxxxxxxxxxx>
| > | Newsgroups: microsoft.public.windows.server.sbs
| > | NNTP-Posting-Host: 69.106.186.114
| > | Lines: 1
| > | Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!tk2msftngp13.phx.gbl
| > | Xref: TK2MSFTNGXA02.phx.gbl microsoft.public.windows.server.sbs:221921
| > | X-Tomcat-NG: microsoft.public.windows.server.sbs
| > |
| > | Sure he can disable it ..but I think he's wondering why a default IIS
| > | from Microsoft needs to have it disabled?
| > |
| > | Charles Yang [MSFT] wrote:
| > | > HI Jim,
| > | >
| > | > Welcome to SBS newsgroup.
| > | >
| > | > Issue description:
| > | > =================
| > | >
| > | > I understand that you got the warning "To help protect your
computer,
| > | > Windows has closed this program" when you start your SBS server.
| > | >
| > | > Analyzing and suggestion:
| > | > =================
| > | >
| > | > Generally speaking, this behavior occurs because Microsoft Windows
uses
| > the
| > | > Data Execution Prevention (DEP) feature to help prevent damage from
| > viruses
| > | > and from other security threats
| > | >
| > | > You can disable the warning message by following the steps below:
| > | >
| > | > My Computer -- > Advanced --> Performance -- >Settings -- > Data
| > | > Execution Prevention --> 2nd radio button ( Turn on DEP for all
| > programs
| > | > and services except those I select) - Add W3WP.EXE process in
exception
| > | > list (no need for reboot).
| > | >
| > | > More info:
| > | > ==================
| > | >
| > | > For more detailed information, I suggest you refer to the KB
article
| > below,
| > | > although it is related with Windows XP, it is also useful for
| > understanding
| > | > the issue on Windows 2003:
| > | >
| > | > 886348: You receive a Stop error when a driver is not compatible
with
| > the
| > | > Data Execution Prevention (DEP) feature in Windows XP Service Pack
2 or
| > in
| > | > Windows XP Tablet PC Edition 2005
| > | > http://support.microsoft.com/?id=886348
| > | >
| > | > 875352: A detailed description of the Data Execution Prevention
(DEP)
| > | > feature in Windows XP Service Pack 2, Windows XP Tablet PC Edition
| > 2005,
| > | > and Windows Server 2003
| > | > http://support.microsoft.com/default.aspx?scid=kb;en-us;875352
| > | >
| > | > 875351: You receive a "Data Execution Prevention" error message in
| > Windows
| > | > XP Service Pack 2 or in Windows XP Tablet PC Edition 2005
| > | > http://support.microsoft.com/default.aspx?scid=kb;en-us;875351
| > | >
| > | > I really appreciate your understanding on this issue, please feel
free
| > to
| > | > post back your results. I am glad to be of further assistance.
| > | >
| > | >
| > | >
| > | > Best regards,
| > | >
| > | > Charles Yang (MSFT)
| > | >
| > | > Microsoft CSS Online Newsgroup Support
| > | >
| > | > Get Secure! - www.microsoft.com/security
| > | >
| > | > ======================================================
| > | > This newsgroup only focuses on SBS technical issues. If you have
issues
| > | > regarding other Microsoft products, you'd better post in the
| > corresponding
| > | > newsgroups so that they can be resolved in an efficient and timely
| > manner.
| > | > You can locate the newsgroup here:
| > | > http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
| > | >
| > | > When opening a new thread via the web interface, we recommend you
check
| > the
| > | > "Notify me of replies" box to receive e-mail notifications when
there
| > are
| > | > any updates in your thread. When responding to posts via your
| > newsreader,
| > | > please "Reply to Group" so that others may learn and benefit from
your
| > | > issue.
| > | >
| > | > Microsoft engineers can only focus on one issue per thread.
Although we
| > | > provide other information for your reference, we recommend you post
| > | > different incidents in different threads to keep the thread clean.
In
| > doing
| > | > so, it will ensure your issues are resolved in a timely manner.
| > | >
| > | > For urgent issues, you may want to contact Microsoft CSS directly.
| > Please
| > | > check http://support.microsoft.com for regional support phone
numbers.
| > | >
| > | > Any input or comments in this thread are highly appreciated.
| > | > ======================================================
| > | > This posting is provided "AS IS" with no warranties, and confers no
| > rights.
| > | >
| > | >
| > | > =====================================================
| > | > When responding to posts, please "Reply to Group" via your
newsreader
| > so
| > | > that others may learn and benefit from your issue.
| > | > =====================================================
| > | >
| > | > This posting is provided "AS IS" with no warranties, and confers no
| > rights.
| > | >
| > | > --------------------
| > | > | From: "Jim Staunton" <sbsbofh@xxxxxxxxxxxxxx>
| > | > | Newsgroups: microsoft.public.windows.server.sbs
| > | > | Subject: Data Execution Prevention closes IIS on AMD64-based
SBS2003
| > | > | Lines: 187
| > | > | X-Priority: 3
| > | > | X-MSMail-Priority: Normal
| > | > | X-Newsreader: Microsoft Outlook Express 6.00.2900.2180
| > | > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
| > | > | X-RFC2646: Format=Flowed; Original
| > | > | Message-ID: <QqJdf.52906$iC7.10005@xxxxxxxxxxxxxxxxxxxxxx>
| > | > | X-Complaints-To: abuse@xxxxxxxxxxxx
| > | > | Organization: EasyNews, UseNet made Easy!
| > | > | X-Complaints-Info: Please be sure to forward a copy of ALL
headers
| > | > otherwise we will be unable to process your complaint properly.
| > | > | Date: Sun, 13 Nov 2005 16:00:48 GMT
| > | > | Path:
| > | >
| >
TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!newsfeed00.sul.t-online.de!t-onli
| > | >
| >
ne.de!border2.nntp.dca.giganews.com!border1.nntp.dca.giganews.com!nntp.gigan
| > | >
| >
ews.com!newsfeed2.easynews.com!easynews.com!easynews!easynews-local!fe08.new
| > | > s.easynews.com.POSTED!not-for-mail
| > | > | Xref: TK2MSFTNGXA02.phx.gbl
microsoft.public.windows.server.sbs:221762
| > | > | X-Tomcat-NG: microsoft.public.windows.server.sbs
| > | > |
| > | > | A box running SBS2003 Premium, w/ SBS2003 SP1, Exchange 2003 SP2.
| > SQL2000
| > | > is
| > | > | installed, but not ISA.
| > | > |
| > | > | Every time this server boots, when you log on you get the error
| > message
| > | > |
| > | > | "To help protect your computer, Windows has closed this program.
| > | > | Name: Internet Information Service
| > | > | (...)" (screenshot attached)
| > | > |
| > | > | If I click Change Settings I get the warning
| > | > |
| > | > | "Disabling Data Execution Prevention for a Windows component may
| > expose
| > | > your
| > | > | system to unauthorized accesses..."
| > | > |
| > | > | but if I click OK have the option to turn off DEP for IIS.
| > | > |
| > | > | 1) Should I do this?
| > | > | 2) Why is IIS triggering this error anyway?
| > | > |
| > | > | Jim
| > | > |
| > | > |
| > | > |
| > | >
| > |
| >
|

.