The "Understanding Data Execution Prevention" help topic in Microsoft Windows Server 2003 with Service Pack 1 (SP1) contains the following incorrect entry:
By default, DEP is only turned on for essential Windows operating system programs and services. To help protect more programs with DEP, select Turn on DEP for all programs and services except those I select.
By default, in Windows Server 2003 SP1, DEP is turned on for all programs and services except those that the administrator selects. By default, the "Turn on DEP for all programs and services except those I select" OptOut policy is already selected.
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
If you are logged on as an administrator, you can manually configure DEP to switch between the OptIn and OptOut policies by using the Data Execution Prevention tab in System Properties.
To verify your settings, follow these steps:
Click Start, click Run, type sysdm.cpl in the Open box, and then click OK.
Click the Advanced tab, and then click Settings under Performance.
Click the Data Execution Prevention tab, and then use one of the following procedures:
Click Turn on DEP for essential Windows programs and services only to select the OptIn policy.
Click Turn on DEP for all programs and services except those I select to select the OptOut policy, and then click Add to add the programs that you do not want to use the DEP feature.
Click OK two times.
By default in Microsoft Windows XP, the Turn on DEP for essential Windows programs and services only OptIn policy is selected.
DEP configuration for the computer can also be configured by using switches in the Boot.ini file.
To select the OptOut policy, add the /noexecute=optout parameter to the boot entry. For example:
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows Server 2003" /fastdetect /noexecute=OptOut
To select the OptIn policy, add the /noexecute=optin parameter to the Boot.ini file. For example:
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows Server 2003" /fastdetect /noexecute=OptIn
To support DEP, Windows loads a Physical Address Extension (PAE) kernel, even though the /PAE parameter is not in included in the Boot.ini file.
If the /noexecute parameter is not found in the boot entry, Windows Server 2003 uses the OptIn policy for DEP.
For more information about the DEP feature and Windows Server 2003 with SP1, visit the following Microsoft Web site: