I've been following the latest CIS hardening document for windows 7 and using Nessus to monitor my GPO progress. However I've come accross one setting which I don't seem to understand the logic of and wanted others opinion. If I have no legacy in my domain why would I do this? I can see you may want to add exceptions but this seems to be lowering security and seems to be saying just fall back on other security at the OS level???
Check Name: 1.12.4 Turn off Data Execution Prevention for Explorer
Information This control defines whether Data Execute Prevention (DEP) is enabled or disabled for the explorer process. CCE-9918-4
ref: https://benchmarks.cisecurity.org/tools ... v1.2.0.pdf pg. 160
This control determines if Data Execute Prevention (DEP) is enabled or disabled for the explorer process. For all profiles, the recommended state for this setting is Disabled.
DEP, when deployed in concert with the other native Windows exploit mitigation such a ASLR, Guard Stack, and SafeSEH, provides an effective means for preventing the exploitation of certain software defects that may affect explorer.