Does my server meet the requirements for Maximum Bit Length, Hardware Data Execution Prevention, and Hardware Virtualization to use Microsoft Hyper-V?

Does my server meet the requirements for Maximum Bit Length, Hardware Data Execution Prevention, and Hardware Virtualization to use Microsoft Hyper-V? Well, I don’t know, but Steve Gibson can quickly tell you. Check out http://www.grc.com/securable.htm. Download and run the file named SecurAble.exe. It doesn’t install anything; it’s just a self-contained executable.

Here are the results for my work notebook:

[Screenshot: SecurAble results for the work notebook]

If you click on one of the three results it will tell you in greater detail what is going on.

64-Bit Processing Available

This processor does offer 64-bit modes of operation. This means that this system is able to run the significantly more secure 64-bit versions of Microsoft’s Windows XP and Vista operating systems.

The biggest challenge for 64-bit Windows systems is the fact that existing 32-bit device drivers cannot be used by the 64-bit operating system kernel. So if you do plan to try switching to 64-bit Windows, you should be sure to have a means for reverting to 32-bit operation if your system’s hardware turns out to be incompatible with 64-bit operation. Many people have reverted to 32-bit operation after bravely giving 64-bits a try for a short time.

Hardware DEP Available

This processor does support hardware-based data execution prevention (DEP).

When hardware DEP support is teamed up with a properly configured operating system (and that part is crucial), computer security mistakes involving the deliberate overrunning of communications buffers can be automatically detected and prevented throughout the entire computer system. This makes data execution prevention, when available and active, the single most promising improvement for PC security ever. Really.

It is very important to note, however, that hardware support for DEP is only one of several enabling requirements that must be met before any benefit can be obtained. GRC will be following up the release of SecurAble with another powerful tool, DEPuty, that will help to properly configure, test and verify the operation of your system’s critical DEP subsystem.

Hardware Virtualization

This processor does offer advanced hardware support for virtualization. However, while running under a 64-bit version of Windows this program cannot execute its 32-bit kernel code to determine whether Intel’s VMX virtual machine extensions are being locked on, locked off, or neither. Since there’s a chance that your system’s BIOS may be deliberately disabling support for hardware virtualization (some do) you should re-run this program, if possible, with administrative privileges under a 32-bit version of NT, XP, or Vista. That will allow SecurAble to run a bit of kernel-mode code in order to determine exactly what’s going on. (Note that you can also poke around in your system’s BIOS to see whether you’re able to find any references to "hardware virtualization" or "VMX", etc.)

Here are the results for my personal netbook:

[Screenshot: SecurAble results for the personal netbook]

If you click on one of the three results it will tell you in greater detail what is going on.

64-Bit Processing Available

This processor does offer 64-bit modes of operation. This means that this system is able to run the significantly more secure 64-bit versions of Microsoft’s Windows XP and Vista operating systems.

The biggest challenge for 64-bit Windows systems is the fact that existing 32-bit device drivers cannot be used by the 64-bit operating system kernel. So if you do plan to try switching to 64-bit Windows, you should be sure to have a means for reverting to 32-bit operation if your system’s hardware turns out to be incompatible with 64-bit operation. Many people have reverted to 32-bit operation after bravely giving 64-bits a try for a short time.

Hardware DEP Disabled!!

This processor does offer hardware support for valuable Data Execution Prevention (DEP) … but it has been disabled.

Hardware DEP support is so important and powerful that Microsoft has obtained the commitment from all system manufacturers to begin enabling DEP support in all system BIOSes. However, early BIOSes either disabled hardware DEP in the interest of compatibility, or allow their users to optionally enable it through BIOS setup screens … but still disable it by default.

SecurAble has confirmed that this system’s processor does offer valuable support for hardware DEP, but that it has been deliberately disabled by the BIOS. You should shutdown and restart this system, and enter the BIOS setup screens as the system restarts. Then locate and enable the system’s support for "Execution Disable" or "No Execute Bit" or something similarly named. Then restart your system and re-run this utility to verify that hardware DEP support has been enabled. (And please also click the Hardware D.E.P. icon again to receive additional help for the next steps to take.)

If you are unable to locate anything in your BIOS to allow hardware DEP support to be enabled please keep an eye out for our follow-on utility, DEPuty, which will provide solutions for users having very stubborn BIOSes.

No Hardware Virtualization

This processor does not offer advanced hardware support for hardware virtualization.

There is some suggestion that future operating systems of all sorts (Linux, Mac, Windows, etc.) may be able to use hardware virtualization to indirectly enforce greater security upon the operating system’s "kernel" by preventing it from being modified as a means for thwarting dangerous "root kit" style exploits.

The idea is that our future operating systems would always be running inside a virtual machine under the watchful eye of an OS "hypervisor." This has not been practical before now, without hardware support for virtualization, because virtualization required too much real-time involvement of software which introduced an unacceptable amount of overhead and slowed everything down. Hardware virtualization means that virtual machines – and even the entire operating system running inside a virtual machine container – would be able to run at 100% full speed, thus making a persistent security-oriented OS "hypervisor" practical for the first time.

But don’t hope for this to ever help with the security of 32-bit Windows platforms. Due to the amount of kernel modification already being done by benign kernel drivers in 32-bit versions of Windows, "hypervisory kernel locking" could only ever be implemented under 64-bit versions of Windows where kernel modification has always been actively prohibited. And due to serious compatibility problems inherent in 64-bit systems, it’s also not at all clear (at the start of 2007) how quickly, or even whether, 64-bit Windows will become practical on the desktop.

However, the other current and real security-related application for hardware virtualization is for running your own virtual machines – at 100% full speed – on top of your host operating system. This is possible today with commercial and completely free software from Microsoft, VMware and Parallels. This has an indirect, though strongly positive, impact upon security since possibly unsafe activities such as Internet surfing or peer-to-peer file sharing can be 100% contained within the virtual environment to make online activities much safer.

This can still be done, of course, without hardware virtualization support, but the virtual machine environment as well as the hosting operating system will be running at substantially less than full speed.

Pretty cool, eh?
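The three results above map onto a handful of CPUID feature bits, and the "locked on, locked off, or neither" state for VMX maps onto one model-specific register that only kernel-mode code can read. The C program below is an added example, not SecurAble's code or the author's; the struct and function names are hypothetical, and it assumes GCC or Clang on an x86 machine for the live query.

```c
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>              /* GCC/Clang wrapper for the CPUID instruction */
#endif

struct cpu_caps { int long_mode, nx, vmx, svm; };

/* Decode raw CPUID registers: ecx1 is leaf 1 ECX;
   ecx_ext and edx_ext are leaf 0x80000001 ECX and EDX. */
struct cpu_caps decode_caps(uint32_t ecx1, uint32_t ecx_ext, uint32_t edx_ext)
{
    struct cpu_caps c;
    c.long_mode = (edx_ext >> 29) & 1;  /* 64-bit long mode               */
    c.nx        = (edx_ext >> 20) & 1;  /* NX / XD bit, i.e. hardware DEP  */
    c.vmx       = (ecx1    >>  5) & 1;  /* Intel VT-x (VMX)                */
    c.svm       = (ecx_ext >>  2) & 1;  /* AMD-V (SVM)                     */
    return c;
}

/* IA32_FEATURE_CONTROL (MSR 0x3A) on Intel: bit 0 = lock, bit 2 = VMX
   enabled outside SMX. Reading the MSR needs ring 0, so this function
   only decodes a value obtained elsewhere (e.g. by a driver). */
enum vmx_state { VMX_UNLOCKED, VMX_LOCKED_ON, VMX_LOCKED_OFF };

enum vmx_state decode_feature_control(uint64_t msr)
{
    if (!(msr & 1u))
        return VMX_UNLOCKED;            /* firmware left the choice open */
    return (msr & (1u << 2)) ? VMX_LOCKED_ON : VMX_LOCKED_OFF;
}

int main(void)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned a, b, d, c1 = 0, ce = 0, de = 0;
    __get_cpuid(1, &a, &b, &c1, &d);            /* returns 0 if leaf missing */
    __get_cpuid(0x80000001u, &a, &b, &ce, &de);
    struct cpu_caps c = decode_caps(c1, ce, de);
    printf("64-bit long mode : %s\n", c.long_mode ? "yes" : "no");
    printf("NX / hardware DEP: %s\n", c.nx ? "yes" : "no (or firmware-disabled)");
    printf("VMX or SVM       : %s\n", (c.vmx || c.svm) ? "yes" : "no");
#else
    puts("CPUID is only available on x86 processors");
#endif
    return 0;
}
```

On Intel processors a firmware "Execute Disable" switch that is turned off also clears the NX bit in CPUID, so a user-mode check like this one cannot tell "not supported" from "disabled by the BIOS". The VMX bit can likewise read 0 when the program runs as a guest under a hypervisor.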
