Solved

DEP / PAE running on server?

Posted on 2010-09-15
Last Modified: 2013-11-10
Hi

I am running a Windows 2003 SP2 server, Enterprise edition. This is a virtual server.

If I go to System Properties, I can see "Physical Address Extension" listed under the memory info.

However, if I look at the boot.ini file, I can't see any PAE switch. The boot.ini is copied below:

WINDOWS="Windows Server 2003, Enterprise" /noexecute=optout /fastdetect

I've read that the optout switch means that DEP is enabled. And if DEP is enabled, PAE is enabled too automatically; we don't need to add an extra /PAE switch to the boot.ini file.

Could someone confirm if this is true?

The reason I ask is because we are in talks with a vendor to install a finance application on our servers, and they advise not to use PAE with their application. Why, I'm not sure.

Could someone advise:

i) What are the actual benefits of DEP
ii) Can we leave DEP running but disable PAE
iii) Is it recommended to have DEP with PAE disabled

Any help appreciated.
Question by:Joe_Budden
5 Comments
 
LVL 10

Accepted Solution

by:
LMiller7 earned 500 total points
ID: 33688530
1. DEP is a security feature. A common security exploit is to force the execution of arbitrary data as if it were code. DEP prevents this. Unless you have good reason to do otherwise, DEP should be enabled.

2. PAE has two primary features which can be enabled independently. Enabling DEP (as you specified in boot.ini) will load the PAE kernel, even without specifying the PAE switch. The PAE switch will load the PAE kernel but does not in itself enable DEP but permits accessing memory above the 4GB mark.

3. Having DEP enabled without specifying the PAE switch is a common situation. With modern 32 bit client systems this situation is almost universal. It is also common with servers. But if you wish to access more than 4GB RAM then the PAE switch is essential.

Specifying the PAE switch has few implications for applications, although there are exceptions.
DEP is far more likely to be a problem for applications. With your configuration DEP will be enabled for all applications except for those identified in the DEP configuration. If an application has issues with DEP you will need to specifically add it to the exception list.
0
 
LVL 1

Author Comment

by:Joe_Budden
ID: 33689186
Thanks LMiller.

Some follow up q's if that's cool...

1. Just to confirm, with my situation above, we do actually have PAE enabled don't we (albeit indirectly)?

2. Is it possible (and recommended) to have DEP but not PAE enabled (or, indeed, if it's possible to disable PAE on an app-by-app basis)?

3. Is it possible (and recommended) to have PAE but with DEP disabled for our app?

4. What does "/noexecute=optout /fastdetect" actually mean and do?
0
 
LVL 10

Expert Comment

by:LMiller7
ID: 33691109
1. The form of PAE that enables DEP is enabled. The form that enables memory above 4GB is not.

2. The situation with DEP enabled without the PAE switch is the default on almost all modern client systems and most servers as well. The PAE switch should not be enabled unless you need access to more than 4GB RAM when it is essential. The PAE switch is a global setting that cannot be disabled or enabled for individual applications.

3. Certainly.

4. "/noexecute=optout" means that DEP is enabled for all applications, except for those that are to be excluded. This would be recommended for servers running a limited number of applications - the usual case. "/fastdetect" is another switch with an entirely unrelated purpose.

"/noexecute=optin" means that DEP is enabled only for important system processes and others that have been explicitly selected. This is more common with client systems that typically run a wider set of applications.

Remember that there are two forms of PAE. One is associated with DEP, the other with memory above 4GB. They are independently selectable with only one thing in common - they both require the PAE kernel.
All combinations are possible and useful. DEP should be enabled unless you have a good reason to do otherwise.
0
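
Added example, not part of the original thread: a small Python check that reads a boot.ini entry and reports DEP and PAE state using the rules LMiller7 describes above. It assumes a 32-bit Windows Server 2003 kernel on a CPU with hardware NX support; `parse_switches` and `assess` are hypothetical names, and every sample entry other than the one quoted in the question is constructed.

```python
import re

# /noexecute values and their meaning as given in the answers above.
DEP_POLICIES = {
    "optin": "DEP only for system processes and explicitly selected programs",
    "optout": "DEP for everything except programs on the exception list",
    "alwayson": "DEP for everything, no exceptions",
    "alwaysoff": "DEP disabled",
}

def parse_switches(entry):
    """Return {switch: value or None} for one [operating systems] line."""
    # Drop the quoted description so a '/' inside it is not read as a switch.
    tail = re.sub(r'"[^"]*"', "", entry)
    found = re.findall(r"/([A-Za-z0-9]+)(?:=([^\s/]+))?", tail)
    return {name.lower(): (value.lower() or None) for name, value in found}

def assess(entry):
    """Summarise DEP/PAE state for a boot entry, following the thread's rules.

    Assumption: 32-bit Server 2003 kernel on an NX-capable CPU.
    """
    sw = parse_switches(entry)
    policy = sw.get("noexecute")  # None when absent or given without a value
    if policy is not None and policy not in DEP_POLICIES:
        raise ValueError("unknown /noexecute value: " + policy)
    dep_on = policy in ("optin", "optout", "alwayson")
    pae_switch = "pae" in sw
    return {
        "dep_policy": policy or "not specified",
        "dep_meaning": DEP_POLICIES.get(policy),
        "dep_enabled": dep_on,
        "exception_list_applies": policy == "optout",
        "pae_kernel_loaded": dep_on or pae_switch,  # DEP pulls in the PAE kernel
        "memory_above_4gb": pae_switch,             # needs the explicit /PAE switch
    }

# The entry quoted in the question (the page shows it without its ARC path).
PAGE_ENTRY = 'WINDOWS="Windows Server 2003, Enterprise" /noexecute=optout /fastdetect'
# Constructed entries for comparison.
SAMPLES = [
    'WINDOWS="Constructed: PAE only" /NoExecute=AlwaysOff /PAE /fastdetect',
    'WINDOWS="Constructed: /pae in the description" /noexecute=optin',
]

if __name__ == "__main__":
    for line in [PAGE_ENTRY] + SAMPLES:
        print(assess(line))
```

For the entry in the question this reports DEP enabled with the exception list in effect, the PAE kernel loaded, and no access to memory above 4GB, which matches the answer to follow-up question 1.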
 
LVL 1

Author Comment

by:Joe_Budden
ID: 33691711
Thanks again.

I assume that when the vendor stated that their application had issues with PAE, they meant the version that supports > 4GB memory on x32 machines.

I did have one last question on this comment:

"Specifying the PAE switch has few implications for applications, although there are exceptions.
DEP is far more likely to be a problem for applications"

From your experience, what sort of problems occur with applications that have issues with DEP? What sort of problems would signify that DEP was the cause?
0
 
LVL 10

Expert Comment

by:LMiller7
ID: 33692000
An application that has a problem with DEP would crash, with a message identifying DEP as the cause.

DEP prevents the execution of data as if it were code. Any attempt to do this will trigger an exception and terminate the application to prevent what may be a security exploit. The problem is that this is sometimes done in applications for entirely legitimate purposes. This is most common with older applications written before the introduction of DEP.
0

Question has a verified solution.