
Several software packages on our SOE Windows machines come with DEP and ASLR memory protections off by default. More troubling is that these applications run as SYSTEM and load their own drivers.

Given that these are expected memory protections and these are modern applications, is there any reason why they would/should be disabled for applications?

Am I, as an administrator, able to forcibly enable them without? What is the risk of having such applications in the environment?

NULLZ

2 Answers


DEP/ASLR is just a layer of security. It doesn't secure you against everything, and against any sophisticated attack in particular. Contrary to what @ConsideredHarmful thinks, DEP/ASLR being disabled alone isn't a vulnerability, as DEP/ASLR just adds a layer of complexity to an attack by randomising memory locations.

The security paradigm in general should be not to try to come up with a single "indestructible" layer of security, but instead to apply as many layers of security as possible, so that if one layer is compromised, the other layers would protect. Just like democracy! With ASLR/DEP disabled, you make it easier for a potential attacker to attack, but this isn't the end of the world.

tabdiukov

The risk of such applications being in your environment is trivial escalation of exploitable memory corruption in the application to arbitrary code execution as SYSTEM. This is likely a compile-time fail as there aren't really compelling reasons for modern applications to disable ASLR (particularly if they're loading unmanaged code such as drivers). Furthermore, if they're loading drivers the attack surface for memory corruption is much larger than pure managed code.

I would not allow these applications on security-critical devices in my environment.
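Added example, not part of the question or either answer: the question asks whether an administrator can force DEP/ASLR on, and the second answer suggests the gap is a compile-time choice. The script below covers both halves of that workflow. First it reads the DllCharacteristics field of each PE file's optional header to see whether the linker set DYNAMIC_BASE (ASLR opt-in) and NX_COMPAT (DEP opt-in), which is what the loader honours by default. Then it uses the Windows Defender Exploit Protection cmdlets (Set-ProcessMitigation / Get-ProcessMitigation, Windows 10 1709 and later) to force the mitigations on for a process image regardless of what the binary asked for. The directory `C:\Program Files\ExampleVendor` and the image name `exampleagent.exe` are placeholders. Note that these cmdlets set process mitigation policy; they do not change how kernel drivers the package loads are handled.

```powershell
# Added example (not from the original question or answers).
# Step 1: parse compile-time DEP/ASLR opt-in flags straight from the PE header.
function Get-PeMitigationFlags {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) {
        throw "$Path is not an MZ executable"
    }
    # e_lfanew at offset 0x3C points at the "PE\0\0" signature.
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
    if ([BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x00004550) {
        throw "$Path has no PE signature"
    }
    # 4-byte signature, then the 20-byte COFF header, then the optional header.
    $optHeader = $peOffset + 4 + 20
    $magic     = [BitConverter]::ToUInt16($bytes, $optHeader)     # 0x10B = PE32, 0x20B = PE32+
    # DllCharacteristics is at optional-header offset 70 for both PE32 and PE32+.
    $dllChars  = [BitConverter]::ToUInt16($bytes, $optHeader + 70)

    [PSCustomObject]@{
        Path          = $Path
        Is64Bit       = ($magic -eq 0x20B)
        HighEntropyVA = [bool]($dllChars -band 0x0020)  # IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
        DynamicBase   = [bool]($dllChars -band 0x0040)  # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (ASLR)
        NxCompat      = [bool]($dllChars -band 0x0100)  # IMAGE_DLLCHARACTERISTICS_NX_COMPAT (DEP)
        NoSeh         = [bool]($dllChars -band 0x0400)  # IMAGE_DLLCHARACTERISTICS_NO_SEH
        GuardCF       = [bool]($dllChars -band 0x4000)  # IMAGE_DLLCHARACTERISTICS_GUARD_CF
        RawFlags      = ('0x{0:X4}' -f $dllChars)
    }
}

# Audit every user-mode image under the (placeholder) vendor directory and list
# the ones that opted out of ASLR or DEP at link time.
$findings = Get-ChildItem 'C:\Program Files\ExampleVendor' -Recurse -Include *.exe, *.dll |
    ForEach-Object { Get-PeMitigationFlags -Path $_.FullName } |
    Where-Object { -not ($_.DynamicBase -and $_.NxCompat) }
$findings | Format-Table Path, DynamicBase, NxCompat, HighEntropyVA, GuardCF, RawFlags -AutoSize

# Step 2: force the mitigations on for the offending process image (placeholder
# name). DEP turns on hardware NX for the process; ForceRelocateImages is
# mandatory ASLR for images that lack DYNAMIC_BASE; BottomUp and HighEntropy
# randomise bottom-up allocations. Test this on a pilot machine first: forcing
# relocation can break images whose relocation data was stripped.
Set-ProcessMitigation -Name 'exampleagent.exe' -Enable DEP, ForceRelocateImages, BottomUp, HighEntropy

# Step 3: verify what a running instance actually got, not just the stored policy.
Get-ProcessMitigation -Name 'exampleagent.exe' -RunningProcesses
```

The header check is the cheap way to confirm the second answer's "compile-time" hypothesis across a whole package; the policy step answers the administrator's question, with the caveat that mandatory ASLR is an override the vendor never tested, so the application itself still needs to be exercised afterwards. System-wide defaults can be set the same way with `Set-ProcessMitigation -System -Enable DEP, BottomUp, HighEntropy` and inspected with `Get-ProcessMitigation -System`.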