
AD2053: AllowIsolation

Summary

| Property | Value |
|---|---|
| ID | AD2053 |
| Name | AllowIsolation |
| Category | Security |
| Severity | Warning |
| Applies to | PE (Windows) |

Description

Binaries should allow isolation (i.e., not have the NO_ISOLATION flag set) to enable proper Windows manifest-based features including User Account Control (UAC) manifests and side-by-side assembly loading.

How It Works

The rule checks if the IMAGE_DLLCHARACTERISTICS_NO_ISOLATION (0x0200) flag is set in the PE optional header's DLL characteristics. When this flag is NOT set, the binary properly supports isolation.
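As an added example (not the rule's own implementation), the following Python parser walks the MZ header to the PE signature, locates the optional header and tests the NO_ISOLATION bit. The header-only PE32+ image it builds is constructed for the demonstration and is not loadable.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_NO_ISOLATION from the PE specification (the bit AD2053 checks).
IMAGE_DLLCHARACTERISTICS_NO_ISOLATION = 0x0200

# Fixed offsets from the PE specification.
E_LFANEW_OFFSET = 0x3C          # in the MZ (DOS) header: file offset of "PE\0\0"
COFF_HEADER_SIZE = 20
DLLCHARACTERISTICS_OFFSET = 70  # same offset in PE32 (magic 0x10B) and PE32+ (magic 0x20B)


def read_dll_characteristics(pe: bytes) -> int:
    """Return the DllCharacteristics field of a PE image's optional header."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, E_LFANEW_OFFSET)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    (size_of_optional_header,) = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + COFF_HEADER_SIZE
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unexpected optional header magic 0x{magic:x}")
    if size_of_optional_header < DLLCHARACTERISTICS_OFFSET + 2:
        raise ValueError("optional header too short to contain DllCharacteristics")
    (dll_chars,) = struct.unpack_from("<H", pe, opt + DLLCHARACTERISTICS_OFFSET)
    return dll_chars


def allows_isolation(pe: bytes) -> bool:
    """AD2053 passes when the NO_ISOLATION bit is clear."""
    return not (read_dll_characteristics(pe) & IMAGE_DLLCHARACTERISTICS_NO_ISOLATION)


def build_minimal_pe(dll_characteristics: int) -> bytes:
    """Construct a header-only PE32+ image for testing (parseable, not loadable)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, 64)  # PE signature right after the DOS header
    # COFF header: x64 machine, 0 sections, 240-byte optional header, EXECUTABLE_IMAGE|LARGE_ADDRESS_AWARE
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x0022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)  # PE32+ magic
    struct.pack_into("<H", opt, DLLCHARACTERISTICS_OFFSET, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Constructed values: 0x8160 = HIGH_ENTROPY_VA | DYNAMIC_BASE | NX_COMPAT | TERMINAL_SERVER_AWARE
    print("default flags allow isolation:", allows_isolation(build_minimal_pe(0x8160)))
    print("with NO_ISOLATION set:", allows_isolation(build_minimal_pe(0x8160 | 0x0200)))
```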

Why This Matters

Manifest Processing

Windows uses application manifests for several important features:

  1. UAC elevation requests: The requestedExecutionLevel manifest element controls how UAC handles the application
  2. Side-by-side assemblies: Manifests specify which versions of shared assemblies (like Visual C++ runtime) to load
  3. DPI awareness: Manifest settings control high-DPI scaling behavior
  4. Common Controls v6: Enable visual styles through manifest

When NO_ISOLATION is set, Windows ignores the application manifest, potentially causing:

  • Missing UAC prompts or running with the wrong privileges
  • Loading the wrong versions of DLLs
  • Visual style issues
  • Accessibility problems

When NO_ISOLATION Might Be Used

The /ALLOWISOLATION:NO linker option (or setting this flag directly) is rarely needed. Some legacy scenarios include:

  • Very old applications with incompatible manifest requirements
  • Specific COM interop scenarios
  • Debugging manifest issues

Performance Considerations

Allowing isolation has no runtime performance impact:

| Aspect | Impact |
|---|---|
| Runtime overhead | None |
| Startup time | Negligible manifest parsing |
| Memory usage | None |

Why there's no overhead:

  • Manifest processing happens once at load time
  • The flag only controls whether Windows reads the manifest
  • No ongoing runtime checks

There is no performance reason to disable isolation. Disabling it only removes functionality.

Resolution

Ensure Isolation Is Enabled (Default)

In most cases, simply don't disable isolation:

# Do NOT use these linker options:
# /ALLOWISOLATION:NO

The default behavior is to allow isolation.

In Visual Studio

  1. Open project Properties
  2. Go to Linker → Advanced
  3. Set Allow Isolation to Yes (or leave as default)

Verify With dumpbin

dumpbin /headers myapp.exe | findstr /C:"DLL characteristics" /C:"No Isolation"

dumpbin lists the individual flags on the lines following the DLL characteristics value, so the output should NOT include a No Isolation line.

  • AD2029: Enable Integrity Check
  • AD2015: Enable High Entropy VA
