Servicing with Windows XP Embedded with Service Pack 2
by Katherine Enos
Applies to Microsoft® Windows® XP Embedded
Providing a device servicing solution is critical to the security of a device. This white paper describes the servicing solutions that Microsoft® Windows® XP Embedded with Service Pack 2 supports. These include Microsoft Windows XP Embedded Device Update Agent, Microsoft® Software Update Services version 2.0 client, and Microsoft® Systems Management Server 2003 Advanced Client.
A major goal for Microsoft® Windows® XP Embedded with Service Pack 2 (SP2) was to provide an increasingly secure platform for embedded device development. To meet this goal, Windows XP Embedded with Service Pack 2 incorporates the full spectrum of security changes that Windows XP Professional Service Pack 2 provides.
Building security into a device is a complex task that continues over the life of the device, however. It is not enough to add security components to a run-time image. To maintain a reasonable level of security, your device must be deployed with a servicing strategy.
Windows XP Embedded with SP2 offers support for the following run-time management and servicing technologies:
- Microsoft Windows XP Embedded Device Update Agent (DUA)
- Microsoft® Software Update Services version 2.0
- Microsoft® Systems Management Server 2003
This white paper briefly describes and compares these technologies.
It is impossible to completely secure a device. But you can and should design your run-time image to reduce your exposure to attack. Designing security into devices requires balancing the device scenarios that you want to support with the level of security that you need to provide. A risk reduction strategy can be broken down into the following steps:
- Reduce footprint. Use only the components that are required by your device or run-time image. Footprint reduction limits your vulnerability to attack by restricting the exposed surface area.
- Secure your run-time image. Use Enhanced Write Filter (EWF) to write-protect disk volumes. Disable services that your run-time image does not require. Close ports that your device will not use.
- Include a servicing strategy. No security plan is complete without a servicing strategy. Your design process should include a means for run-time management and servicing throughout the life of your device.
Windows XP Embedded with SP2 addresses each of these steps. This release of Windows XP Embedded provides increased support for footprint reduction by listing component dependencies in the revised Component Help documentation. Windows XP Embedded with SP2 provides a stronger foundation for securing your run-time image by incorporating Microsoft® Windows® XP Professional SP2 security changes. Finally, Windows XP Embedded with SP2 supports new technologies that you can use to service deployed devices. These technologies are described and compared in the following sections.
For more information about footprint reduction, see Footprint in the Windows XP Embedded documentation.
For more information about securing a network device, see Network Security Considerations in the Windows XP Embedded documentation. For information about how to secure a run-time image, see How to Protect Your Run-Time Image in the Windows XP Embedded documentation.
To learn more about Microsoft's approach to patch management, see the white paper entitled Understanding Patch and Update Management: Microsoft's Software Update Strategy, on the Microsoft Web site.
Windows XP Embedded with SP2 offers new support for embedded run-time management and servicing. Windows XP Embedded now supports several servicing solutions, including:
- Microsoft Windows XP Embedded Device Update Agent (DUA)
- Microsoft Software Update Services (SUS)
- Microsoft Systems Management Server (SMS)
The following table provides a quick reference and comparison of the Windows XP Embedded servicing options, including the option to update from CD-ROM. The following topics describe these management and servicing options in greater depth.
|Option||Benefit||Cost||Pros and cons|
|Device Update Agent (DUA)
A Windows XP Embedded product for patch management.
|Provides a robust servicing solution. Created for Windows XP Embedded.||Included in both Windows XP Embedded with SP1 and in Windows XP Embedded with SP2.||Pros: Small footprint. Complete control over installation of the updates.
Cons: Can only use with Windows XP Embedded.
|Software Update Services (SUS)
An enterprise technology for servicing.
|Uses an intelligent management schema for updating devices.||The client component is free. See the SUS Web site for information about the cost of the server component.||Pros: Enterprise-level servicing solution that works with both Windows XP Professional and Windows XP Embedded. Provides autoscan capabilities to check for deployed security updates.
Cons: Uses only security updates that are provided by Microsoft.
|Systems Management Server (SMS)
An enterprise technology for management and servicing.
|Uses an integrated management schema for updating devices.||The client component is free. See the SMS Web site for information about the cost of the server component.||Pros: Enterprise-level managing and servicing solution for Microsoft Windows. Provides reporting and scheduling capabilities.
Cons: Does not provide patch scanning.
Used to manually update devices.
|Provides a controlled update mechanism.||Free.||Pros: Extremely reliable.
Cons: Resource intensive.
Device Update Agent
Windows XP Embedded provides a servicing solution in Device Update Agent (DUA), a robust, small-footprint service for updating deployed devices. The DUA service performs administrative tasks including copying files, creating registry keys, and executing processes.
DUA works by polling a remote or local path for a script file and then executing it. You can build your own scripts or redistribute the DUA script compiler. The Device Update Agent component is included in the Windows Embedded Studio component database. The documentation for Windows XP Embedded with SP2 provides detailed supporting information for DUA, including how-to topics and a tutorial.
DUA was created by the Windows XP Embedded product team specifically for embedded scenarios. Unlike Microsoft Software Update Services (SUS) and Microsoft Systems Management Server (SMS), DUA requires no purchase other than Windows XP Embedded. The DUA servicing solution also meets the small-footprint requirements of embedded devices.
For more information about DUA, see Device Update Agent in the Windows XP Embedded documentation.
Microsoft Software Update Services
Windows XP Embedded with SP2 provides support for Microsoft Software Update Services (SUS). SUS provides a complete servicing solution for the distribution of Windows updates to Windows clients, including Windows XP Embedded. SUS scans deployed devices and then downloads the necessary security updates to those devices. You can configure this process to work automatically, and can manage it remotely.
To use SUS as your servicing solution, you must set up and configure a SUS server on the intranet at your enterprise location. Windows Automatic Update must also be enabled. The configured SUS server component provides you with a Windows Update Server that polls the Microsoft Windows Update Web site and downloads the available updates. SUS uses Internet Information Services (IIS) and Background Intelligent Transfer Service (BITS) to download updates to clients.
After the SUS server is created, an administrator manages the update process. Administrative tasks include configuring Group Policy on deployed devices, and testing and approving Windows updates for distribution to deployed devices. SUS can be configured so that the user is queried before an update is downloaded, or updates can be silently installed.
Using Windows XP Embedded with SUS instead of directly with Windows Update provides some benefits. For example, SUS:
- Works automatically.
- Optimizes network bandwidth.
- Controls the distribution of updates.
- Provides installation reports for updates.
The distribution capabilities of SUS are limited, however, to security updates. SUS does not distribute device drivers or other updates from the Windows Update Web site at http://www.windowsupdate.com.
Like Microsoft Systems Management Server (SMS), SUS scales to the enterprise and requires purchases above the cost of Windows XP Embedded. However, SUS does not offer the broad management capabilities that SMS provides. And, in contrast to DUA, SUS is not a small-footprint solution.
For detailed information about using SUS to service embedded run-time images, see the white paper entitled Using SUS with Windows XP Embedded Service Pack 2, on the MSDN Web site.
For general information about SUS, see the Microsoft Software Update Services Web site.
Microsoft Systems Management Server
Microsoft Systems Management Server (SMS) provides security patch management and servicing capabilities. Embedded developers can now use SMS to manage the deployment of security patches to Windows XP Embedded-based devices. Client and server components for SMS are not included in the Windows Embedded Studio component database and must be separately obtained.
SMS includes useful capabilities for certain scenarios, making it possible to:
- Manage embedded devices as though they are desktop machines and servers.
- Monitor the update installation process.
- Generate a single status report tracking updates on all clients, servers, and embedded devices.
However, unlike the DUA feature of Windows XP Embedded, SMS does not provide a small-footprint patching solution. Like SUS, SMS scales to the enterprise and requires purchases above the cost of Windows XP Embedded. Unlike SUS, however, SMS provides a broad range of management capabilities for Microsoft Windows operating systems, including Windows CE. SMS also cannot currently scan devices for security update status.
For more information about SMS, see the Microsoft Systems Management Server Web site.
For more information about Windows XP Embedded, see the Windows XP Embedded documentation on the MSDN Web site.
For detailed information about security changes for Windows XP Professional Service Pack 2, see the white paper entitled Changes to Functionality in Microsoft Windows XP Professional Service Pack 2 on the Microsoft Web site.