Web Server Security (Compact 2013)
3/26/2014
The web server is designed to run over a network and function as an extensible network server. This topic covers the security risks and best practices for configuring the web server.
The web server has the following potential security risks:
- It can run on a network. If the device is run on a public network, such as the Internet, and the security of the device is compromised, it could expose the device or the local network to the public network.
- It can function as a network server. If the security of the web server is compromised, it could expose the device or local network to multiple remote clients.
- It is extensible. If the extensions do not use the correct security and authentication procedures, they could compromise the security of the device or the local network.
Best Practices
Limit deployment to ten connections at the same time
A typical deployment uses a web server in a private network to provide a remote user interface to configure a headless device. The registry defines the number of connections and when the MaxConnections registry value is not set, the registry limits the number to 10.
Do not use the web server to perform critical operations
A typical deployment uses the web server to display status information or to host a family or community web site. You should not use the web server to perform critical operations, such as computer control or financial processing.
Use authentication
Use the NTLM or Basic authentication mechanism to limit access to known users only. You can set the option in the HKEY_LOCAL_MACHINE\COMM\HTTPD registry key. For specific security information, see Base Registry Settings. For more information about authentication, see Web Server Authentication and Permissions.
Use Secure Sockets Layer (SSL)
The SSL protocol helps protect data from packet sniffing by anyone with physical access to the network. For more information, see SSL Support.
Use user access lists
Carefully select your virtual roots and limit access to the appropriate files by providing appropriate user access lists. Anonymous users who have access to the virtual root may be able to access files and directories within that virtual root. You can set the options in HKEY_LOCAL_MACHINE\COMM\HTTPD\VROOTS registry key. For specific security information, see Virtual Path Registry Settings. See also Web Server Authentication and Permissions.
Remove or disable sample ISAPIs and other development tools when you create the release image.
Some sample ISAPIs that you include in your device could allow unauthorized users to access the system resources or protected data. Many of the samples provided are for development and debugging only and pose a significant security risk if deployed on a public network.
Enable a firewall on the network device
For enterprise environments, we recommend the use of a network firewall with intrusion protection, such as Microsoft Internet Security and Acceleration (ISA) Server. For more information, visit this Microsoft Web site.
For non-enterprise environments or for added protection, we recommend that you include and configure the Windows Embedded Compact IP firewall on the network device. For more information about how to configure the Windows Embedded Compact IP firewall, see Firewall Service.
Default Web Server Registry Settings
You should be aware of the registry settings that affect security. In the registry settings documentation you will find a Security Note for those values with security implications.
For more information about web server registry information in Windows Embedded Compact, see Web Server Registry Settings.
Web Server Ports
The following table shows the ports that the web server uses.
For more information, see Web Server Registry Settings.
Port number |
Registry values |
|---|---|
80 |
Port value in HKEY_LOCAL_MACHINE\COMM\HTTPD |
443 |
Port value in HKEY_LOCAL_MACHINE\COMM\HTTPD\SSL |