Gateway Security (Windows Embedded CE 6.0)
1/5/2010
The Gateway design template has potential security risks because it allows multiple devices on a private or internal network to have access to a larger public or external network, typically the Internet. A gateway can also provide many different network services. When creating a gateway, you should be careful to only include and enable the minimum amount of services that are required for your OS design. You should make sure that only privileged applications will run on the gateway device.
For more information about security issues that can affect a gateway, see the following topics:
- File Server Security
- FTP Server Security
- ICS Security
- IPv6 Security
- IP Firewall Security
- Network Bridging Security
- Print Server Security
- Reference Gateway User Interface Security
- Remote Configuration Framework Security
- SNTP Security
- TCP/IP Security
- USB Flash Config Tool Security
- Web Proxy Security
- Web Server Security
- **
Best Practices
.gif "Ee480921.collapse(en-US,WinEmbedded.60).gif")
Enable a firewall on your network device
For enterprise environments, Microsoft recommends the use of a network firewall with intrusion protection, such as Microsoft Internet Security and Acceleration (ISA) Server. For more information, visit this Microsoft Web site.
For non-enterprise environments or for added protection, Microsoft recommends that you include and configure the Windows Embedded CE Firewall on the network device. For more information about the Windows Embedded CE IP Firewall and how to configure it, see Firewall.
For information about configuring the IP firewall to properly manage traffic destined for an internal network, see IP Firewall Reference.
Enable broadcast forwarding only if a firewall is present on the gateway device
If no firewall is present and enabled, enabling broadcast forwarding can pose a security threat to clients on a private network. Broadcast forwarding is required to support Network Address Translation (NAT) broadcast port mappings. To enable broadcast forwarding on your firewall-protected gateway device, under the [HKEY_LOCAL_MACHINE\COMM\Tcpip\Parms] registry key, set the ForwardBroadcasts registry value of type DWORD to 1.
Use authentication and user access lists for the Web server
The gateway, by default, does not implement different user privilege levels. Any user with physical access to the gateway device may be able to impact the device. To prevent potential attacks, it is important that you configure user permissions and access rights on the gateway Web server. Failing to do so could result in exposure of the device to remote attacks.
Use NTLM and/or a basic authentication mechanism to limit access to known users only. You can configure user access in the HKEY_LOCAL_MACHINE\COMM\HTTPD registry key. Carefully choose the virtual roots and limit access to the appropriate files by providing appropriate user access lists. Unknown users with access to the virtual root may be able to access files and directories within that virtual root. For more information, see Web Server Authentication and Permissions.
Enable logging on your Gateway device
To maintain a log of all events that occur on the public and private side of your network, enable logging on your gateway device. For more information, see Gateway Logging.
Default Registry Settings
You should be aware of the registry settings that impact security. If a value has security implications you will find a Security Note in the registry settings documentation.
For information about Gateway registry settings, see Gateway Registry Settings.