Advanced Security Concepts (Standard 2009)

4/24/2012

Microsoft Corporation

November 2009

Summary

Windows Embedded Standard 2009 offers developers a componentized version of the Windows XP operating system. You can choose exactly those components required to complete your design requirements with a reduced footprint. This article presents a technical overview of important security considerations in the componentized environment offered by Windows Embedded Standard 2009.

Introduction

Unique Security and Reliability Benefits

Security Considerations for Baseline Configurations

Embedded Device Threats and Vulnerabilities

Mapping Security Features to Components

Security Review Checklist

Conclusion

Introduction

Windows Embedded Standard 2009 is based on the same binary files as Windows XP Professional. Windows Embedded Standard 2009 enables you to rapidly develop reliable and full-featured connected devices.

The Windows Embedded Standard 2009 component database includes approximately 15,000 components. You can build Windows Embedded Standard 2009 run-time images that range from basic kernel-only configurations with minimal security requirements, to full-featured devices that contain networking, multimedia, security, and other features typically found on a computer with Windows XP Professional installed.

Unique Security and Reliability Benefits

Windows Embedded Standard 2009 inherits all of the security features available in Windows XP Professional. In addition, Windows Embedded Standard 2009 offers the following benefits:

1. Less code — You can omit components that are not required by your product, therefore reducing operating system (OS) complexity and increasing reliability.
2. Less hardware — You can include only the hardware you need in your design to increase reliability. This also translates into a more secure system because there are fewer hardware access points.
3. Total control of access points — You can control the input and output devices exposed to the user, which allows you to specify the devices you want to support. The embedded device can also be configured as a closed system, which means devices can be selectively supported. For example, you can prevent the support of externally accessible devices such as USB devices, mouse, keyboard, game controllers, floppy-disk drive, and networking through careful selection of device-driver components.
4. Single-purpose configuration — You can configure your device to serve a single purpose. You can control which applications run on the device and whether third-party applications can be installed, therefore reducing the possibility of application-compatibility problems or security attacks.
5. Reduced network vulnerability — You can reduce your security vulnerability by selecting only those components you require for your target device. For example, unless it is required for maintenance purposes, you can remove network Telnet functionality, which might otherwise offer an attacker an entry point.
6. Prevent modifications to system data or applications — You can use the Enhanced Write Filter (EWF) or the File-Based Write Filter (FBWF) component to make a read-only storage volume appear to the OS as a read/write device. This is accomplished by redirecting disk-write activity to an alternate, writable storage location, such as system memory, or to a special disk-overlay partition. For example, the El Torito CD-ROM boot component, when used with EWF configured to redirect disk-write activity to system memory, allows you to boot from a read-only CD-ROM.
7. Prevent installation of rogue applications — You can use EWF or FBWF to prevent installation of rogue applications, and prevent other permanent configuration changes. If the design contains no read/write storage device, the design is considered stateless between boots because the system is guaranteed to boot the same way each time. Any changes made to the OS between boots are maintained only in system memory and lost when the system restarts. For example, this technique is used in gaming devices, which are required by law in some states, to retain no information between system boots.
8. Backup and restore benefits — The following two benefits allow you to create a more secure backup and restore environment:
   1. Faster system backup and restore. Backup and restore are typically faster and more reliable because of the reduced storage footprint of your device.
   2. Default restore. When used, the stateless El Torito CD-ROM system automatically causes the system to restore to its original state when the system is rebooted or power cycled. This eliminates special backup and restore procedures and the corresponding security concerns associated with backup and restore.
9. Does not require moving parts — You can make your design more rugged by using storage devices that do not have hard drives, such as Disk-On-Chip, flash devices, and other silicon-based storage devices.
10. Simplified design, test, and validation — A reduced footprint design reduces system testing, allowing you to allocate more time for testing your embedded application.

Security Considerations for Baseline Configurations

You can use Target Designer to build your base design configuration by using one of the following baseline configurations:

1. Kernel-only — The Kernel-only configuration does not support the Microsoft Win32 application programming interface (API) and contains no built-in security features or tools.
2. Minlogon — The Minlogon configuration uses a less robust logon process compared to Winlogon. By default, Minlogon does not include the Local Security Authority Subsystem process (LSASS).
   Make sure that you do not require LSASS user authentication before choosing Minlogon.
   Without LSASS, Minlogon lacks the interactive logon and authentication features that are present in standard Windows XP Professional, and always logs on the user as the SYSTEM user.
   Target Designer can include the LSASS component in your run-time image even though you selected the Minlogon component. This happens if other components have a dependency on LSASS, or if you manually added the LSASS component.
   The LSASS component has a low display visibility setting so you must reduce the visibility level to see it displayed in Target Designer. For more information, see the Windows Embedded Standard 2009 Help documentation.
3. Winlogon — The Winlogon configuration uses the standard Windows logon process that ships with Windows XP Professional.
   In Windows XP Professional, Session Manager (Smss.exe) is the first user-mode process created in the system. Session Manager in turn launches the Windows subsystem process and the standard Windows logon process. The standard Windows logon process requires LSASS.
   LSASS is a user-mode process responsible for the following areas:
   1. The local system security policy, such as which users are allowed to log on to the computer, password policies, privileges granted to users and groups, and the system security auditing settings.
   2. User authentication.
   3. Sending security audit messages to the event log.

Certain components that you add to your design might require the Winlogon baseline configuration, even if you originally specified the kernel-only, or Minlogon, configuration. These components express their requirement as a component dependency on Winlogon, which will result in the Winlogon component being automatically added to your design when you run a Target Designer dependency check.

Note

The default user password is blank and should be changed to a strong password to ensure proper authentication security. For more information see Strong Passwords.

The following table shows the available design templates and whether they support Minlogon or Winlogon.

Design template	Minlogon	Winlogon
Windows-based Terminal Professional		X
Information Appliance		X
Basic Set-Top Box	X	X
Digital Set-Top Box	X	X
Advanced Set-Top Box		X
Kiosk/Gaming Console	X	X
Home Gateway		X
Retail Point-of-Sale Terminal		X
Network Attached Storage		X

When choosing your design template, you should consider the following questions:

1. Who is your target user, and what level of access security is required?
2. If the device contains sensitive data, how is the data being secured or protected from being corrupted or compromised?
3. What security measures are in place with respect to any additional device(s) or user(s) that it communicates with?
4. In what ways could a malicious entity have physical access to the device? Is it adequately secured?

For more information, see the Windows Embedded Standard 2009 Help documentation.

Embedded Device Threats and Vulnerabilities

The book Writing Secure Code, by Michael Howard and David LeBlanc, offers practical information about secure design, secure coding, and testing techniques.

To implement the mitigation techniques in the book, you should map Windows XP security features to components as described in Mapping Security Features to Components.

Using the STRIDE model described in Writing Secure Code, the following table shows the major security threats and the corresponding Windows XP Professional security features that you can use to mitigate risk.

Threat	Description	Mitigation techniques
Spoofing identity	Illegally accessing a system either locally or remotely.	Authentication Support security features: Digest authentication; Passport authentication; Kerberos authentication, X.509 certificate authentication, and so on.
Tampering with data	Malicious modification of data.	Authorization Support and Tamper-resistance security features: Access control lists (ACLs), Privileges, Encrypted File System (EFS), IPSec, Digital signatures, and so on.
Repudiation	Users denying an action without allowing another party a way to prove otherwise.	Authentication Support, Authorization Support, and Security Support security features: Auditing, IPSec, Digital signatures, and so on.
Information disclosure	Exposing information to individuals who should not have access.	Authorization and Tamper-resistance security features: Authorization, Privacy-enhanced protocols, Encryption, and so on.
Denial of service	Denying service to valid users.	Internet Connection Security Support and API security features: Firewall, Authentication, Authorization, Filtering, Throttling, and so on.
Elevation of privilege	An unprivileged user gaining privileged access in order to compromise or destroy a system.	Authentication, Authorization and Security management security features: Group policy, software/system restrictions, and so on.

Mapping Security Features to Components

Windows Embedded Standard 2009 supports the same configurable security options as Windows XP Professional. Default security settings are defined in Defltwk.inf. To see how custom security settings can be applied to an embedded device, see Security in the System Design Guide.

The following tables contain information associated with Windows XP security features and how they relate to components. A feature requires a component that owns the key binary file as well as the component's dependencies.

Some of the listed components might not be visible. If that's the case, you will need to reduce the visibility in Target Designer in order to see them.

This section discusses these topics:

Authentication Support

Authorization Support

API Support

Tamper-Resistance and Data-Privacy Features on the Storage Media

Tamper-Resistance and Data-Privacy Features on the network

Wireless Security Support

Internet Connection Security Support

Security Management Support

Authentication Support

Authentication is a process where one user or device proves his or her identity to another principal, a user, or a device. The following table shows how authentication features are mapped to components.

Feature	Key binary file	Component
Common binaries (apply to each Authentication feature)	Lsass.exe, Lsasrv.dll	Local Security Authority Subsystem (LSASS)
	Secur32.dll	Primitive: Secur32
	Crypt32.dll	Primitive: Crypt32
	Cryptdll.dll	Primitive: Cryptdll
	Netapi32.dll	Primitive: Netapi32
	Netlogon.dll	Netlogon/NetJoin
Basic The native authentication mechanism built into HTTP. If used, you should require an SSL-encrypted link with strong server-side authentication to secure the connection.	Advapi32.dll	Win32 API - Advanced
Digest A simple Challenge and Response protocol. Intended to replace Basic authentication.	Wdigest.dll	Digest Authentication Security Package
NTLM Windows NT LAN Manager. The native authentication protocol in Windows NT version 4.0. Includes cross-domain authentication. Supported in Windows XP for backward compatibility.	Msv1_0.dll	Local Security Authority Subsystem (LSASS)
Kerberos Provides secure industry-standard authentication.	Kerberos.dll	Local Security Authority Subsystem (LSASS)
Passport Online user authentication service that enables a user to create a single user name and password for easy, secure access to all Passport accounts.	Wininet.dll	Wininet Library
Credential Manager Secure storage for password information that allows users to input user names and passwords once so that the system can automatically apply the information for subsequent visits.	Credui.dll	Credential Management User Interface
	Keymgr.dll	Key Manager
	Advapi32.dll	Win32 API - Advanced
Secure Channel (X.509 certificates)Supports multiple levels of a certification authority hierarchy using digitally-signed certificates.	Schannel.dll	Local Security Authority Subsystem (LSASS)
	Cryptnet.dll	Cryptographic Network Services
Smart Card Windows Embedded Standard 2009 integrates smart card capabilities into the OS, including support for smart card logon to Terminal Services sessions.	Scardsvr.exe; Scardssp.dll	Smart Card Subsystem
	Winscard.dll	Primitive: Winscard
The Credential Security Support Provider (CredSSP) protocol lets an application delegate user credentials from the client to the target server for remote authentication.	credssp.dll; tspkg.dll	CredSSP

Credential Security Service Provide (CredSSP) — CredSSP is a new Security Service Provider (SSP) that is available in Windows XP SP3 via the Security Service Provider Interface (SSPI). CredSSP enables an application to delegate user credentials from the Client (via Client-side SSP) to the target Server (via Server-side SSP). Windows XP SP3 uses only the Client side SSP implementation currently used by Remote Desktop Protocol (RDP) 6.1 Terminal Services (TS). This implementation can be used by any third-party application willing to use the client-side SSP to interact with applications that are running server-side SSP implementations on Vista or Windows Server 2008.

Note   CredSSP is turned off by default in Windows Embedded Standard 2009.

Authorization Support

Once a principal, a user, or a computer is authenticated the authorization process establishes what that principal is allowed to do. The following table shows how authorization support features are mapped to components.

Feature	Key binary files	Component
Access control lists (ACLs), Principals, PrivilegesA mechanism to protect system objects. For example, a folder or file share can be configured to either accept the default ACL settings or you can implement custom ACL settings to restrict access to the object.	Ntdll.dll	Primitive: Ntdll
	Lsass.exe; Lsasrv.dll	Local Security Authority Subsystem (LSASS)
	Authz.dll	Primitive: AuthZ
GPO, Restrictions (Software, Computer) Group Policy Object (GPO) management and control. Use GPO to define policy settings to be applied to computers and/or users.	Gptext.dll	Group Policy Client Core
	Profmap	Primitive: Profmap
Local, Roaming profiles	Userenv.dll	Local Profile Core
		Roaming Profile
Auditing	Ntdll.dll	Primitive: Ntdll
	Lsass.exe, Lsasrv.dll	Local Security Authority Subsystem (LSASS)
	Msaudite.dll	Auditing Resource DLLs
	Eventlog.dll	Event Log

API Support

You can take advantage of the full-featured security API support built into Windows XP. The following table shows how API support features are mapped to components.

Feature	Key binary files	Component
CryptoAPI CryptoAPI provides services that enable application developers to add security to applications. Includes functionality for encoding to and decoding from ASN.1, encrypting and decrypting data, and for authentication using digital certificates.	Crypt32.dll	Primitive: Crypt32
	Cryptnet.dll	Cryptographic Network Services
SSPI (Security Support Provider Interface) APIs for credential management, context management, message support, and package management.	Secur32.dll	Primitive: Secur32
	Ksecdd.sys	Primitive: Ksecdd
	Lsasrv.dll	Local Security Authority Subsystem (LSASS)
Microsoft Cryptographic Module The Microsoft DSS/DH Software Cryptographic Service Provider. The Microsoft RSA Software Cryptographic Service Provider.	dssenh.dll; rsaenh.dll	Cryptographic Service Providers
Smartcard Cryptographic service providers	gpkcsp.dll; gpkrsrc.dll; sccbase.dll; sccsccp.dll; slbcsp.dll; slbiop.dll; slbrccsp.dll	Smart Card Cryptographic Service Providers

Microsoft Cryptographic Module — Implements and supports the SHA2 hashing algorithms (SHA256, SHA384, and SHA512) in X.509 certificate validation. This has been added to the crypto module rsaenh.dll.

XP SP2 crypto modules Rsaenh.dll, Dssenh.dll, and Fips.sys had been certified according to FIPS 140-1 specifications. The Federal Information Processing Standard (FIPS) 140-1 standard has been replaced by FIPS 140-2, and these modules have been validated and certified according to this standard. For more information, see the Microsoft Kernel Mode Cryptographic Module.

Tamper-Resistance and Data-Privacy Features on the Storage Media

The level of file system security in your embedded run-time configuration is largely established by the file-system components you choose. The following table shows how tamper-resistance and data-privacy features on the storage media are mapped to components.

Feature	Key binary files	Component
EFS Encrypted File System (EFS) with multi-user support is part of NTFS file system (NTFS). EFS encrypts each file with a randomly generated key that is transparent to the user.	Efsadu.dll	User Interface Core
	Ntfs.sys	NTFS
	Crypt32.dll	Primitive: Crypt32
	Lsasrv.dll	Local Security Authority Subsystem (LSASS)
NTFS Windows NT File System supports Access Control List (ACL) to protect file-system objects.	Ntfs.sys	NTFS
Driver Rollback Part of the Windows XP System Restore feature. Driver Rollback can be used to replace a given device driver with a previously installed version.	Newdev.dll	Add Hardware Control Panel
	Setupapi.dll	Primitive: Setupapi
System Restore A subsystem that creates periodic system snapshots, allowing you to restore the OS to a previous state.	Sr.sys; Srrstr.dll; Srsvc.dll; Srclient.dll	System Restore Core
Volume Shadow Copy Service Manages and implements volume shadow copies used for backups and other purposes.	Volsnap.sys	Volume Shadow Copy Service
	Srv.sys	File Sharing

Tamper-Resistance and Data-Privacy Features on the network

The level of network security in your embedded run-time image is largely established by the network components you choose. The following table shows how tamper-resistance and data-privacy features on the network are mapped to components.

Feature	Key binary files	Component
IPSec Internet Protocol (IP) Security.Uses cryptographic security services to enable organizations to transmit data securely over a virtual private network (VPN).	Ipsec.sys; Ipsecsvc.dll; Winipsec.dll	IP Security Services
SSL/TLSSecure Sockets Layer. HTTPS is the name of the URL scheme used with the SSL port 443.	Schannel.dll	Local Security Authority Subsystem (LSASS)
	Cryptnet.dll	Cryptographic Network Services
	Secur32.dll	Primitive: Secur32
	Crypt32.dll	Primitive: Crypt32
	Cryptdll.dll	Primitive: Cryptdll
	Netapi32.dll	Primitive: Netapi32
	Netlogon.dll	Netlogon/NetJoin
Secure RPCsMSRPC applies Windows security to COM+, DCOM, and RPC.	Rpcrt4.dll	RPC Local Support
	Secur32.dll	Primitive: Secur32
	Authz.dll	Primitive: AuthZ
		Secure RPC over Kerberos
		Secure RPC over Negotiate
		Secure RPC over NTLM
		Secure RPC over SSL
IPSec Simple Policy Update This update helps simplify the creation and maintenance of IPSec filters, reducing the number of filters that are required for a server and domain isolation deployment. The Simple Policy Update removes the requirement for explicit network infrastructure permit filters and introduces enhanced fallback to clear behavior. Microsoft Knowledge Base article 914841 describes this previously released update in more detail.	ipsec.sys; ipsecsvc.dll; oakley.dll; polstore.dll; winipsec.dll	IP Security Services
Network Access Protection (NAP) is a policy-enforcement platform you can use to better protect network assets by enforcing compliance with system health requirements.	dhcpqec.dll; eapolqec.dll; eapqec.dll; kmsvc.dll; mssha.dll; msshavmsg.dll; napclientprov.mof; napclientschema.mof; napipsec.dll; napmontr.dll; napstat.exe; qagent.dll; qagentrt.dll; qcliprov.dll; qutil.dll; rasqec.dll	Network Access Protection
"Black Hole" Router Black hole router detection (detecting routers that are silently discarding packets). Turned on by default.	TCPIP.CHM TCPIP.SYS WSHTCPIP.DLL	TCP/IP Networking
	TCPIP6.SYS WSHIP6.DLL	TCP/IP Version 6
Background Intelligent Transfer Service (BITS) 2.5. BITS 2.5 is required by Microsoft System Center Configuration Manager 2007 and Windows Live OneCare. BITS 2.5 helps you improve security. If you use BITS 2.5 to transfer data, the new features also improve flexibility. Microsoft Knowledge Base article 923845 describes BITS 2.5.	bitsprx2.dll (Proxy for BITS1.5 interfaces); bitsprx3.dll (Proxy for BITS2.0 interfaces.); bitsprx4.dll (Proxy for BITS2.5 interfaces); qmgr.dll; qmgr.inf; qmgrprxy.dll	Background Intelligent Transfer Service
Credential Roaming (formerly Digital Identity Management Service, or DIMS) makes it possible for users who log on to any domain-joined computer to silently access all of their certificates and private keys for applications and services.	dimsntfy.dll; dimsroam.dll	Credential Roaming
Peer Name Resolution Protocol (PNRP) 2.1. This update enables Windows XP SP3–based programs that use PNRP to communicate with Windows Vista programs that use PNRP. Microsoft Knowledge Base article 920342 describes this previously released update. Enables the Peer-to-Peer platform. Lets users communicate and share information securely with one another while at home, at work, or from mobile devices.	p2p.dll; p2p.inf; p2pgasvc.dll; p2pgraph.dll; p2pnetsh.dll; p2psvc.dll; pnrpnsp.dll; SQLDB20.DLL; SQLQP20.DLL; SQLSE20.DLL	Peer to Peer Networking
Remote Desktop Protocol (RDP) 6.1. Used for communication between the Terminal Server and the Terminal Server Client. RDP is encapsulated and encrypted within Transmission Control Protocol (TCP). This update better facilitates communication between computers running Windows XP and Windows Vista. Knowledge Base article 186607 describes RDP. Knowledge base article 951616 describes RDP 6.1.	mstsc.exe (Terminal Services Client Executable); mstsc.exe.mui	Terminal Server Client

Wireless Security Support

Wireless networking offers a new set of security issues to consider. The following table shows how 802.11 / Wireless security support features are mapped to components.

Feature	Key binary files	Component
Wired Equivalent Privacy (WEP)	Wzcsvc.dll	Primitive: Wzcsvc
	Wzcsapi.dll	Wireless Zero Configuration
Wi-Fi Protected Access 2 (WPA2) This update to Windows XP provides support for WPA2, the latest standards-based wireless security solution derived from the IEEE 802.11i standard. Microsoft Knowledge Base article 893357 describes this update. Provides automatic configuration and authentication for 802.11 wireless network adapters.	Wzcsapi.dll Wzcsvc.dll	Wireless Zero Configuration

Internet Connection Security Support

There are many ways you can take advantage of full-featured Internet connection security support. The following table shows how Internet connection security support features are mapped to components.

Feature	Key binary files	Component
Internet Connection Firewall (ICF) Protects devices from common Internet attacks.	Hnetcfg.dll; Alg.exe	Internet Connection Sharing and Firewall
S/MIME Secure e-mail using encryption.	Mapi32.dll	Mapi32 Libraries
	Cryptnet.dll	Cryptographic Network Services
	Crypt32.dll	Primitive: Crypt32
WebDAV/Web Folders If you use Encrypted File System (EFS) to encrypt and decrypt files, and you want to keep your files encrypted when they are shared across a network, use Web Distributed Authoring and Versioning (WebDAV) and Web Folders.	Msonsext.dll	Web Folders
HTTPS The classic URL scheme, HTTP, used port 80 and incorporated no security. The HTTPS URL scheme uses port 443 and incorporates SSL/TLS encryption security.	Wininet.dll	Wininet Library
	Schannel.dll	Local Security Authority Subsystem (LSASS)
	Cryptnet.dll	Cryptographic Network Services
	Secur32.dll	Primitive: Secur32
	Crypt32.dll	Primitive: Crypt32
	Cryptdll.dll	Primitive: Cryptdll
	Netapi32.dll	Primitive: Netapi32
	Netlogon.dll	Netlogon/NetJoin
PPTP/L2TP You can securely access a private network through the Internet or other public network by using a VPN connection with the Point-to-Point Tunneling Protocol (PPTP). Level 2 Tunneling Protocol (L2TP), when used with IPSec, offers data transfer that is as secure as within a single LAN at a corporate Web site.	Raspptp.sys; Rasl2tp.sys	Dial-Up Networking Common Libraries

Security Management Support

In Windows Embedded Standard 2009, you can use the full set of management tools available in Windows XP Professional. The following table shows how security management support features are mapped to components.

Feature	Key binary files	Component
Certificate Management	Certmgr.dll	Certificate MMC Snap-In Tool
Security Configuration, Analysis	Scesrv.dll	Windows Security Configuration Editor Engine
	Scecli.dll	Windows Security Configuration Editor Client Engine
	Samlib.dll	Security Accounts Manager Client
	Samsrv.lib	Security Accounts Manager Server Library
	Wsecedit.dll	Security Settings Editor
	Secedit.exe	Security Configuration Engine Command-Line Utility
IP Security Management	Ipsecsnp.dll; Ipsmsnap.dll	IP Security Tools and User Interface
Group Policy Management	Gpedit.dll	Group Policy Core Administration MMC Snap-In
Local Users and Groups Management	Nusrmgr.cpl	Users Control Panel
Credential Management	Credui.dll	Credential Management User Interface
	Keymgr.dll	Key Manager
Software Restriction Policies Provides administrators with a policy-driven mechanism for identifying software programs running on computers in a domain, and controls the ability of those programs to execute. Software restriction policies can improve system integrity and manageability, which ultimately lowers the cost of owning a computer.	Certmgr.dll; advapi32.dll	Local security policy snap-in
Windows Security Center Windows Security Center provides a central location for viewing security status, changing security settings, and learning more about security issues.	wscenter.mof; wscntfy.exe; wscsvc.dll; wscui.cpl	Security Center
Windows Update Agent Windows Update Agent helps keep your computer up-to-date and secure by downloading and installing the latest security and feature updates from Microsoft. Windows Update Agent determines which updates apply to your computer. Client component needed for basic access to Windows Update, Microsoft Update, and Windows Update Services servers. Includes all the functionality and UI needed for Automatic Updates and for API callers. Note   Full Windows Update Agent functionality is not available on Windows Embedded Standard, because direct updates from Windows Update are not supported.	sfc.dll; sfc_os.dll; sfcfiles.dll; wuapi.dll; wuau.adm; wuauclt.exe; wuaucpl.cpl; wuaueng.dll; wuauserv.dll; wucltui.dll; wups.dll; wups2.dll; wuweb.dll	Windows Update Agent3.0
Windows Firewall Windows Firewall drops incoming traffic that does not correspond to either traffic sent in response to a request of the computer (solicited traffic), or unsolicited traffic that has been specified as allowed (excepted traffic). Windows Firewall helps provide protection from malicious users and programs that rely on unsolicited incoming traffic to attack computers.	alg.exe (Application-level proxy handling application specific protocols through NAT); fwcfg.dll; hnetcfg.mof (Home networking managed object format description file); ip6fw.sys (system driver for IPv6 firewall); netfw.inf (installation and setup information for firewall) firewall.cpl (Windows Firewall Control Panel)	Windows Firewall/Internet Connection Sharing (ICS) Windows Firewall Control Panel
Microsoft Management Console (MMC) 3.0 MMC 3.0 is a framework that unifies and simplifies day-to-day system management tasks in Windows by providing common navigation, menus, toolbars, and workflow across diverse tools.	capesnpn.dll; cic.dll; mmc.exe; mmcbase.dll; mmcndmgr.dll; mmcshext.dll	Microsoft Management Console (MMC)
MSXML6.0 MSXML6 provides better reliability, security, and conforms with the XML 1.0 and XML Schema 1.0 W3C recommendations. It also provides compatibility with System.XML 2.0.	msxml6.dll; msxml6r.dll	MSXML 6.0
Microsoft Windows Installer 3.1 v2 (3.1.4000.2435) Microsoft Windows Installer 3.1 is a minor update to Microsoft Windows Installer 3.0, which Microsoft released in September 2004. Microsoft Windows Installer 3.1 contains new and enhanced functionality. Additionally, Microsoft Windows Installer 3.1 addresses some issues that Microsoft found in the 3.0 release.	msiexec.exe (msi service and custom action server); msihnd.dll (msi ui handler); msimsg.dll (msi message dll); msisip.dll (msi digital signature SIP handler);	Windows Installer Service

For more information, see the Windows Embedded Standard 2009 Help documentation.

Security Review Checklist

You can use the following list to help you address security issues relevant to your Windows Embedded Standard 2009 device and its applications:

1. As you develop the specification and applications for your run-time image, use the security resources noted in this article.
2. Read about the latest Microsoft security and Quick Fix Engineering (QFE) updates at this Microsoft Web site.
3. Read the security information in the Windows Embedded Standard 2009 online Help.
4. Include only those driver components and applications required by your embedded device.
5. Include Windows Security Center and Windows Firewall.
6. Reduce the network port usage in your design. Remove all network interfaces that might serve as a security threat. For example, if they are not required, remove the Telnet and Simple Network Management Protocol (SNMP) components.
7. Ensure there are no other physical hardware interfaces that might serve as an access point for a malicious attack.
8. Consider using NTFS file system (NTFS), which offers secure access control lists (ACLs) for your data files. Use the Encrypted File System (EFS) feature for local encryption of data files. Use WebDAV/Web Folders if you need EFS-protected files to be securely encrypted over a network.
9. Use Internet Connection Firewall (ICF) to protect against unsafe or unauthorized network traffic.
10. Review privileges required by principals.
11. Use Software Restriction Policies. For more information, see Using Software Restriction Policies to Protect Against Unauthorized Software.
12. Read the Internet Explorer hardening document: Internet Explorer Desktop Security Guide.
13. Read the Windows XP Service hardening guide: Services and Service Accounts Security Planning Guide.

Conclusion

What you have learned

By using the components and techniques outlined in this article, you can create reduced-footprint devices that have enhanced security.

For more information about network security, see Writing Secure Code, by Michael Howard and David Leblanc, Microsoft Press, 2002, and Programming Windows Security, by Keith Brown, Addison Wesley Longman, Inc., 2000.

The following Web sites might offer additional security information:

1. For general information about security, see this Microsoft Web site.
2. For information about the Windows Embedded product, see this Microsoft Web site.
3. For information about developer issues, see the MSDN Library.
4. For information about Windows XP, see this Microsoft Web site.
5. For more information about Windows Embedded Standard 2009 security, see Security in the product documentation.

Contributors to this paper include, but are not limited to, the Windows Embedded, Security, and Componentization teams.