
Advanced Security Concepts (Standard 2009)


Microsoft Corporation

November 2009

Windows Embedded Standard 2009 offers developers a componentized version of the Windows XP operating system: you select only the components your design requires, which gives you a reduced footprint. This article presents a technical overview of the security considerations that matter in that componentized environment.

Windows Embedded Standard 2009 is based on the same binary files as Windows XP Professional. Windows Embedded Standard 2009 enables you to rapidly develop reliable and full-featured connected devices.

The Windows Embedded Standard 2009 component database includes approximately 15,000 components. You can build Windows Embedded Standard 2009 run-time images that range from basic kernel-only configurations with minimal security requirements, to full-featured devices that contain networking, multimedia, security, and other features typically found on a computer with Windows XP Professional installed.

Windows Embedded Standard 2009 inherits all of the security features available in Windows XP Professional. In addition, Windows Embedded Standard 2009 offers the following benefits:

  1. Less code — You can omit components that your product does not require, reducing operating system (OS) complexity and attack surface and increasing reliability.
  2. Less hardware — You can include only the hardware your design needs, which increases reliability and removes hardware access points an attacker could use.
  3. Total control of access points — You control which input and output devices are exposed to the user. The device can be configured as a closed system that supports devices selectively; for example, careful selection of device-driver components lets you withhold support for externally accessible devices such as USB devices, mouse, keyboard, game controllers, floppy-disk drive, and networking.
  4. Single-purpose configuration — You can configure the device to serve a single purpose, controlling which applications run and whether third-party applications can be installed. This reduces both application-compatibility problems and the opportunity for attack.
  5. Reduced network vulnerability — Selecting only the components the target device requires reduces its exposure. For example, unless it is needed for maintenance, remove the Telnet component, which would otherwise offer an attacker an entry point.
  6. Prevent modifications to system data or applications — The Enhanced Write Filter (EWF) or File-Based Write Filter (FBWF) component makes a read-only storage volume appear to the OS as a read/write device by redirecting disk writes to an alternate, writable location, such as system memory or a dedicated overlay partition. For example, the El Torito CD-ROM boot component, with EWF configured to redirect writes to system memory, lets you boot from a read-only CD-ROM.
  7. Prevent installation of rogue applications — EWF or FBWF also blocks installation of rogue applications and any other permanent configuration change. If the design contains no read/write storage, it is stateless between boots: the system is guaranteed to boot the same way each time, and any change made while running is held only in system memory and lost at restart. Note that the write filter protects only persistence; changes an attacker makes remain in effect until the next restart, and a RAM overlay can be exhausted by heavy write activity. Gaming devices use this technique; in some states they are required by law to retain no information between boots.
  8. Backup and restore benefits — Two benefits make backup and restore more secure:
    1. Faster system backup and restore. Because the storage footprint is smaller, backup and restore are typically faster and more reliable.
    2. Default restore. A stateless El Torito CD-ROM system automatically returns to its original state whenever it is rebooted or power cycled, eliminating special backup and restore procedures and the security concerns that go with them.
  9. No moving parts — You can make the design more rugged by using solid-state storage such as DiskOnChip, flash devices, and other silicon-based storage instead of hard drives.
  10. Simplified design, test, and validation — A reduced-footprint design needs less system testing, so you can allocate more time to testing your embedded application.

You can use Target Designer to build your base design configuration by using one of the following baseline configurations:

  1. Kernel-only — The Kernel-only configuration does not support the Microsoft Win32 application programming interface (API) and contains no built-in security features or tools.
  2. Minlogon — The Minlogon configuration uses a less robust logon process compared to Winlogon. By default, Minlogon does not include the Local Security Authority Subsystem process (LSASS).
    Make sure that you do not require LSASS user authentication before choosing Minlogon.
    Without LSASS, Minlogon lacks the interactive logon and authentication features that are present in standard Windows XP Professional, and always logs on the user as the SYSTEM user.
    Target Designer can include the LSASS component in your run-time image even though you selected the Minlogon component. This happens if other components have a dependency on LSASS, or if you manually added the LSASS component.
    The LSASS component has a low display visibility setting so you must reduce the visibility level to see it displayed in Target Designer. For more information, see the Windows Embedded Standard 2009 Help documentation.
  3. Winlogon — The Winlogon configuration uses the standard Windows logon process that ships with Windows XP Professional.
    In Windows XP Professional, Session Manager (Smss.exe) is the first user-mode process created in the system. Session Manager in turn launches the Windows subsystem process and the standard Windows logon process. The standard Windows logon process requires LSASS.
    LSASS is a user-mode process responsible for the following areas:
    1. The local system security policy, such as which users are allowed to log on to the computer, password policies, privileges granted to users and groups, and the system security auditing settings.
    2. User authentication.
    3. Sending security audit messages to the event log.

Certain components that you add to your design might require the Winlogon baseline configuration, even if you originally specified the kernel-only, or Minlogon, configuration. These components express their requirement as a component dependency on Winlogon, which will result in the Winlogon component being automatically added to your design when you run a Target Designer dependency check.

In a Winlogon configuration the default account password is blank and should be changed to a strong password before deployment. Windows XP rejects blank passwords for network logon by default but still accepts them at the console, so a device with a blank Administrator password is trivially compromised by anyone with physical access. For more information, see Strong Passwords.

The following table shows the available design templates and whether they support Minlogon or Winlogon.

Design template                        Minlogon   Winlogon
Windows-based Terminal Professional
Information Appliance
Basic Set-Top Box
Digital Set-Top Box
Advanced Set-Top Box
Kiosk/Gaming Console
Home Gateway
Retail Point-of-Sale Terminal
Network Attached Storage
When choosing your design template, you should consider the following questions:

  1. Who is your target user, and what level of access security is required?
  2. If the device contains sensitive data, how is the data being secured or protected from being corrupted or compromised?
  3. What security measures are in place with respect to any additional device(s) or user(s) that it communicates with?
  4. In what ways could a malicious entity have physical access to the device? Is it adequately secured?

For more information, see the Windows Embedded Standard 2009 Help documentation.

The book Writing Secure Code, by Michael Howard and David LeBlanc, offers practical information about secure design, secure coding, and testing techniques.

To implement the mitigation techniques in the book, you should map Windows XP security features to components as described in Mapping Security Features to Components.

Using the STRIDE model described in Writing Secure Code, the following table shows the major security threats and the Windows XP Professional security features you can use to mitigate each.

Threat: Spoofing identity
Description: Illegally accessing a system, either locally or remotely, by posing as another principal.
Mitigation techniques: Authentication Support security features: Digest authentication, Passport authentication, Kerberos authentication, X.509 certificate authentication, and so on.

Threat: Tampering with data
Description: Malicious modification of data.
Mitigation techniques: Authorization Support and Tamper-Resistance security features: access control lists (ACLs), privileges, Encrypting File System (EFS), IPSec, digital signatures, and so on.

Threat: Repudiation
Description: Users denying an action without the other party having a way to prove otherwise.
Mitigation techniques: Authentication Support, Authorization Support, and Security Support security features: auditing, IPSec, digital signatures, and so on.

Threat: Information disclosure
Description: Exposing information to individuals who should not have access to it.
Mitigation techniques: Authorization and Tamper-Resistance security features: authorization, privacy-enhanced protocols, encryption, and so on.

Threat: Denial of service
Description: Denying service to valid users.
Mitigation techniques: Internet Connection Security Support and API security features: firewall, authentication, authorization, filtering, throttling, and so on.

Threat: Elevation of privilege
Description: An unprivileged user gaining privileged access in order to compromise or destroy a system.
Mitigation techniques: Authentication, Authorization, and Security Management security features: Group Policy, software/system restrictions, and so on.

Windows Embedded Standard 2009 supports the same configurable security options as Windows XP Professional. Default security settings are defined in Defltwk.inf. To see how custom security settings can be applied to an embedded device, see Security in the System Design Guide.
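Security templates such as Defltwk.inf are plain .inf files that secedit.exe and the Security Configuration and Analysis snap-in apply, so the settings that matter for a device (password length, lockout, auditing, blank-password use) can be checked before the template ever reaches the image. The following is an added example for this article, not code from the original page or from Microsoft: it parses a template, reports every setting that falls below a small baseline, and writes out a corrected template. The weak template is constructed; the section names, keys and the "4,<value>" REG_DWORD encoding under [Registry Values] are the ones security templates use.

```python
"""Audit a secedit security template (.inf) against a hardening baseline
and emit a corrected template.

Added example for this article, not code from the original page or from
Microsoft. The weak template below is constructed for illustration; the
section and value names are the ones secedit.exe and the Security
Configuration and Analysis snap-in read (Defltwk.inf uses the same format).
"""
import configparser
from io import StringIO

# Constructed sample of an unhardened template (only the keys audited here).
WEAK_TEMPLATE = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
LockoutBadCount = 0
EnableGuestAccount = 1
[Event Audit]
AuditLogonEvents = 0
AuditAccountLogon = 0
AuditPolicyChange = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,0
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_template(text):
    """Parse a secedit .inf. Key case must survive (registry paths)."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def reg_dword(value):
    """Templates store REG_DWORD values as '4,<number>'; return the number."""
    kind, _, data = value.partition(",")
    if kind.strip() != "4":
        raise ValueError("expected REG_DWORD (type 4), got %r" % value)
    return int(data.strip(), 0)


LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa"

# (section, key) -> (check, value written when the check fails, why it matters)
BASELINE = {
    ("System Access", "MinimumPasswordLength"): (lambda v: int(v) >= 8, "8", "passwords shorter than 8 characters allowed"),
    ("System Access", "PasswordComplexity"): (lambda v: int(v) == 1, "1", "complexity filter disabled"),
    ("System Access", "LockoutBadCount"): (lambda v: 1 <= int(v) <= 10, "5", "no lockout: unlimited password guessing"),
    ("System Access", "EnableGuestAccount"): (lambda v: int(v) == 0, "0", "Guest account enabled"),
    ("Event Audit", "AuditLogonEvents"): (lambda v: int(v) == 3, "3", "logon success/failure not audited"),
    ("Event Audit", "AuditAccountLogon"): (lambda v: int(v) == 3, "3", "account logon not audited"),
    ("Event Audit", "AuditPolicyChange"): (lambda v: int(v) == 3, "3", "policy changes not audited"),
    ("Registry Values", LSA + r"\LimitBlankPasswordUse"): (lambda v: reg_dword(v) == 1, "4,1", "blank passwords usable over the network"),
    ("Registry Values", LSA + r"\LmCompatibilityLevel"): (lambda v: reg_dword(v) >= 3, "4,3", "LM/NTLMv1 responses still sent"),
}


def audit(cp):
    """Return [(section, key, current, required, reason)] for every failed
    check. A missing key is a finding too: the template then leaves the
    Windows default in place instead of enforcing anything."""
    findings = []
    for (section, key), (ok, required, reason) in BASELINE.items():
        current = cp.get(section, key, fallback=None)
        if current is None or not ok(current):
            findings.append((section, key, current, required, reason))
    return findings


def harden(text):
    """Rewrite the template so every baseline check passes; return .inf text."""
    cp = parse_template(text)
    for section, key, _current, required, _reason in audit(cp):
        if not cp.has_section(section):
            cp.add_section(section)
        cp.set(section, key, required)
    out = StringIO()
    cp.write(out)
    return out.getvalue()


if __name__ == "__main__":
    for section, key, current, required, reason in audit(parse_template(WEAK_TEMPLATE)):
        print("[%s] %s = %s (want %s): %s" % (section, key, current, required, reason))
    print(harden(WEAK_TEMPLATE))
```

The corrected template is applied on the device with secedit, for example `secedit /analyze /db C:\audit.sdb /cfg hardened.inf` to compare first and `secedit /configure /db C:\audit.sdb /cfg hardened.inf /overwrite` to enforce it; save the file as UTF-16LE, which is what the [Unicode] section declares. The checks are a starting point, not a complete baseline; extend BASELINE with the settings your threat model requires.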

The following tables show how Windows XP security features map to components. A feature requires the component that owns its key binary file, plus that component's dependencies.

Some of the listed components are hidden at the default visibility level. Reduce the visibility setting in Target Designer to see them.

This section discusses these topics:

Authentication Support

Authorization Support

API Support

Tamper-Resistance and Data-Privacy Features on the Storage Media

Tamper-Resistance and Data-Privacy Features on the network

Wireless Security Support

Internet Connection Security Support

Security Management Support

Authentication Support

Authentication is the process by which a principal (a user or a device) proves its identity to another principal. The following table shows how authentication features are mapped to components.

Feature: Common binaries (apply to every authentication feature)
Key binary files: Lsass.exe; Lsasrv.dll
Components: Local Security Authority Subsystem (LSASS); Primitive: Secur32; Primitive: Crypt32; Primitive: Cryptdll; Primitive: Netapi32

Feature: Basic authentication
Description: The native authentication mechanism built into HTTP. The credentials are only base64-encoded, so if Basic is used you should require an SSL-encrypted link with strong server-side authentication to protect them in transit.
Components: Win32 API - Advanced

Feature: Digest authentication
Description: A simple challenge/response protocol, intended to replace Basic authentication; the password itself is never sent on the wire.
Components: Digest Authentication Security Package

Feature: NTLM
Description: Windows NT LAN Manager, the native authentication protocol in Windows NT version 4.0. Includes cross-domain authentication. Supported in Windows XP for backward compatibility.
Components: Local Security Authority Subsystem (LSASS)

Feature: Kerberos
Description: Provides secure, industry-standard authentication.
Components: Local Security Authority Subsystem (LSASS)

Feature: Passport
Description: Online user authentication service that enables a user to create a single user name and password for easy, secure access to all Passport accounts.
Components: Wininet Library

Feature: Credential Manager
Description: Secure storage for password information, so that users enter user names and passwords once and the system applies them automatically on subsequent visits.
Components: Credential Management User Interface; Key Manager; Win32 API - Advanced

Feature: Secure Channel (X.509 certificates)
Description: Supports multiple levels of a certification authority hierarchy using digitally signed certificates.
Components: Local Security Authority Subsystem (LSASS); Cryptographic Network Services

Feature: Smart Card
Description: Windows Embedded Standard 2009 integrates smart card capabilities into the OS, including support for smart card logon to Terminal Services sessions.
Key binary files: Scardsvr.exe; Scardssp.dll
Components: Smart Card Subsystem; Primitive: Winscard

Feature: Credential Security Support Provider (CredSSP)
Description: Lets an application delegate user credentials from the client to the target server for remote authentication. CredSSP is a Security Support Provider (SSP) new in Windows XP SP3, reached through the Security Support Provider Interface (SSPI). Windows XP SP3 ships only the client-side SSP implementation, currently used by the Remote Desktop Protocol (RDP) 6.1 Terminal Services (TS) client. Any third-party application can use this client-side SSP to interact with applications running the server-side SSP implementation on Windows Vista or Windows Server 2008.
Key binary files: credssp.dll; tspkg.dll
Components: Credential Security Support Provider (CredSSP)

Note   CredSSP is turned off by default in Windows Embedded Standard 2009.

Authorization Support

Once a principal (a user or a computer) is authenticated, the authorization process establishes what that principal is allowed to do. The following table shows how authorization support features are mapped to components.

Feature: Access control lists (ACLs), principals, privileges
Description: A mechanism to protect system objects. For example, a folder or file share can keep the default ACL settings, or you can apply a custom ACL that restricts access to the object.
Key binary files: Lsass.exe; Lsasrv.dll
Components: Primitive: Ntdll; Local Security Authority Subsystem (LSASS); Primitive: AuthZ

Feature: GPO, restrictions (software, computer)
Description: Group Policy Object (GPO) management and control. Use GPOs to define policy settings that are applied to computers and/or users.
Components: Group Policy Client Core; Primitive: Profmap

Feature: Local and roaming profiles
Components: Local Profile Core; Roaming Profile; Primitive: Ntdll

Feature: Auditing
Key binary files: Lsass.exe; Lsasrv.dll
Components: Local Security Authority Subsystem (LSASS); Auditing Resource DLLs; Event Log

API Support

You can take advantage of the full security API support built into Windows XP. The following table shows how API support features are mapped to components.

Feature: CryptoAPI
Description: Services that let application developers add security to applications, including ASN.1 encoding and decoding, data encryption and decryption, and authentication using digital certificates.
Components: Primitive: Crypt32; Cryptographic Network Services

Feature: SSPI (Security Support Provider Interface)
Description: APIs for credential management, context management, message support, and package management.
Components: Primitive: Secur32; Primitive: Ksecdd; Local Security Authority Subsystem (LSASS)

Feature: Microsoft Cryptographic Module
Description: The Microsoft DSS/DH Software Cryptographic Service Provider and the Microsoft RSA Software Cryptographic Service Provider.
Key binary files: dssenh.dll; rsaenh.dll
Components: Cryptographic Service Providers

Feature: Smart card cryptographic service providers
Key binary files: gpkcsp.dll; gpkrsrc.dll; sccbase.dll; sccsccp.dll; slbcsp.dll; slbiop.dll; slbrccsp.dll
Components: Smart Card Cryptographic Service Providers

Microsoft Cryptographic Module, SHA-2 support: rsaenh.dll implements the SHA-2 hashing algorithms (SHA-256, SHA-384, and SHA-512) for use in X.509 certificate validation.

The Windows XP SP2 cryptographic modules Rsaenh.dll, Dssenh.dll, and Fips.sys were certified to the FIPS 140-1 specification. FIPS 140-1 has since been superseded by FIPS 140-2, and these modules have been validated and certified to that standard. For more information, see the Microsoft Kernel Mode Cryptographic Module.

Tamper-Resistance and Data-Privacy Features on the Storage Media

The level of file-system security in your run-time configuration is largely determined by the file-system components you choose. The following table shows how tamper-resistance and data-privacy features on the storage media are mapped to components.

Feature: Encrypting File System (EFS)
Description: EFS, with multi-user support, is part of the NTFS file system. It encrypts each file with a randomly generated file encryption key, which is in turn protected with the user's public key; encryption and decryption are transparent to the user.
Components: User Interface Core; Primitive: Crypt32; Local Security Authority Subsystem (LSASS)

Feature: NTFS access control lists
Description: The Windows NT File System supports access control lists (ACLs) to protect file-system objects.

Feature: Driver Rollback
Description: Part of the Windows XP System Restore feature. Driver Rollback replaces a given device driver with the previously installed version.
Components: Add Hardware Control Panel; Primitive: Setupapi

Feature: System Restore
Description: A subsystem that creates periodic system snapshots, allowing you to restore the OS to a previous state.
Key binary files: Sr.sys; Srrstr.dll; Srsvc.dll; Srclient.dll
Components: System Restore Core

Feature: Volume Shadow Copy Service
Description: Manages and implements volume shadow copies used for backups and other purposes.
Components: Volume Shadow Copy Service; File Sharing

Tamper-Resistance and Data-Privacy Features on the network

The level of network security in your run-time image is largely determined by the network components you choose. The following table shows how tamper-resistance and data-privacy features on the network are mapped to components.

Feature: IPSec
Description: Internet Protocol (IP) Security. Uses cryptographic security services to let organizations transmit data securely, for example over a virtual private network (VPN).
Key binary files: Ipsec.sys; Ipsecsvc.dll; Winipsec.dll
Components: IP Security Services

Feature: SSL/TLS
Description: Secure Sockets Layer / Transport Layer Security. HTTPS is the URL scheme for HTTP carried over SSL/TLS, by default on port 443.
Components: Local Security Authority Subsystem (LSASS); Cryptographic Network Services; Primitive: Secur32; Primitive: Crypt32; Primitive: Cryptdll; Primitive: Netapi32

Feature: Secure RPC
Description: MSRPC applies Windows security to COM+, DCOM, and RPC.
Components: RPC Local Support; Primitive: Secur32; Primitive: AuthZ; Secure RPC over Kerberos; Secure RPC over Negotiate; Secure RPC over NTLM; Secure RPC over SSL

Feature: IPSec Simple Policy Update
Description: This update simplifies the creation and maintenance of IPSec filters, reducing the number of filters required for a server and domain isolation deployment. It removes the requirement for explicit network-infrastructure permit filters and introduces enhanced fall-back-to-clear behavior. Microsoft Knowledge Base article 914841 describes this previously released update in more detail.
Components: IP Security Services

Feature: Network Access Protection (NAP)
Description: A policy-enforcement platform you can use to better protect network assets by enforcing compliance with system health requirements.
Components: Network Access Protection

Feature: "Black hole" router detection
Description: Detects routers that silently discard packets. Turned on by default.
Components: TCP/IP Networking; TCP/IP Version 6

Feature: Background Intelligent Transfer Service (BITS) 2.5
Description: BITS 2.5 is required by Microsoft System Center Configuration Manager 2007 and Windows Live OneCare. BITS 2.5 helps you improve security, and if you use it to transfer data the new features also improve flexibility. Microsoft Knowledge Base article 923845 describes BITS 2.5.
Key binary files: bitsprx2.dll (proxy for BITS 1.5 interfaces); bitsprx3.dll (proxy for BITS 2.0 interfaces); bitsprx4.dll (proxy for BITS 2.5 interfaces)
Components: Background Intelligent Transfer Service

Feature: Credential Roaming
Description: Credential Roaming (formerly Digital Identity Management Service, or DIMS) lets users who log on to any domain-joined computer silently access all of their certificates and private keys for applications and services.
Components: Credential Roaming

Feature: Peer Name Resolution Protocol (PNRP) 2.1
Description: This update enables Windows XP SP3-based programs that use PNRP to communicate with Windows Vista programs that use PNRP. Microsoft Knowledge Base article 920342 describes this previously released update. PNRP enables the Peer-to-Peer platform, which lets users communicate and share information securely with one another at home, at work, or from mobile devices.
Components: Peer to Peer Networking

Feature: Remote Desktop Protocol (RDP) 6.1
Description: Used for communication between the Terminal Server and the Terminal Server client. RDP runs over Transmission Control Protocol (TCP) and encrypts its payload. This update improves communication between computers running Windows XP and Windows Vista. Knowledge Base article 186607 describes RDP; Knowledge Base article 951616 describes RDP 6.1.
Key binary files: mstsc.exe (Terminal Services client executable)
Components: Terminal Server Client

Wireless Security Support

Wireless networking introduces its own set of security issues. The following table shows how 802.11 wireless security support features are mapped to components.

Feature: Wired Equivalent Privacy (WEP)
Description: Included for compatibility with legacy access points only. WEP's RC4 keying is broken and a WEP key can be recovered from captured traffic in minutes, so use WPA2 wherever the infrastructure permits.
Components: Primitive: Wzcsvc; Wireless Zero Configuration

Feature: Wi-Fi Protected Access 2 (WPA2)
Description: This update to Windows XP adds support for WPA2, the standards-based wireless security solution derived from the IEEE 802.11i standard. Microsoft Knowledge Base article 893357 describes this update. Wireless Zero Configuration provides automatic configuration and authentication for 802.11 wireless network adapters.
Components: Wireless Zero Configuration

Internet Connection Security Support

There are many ways to take advantage of the full Internet connection security support. The following table shows how Internet connection security support features are mapped to components.

Feature: Internet Connection Firewall (ICF)
Description: Protects devices from common Internet attacks.
Key binary files: Hnetcfg.dll; Alg.exe
Components: Internet Connection Sharing and Firewall

Feature: Secure e-mail
Description: Secure e-mail using encryption.
Components: Mapi32 Libraries; Cryptographic Network Services; Primitive: Crypt32

Feature: WebDAV/Web Folders
Description: If you use the Encrypting File System (EFS) and want files to stay encrypted when they are shared across a network, use Web Distributed Authoring and Versioning (WebDAV) and Web Folders. Over an ordinary SMB file share an EFS file is decrypted on the server and crosses the network in the clear; over WebDAV it moves in its encrypted form.
Components: Web Folders

Feature: HTTPS
Description: The classic URL scheme, HTTP, uses port 80 and incorporates no security. The HTTPS URL scheme uses port 443 and incorporates SSL/TLS encryption.
Components: Wininet Library; Local Security Authority Subsystem (LSASS); Cryptographic Network Services; Primitive: Secur32; Primitive: Crypt32; Primitive: Cryptdll; Primitive: Netapi32

Feature: VPN (PPTP, L2TP/IPSec)
Description: You can securely access a private network across the Internet or another public network by using a VPN connection with the Point-to-Point Tunneling Protocol (PPTP). Layer 2 Tunneling Protocol (L2TP), when used with IPSec, offers data transfer as secure as that within a single corporate LAN.
Key binary files: Raspptp.sys; Rasl2tp.sys
Components: Dial-Up Networking Common Libraries

Security Management Support

In Windows Embedded Standard 2009 you can use the full set of management tools available in Windows XP Professional. The following table shows how security management support features are mapped to components.

Feature: Certificate Management
Components: Certificate MMC Snap-In Tool

Feature: Security Configuration and Analysis
Components: Windows Security Configuration Editor Engine; Windows Security Configuration Editor Client Engine; Security Accounts Manager Client; Security Accounts Manager Server Library; Security Settings Editor; Security Configuration Engine Command-Line Utility

Feature: IP Security Management
Key binary files: Ipsecsnp.dll; Ipsmsnap.dll
Components: IP Security Tools and User Interface

Feature: Group Policy Management
Components: Group Policy Core Administration MMC Snap-In

Feature: Local Users and Groups Management
Components: Users Control Panel

Feature: Credential Management
Components: Credential Management User Interface; Key Manager

Feature: Software Restriction Policies
Description: Provides administrators with a policy-driven mechanism for identifying the software that runs on computers in a domain and controlling whether it is allowed to execute. Software restriction policies improve system integrity and manageability, which ultimately lowers the cost of owning a computer.
Components: Local security policy snap-in

Feature: Windows Security Center
Description: A central location for viewing security status, changing security settings, and learning more about security issues.
Components: Security Center

Feature: Windows Update Agent
Description: Helps keep the computer up to date and secure by downloading and installing the latest security and feature updates from Microsoft, determining which updates apply to the computer. This is the client component needed for basic access to Windows Update, Microsoft Update, and Windows Update Services servers, and includes all of the functionality and UI needed for Automatic Updates and for API callers.
Note   Full Windows Update Agent functionality is not available on Windows Embedded Standard, because direct updates from Windows Update are not supported.
Components: Windows Update Agent 3.0

Feature: Windows Firewall
Description: Windows Firewall drops incoming traffic that is neither a response to a request the computer made (solicited traffic) nor unsolicited traffic that has been explicitly allowed (excepted traffic). It helps protect against malicious users and programs that rely on unsolicited incoming traffic to attack computers.
Key binary files: alg.exe (application-level proxy handling application-specific protocols through NAT); hnetcfg.mof (home networking managed object format description file); ip6fw.sys (system driver for the IPv6 firewall); netfw.inf (installation and setup information for the firewall); firewall.cpl (Windows Firewall Control Panel)
Components: Windows Firewall/Internet Connection Sharing (ICS); Windows Firewall Control Panel

Feature: Microsoft Management Console (MMC) 3.0
Description: A framework that unifies and simplifies day-to-day system management tasks in Windows by providing common navigation, menus, toolbars, and workflow across diverse tools.
Components: Microsoft Management Console (MMC)

Feature: MSXML6
Description: Provides better reliability and security, conforms to the XML 1.0 and XML Schema 1.0 W3C recommendations, and is compatible with System.XML 2.0.

Feature: Microsoft Windows Installer 3.1 v2 (3.1.4000.2435)
Description: A minor update to Microsoft Windows Installer 3.0, which Microsoft released in September 2004. Windows Installer 3.1 contains new and enhanced functionality and addresses some issues found in the 3.0 release.
Key binary files: msiexec.exe (MSI service and custom action server); msihnd.dll (MSI UI handler); msimsg.dll (MSI message DLL); msisip.dll (MSI digital signature SIP handler)
Components: Windows Installer Service
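The Windows Firewall row above describes which traffic is dropped; on a deployed device the evidence of that is the firewall log, and reading it is the quickest way to learn what is probing the device. The following is an added example for this article, not code from the original page or from Microsoft: it parses a Windows Firewall log, keeps only dropped inbound records, and flags sources that probed several ports. The log excerpt is constructed; the parser takes its column order from the file's own #Fields header, so it works on whatever columns a real log declares.

```python
"""Triage a Windows Firewall log for dropped unsolicited inbound traffic.

Added example for this article, not code from the original page or from
Microsoft. The log excerpt is constructed; its layout follows the W3C-style
header Windows Firewall writes, and the parser reads the column order from
the file's own '#Fields:' line rather than assuming it.
"""
from collections import Counter, defaultdict

SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2009-11-03 10:15:22 DROP TCP 192.0.2.10 10.0.0.5 49152 445 48 S 1234567 0 65535 - - - RECEIVE
2009-11-03 10:15:22 DROP TCP 192.0.2.10 10.0.0.5 49153 139 48 S 1234568 0 65535 - - - RECEIVE
2009-11-03 10:15:23 DROP TCP 192.0.2.10 10.0.0.5 49154 135 48 S 1234569 0 65535 - - - RECEIVE
2009-11-03 10:15:23 DROP TCP 192.0.2.10 10.0.0.5 49155 3389 48 S 1234570 0 65535 - - - RECEIVE
2009-11-03 10:15:24 DROP TCP 192.0.2.10 10.0.0.5 49156 23 48 S 1234571 0 65535 - - - RECEIVE
2009-11-03 10:16:01 DROP UDP 10.0.0.77 10.0.0.5 137 137 78 - - - - - - - RECEIVE
2009-11-03 10:16:40 OPEN TCP 10.0.0.5 10.0.0.2 1040 80 - - - - - - - - -
2009-11-03 10:16:45 CLOSE TCP 10.0.0.5 10.0.0.2 1040 80 - - - - - - - - -
2009-11-03 10:17:03 DROP TCP 198.51.100.7 10.0.0.5 4444 445 48 S 99 0 8192 - - - RECEIVE
"""


def parse_log(text):
    """Return one dict per record, keyed by the names in the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#"):
            continue  # other header lines (version, software, time format)
        if fields is None:
            raise ValueError("record before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated line (e.g. log rotated mid-write); skip it
        records.append(dict(zip(fields, values)))
    return records


def dropped_inbound(records):
    """DROP with path RECEIVE is traffic that reached the device unsolicited
    and matched no exception: the set worth looking at."""
    return [r for r in records if r["action"] == "DROP" and r.get("path") == "RECEIVE"]


def ports_hit(records):
    """How often each (protocol, destination port) was probed."""
    return Counter((r["protocol"], int(r["dst-port"])) for r in records)


def suspected_scans(records, min_ports=4):
    """Sources that touched at least min_ports distinct destination ports."""
    by_src = defaultdict(set)
    for r in records:
        by_src[r["src-ip"]].add(int(r["dst-port"]))
    return sorted(src for src, ports in by_src.items() if len(ports) >= min_ports)


if __name__ == "__main__":
    inbound = dropped_inbound(parse_log(SAMPLE_LOG))
    for (proto, port), count in ports_hit(inbound).most_common():
        print("%s/%d dropped %d time(s)" % (proto, port, count))
    print("possible port scan from:", suspected_scans(inbound))
```

On Windows XP SP2 and later the log is %windir%\pfirewall.log, and logging of dropped packets is off by default; turn it on in the Windows Firewall Control Panel (Advanced, Security Logging) or with `netsh firewall set logging droppedpackets=enable`. Because an embedded device behind a write filter loses the log at restart, copy or forward it before the device reboots if you intend to keep it.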

For more information, see the Windows Embedded Standard 2009 Help documentation.

You can use the following list to help you address security issues relevant to your Windows Embedded Standard 2009 device and its applications:

  1. As you develop the specification and applications for your run-time image, use the security resources noted in this article.
  2. Read about the latest Microsoft security and Quick Fix Engineering (QFE) updates at this Microsoft Web site.
  3. Read the security information in the Windows Embedded Standard 2009 online Help.
  4. Include only those driver components and applications required by your embedded device.
  5. Include Windows Security Center and Windows Firewall.
  6. Reduce the network port usage in your design. Remove all network interfaces that might serve as a security threat. For example, if they are not required, remove the Telnet and Simple Network Management Protocol (SNMP) components.
  7. Ensure there are no other physical hardware interfaces that might serve as an access point for a malicious attack.
  8. Consider using the NTFS file system, which provides access control lists (ACLs) for your data files. Use the Encrypting File System (EFS) feature for local encryption of data files, and use WebDAV/Web Folders if EFS-protected files must stay encrypted in transit over a network.
  9. Use Internet Connection Firewall (ICF) or Windows Firewall to block unsolicited or unauthorized inbound network traffic.
  10. Review privileges required by principals.
  11. Use Software Restriction Policies. For more information, see Using Software Restriction Policies to Protect Against Unauthorized Software.
  12. Read the Internet Explorer hardening document: Internet Explorer Desktop Security Guide.
  13. Read the Windows XP Service hardening guide: Services and Service Accounts Security Planning Guide.

What you have learned

By using the components and techniques outlined in this article, you can create reduced-footprint devices that have enhanced security.

For more information about Windows and network security, see Writing Secure Code, by Michael Howard and David LeBlanc, Microsoft Press, 2002, and Programming Windows Security, by Keith Brown, Addison Wesley Longman, Inc., 2000.

The following Web sites might offer additional security information:

  1. For general information about security, see this Microsoft Web site.
  2. For information about the Windows Embedded product, see this Microsoft Web site.
  3. For information about developer issues, see the MSDN Library.
  4. For information about Windows XP, see this Microsoft Web site.
  5. For more information about Windows Embedded Standard 2009 security, see Security in the product documentation.

Contributors to this paper include, but are not limited to, the Windows Embedded, Security, and Componentization teams.

© 2015 Microsoft