Windows XP Embedded Technical Articles
Security Considerations for Windows XP Embedded Developers
 

Microsoft Corporation

March 2002

Applies to:
    Microsoft® Windows® XP Embedded

Summary: Microsoft Windows XP Embedded offers developers a componentized version of the Windows XP operating system. Developers can pick and choose exactly those components required to fulfill their design requirements, resulting in a reduced footprint that is specifically tailored for their design. This article presents a technical overview of security considerations in the componentized environment offered by Windows XP Embedded. (15 printed pages)

Contents

Introduction
Unique Security and Reliability Benefits
Security Considerations for Baseline Configurations
Embedded Device Threats and Vulnerabilities
Mapping Security Features to Components
Security Review Checklist
For More Information
About the Authors

Introduction

Microsoft® Windows® XP Embedded is the successor to Microsoft Windows NT® Embedded version 4.0. Based on the same binary files as Windows XP Professional, Windows XP Embedded enables you to rapidly develop reliable and full-featured, connected devices.

The Windows XP Embedded component database includes approximately 10,000 components. You can build Windows XP Embedded run-time images that range from basic kernel-only configurations with minimal security requirements, to full-featured devices that contain networking, multimedia, security, and other features typically found in a computer with Windows XP Professional installed.

Unique Security and Reliability Benefits

Windows XP Embedded inherits all the security features available in Windows XP Professional.

In addition, Windows XP Embedded offers the following benefits:

  1. Less code — You can omit components that are not required by your product, reducing operating system (OS) complexity and increasing reliability.
  2. Less hardware — You can include only the hardware you need in your design to increase reliability. This also translates to a more secure system because there are fewer hardware access points.
  3. Total control of access points — You control the input and output devices exposed to the user, allowing you to specify exactly which devices are supported. The embedded device can be configured as a closed system and devices can be selectively supported. For example, you can prevent the support of externally accessible devices such as USB devices, mouse, keyboard, game controllers, floppy disk drive, and networking through careful selection of device driver components.
  4. Single purpose configuration — You can configure your device to serve a single purpose. You control which applications run on the device and whether third-party applications can be installed, reducing the possibility of application compatibility problems or security attacks.
  5. Reduced network vulnerability — You can reduce your security vulnerability by selecting only those components you require for your target device. For example, unless it is required for maintenance purposes, you can remove network Telnet functionality, which might otherwise offer an attacker an entry point.
  6. Prevent modifications to system data or applications — You can use the Enhanced Write Filter (EWF) component to make a read-only storage volume appear to the OS as a read/write device. This is accomplished by redirecting disk write activity to an alternate, writable storage location such as system memory, or to a special disk overlay partition. For example, the El Torito CD-ROM boot component, when used with EWF configured to redirect disk write activity to system memory, allows you to boot from a read-only CD-ROM media.
  7. Prevent installation of rogue applications — Enhanced Write Filter (EWF) can be used to prevent installation of rogue applications, and prevent other permanent configuration changes. If the design contains no read/write storage device, the design is considered stateless between boots because the system is guaranteed to boot the same way each time. Any changes made to the OS between boots are maintained only in system memory and lost when the system restarts. For example, this technique is used in gambling gaming devices, which are required by law in certain states to retain no information between system boots.
  8. Backup and restore benefits — The following two benefits allow you to create a more secure backup and restore environment:
    1. Faster system backup and restore. Backup and restore are typically faster and more reliable because of your device's reduced storage footprint.
    2. Default restore. When used, the stateless El Torito CD-ROM system automatically causes the system to restore to its original state when the system is rebooted or power cycled. This eliminates special backup or restore procedures and the corresponding security concerns associated with backup and restore.
  9. Does not require moving parts — You can make your design more rugged by using storage devices that do not have hard drives, such as Disk On Chip, Flash devices, and other silicon-based storage devices.
  10. Simplified design test and validation — A reduced footprint design reduces system testing, allowing you to concentrate more testing effort on your embedded application.

Security Considerations for Baseline Configurations

You can use Target Designer to build your base design configuration using one of the following baseline configurations:

  1. Kernel-only — The Kernel-only configuration does not support the Microsoft Win32® application programming interface (API) and contains no built-in security features or tools.
  2. Minlogon — The Minlogon configuration uses a less robust logon process compared to Winlogon. Minlogon by default does not include Local Security Authentication Subsystem process (LSASS).

    Make sure that you not require LSASS user authentication before choosing Minlogon.

    Without LSASS, Minlogon lacks the interactive logon and authentication features that are present in standard Windows XP Professional, and always logs on the user as the system user.

    Target Designer may include LSASS in your run-time image even though you selected the Minlogon component. This will happen if other components that you included express a dependency on LSASS, or if you manually added the Local Security Authority Subsystem component.

    The LSASS component has a low display visibility setting so you will need to reduce the visibility level to see it displayed in Target Designer. For more information, see the Windows XP Embedded Help documentation.

  3. Winlogon — The Winlogon configuration uses the standard Windows logon process that ships with Windows XP Professional.

    In Windows XP Professional, Session Manager, Smss.exe, is the first user-mode process created in the system. Session Manager in turn launches the Windows subsystem process and the standard Windows logon process. The standard Windows logon process requires Local Security Authentication Subsystem process (LSASS).

    LSASS is a user-mode process that is responsible for the following areas:

    1. The local system security policy, such as which users are allowed to log on to the machine, password policies, privileges granted to users and groups, and the system security auditing settings.
    2. User authentication.
    3. Sending security audit messages to the event log.

    Certain components that you add to your design may require the Winlogon baseline configuration, even if you originally specified the kernel-only or Minlogon configuration. These components express their requirement as a component dependency on Winlogon, which will result in the Winlogon component being automatically added to your design when you run a Target Designer dependency check.

    Note   The default user password is blank and should be changed to a strong password to ensure proper authentication security.

The following table shows the available design templates and whether they support Minlogon or Winlogon.

Design template Minlogon Winlogon
Windows-based Terminal Professional   X
Information Appliance   X
Basic Set-Top Box X X
Digital Set-Top Box X X
Advanced Set-Top Box   X
Kiosk/Gaming Console X X
Home Gateway   X
Retail Point-of-Sale Terminal   X
Network Attached Storage   X

When choosing your design template, you should consider the following questions:

  1. Who is the target user, and what level of access security is required?
  2. If the device contains sensitive data, how is the data being secured or protected from being corrupted or compromised?
  3. What security measures are in place with respect to any additional device(s) or user(s) that it communicates with?
  4. In what ways could a malicious entity have physical access to the device? Is it adequately secured?

For more information, see the Windows XP Embedded Help documentation.

Embedded Device Threats and Vulnerabilities

The book Writing Secure Code, authored by Michael Howard and David LeBlanc, offers practical information about secure design, secure coding, and testing techniques.

The mitigation techniques list Windows XP security features that must be mapped to components described in Mapping Security Features to Components.

Using the STRIDE model described in Writing Secure Code, the following table shows the major security threats and the corresponding Windows XP Professional security features that can be used to mitigate risk.

Threat Description Mitigation techniques
Spoofing identity Illegally accessing a system either locally or remotely. Authentication Support security features: Digest authentication; Passport authentication; Kerberos authentication, X.509 certificate authentication, and so on.
Tampering with data Malicious modification of data. Authorization Support and Tamper-resistance security features: Access control lists (ACLs), Privileges, Encrypted File System (EFS), IPSec, Digital signatures, and so on.
Repudiation Users denying an action without another party having a way to prove otherwise. Authentication Support, Authorization Support, and Security Support security features: Auditing, IPSec, Digital signatures, and so on.
Information disclosure Exposing information to individuals who should not have access. Authorization and Tamper-resistance security features: Authorization, Privacy-enhanced protocols, Encryption, and so on.
Denial of service Denying service to valid users. Internet Connection Security Support and API security features: Firewall, Authentication, Authorization, Filtering, Throttling, and so on.
Elevation of privilege An unprivileged user gaining privileged access in order to compromise or destroy a system. Authentication, Authorization and Security management security features: Group policy, software/system restrictions, and so on.

Mapping Security Features to Components

Windows XP Embedded supports the same configurable security options as Windows XP Professional. Default security settings are defined in Defltwk.inf. To see how custom security settings can be applied to an embedded device, see Security in the System Design guide.

The following tables contain information associated with Windows XP security features and how they relate to components. A feature requires a component that owns the key binary file as well as the component's dependencies.

Some of the listed components may not be visible and you will need to reduce the visibility in Target Designer in order to see them.

This section discusses these topics:

Authentication Support
Authorization Support
API Support
Tamper-Resistance and Data-Privacy Features on the Storage Media
Tamper-Resistance and Data-Privacy Features on the Network
Wireless Security Support
Internet Connection Security Support
Security Management Support

Authentication Support

Authentication is a process where one user or device proves his or her identity to another principal, a user, or a device. The following table shows how authentication features are mapped to components.

Feature Key binary file Component
Common binaries
(apply to each Authentication feature)
Lsass.exe, Lsasrv.dll Local Security Authority Subsystem (LSASS)
  Secur32.dll Primitive: Secur32
  Crypt32.dll Primitive: Crypt32
  Cryptdll.dll Primitive: Cryptdll
  Netapi32.dll Primitive: Netapi32
  Netlogon.dll Netlogon/NetJoin
Basic
The native authentication mechanism that is built into HTTP. If used, you should require an SSL-encrypted link with strong server-side authentication to secure the connection.
Advapi32.dll Win32 API - Advanced
Digest
A simple Challenge and Response protocol. Intended to replace Basic authentication.
Wdigest.dll Digest Authentication Security Package
NTLM
Windows NT LAN Manager. The native authentication protocol on Windows NT version 4.0. Includes cross-domain authentication. Supported in Windows XP for backward compatibility.
Msv1_0.dll Local Security Authority Subsystem (LSASS)
Kerberos
Provides secure industry-standard authentication.
Kerberos.dll Local Security Authority Subsystem (LSASS)
Passport
Online user authentication service that enables a user to create a single user name and password for easy, secure access to all Passport accounts.
Wininet.dll Wininet Library
Credential Manager
Secured storage for password information. It allows users to input user names and passwords once so the system can automatically supply that information for subsequent visits.
Credui.dll Credential Management User Interface
  Keymgr.dll Key Manager
  Advapi32.dll Win32 API - Advanced
Secure Channel (X.509 certificates)
Supports multiple levels of a certification authority hierarchy using digitally-signed certificates.
Schannel.dll Local Security Authority Subsystem (LSASS)
  Cryptnet.dll Cryptographic Network Services
Smart Card
Windows XP Embedded integrates smart card capabilities into the OS, including support for smart card logon to Terminal Services sessions.
Scardsvr.exe; Scardssp.dll Smart Card Subsystem
  Winscard.dll Primitive: Winscard

Authorization Support

Once a principal, a user, or a machine has been authenticated, the authorization process establishes what that principal is allowed to do. The following table shows how authorization support features are mapped to components.

Feature Key binary files Component
Access control lists (ACLs), Principals, Privileges
A mechanism to protect system objects. For example, a folder or file share can be configured to either accept the default ACL settings or you can implement custom ACL settings to restrict access to the object.
Ntdll.dll Primitive: Ntdll
  Lsass.exe; Lsasrv.dll Local Security Authority Subsystem (LSASS)
  Authz.dll Primitive: AuthZ
GPO, Restrictions (Software, Computer)
Group Policy Object management and control. Use Group Policy to define policy settings that are applied to computers or users.
Gptext.dll Group Policy Client Core
  Profmap Primitive: Profmap
Local, Roaming profiles Userenv.dll Local Profile Core
    Roaming Profile
Auditing Ntdll.dll Primitive: Ntdll
  Lsass.exe, Lsasrv.dll Local Security Authority Subsystem (LSASS)
  Msaudite.dll Auditing Resource DLLs
  Eventlog.dll Event Log

API Support

You can leverage the full-featured security API support built into Windows XP. The following table shows how API support features are mapped to components.

Feature Key binary files Component
CryptoAPI
CryptoAPI provides services that enable application developers to add security to applications. Includes functionality for encoding to and decoding from ASN.1, encrypting and decrypting data, and for authentication using digital certificates.
Crypt32.dll Primitive: Crypt32
  Cryptnet.dll Cryptographic Network Services
SSPI (Security Support Provider Interface)
APIs for credential management, context management, message support, and package management.
Secur32.dll Primitive: Secur32
  Ksecdd.sys Primitive: Ksecdd
  Lsasrv.dll Local Security Authority Subsystem (LSASS)

Tamper-Resistance and Data-Privacy Features on the Storage Media

The level of file system security in your embedded runtime configuration is largely established by the file system components you choose. The following table shows how tamper-resistance and data-privacy features on the storage media are mapped to components.

Feature Key binary files Component
EFS
Encrypted File System (EFS) with multi-user support is part of NTFS file system (NTFS). EFS encrypts each file with a randomly generated key that is transparent to the user.
Efsadu.dll User Interface Core
  Ntfs.sys NTFS
  Crypt32.dll Primitive: Crypt32
  Lsasrv.dll Local Security Authority Subsystem (LSASS)
NTFS
Windows NT File System supports Access Control List (ACL) to protect file system objects.
Ntfs.sys NTFS
Driver Rollback
Part of the Windows XP System Restore feature. Driver Rollback can be used to replace a device driver with a previously installed version.
Newdev.dll Add Hardware Control Panel
  Setupapi.dll Primitive: Setupapi
System Restore
A subsystem that creates periodic system snapshots, allowing you to restore the OS to a previous state.
Sr.sys; Srrstr.dll; Srsvc.dll; Srclient.dll System Restore Core
Volume Shadow Copy Service
Manages and implements volume shadow copies used for backups and other purposes.
Volsnap.sys Volume Shadow Copy Service
  Srv.sys File Sharing

Tamper-Resistance and Data-Privacy Features on the Network

The level of network security in your embedded run-time image is largely established by the network components you choose. The following table shows how tamper-resistance and data-privacy features on the network are mapped to components.

Feature Key binary files Component
IPSec Internet Protocol (IP) Security.
Uses cryptographic security services to enable organizations to transmit data securely over a virtual private network (VPN).
Ipsec.sys; Ipsecsvc.dll; Winipsec.dll IP Security Services
SSL/TLS
Secure Sockets Layer. HTTPS is the name of the URL scheme used with the SSL port 443.
Schannel.dll Local Security Authority Subsystem (LSASS)
  Cryptnet.dll Cryptographic Network Services
  Secur32.dll Primitive: Secur32
  Crypt32.dll Primitive: Crypt32
  Cryptdll.dll Primitive: Cryptdll
  Netapi32.dll Primitive: Netapi32
  Netlogon.dll Netlogon/NetJoin
Secure RPCs
MSRPC applies Windows security to COM+, DCOM, and RPC.
Rpcrt4.dll RPC Local Support
  Secur32.dll Primitive: Secur32
  Authz.dll Primitive: AuthZ
    Secure RPC over Kerberos
    Secure RPC over Negotiate
    Secure RPC over NTLM
    Secure RPC over SSL

Wireless Security Support

Wireless networking offers a new set of security issues to consider. The following table shows how 802.11 / Wireless security support features are mapped to components.

Feature Key binary files Component
Wired Equivalent Privacy (WEP) Wzcsvc.dll Primitive: Wzcsvc
  Wzcsapi.dll Wireless Zero Configuration

Internet Connection Security Support

You can leverage full-featured Internet connection security support. The following table shows how Internet connection security support features are mapped to components.

Feature Key binary files Component
Internet Connection Firewall (ICF)
Protects devices from common Internet attacks.
Hnetcfg.dll; Alg.exe Internet Connection Sharing and Firewall
S/MIME
Secure e-mail using encryption.
Mapi32.dll Mapi32 Libraries
  Cryptnet.dll Cryptographic Network Services
  Crypt32.dll Primitive: Crypt32
WebDAV/Web Folders
If you use Encrypted File System (EFS) to encrypt and decrypt files, and you want to keep the files encrypted when they are shared across the network, use Web Distributed Authoring and Versioning (WebDAV) and Web Folders.
Msonsext.dll Web Folders
HTTPS
The classic URL scheme, HTTP, used port 80 and incorporated no security. The HTTPS URL scheme uses port 443 and incorporates SSL/TLS encryption security.
Wininet.dll Wininet Library
  Schannel.dll Local Security Authority Subsystem (LSASS)
  Cryptnet.dll Cryptographic Network Services
  Secur32.dll Primitive: Secur32
  Crypt32.dll Primitive: Crypt32
  Cryptdll.dll Primitive: Cryptdll
  Netapi32.dll Primitive: Netapi32
  Netlogon.dll Netlogon/NetJoin
PPTP/L2TP
You can securely access a private network through the Internet or other public network by using a VPN connection with the Point-to-Point Tunneling Protocol (PPTP). Level 2 Tunneling Protocol (L2TP), which, when used with IPSec, offers data transfer which is as secure as within a single LAN at a corporate Web site.
Raspptp.sys; Rasl2tp.sys Dial-Up Networking Common Libraries

Security Management Support

In Windows XP Embedded, you can leverage the full set of management tools that are available in Windows XP Professional. The following table shows how security management support features are mapped to components.

Feature Key binary files Component
Certificate Management Certmgr.dll Certificate MMC Snap-In Tool
Security Configuration, Analysis Scesrv.dll Windows Security Configuration Editor Engine
  Scecli.dll Windows Security Configuration Editor Client Engine
  Samlib.dll Security Accounts Manager Client
  Samsrv.lib Security Accounts Manager Server Library
  Wsecedit.dll Security Settings Editor
  Secedit.exe Security Configuration Engine Command-Line Utility
IP Security Management Ipsecsnp.dll; Ipsmsnap.dll IP Security Tools and User Interface
Group Policy Management Gpedit.dll Group Policy Core Administration MMC Snap-In
Local Users and Groups Management Nusrmgr.cpl Users Control Panel
Credential Management Credui.dll Credential Management User Interface
  Keymgr.dll Key Manager

For more information, see the Windows XP Embedded Help documentation.

Security Review Checklist

The following list will help you address security issues relevant to your Windows XP Embedded device and its applications:

  1. As you develop the specification and applications for your run-time image, use the security resources noted in this article.
  2. Read about the latest Microsoft security and quick fix engineering (QFE) updates at this Microsoft Web site.
  3. Read the security information in the Windows XP Embedded online Help.
  4. Include only the driver components and applications that are required by your embedded device.
  5. Reduce the network port usage in your design. Remove all network interfaces that may serve as a security threat. For example, if they are not required, remove the Telnet and Simple Network Management Protocol (SNMP) components.
  6. Ensure there are no other physical hardware interfaces that might serve as an access point for a malicious attack.
  7. Consider using NTFS file system (NTFS), which offers secure access control lists (ACLs) for your data files. Use the Encrypted File System (EFS) feature of for local encryption of data files. Use WebDAV/Web Folders if you need EFS-protected files to be securely encrypted over a network.
  8. Use Internet Connection Firewall (ICF) to protect against unsafe or unauthorized network traffic.
  9. Review privileges required by principals.

For More Information

For more information about network security, see Writing Secure Code by Michael Howard and David Leblanc, Microsoft Press, 2002, and Programming Windows Security by Keith Brown, Addison Wesley Longman, Inc., 2000.

The following Web sites may offer additional security information:

  1. For general information about security, see this Microsoft Web site.
  2. For information about the Windows Embedded product, see this Microsoft Web site.
  3. For information about developer issues, see the MSDN Library.
  4. For information about Windows XP, see this Microsoft Web site.
  5. For more information about Windows XP Embedded security, see Security in the product documentation.

About the Authors

Contributors to this paper include, but are not limited to, the Windows Embedded, Security, and Componentization teams.