Security Considerations for Windows XP Embedded Developers

 

Microsoft Corporation

March 2002

Applies to:
    Microsoft® Windows® XP Embedded

Summary: Microsoft Windows XP Embedded offers developers a componentized version of the Windows XP operating system. Developers can pick and choose exactly those components required to fulfill their design requirements, resulting in a reduced footprint that is specifically tailored for their design. This article presents a technical overview of security considerations in the componentized environment offered by Windows XP Embedded. (15 printed pages)

Contents

Introduction
Unique Security and Reliability Benefits
Security Considerations for Baseline Configurations
Embedded Device Threats and Vulnerabilities
Mapping Security Features to Components
Security Review Checklist
For More Information
About the Authors

Introduction

Microsoft® Windows® XP Embedded is the successor to Microsoft Windows NT® Embedded version 4.0. Based on the same binary files as Windows XP Professional, Windows XP Embedded enables you to rapidly develop reliable and full-featured, connected devices.

The Windows XP Embedded component database includes approximately 10,000 components. You can build Windows XP Embedded run-time images that range from basic kernel-only configurations with minimal security requirements, to full-featured devices that contain networking, multimedia, security, and other features typically found in a computer with Windows XP Professional installed.

Unique Security and Reliability Benefits

Windows XP Embedded inherits all the security features available in Windows XP Professional.

In addition, Windows XP Embedded offers the following benefits:

  1. Less code — You can omit components that are not required by your product, reducing operating system (OS) complexity and increasing reliability.
  2. Less hardware — You can include only the hardware you need in your design to increase reliability. This also translates to a more secure system because there are fewer hardware access points.
  3. Total control of access points — You control the input and output devices exposed to the user, allowing you to specify exactly which devices are supported. The embedded device can be configured as a closed system and devices can be selectively supported. For example, you can prevent the support of externally accessible devices such as USB devices, mouse, keyboard, game controllers, floppy disk drive, and networking through careful selection of device driver components.
  4. Single purpose configuration — You can configure your device to serve a single purpose. You control which applications run on the device and whether third-party applications can be installed, reducing the possibility of application compatibility problems or security attacks.
  5. Reduced network vulnerability — You can reduce your security vulnerability by selecting only those components you require for your target device. For example, unless it is required for maintenance purposes, you can remove network Telnet functionality, which might otherwise offer an attacker an entry point.
  6. Prevent modifications to system data or applications — You can use the Enhanced Write Filter (EWF) component to make a read-only storage volume appear to the OS as a read/write device. This is accomplished by redirecting disk write activity to an alternate, writable storage location such as system memory, or to a special disk overlay partition. For example, the El Torito CD-ROM boot component, when used with EWF configured to redirect disk write activity to system memory, allows you to boot from a read-only CD-ROM media.
  7. Prevent installation of rogue applications — Enhanced Write Filter (EWF) can be used to prevent installation of rogue applications, and prevent other permanent configuration changes. If the design contains no read/write storage device, the design is considered stateless between boots because the system is guaranteed to boot the same way each time. Any changes made to the OS between boots are maintained only in system memory and lost when the system restarts. For example, this technique is used in gambling gaming devices, which are required by law in certain states to retain no information between system boots.
  8. Backup and restore benefits — The following two benefits allow you to create a more secure backup and restore environment:
    1. Faster system backup and restore. Backup and restore are typically faster and more reliable because of your device's reduced storage footprint.
    2. Default restore. When used, the stateless El Torito CD-ROM system automatically causes the system to restore to its original state when the system is rebooted or power cycled. This eliminates special backup or restore procedures and the corresponding security concerns associated with backup and restore.
  9. Does not require moving parts — You can make your design more rugged by using solid-state storage such as DiskOnChip, flash devices, and other silicon-based storage instead of a hard drive.
  10. Simplified design test and validation — A reduced footprint design reduces system testing, allowing you to concentrate more testing effort on your embedded application.
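
As an added illustration of items 6 and 7 (a model written for this article, not the EWF driver or its management API), the following Python class shows the copy-on-write behaviour a RAM overlay gives a protected volume: writes are redirected into volatile memory, reads see them, and a restart discards them unless the overlay was deliberately committed. The sector size, image contents and method names are constructed for the example.

```python
"""Model of a RAM-overlay write filter in front of a read-only boot volume.
This is a simulation of the mechanism EWF provides, not the EWF driver."""

SECTOR_SIZE = 512


class ProtectedVolume:
    """Sector store with a copy-on-write overlay in front of a read-only base."""

    def __init__(self, base_image: bytes):
        if len(base_image) % SECTOR_SIZE:
            raise ValueError("image must be a whole number of sectors")
        # The base stands in for the protected media (CD-ROM, flash); it is
        # only ever changed by commit().
        self._base = bytearray(base_image)
        self._overlay = {}          # sector index -> bytes, lives in RAM only
        self.enabled = True         # False models EWF disabled (writes go through)

    @property
    def sector_count(self) -> int:
        return len(self._base) // SECTOR_SIZE

    def read(self, sector: int) -> bytes:
        self._check(sector)
        if sector in self._overlay:           # overlay shadows the base
            return self._overlay[sector]
        start = sector * SECTOR_SIZE
        return bytes(self._base[start:start + SECTOR_SIZE])

    def write(self, sector: int, data: bytes) -> None:
        self._check(sector)
        if len(data) != SECTOR_SIZE:
            raise ValueError("write must be exactly one sector")
        if self.enabled:
            self._overlay[sector] = bytes(data)   # redirected; base untouched
        else:
            start = sector * SECTOR_SIZE
            self._base[start:start + SECTOR_SIZE] = data

    def restart(self) -> None:
        """Power cycle: the RAM overlay is lost and the volume boots as shipped."""
        self._overlay.clear()

    def commit(self) -> None:
        """Deliberately persist the overlay (a maintenance action, not the default)."""
        for sector, data in self._overlay.items():
            start = sector * SECTOR_SIZE
            self._base[start:start + SECTOR_SIZE] = data
        self._overlay.clear()

    def dirty_sectors(self) -> list:
        """Sectors whose current contents exist only in RAM."""
        return sorted(self._overlay)

    def _check(self, sector: int) -> None:
        if not 0 <= sector < self.sector_count:
            raise IndexError("sector out of range")


def blank_image(sectors: int) -> bytes:
    """Constructed all-zero base image."""
    return bytes(SECTOR_SIZE * sectors)


def fill(byte: int) -> bytes:
    """One sector filled with a single byte value."""
    return bytes([byte]) * SECTOR_SIZE


if __name__ == "__main__":
    vol = ProtectedVolume(blank_image(8))
    vol.write(3, fill(0x41))           # e.g. a dropped binary or config change
    print(vol.read(3)[:4], vol.dirty_sectors())
    vol.restart()
    print(vol.read(3)[:4], vol.dirty_sectors())   # back to the shipped image
```

The same object with `enabled = False` shows the contrast: writes then reach the base and survive `restart()`, which is exactly the state a stateless design must avoid.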

Security Considerations for Baseline Configurations

You can use Target Designer to build your base design configuration using one of the following baseline configurations:

  1. Kernel-only — The Kernel-only configuration does not support the Microsoft Win32® application programming interface (API) and contains no built-in security features or tools.

  2. Minlogon — The Minlogon configuration uses a simpler, less robust logon process than Winlogon. By default, Minlogon does not include the Local Security Authority Subsystem (LSASS).

    Make sure that you do not require LSASS user authentication before choosing Minlogon.

    Without LSASS, Minlogon lacks the interactive logon and authentication features that are present in standard Windows XP Professional, and always logs on the user as the system user.

    Target Designer may include LSASS in your run-time image even though you selected the Minlogon component. This will happen if other components that you included express a dependency on LSASS, or if you manually added the Local Security Authority Subsystem component.

    The LSASS component has a low display visibility setting so you will need to reduce the visibility level to see it displayed in Target Designer. For more information, see the Windows XP Embedded Help documentation.

  3. Winlogon — The Winlogon configuration uses the standard Windows logon process that ships with Windows XP Professional.

    In Windows XP Professional, Session Manager, Smss.exe, is the first user-mode process created in the system. Session Manager in turn launches the Windows subsystem process and the standard Windows logon process. The standard Windows logon process requires the Local Security Authority Subsystem (LSASS).

    LSASS is a user-mode process that is responsible for the following areas:

    1. The local system security policy, such as which users are allowed to log on to the machine, password policies, privileges granted to users and groups, and the system security auditing settings.
    2. User authentication.
    3. Sending security audit messages to the event log.

    Certain components that you add to your design may require the Winlogon baseline configuration, even if you originally specified the kernel-only or Minlogon configuration. These components express their requirement as a component dependency on Winlogon, which will result in the Winlogon component being automatically added to your design when you run a Target Designer dependency check.
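
The following Python example, added here and not part of Target Designer or the component database, shows the check that catches this: it computes the dependency closure of a design the way a Target Designer dependency check does and reports any path that drags LSASS or Winlogon into a Minlogon build. The component names and dependency edges are a constructed, simplified subset (the Internet Connection Sharing and Firewall -> Winlogon edge in particular is an assumption made for the illustration).

```python
"""Dependency-closure check for a Minlogon design.
The graph below is a constructed subset, not the real component database."""

from collections import deque

LSASS = "Local Security Authority Subsystem (LSASS)"

# Constructed: component -> components it declares a dependency on.
COMPONENT_DEPENDENCIES = {
    "Minlogon": ["Session Manager", "Primitive: Ntdll"],
    "Winlogon": ["Session Manager", LSASS],
    LSASS: ["Primitive: Secur32", "Primitive: Ntdll"],
    "Session Manager": ["Primitive: Ntdll"],
    "Primitive: Ntdll": [],
    "Primitive: Secur32": [],
    "NTFS": ["Primitive: Ntdll"],
    "Digest Authentication Security Package": [LSASS],
    # Assumed edge for the illustration only.
    "Internet Connection Sharing and Firewall": ["Winlogon"],
}

# Components whose presence means the image is no longer a true Minlogon design.
SECURITY_SENSITIVE = {LSASS, "Winlogon"}


def resolve(selected, graph=COMPONENT_DEPENDENCIES):
    """Transitive closure of *selected* over *graph* (breadth-first)."""
    closure = set()
    queue = deque(selected)
    while queue:
        name = queue.popleft()
        if name in closure:
            continue
        if name not in graph:
            raise KeyError(f"unknown component: {name}")
        closure.add(name)
        queue.extend(graph[name])
    return closure


def explain(target, selected, graph=COMPONENT_DEPENDENCIES):
    """One dependency path from a selected component to *target*, or None.
    This is the 'why did LSASS end up in my image' answer."""
    parent = {s: None for s in selected}
    queue = deque(selected)
    while queue:
        name = queue.popleft()
        if name == target:
            path = []
            while name is not None:
                path.append(name)
                name = parent[name]
            return list(reversed(path))
        for dep in graph.get(name, []):
            if dep not in parent:
                parent[dep] = name
                queue.append(dep)
    return None


def check_minlogon_design(selected, graph=COMPONENT_DEPENDENCIES):
    """Return (closure, findings) where findings maps each security-sensitive
    component that was pulled in without being selected to its dependency path."""
    closure = resolve(selected, graph)
    findings = {}
    for comp in SECURITY_SENSITIVE & closure:
        if comp not in selected:
            findings[comp] = explain(comp, selected, graph)
    return closure, findings


if __name__ == "__main__":
    design = ["Minlogon", "NTFS", "Digest Authentication Security Package"]
    closure, findings = check_minlogon_design(design)
    print(f"{len(closure)} components in image")
    for comp, path in findings.items():
        print(f"WARNING: {comp} added by dependency: {' -> '.join(path)}")
```

Run it against the real component list exported from your configuration and a finding means either the offending component must go, or the design is in fact a Winlogon design and should be reviewed as one.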

Note The default user password is blank and should be changed to a strong password to ensure proper authentication security.

The following table shows the available design templates and whether they support Minlogon or Winlogon.

Design template                       Minlogon   Winlogon
Windows-based Terminal Professional      -          X
Information Appliance                    -          X
Basic Set-Top Box                        X          X
Digital Set-Top Box                      X          X
Advanced Set-Top Box                     -          X
Kiosk/Gaming Console                     X          X
Home Gateway                             -          X
Retail Point-of-Sale Terminal            -          X
Network Attached Storage                 -          X

When choosing your design template, you should consider the following questions:

  1. Who is the target user, and what level of access security is required?
  2. If the device contains sensitive data, how is the data being secured or protected from being corrupted or compromised?
  3. What security measures are in place with respect to any additional device(s) or user(s) that it communicates with?
  4. In what ways could a malicious entity have physical access to the device? Is it adequately secured?

For more information, see the Windows XP Embedded Help documentation.

Embedded Device Threats and Vulnerabilities

The book Writing Secure Code, by Michael Howard and David LeBlanc, offers practical information about secure design, secure coding, and testing techniques.

Using the STRIDE model described in Writing Secure Code, the following table lists the major classes of threat and the Windows XP Professional security features that can be used to mitigate each. The mitigation techniques name security features; the components that supply each feature are listed in Mapping Security Features to Components.

Threat: Spoofing identity
    Description: Illegally accessing a system, locally or remotely, by posing as another principal.
    Mitigation techniques: Authentication Support security features: Digest authentication, Passport authentication, Kerberos authentication, X.509 certificate authentication, and so on.

Threat: Tampering with data
    Description: Malicious modification of data.
    Mitigation techniques: Authorization Support and Tamper-resistance security features: access control lists (ACLs), privileges, Encrypting File System (EFS), IPSec, digital signatures, and so on.

Threat: Repudiation
    Description: Users denying an action without another party having a way to prove otherwise.
    Mitigation techniques: Authentication Support, Authorization Support, and Security Support security features: auditing, IPSec, digital signatures, and so on.

Threat: Information disclosure
    Description: Exposing information to individuals who should not have access.
    Mitigation techniques: Authorization and Tamper-resistance security features: authorization, privacy-enhanced protocols, encryption, and so on.

Threat: Denial of service
    Description: Denying service to valid users.
    Mitigation techniques: Internet Connection Security Support and API security features: firewall, authentication, authorization, filtering, throttling, and so on.

Threat: Elevation of privilege
    Description: An unprivileged user gaining privileged access in order to compromise or destroy a system.
    Mitigation techniques: Authentication, Authorization and Security Management security features: Group Policy, software and system restrictions, and so on.

Mapping Security Features to Components

Windows XP Embedded supports the same configurable security options as Windows XP Professional. Default security settings are defined in Defltwk.inf. To see how custom security settings can be applied to an embedded device, see Security in the System Design guide.

The following tables list Windows XP security features and the components that provide them. To include a feature, add the component that owns its key binary file; a Target Designer dependency check then adds that component's own dependencies.

Some of the listed components may not be visible and you will need to reduce the visibility in Target Designer in order to see them.

This section discusses these topics:

Authentication Support
Authorization Support
API Support
Tamper-Resistance and Data-Privacy Features on the Storage Media
Tamper-Resistance and Data-Privacy Features on the Network
Wireless Security Support
Internet Connection Security Support
Security Management Support

Authentication Support

Authentication is a process where one user or device proves his or her identity to another principal, a user, or a device. The following table shows how authentication features are mapped to components.

Key binary file(s)  ->  Component

Common binaries (required by every authentication feature below)
    Lsass.exe, Lsasrv.dll  ->  Local Security Authority Subsystem (LSASS)
    Secur32.dll  ->  Primitive: Secur32
    Crypt32.dll  ->  Primitive: Crypt32
    Cryptdll.dll  ->  Primitive: Cryptdll
    Netapi32.dll  ->  Primitive: Netapi32
    Netlogon.dll  ->  Netlogon/NetJoin

Basic
    The native authentication mechanism built into HTTP. The credentials are only base64-encoded, not protected, so if you use it, require an SSL-encrypted link with strong server-side authentication.
    Advapi32.dll  ->  Win32 API - Advanced

Digest
    A simple challenge and response protocol: the client sends a hash of the password combined with a server nonce rather than the password itself. Intended to replace Basic authentication.
    Wdigest.dll  ->  Digest Authentication Security Package

NTLM
    Windows NT LAN Manager. The native authentication protocol on Windows NT version 4.0; includes cross-domain authentication. Supported in Windows XP for backward compatibility.
    Msv1_0.dll  ->  Local Security Authority Subsystem (LSASS)

Kerberos
    Provides secure, industry-standard authentication.
    Kerberos.dll  ->  Local Security Authority Subsystem (LSASS)

Passport
    Online user authentication service that lets a user create a single user name and password for access to all Passport-enabled sites.
    Wininet.dll  ->  Wininet Library

Credential Manager
    Secured storage for credentials. Users enter a user name and password once, and the system supplies them automatically on subsequent visits.
    Credui.dll  ->  Credential Management User Interface
    Keymgr.dll  ->  Key Manager
    Advapi32.dll  ->  Win32 API - Advanced

Secure Channel (X.509 certificates)
    Supports multiple levels of a certification authority hierarchy using digitally signed certificates.
    Schannel.dll  ->  Local Security Authority Subsystem (LSASS)
    Cryptnet.dll  ->  Cryptographic Network Services

Smart Card
    Windows XP Embedded integrates smart card capabilities into the OS, including support for smart card logon to Terminal Services sessions.
    Scardsvr.exe, Scardssp.dll  ->  Smart Card Subsystem
    Winscard.dll  ->  Primitive: Winscard
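
Added example, not from the original article and not code from the Windows components above, showing why the table asks for SSL under Basic and positions Digest as its replacement: Basic places a reversible encoding of the password on the wire, while RFC 2617 Digest with qop="auth" sends a hash bound to a server nonce, and the server verifies it holding only HA1. The realm, user names, URI and nonces are sample data; the DigestServer class and its nonce-count bookkeeping are this example's own design, not a Windows API.

```python
"""HTTP Basic versus Digest (RFC 2617, qop=auth) with both sides of the exchange.
Sample users, realm and URIs are constructed for the example."""

import base64
import hashlib
import secrets


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def basic_authorization(user: str, password: str) -> str:
    """What Basic puts on the wire: a reversible encoding, not a hash."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def basic_decode(header: str) -> tuple:
    """Anyone who sees the header (no SSL) recovers the password."""
    raw = base64.b64decode(header.split(" ", 1)[1]).decode()
    user, _, password = raw.partition(":")
    return user, password


def digest_ha1(user: str, realm: str, password: str) -> str:
    """HA1 is all the server needs to keep; the password itself is never stored."""
    return _md5(f"{user}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str, nc: str, cnonce: str) -> str:
    """RFC 2617 request-digest for qop=auth."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


class DigestServer:
    """Holds HA1 per user and tracks nonce counts so a captured request cannot be replayed."""

    def __init__(self, realm: str):
        self.realm = realm
        self._ha1 = {}
        self._issued = {}          # nonce -> highest nonce-count accepted

    def add_user(self, user: str, password: str) -> None:
        self._ha1[user] = digest_ha1(user, self.realm, password)

    def challenge(self) -> dict:
        """Contents of the WWW-Authenticate: Digest header."""
        nonce = secrets.token_hex(16)
        self._issued[nonce] = 0
        return {"realm": self.realm, "nonce": nonce, "qop": "auth"}

    def verify(self, method, uri, user, nonce, nc, cnonce, response) -> bool:
        if user not in self._ha1 or nonce not in self._issued:
            return False
        if int(nc, 16) <= self._issued[nonce]:
            return False           # replayed or out-of-order nonce count
        expected = digest_response(self._ha1[user], method, uri, nonce, nc, cnonce)
        if not secrets.compare_digest(expected, response):
            return False
        self._issued[nonce] = int(nc, 16)
        return True


def digest_client(user, password, challenge, method, uri, nc="00000001", cnonce=None) -> dict:
    """Fields the client returns in its Authorization: Digest header."""
    cnonce = cnonce or secrets.token_hex(8)
    ha1 = digest_ha1(user, challenge["realm"], password)
    return {"user": user, "nonce": challenge["nonce"], "nc": nc, "cnonce": cnonce,
            "response": digest_response(ha1, method, uri, challenge["nonce"], nc, cnonce)}


if __name__ == "__main__":
    print(basic_decode(basic_authorization("kiosk", "s3cret")))   # password in the clear
    srv = DigestServer("device")
    srv.add_user("kiosk", "s3cret")
    ch = srv.challenge()
    req = digest_client("kiosk", "s3cret", ch, "GET", "/status")
    print(srv.verify("GET", "/status", **req))   # True
    print(srv.verify("GET", "/status", **req))   # False: same nonce count again
```

Digest still relies on MD5 and leaves the request body unprotected, so it is a replacement for Basic, not for SSL/TLS; what it buys you is that a passive listener learns a nonce-bound hash rather than the password.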

Authorization Support

Once a principal, a user, or a machine has been authenticated, the authorization process establishes what that principal is allowed to do. The following table shows how authorization support features are mapped to components.

Key binary file(s)  ->  Component

Access control lists (ACLs), principals, privileges
    A mechanism to protect system objects. For example, a folder or file share can accept the default ACL, or you can apply a custom ACL to restrict access to the object.
    Ntdll.dll  ->  Primitive: Ntdll
    Lsass.exe, Lsasrv.dll  ->  Local Security Authority Subsystem (LSASS)
    Authz.dll  ->  Primitive: AuthZ

Group Policy Objects (GPO), software and computer restrictions
    Group Policy Object management and control. Use Group Policy to define policy settings that are applied to computers or users.
    Gptext.dll  ->  Group Policy Client Core
    Profmap.dll  ->  Primitive: Profmap

Local and roaming profiles
    Userenv.dll  ->  Local Profile Core; Roaming Profile

Auditing
    Ntdll.dll  ->  Primitive: Ntdll
    Lsass.exe, Lsasrv.dll  ->  Local Security Authority Subsystem (LSASS)
    Msaudite.dll  ->  Auditing Resource DLLs
    Eventlog.dll  ->  Event Log
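
An added example, not code from this page or from Windows, that writes out the evaluation order the ACL mechanism in the table relies on: ACEs are walked in order, a matching deny ACE that covers any still-outstanding requested right stops the check, and allow ACEs accumulate rights until every requested right is granted. The right bits, SIDs and ACEs are constructed; owner implicit rights, generic-right mapping and inheritance flags are deliberately left out.

```python
"""Windows-style DACL evaluation, simplified.
Right bits, SIDs and ACEs below are constructed sample data."""

# Constructed access-right bits shaped like Win32 access masks.
FILE_READ = 0x1
FILE_WRITE = 0x2
FILE_EXECUTE = 0x4
DELETE = 0x10000
ALL = FILE_READ | FILE_WRITE | FILE_EXECUTE | DELETE

ALLOW, DENY = "allow", "deny"


def access_check(dacl, token_sids, desired):
    """Return (granted: bool, reason: str).

    dacl: None (object is unprotected), [] (empty DACL: nobody has access),
          or a list of (ace_type, sid, mask) tuples evaluated in order.
    token_sids: set of SIDs in the caller's token (user SID plus groups).
    desired: bitmask of the rights being requested."""
    if desired == 0:
        raise ValueError("desired access must not be empty")
    if dacl is None:
        return True, "NULL DACL: object is unprotected"
    remaining = desired
    for ace_type, sid, mask in dacl:
        if sid not in token_sids:
            continue                          # ACE does not apply to this token
        if ace_type == DENY:
            if mask & remaining:
                return False, f"denied by ACE for {sid}"
        elif ace_type == ALLOW:
            remaining &= ~mask
            if remaining == 0:
                return True, "all requested rights granted"
        else:
            raise ValueError(f"unknown ACE type {ace_type!r}")
    return False, "requested rights not granted by any ACE"


def canonical(dacl):
    """Canonical order: explicit deny ACEs ahead of explicit allow ACEs,
    which is what the ACL editor writes and what first-match evaluation assumes."""
    return [a for a in dacl if a[0] == DENY] + [a for a in dacl if a[0] == ALLOW]


if __name__ == "__main__":
    # Constructed token: a kiosk user who is also a member of the Users group.
    token = {"S-1-5-21-X-1001", "S-1-5-32-545"}
    # Non-canonical DACL: the group allow precedes the per-user deny, so a
    # FILE_READ request is satisfied before the deny is ever reached.
    dacl = [(ALLOW, "S-1-5-32-545", FILE_READ | FILE_EXECUTE),
            (DENY, "S-1-5-21-X-1001", ALL)]
    print(access_check(dacl, token, FILE_READ))
    print(access_check(canonical(dacl), token, FILE_READ))
```

The lesson for a device builder: a DACL written by hand (for example in an .inf applied at image build time) must keep deny ACEs first, or the deny never takes effect for rights an earlier allow already covered.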

API Support

You can leverage the full-featured security API support built into Windows XP. The following table shows how API support features are mapped to components.

Key binary file(s)  ->  Component

CryptoAPI
    CryptoAPI provides services that enable application developers to add security to applications. Includes functionality for encoding to and decoding from ASN.1, encrypting and decrypting data, and authenticating with digital certificates.
    Crypt32.dll  ->  Primitive: Crypt32
    Cryptnet.dll  ->  Cryptographic Network Services

SSPI (Security Support Provider Interface)
    APIs for credential management, context management, message support, and package management.
    Secur32.dll  ->  Primitive: Secur32
    Ksecdd.sys  ->  Primitive: Ksecdd
    Lsasrv.dll  ->  Local Security Authority Subsystem (LSASS)

Tamper-Resistance and Data-Privacy Features on the Storage Media

The level of file system security in your embedded runtime configuration is largely established by the file system components you choose. The following table shows how tamper-resistance and data-privacy features on the storage media are mapped to components.

Key binary file(s)  ->  Component

EFS
    Encrypting File System (EFS), with multi-user support, is part of NTFS. EFS encrypts each file with a randomly generated key, transparently to the user.
    Efsadu.dll  ->  User Interface Core
    Ntfs.sys  ->  NTFS
    Crypt32.dll  ->  Primitive: Crypt32
    Lsasrv.dll  ->  Local Security Authority Subsystem (LSASS)

NTFS
    The Windows NT file system supports access control lists (ACLs) to protect file system objects.
    Ntfs.sys  ->  NTFS

Driver Rollback
    A companion to the Windows XP System Restore feature. Driver Rollback replaces a device driver with the previously installed version.
    Newdev.dll  ->  Add Hardware Control Panel
    Setupapi.dll  ->  Primitive: Setupapi

System Restore
    A subsystem that creates periodic system snapshots, allowing you to restore the OS to a previous state.
    Sr.sys, Srrstr.dll, Srsvc.dll, Srclient.dll  ->  System Restore Core

Volume Shadow Copy Service
    Manages and implements volume shadow copies used for backups and other purposes.
    Volsnap.sys  ->  Volume Shadow Copy Service
    Srv.sys  ->  File Sharing

Tamper-Resistance and Data-Privacy Features on the Network

The level of network security in your embedded run-time image is largely established by the network components you choose. The following table shows how tamper-resistance and data-privacy features on the network are mapped to components.

Key binary file(s)  ->  Component

IPSec
    Internet Protocol Security. Authenticates and encrypts IP traffic using cryptographic services, for example to carry data securely across a virtual private network (VPN).
    Ipsec.sys, Ipsecsvc.dll, Winipsec.dll  ->  IP Security Services

SSL/TLS
    Secure Sockets Layer and its successor, Transport Layer Security. HTTPS is the URL scheme for HTTP carried over SSL/TLS on port 443.
    Schannel.dll  ->  Local Security Authority Subsystem (LSASS)
    Cryptnet.dll  ->  Cryptographic Network Services
    Secur32.dll  ->  Primitive: Secur32
    Crypt32.dll  ->  Primitive: Crypt32
    Cryptdll.dll  ->  Primitive: Cryptdll
    Netapi32.dll  ->  Primitive: Netapi32
    Netlogon.dll  ->  Netlogon/NetJoin

Secure RPC
    MSRPC applies Windows security to COM+, DCOM, and RPC. Secure RPC can run over Kerberos, Negotiate, NTLM, or SSL.
    Rpcrt4.dll  ->  RPC Local Support
    Secur32.dll  ->  Primitive: Secur32
    Authz.dll  ->  Primitive: AuthZ

Wireless Security Support

Wireless networking offers a new set of security issues to consider. The following table shows how 802.11 wireless security support features are mapped to components. Note that Wired Equivalent Privacy (WEP) is the only link-layer protection these components provide, and design weaknesses in WEP were published in 2001; treat it as a deterrent and protect traffic that matters with IPSec or SSL/TLS above it.

Key binary file(s)  ->  Component

Wired Equivalent Privacy (WEP)
    Wzcsvc.dll  ->  Primitive: Wzcsvc
    Wzcsapi.dll  ->  Wireless Zero Configuration

Internet Connection Security Support

You can leverage full-featured Internet connection security support. The following table shows how Internet connection security support features are mapped to components.

Key binary file(s)  ->  Component

Internet Connection Firewall (ICF)
    Protects devices from common Internet attacks by blocking unsolicited inbound traffic.
    Hnetcfg.dll, Alg.exe  ->  Internet Connection Sharing and Firewall

S/MIME
    Secure e-mail using encryption and digital signatures.
    Mapi32.dll  ->  Mapi32 Libraries
    Cryptnet.dll  ->  Cryptographic Network Services
    Crypt32.dll  ->  Primitive: Crypt32

WebDAV/Web Folders
    If you use Encrypting File System (EFS) to encrypt and decrypt files, and you want the files to stay encrypted while they are shared across the network, use Web Distributed Authoring and Versioning (WebDAV) and Web Folders.
    Msonsext.dll  ->  Web Folders

HTTPS
    The classic URL scheme, HTTP, uses port 80 and provides no transport security. The HTTPS URL scheme uses port 443 and carries HTTP over SSL/TLS encryption.
    Wininet.dll  ->  Wininet Library
    Schannel.dll  ->  Local Security Authority Subsystem (LSASS)
    Cryptnet.dll  ->  Cryptographic Network Services
    Secur32.dll  ->  Primitive: Secur32
    Crypt32.dll  ->  Primitive: Crypt32
    Cryptdll.dll  ->  Primitive: Cryptdll
    Netapi32.dll  ->  Primitive: Netapi32
    Netlogon.dll  ->  Netlogon/NetJoin

PPTP/L2TP
    You can securely access a private network through the Internet or another public network by using a VPN connection with the Point-to-Point Tunneling Protocol (PPTP) or the Layer 2 Tunneling Protocol (L2TP). L2TP itself provides no encryption; combined with IPSec it offers data transfer that is as protected as traffic on a single corporate LAN.
    Raspptp.sys, Rasl2tp.sys  ->  Dial-Up Networking Common Libraries

Security Management Support

In Windows XP Embedded, you can leverage the full set of management tools that are available in Windows XP Professional. The following table shows how security management support features are mapped to components.

Key binary file(s)  ->  Component

Certificate Management
    Certmgr.dll  ->  Certificate MMC Snap-In Tool

Security Configuration and Analysis
    Scesrv.dll  ->  Windows Security Configuration Editor Engine
    Scecli.dll  ->  Windows Security Configuration Editor Client Engine
    Samlib.dll  ->  Security Accounts Manager Client
    Samsrv.dll  ->  Security Accounts Manager Server Library
    Wsecedit.dll  ->  Security Settings Editor
    Secedit.exe  ->  Security Configuration Engine Command-Line Utility

IP Security Management
    Ipsecsnp.dll, Ipsmsnap.dll  ->  IP Security Tools and User Interface

Group Policy Management
    Gpedit.dll  ->  Group Policy Core Administration MMC Snap-In

Local Users and Groups Management
    Nusrmgr.cpl  ->  Users Control Panel

Credential Management
    Credui.dll  ->  Credential Management User Interface
    Keymgr.dll  ->  Key Manager
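
Added example, not from the page: a Python checker for the security template format that Secedit.exe and the Security Configuration and Analysis tools above consume, applied to the blank-password situation noted in the baseline configuration section. The template text is a constructed sample; the key names under [System Access] and [Event Audit] are the standard secedit keys, while the thresholds and recommended values are this example's own choices for a single-purpose device.

```python
"""Check and harden a secedit security template (.inf) before it is applied
with 'secedit /configure'. WEAK_TEMPLATE is a constructed sample."""

import configparser

WEAK_TEMPLATE = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
LockoutBadCount = 0
EnableGuestAccount = 1
ClearTextPassword = 0
[Event Audit]
AuditLogonEvents = 0
AuditAccountLogon = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

AUDIT_FAILURE = 2     # audit values: 0 none, 1 success, 2 failure, 3 both

# (section, key, predicate that is True when the value is weak, message, recommended)
RULES = [
    ("System Access", "MinimumPasswordLength", lambda v: v < 8,
     "passwords shorter than 8 characters allowed (0 permits a blank password)", 8),
    ("System Access", "PasswordComplexity", lambda v: v != 1,
     "password complexity not enforced", 1),
    ("System Access", "LockoutBadCount", lambda v: v == 0,
     "no account lockout, unlimited password guessing", 5),
    ("System Access", "EnableGuestAccount", lambda v: v == 1,
     "Guest account enabled", 0),
    ("System Access", "ClearTextPassword", lambda v: v == 1,
     "reversible password storage enabled", 0),
    ("Event Audit", "AuditLogonEvents", lambda v: not v & AUDIT_FAILURE,
     "failed logons are not audited", 3),
    ("Event Audit", "AuditAccountLogon", lambda v: not v & AUDIT_FAILURE,
     "failed account logons are not audited", 3),
]


def parse_template(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str            # keep the case of the key names
    cp.read_string(text)
    return cp


def findings(text: str) -> list:
    """Return [(section, key, message)] for every rule that fires. A key that
    is absent from the template is reported too, because secedit then leaves
    whatever value the image currently has."""
    cp = parse_template(text)
    out = []
    for section, key, weak, message, _ in RULES:
        if not cp.has_option(section, key):
            out.append((section, key, f"{key} not set by template"))
        elif weak(cp.getint(section, key)):
            out.append((section, key, message))
    return out


def harden(text: str) -> str:
    """Rewrite every failing or missing key to its recommended value and return
    the template text, ready for: secedit /configure /db device.sdb /cfg hardened.inf"""
    cp = parse_template(text)
    for section, key, weak, _, recommended in RULES:
        if not cp.has_section(section):
            cp.add_section(section)
        if not cp.has_option(section, key) or weak(cp.getint(section, key)):
            cp.set(section, key, str(recommended))
    lines = []
    for section in cp.sections():
        lines.append(f"[{section}]")
        lines.extend(f"{k} = {v}" for k, v in cp.items(section))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for sec, key, msg in findings(WEAK_TEMPLATE):
        print(f"[{sec}] {key}: {msg}")
    print(harden(WEAK_TEMPLATE))
```

Run the checker over the template you apply at build time as well as over the output of `secedit /export` from a finished image, since a component added late can carry its own settings.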

For more information, see the Windows XP Embedded Help documentation.

Security Review Checklist

The following list will help you address security issues relevant to your Windows XP Embedded device and its applications:

  1. As you develop the specification and applications for your run-time image, use the security resources noted in this article.
  2. Read about the latest Microsoft security and quick fix engineering (QFE) updates at this Microsoft Web site.
  3. Read the security information in the Windows XP Embedded online Help.
  4. Include only the driver components and applications that are required by your embedded device.
  5. Reduce the network port usage in your design. Remove every network service and interface that is not required, because each one is a potential entry point. For example, if they are not required, remove the Telnet and Simple Network Management Protocol (SNMP) components.
  6. Ensure there are no other physical hardware interfaces that might serve as an access point for a malicious attack.
  7. Consider using the NTFS file system, which offers access control lists (ACLs) for your data files. Use the Encrypting File System (EFS) feature for local encryption of data files. Use WebDAV/Web Folders if you need EFS-protected files to remain encrypted while they cross the network.
  8. Use Internet Connection Firewall (ICF) to protect against unsafe or unauthorized network traffic.
  9. Review the privileges granted to each principal and remove any that the device's applications do not need.

For More Information

For more information about network security, see Writing Secure Code by Michael Howard and David LeBlanc, Microsoft Press, 2002, and Programming Windows Security by Keith Brown, Addison Wesley Longman, Inc., 2000.

The following Web sites may offer additional security information:

  1. For general information about security, see this Microsoft Web site.
  2. For information about the Windows Embedded product, see this Microsoft Web site.
  3. For information about developer issues, see the MSDN Library.
  4. For information about Windows XP, see this Microsoft Web site.
  5. For more information about Windows XP Embedded security, see Security in the product documentation.

About the Authors

Contributors to this paper include, but are not limited to, the Windows Embedded, Security, and Componentization teams.