Securing Embedded Systems

Updated 3/26/09 with preface

[The following article is authored by one of the Windows Embedded MVPs (Most Valuable Professionals). Our MVPs have a heavy background in Embedded systems and are a great repository of information on Windows Embedded products. We’re providing this space on our team blog as a service to our readers by allowing MVPs to share some of their knowledge with the rest of the community.]  

Devices built with Windows Embedded Standard 2009 can offer sophisticated security mechanisms that integrate well in Enterprise scenarios, depending on the components that are included in the image. But, as always, more functionality means a larger image footprint, so it is good to treat security considerations not as an afterthought, but as an important item on the requirements list when designing the device architecture.

MinLogon versus WinLogon

There are two fundamentally different ways to log onto a Windows Embedded Standard system. MinLogon starts the operating system in the context of the System user account and does not provide any further user management possibilities. This can be good or bad. Because the System user account has unlimited privileges on the machine, a lot of damage can be done if the account is compromised. On the other hand, MinLogon is essential to achieve small image sizes and fast boot times. This does not mean that such an image is insecure, per se, but OS developers should take additional measures to lock down such systems to avoid abuse. There are more considerations on this available in David Reed’s interesting article on MSDN.

WinLogon is the standard Windows Logon procedure, which brings in user management as well as Domain Participation for an embedded image. This is great functionality, which often is required to connect Windows Embedded devices to a corporate network. It comes with the penalty of about 70 MB additional footprint in the OS image. In contrast to MinLogon, the well-known Windows user concept is provided and users are required to log in, unless automatic logon is configured (by setting a registry key).

Active Directory Security

Using WinLogon enables all Active Directory security aspects for a Windows Embedded Standard image. This is not limited to a central user management system, but provides a granular and powerful mechanism called group policies to configure system settings on a machine, group or user level.

The great benefit of this approach is that existing infrastructure for Windows desktop systems can easily be reused, applying the same tools and processes.

Windows Firewall

The Windows Firewall / Internet Connection sharing component enables firewall functionality in an embedded image.

The firewall settings are either preconfigured in Target Designer or set manually at a later stage using the control panel applet, group policies or scripts. The firewall is very important for devices located out in the field. These systems naturally have a special need to be locked down, to avoid tampering.

If embedded devices are part of a corporate network, the firewall quite often is turned off. This is because mechanisms such as virus / malware scanners and health analyzers are deployed in a corporation and offer sophisticated means to establish security at network level.

NTFS versus FAT

When thinking about security, NTFS is an easy choice. The only occasion where FAT is an option is when using Compact Flash as storage in combination with the Enhanced Write Filter (EWF). In this case the journal for an NTFS partition resides outside of the partition itself. This means that EWF will not be able to redirect writes to the journal into an overlay, because it protects the partition only. Therefore these journal writes hit the flash storage. The good thing is that modern flash devices use techniques such as wear-leveling to significantly reduce the impact of write cycles on this storage and make failures related to journal writes very unlikely. Devices using the FAT file system in this scenario do not have a problem, because it does not write a journal at all.

Securing Internet Information Server (IIS)

IIS is one of the prominent targets for hackers of all kinds. As a countermeasure, Microsoft provides the IISLockdown tool for download. This tool helps to disable IIS functionality not required on the device and scans URLs based on preconfigured rules with the help of an ISAPI filter. If IIS is part of the image, IISLockdown should be used to secure it, according to the project requirements.

Checking image security

How to find proof that the Windows Embedded image is secure?
In all cases there should be testing to show that the built-in functionality works. In addition, it is a best practice to scan the new image with the help of security scanners such as Microsoft Baseline Security Analyzer (MBSA) or GFI LanGuard. These enterprise tools update themselves with the newest configuration recommendations and report all missing or weak settings.
Some of the results (e.g. recommended patches for Microsoft Office) may not be applicable for embedded devices in all scenarios, but the overall feedback that these tools provide is very valuable.
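
A quick local spot-check of the settings discussed in this article, to run on the device before a full scan with MBSA or a similar tool. This is an added example, not part of the original article; it assumes PowerShell is available in the image, and that automatic logon and the firewall use the standard Winlogon values and the local Windows Firewall profile keys shown in the comments.

```powershell
# Added example: local spot-check, not a replacement for MBSA or a similar scanner.
$findings = @()

# WinLogon images: automatic logon is controlled by values under the Winlogon key.
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
if ($wl.AutoAdminLogon -eq '1') {
    $findings += "Automatic logon is enabled for '$($wl.DefaultUserName)'"
    if ($wl.DefaultPassword) {
        $findings += 'Automatic logon password is stored in clear text (DefaultPassword)'
    }
}

# Windows Firewall: local on/off switch per profile (Group Policy can override these).
$fwBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
foreach ($name in 'StandardProfile', 'DomainProfile') {
    $p = Get-ItemProperty "$fwBase\$name" -ErrorAction SilentlyContinue
    if ((-not $p) -or ($p.EnableFirewall -ne 1)) {
        $findings += "Windows Firewall is off or not in the image ($name)"
    }
}

# Fixed disks (DriveType 3): FAT volumes have no file-level access control.
foreach ($d in @(Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=3')) {
    if ($d.FileSystem -ne 'NTFS') {
        $findings += "Volume $($d.DeviceID) uses $($d.FileSystem), not NTFS"
    }
}

# IIS in the image: the web publishing service is registered as W3SVC.
if (Get-Service -Name W3SVC -ErrorAction SilentlyContinue) {
    $findings += 'IIS (W3SVC) is in the image: confirm IISLockdown has been applied'
}

if ($findings.Count -eq 0) {
    'No findings from the local spot-check.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

A finding is a prompt to check the setting against the project requirements, for example a FAT volume chosen deliberately for use with EWF, or a firewall turned off on a managed corporate network.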

Advanced embedded security techniques

One of the great advantages of Windows Embedded is its componentization. This means that functionality not required can be left out and therefore does not need to be secured. Additionally, the overall attack surface is reduced. It also means that newly connected PnP peripherals cannot be installed (by not including device drivers) or even detected (by leaving out their related class installers). Windows Embedded Standard in this case works with just the drivers included and, thus, provides granular control over the hardware to the OEM.

EWF can also be regarded as a security feature, especially when running in RAM overlay mode. This guarantees that viruses, even after they have made their way onto the system, are removed by a simple reboot of the device.

- Alexander

Alexander Wechsler

Wechsler Consulting

www.wechsler-consulting.de