Security on Windows Embedded Standard

Posted on 2014-04-01
Last Modified: 2014-04-02
We have a number of Wyse C90's with Windows Embedded Standard (SP3), and we need to harden the OS; specifically, to reject any traffic FROM an external IP address. How can this be accomplished? The Windows firewall doesn't seem to be very dynamic.

Question by: MRH-ITS
3 Comments
Accepted Solution by: Rich Rumble (LVL 38, earned 500 total points), ID: 39971975
You want to use the IPSEC rules: http://www.upenn.edu/computing/security/IPSEC.pdf
You can use those rules to block inbound and outbound traffic if you want. There are some predefined rules on all Windows XP clients; use secpol.msc to access the MMC plugin that shows the predefined rules, and you can modify them.
There is one caveat to these rules: binding to port 88 or port 500 as the source port is one way IPsec filters can be bypassed. Most programs, however, do not give you the ability to bind or even pick your source port. The IPSEC rules can use DNS names, as opposed to IP only like the standard firewall.
http://support.microsoft.com/kb/811832
-rich
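A worked version of the IPsec approach Rich describes, added here as an example and not part of his answer or of the linked documents. It builds a local IPsec policy with netsh on the XP-based Windows Embedded Standard (the same objects you would otherwise click through in secpol.msc): a catch-all block filter, a more specific permit filter for the management subnet, and the registry value from KB 811832 that removes the default Kerberos/RSVP exemption so the source-port bypass mentioned above no longer applies. The subnet 10.0.0.0/24 and all policy, filter list and rule names are placeholders chosen for this example.

```batch
@echo off
REM Added example: local IPsec policy that blocks all traffic to this host
REM except from the management subnet. Run from an elevated command prompt
REM on Windows XP SP3 / WES 2009. Subnet and names below are placeholders.

SET MGMT_SUBNET=10.0.0.0
SET MGMT_MASK=255.255.255.0
SET POLICY=Harden thin client

REM 1. Filter list matching every packet between any address and this host ("me").
REM    mirrored=yes also matches the reply direction.
netsh ipsec static add filterlist name="All traffic"
netsh ipsec static add filter filterlist="All traffic" srcaddr=any dstaddr=me protocol=any mirrored=yes

REM 2. Filter list matching only the management subnet. IPsec evaluates the most
REM    specific matching filter first, so this one takes precedence over the catch-all.
netsh ipsec static add filterlist name="Management subnet"
netsh ipsec static add filter filterlist="Management subnet" srcaddr=%MGMT_SUBNET% srcmask=%MGMT_MASK% dstaddr=me protocol=any mirrored=yes

REM 3. Filter actions: plain block and plain permit (no IKE negotiation involved).
netsh ipsec static add filteraction name="Block" action=block
netsh ipsec static add filteraction name="Permit" action=permit

REM 4. Policy with two rules. Left unassigned until the exemption fix is in place.
netsh ipsec static add policy name="%POLICY%" description="Drop off-subnet traffic" assign=no
netsh ipsec static add rule name="Block all" policy="%POLICY%" filterlist="All traffic" filteraction="Block"
netsh ipsec static add rule name="Allow management subnet" policy="%POLICY%" filterlist="Management subnet" filteraction="Permit"

REM 5. Remove the default Kerberos (TCP/UDP 88) and RSVP exemption described in
REM    KB 811832. Value 1 keeps only IKE (UDP 500), broadcast and multicast exempt;
REM    IKE must stay exempt for IPsec itself. Takes effect after the IPSEC service
REM    restarts (a reboot is the simplest way on a thin client).
reg add HKLM\SYSTEM\CurrentControlSet\Services\IPSEC /v NoDefaultExempt /t REG_DWORD /d 1 /f

REM 6. Assign the policy. Only one local IPsec policy can be active at a time;
REM    a domain IPsec policy delivered by Group Policy overrides a local one.
netsh ipsec static set policy name="%POLICY%" assign=y

REM 7. Review what is now in force.
netsh ipsec static show policy name="%POLICY%" level=verbose
```

Test the permit rule from a management-subnet host before assigning the policy on a device you cannot reach physically: once "Block all" is active, any mistake in the subnet or mask leaves the thin client reachable only from its console. Because the filters are address-based, the permit rule also has to be revisited if the management subnet is renumbered.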
Expert Comment by: btan (LVL 62), ID: 39972094
The MS site (based on Embedded 2009) suggests you can configure the Windows Firewall to block all outside sources from connecting to the device, or you can open selected ports and mappings to allow specific services that you trust. Understand that the C90 is Embedded 7, but I am taking the steps to explore the FW still to have an inbound rule deny all. If you see this article, it states:

By default, if there is no rule that allows the inbound connection to the server, then the connection attempt is dropped. If there is an allow rule, then the connection is allowed if the characteristics of the connection match the settings in the rule.

If that works rightfully, it should be contained to only the rules you add to allow; maybe good to check further. I also see there is a best practice for embedded in general, and particularly the below on the network security aspect:

Disable File and Print Sharing
Disable Open Network Ports
Disable Unnecessary Services
Internet Protocol Security (IPSec) Support
Null Session Vulnerability
Remote Registry Access
RPC Interface Restriction
Wireless Networking Encryption

Hope it helps

Author Closing Comment by: MRH-ITS, ID: 39972711
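As an added example, not taken from btan's comment or from Microsoft's article, here are the netsh commands that produce the "drop everything inbound unless a rule allows it" posture described above, for both generations of the platform mentioned in this thread: the legacy Windows Firewall on the XP-based WES 2009, and Windows Firewall with Advanced Security on Embedded 7. The script also covers the first three items of the best-practice list (file and print sharing, open ports, unnecessary network services) by disabling those built-in exceptions and scoping the one retained service to the local subnet. The choice of Remote Desktop (TCP 3389) as the only service that must remain reachable, and the rule names, are assumptions for this example.

```batch
@echo off
REM Added example: default-deny inbound on the Windows Firewall, with only RDP
REM from the local subnet allowed. Run elevated. Adjust the retained service to
REM whatever the thin clients actually need (assumption: RDP on TCP 3389).

REM Windows 7 / WES 7 reports "Version 6.x"; XP / WES 2009 reports "Version 5.1".
VER | FIND "Version 6." >NUL && GOTO WES7

:WES2009
REM ---- Windows XP SP3 / WES 2009: legacy "netsh firewall" context ----
REM Firewall on, exceptions still honoured (exceptions=DISABLE would also drop the scoped allow below).
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL
REM Remove the built-in exceptions that expose services to any source address.
netsh firewall set service type=FILEANDPRINT mode=DISABLE profile=ALL
netsh firewall set service type=REMOTEADMIN mode=DISABLE profile=ALL
netsh firewall set service type=UPNP mode=DISABLE profile=ALL
REM Keep Remote Desktop, but only from the local subnet (scope=SUBNET).
netsh firewall set service type=REMOTEDESKTOP mode=ENABLE scope=SUBNET profile=ALL
REM Stop answering ICMP echo requests from anywhere.
netsh firewall set icmpsetting type=8 mode=DISABLE profile=ALL
REM Log dropped packets so off-subnet connection attempts leave a trace.
netsh firewall set logging droppedpackets=ENABLE connections=DISABLE
netsh firewall show config
GOTO END

:WES7
REM ---- Windows Embedded Standard 7: "netsh advfirewall" context ----
netsh advfirewall set allprofiles state on
REM Inbound: drop unless an allow rule matches (the behaviour quoted above). Outbound left open.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
REM Log dropped inbound connections for later review.
netsh advfirewall set allprofiles logging droppedconnections enable
REM Disable predefined rule groups that otherwise allow inbound traffic from any address.
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=no
netsh advfirewall firewall set rule group="Network Discovery" new enable=no
netsh advfirewall firewall set rule group="Remote Desktop" new enable=no
REM Re-allow RDP, restricted to the local subnet, on every profile.
netsh advfirewall firewall add rule name="RDP from local subnet only" dir=in action=allow protocol=TCP localport=3389 remoteip=localsubnet profile=any
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name="RDP from local subnet only"

:END
```

The same settings can be pushed from a GPO instead of run locally (Computer Configuration, Windows Settings, Security Settings, Windows Firewall with Advanced Security on Embedded 7; the Windows Firewall administrative template on WES 2009), which is how the asker eventually deployed it to the Wyse OU. Note that "local subnet" is derived from the adapter's own address and mask, so a device that falls back to an APIPA address after a DHCP failure will compute a different subnet and lose its management access until the lease is restored.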
Perfect! I rolled out a GP to an OU for the Wyse clients. Thanks!