Solved

Security on Windows Embedded Standard

Posted on 2014-04-01
3
652 Views
Last Modified: 2014-04-02
We have a number of Wyse C90's with Windows Embedded Standard (sp 3), and we need to harden the OS; specifically to reject any traffic FROM an external IP address How can this be accomplished? The Windows firewall doesn't seem to be very dynamic.
0
Comment
Question by:MRH-ITS
3 Comments
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 500 total points
ID: 39971975
You want to use the IPSEC rules: http://www.upenn.edu/computing/security/IPSEC.pdf
You can use those rules to block inbound and outbound traffic if you want, there are some predefined rules on all windows XP clients, use secpol.msc to access the MMC plugin that shows the predefined rules, and you can modify them.
There is one caveat to these rules, binding to port 88 or port 500 as the source port is one way ipsec filters can be bypassed. Most programs however do not give you the ability to bind or even pick your source port. The IPSEC rules can use DNS names as opposed to IP only like the standard firewall.
http://support.microsoft.com/kb/811832
-rich
0
 
LVL 61

Expert Comment

by:btan
ID: 39972094
MS site (based on Embedded 2009) suggest it can configure the Windows Firewall to block all outside sources from connecting to the device, or you can open selected ports and mappings to allow specific services that you trust. Understand that C90 is Embedded 7 but I taking the steps to explore the FW still to have inbound rule deny all. If you see this article, it states

By default, if there is no rule that allow the inbound connection to the server, then the connection attempt is dropped. If there is an allow rule, then the connection is allowed if the characteristics of the connection match the settings in the rule.

If that works rightfully, it should be contained to only rule you add to allow, maybe good to check further. I also see there is the best practice fro embedded in general and particularly the below on the network security aspect to

Disable File and Print Sharing
Disable Open Network Ports
Disable Unnecessary Services
Internet Protocol Security (IPSec) Support
Null Session Vulnerability
Remote Registry Access
RPC Interface Restriction
Wireless Networking Encryption

Hope it helps
0
 

Author Closing Comment

by:MRH-ITS
ID: 39972711
Perfect! I rolled out a GP to an OU for the Wyse clients. Thanks!
0

Featured Post

How does your email signature look on mobiles?

Do your employees use mobile devices to reply to emails? With mobile becoming increasingly important to the business world, it is in your best interest to make sure that your email signature looks great across all types of devices.

Join & Write a Comment

To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
As developers, we are not limited to the functions provided by the VBA language. In addition, we can call the functions that are part of the Windows operating system. These functions are part of the Windows API (Application Programming Interface). U…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now