Solved

Security on Windows Embedded Standard

Posted on 2014-04-01
3
713 Views
Last Modified: 2014-04-02
We have a number of Wyse C90's with Windows Embedded Standard (sp 3), and we need to harden the OS; specifically to reject any traffic FROM an external IP address How can this be accomplished? The Windows firewall doesn't seem to be very dynamic.
0
Comment
Question by:MRH-ITS
3 Comments
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 500 total points
ID: 39971975
You want to use the IPSEC rules: http://www.upenn.edu/computing/security/IPSEC.pdf
You can use those rules to block inbound and outbound traffic if you want, there are some predefined rules on all windows XP clients, use secpol.msc to access the MMC plugin that shows the predefined rules, and you can modify them.
There is one caveat to these rules, binding to port 88 or port 500 as the source port is one way ipsec filters can be bypassed. Most programs however do not give you the ability to bind or even pick your source port. The IPSEC rules can use DNS names as opposed to IP only like the standard firewall.
http://support.microsoft.com/kb/811832
-rich
0
 
LVL 63

Expert Comment

by:btan
ID: 39972094
MS site (based on Embedded 2009) suggest it can configure the Windows Firewall to block all outside sources from connecting to the device, or you can open selected ports and mappings to allow specific services that you trust. Understand that C90 is Embedded 7 but I taking the steps to explore the FW still to have inbound rule deny all. If you see this article, it states

By default, if there is no rule that allow the inbound connection to the server, then the connection attempt is dropped. If there is an allow rule, then the connection is allowed if the characteristics of the connection match the settings in the rule.

If that works rightfully, it should be contained to only rule you add to allow, maybe good to check further. I also see there is the best practice fro embedded in general and particularly the below on the network security aspect to

Disable File and Print Sharing
Disable Open Network Ports
Disable Unnecessary Services
Internet Protocol Security (IPSec) Support
Null Session Vulnerability
Remote Registry Access
RPC Interface Restriction
Wireless Networking Encryption

Hope it helps
0
 

Author Closing Comment

by:MRH-ITS
ID: 39972711
Perfect! I rolled out a GP to an OU for the Wyse clients. Thanks!
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Join Greg Farro and Ethan Banks from Packet Pushers (http://packetpushers.net/podcast/podcasts/pq-show-93-smart-network-monitoring-paessler-sponsored/) and Greg Ross from Paessler (https://www.paessler.com/prtg) for a discussion about smart network …
While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

792 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question