Security on Windows Embedded Standard

Posted on 2014-04-01
Last Modified: 2014-04-02
We have a number of Wyse C90's with Windows Embedded Standard (SP3), and we need to harden the OS; specifically, to reject any traffic FROM an external IP address. How can this be accomplished? The Windows firewall doesn't seem to be very dynamic.
Question by:MRH-ITS
3 Comments
 
Accepted Solution

by: Rich Rumble
ID: 39971975
You want to use the IPSEC rules: http://www.upenn.edu/computing/security/IPSEC.pdf
You can use those rules to block inbound and outbound traffic if you want. There are some predefined rules on all Windows XP clients; use secpol.msc to access the MMC plugin that shows the predefined rules, and you can modify them.
There is one caveat to these rules: binding to port 88 or port 500 as the source port is one way IPsec filters can be bypassed. Most programs, however, do not give you the ability to bind or even pick your source port. The IPSEC rules can use DNS names, as opposed to IP only like the standard firewall.
http://support.microsoft.com/kb/811832
-rich
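The IPsec-policy approach from the accepted solution, written out as the netsh equivalent of the secpol.msc steps so it can be scripted or pushed to the thin clients as a GP startup script. This is an added example, not from the post; the 10.0.0.0/8 internal range and the policy, filter list and rule names are assumptions.

```batch
@echo off
REM Added example: build a legacy IPsec policy that permits traffic to/from the
REM internal range and blocks everything else. Assumption: the internal network
REM is 10.0.0.0/8 (change to yours); all names are arbitrary. Run as Administrator.
set INTERNAL_NET=10.0.0.0
set INTERNAL_MASK=255.0.0.0

REM 1. Policy container (created unassigned, so nothing is enforced yet).
netsh ipsec static add policy name="BlockExternal" description="Permit internal subnet, block all other traffic"

REM 2. Filter lists. IPsec filters are stateless and the most specific matching
REM    filter wins, so the narrow "internal" permit overrides the broad "any" block.
netsh ipsec static add filterlist name="AllTraffic"
netsh ipsec static add filter filterlist="AllTraffic" srcaddr=Any dstaddr=Me protocol=ANY mirrored=yes description="Everything"

netsh ipsec static add filterlist name="InternalTraffic"
netsh ipsec static add filter filterlist="InternalTraffic" srcaddr=%INTERNAL_NET% srcmask=%INTERNAL_MASK% dstaddr=Me protocol=ANY mirrored=yes description="Internal subnet"

REM 3. Filter actions: plain permit and plain block, no negotiation.
netsh ipsec static add filteraction name="Permit" action=permit
netsh ipsec static add filteraction name="Block" action=block

REM 4. Rules tying each filter list to an action inside the policy.
netsh ipsec static add rule name="PermitInternal" policy="BlockExternal" filterlist="InternalTraffic" filteraction="Permit"
netsh ipsec static add rule name="BlockEverythingElse" policy="BlockExternal" filterlist="AllTraffic" filteraction="Block"

REM 5. Close the source-port 88/500 exemption the accepted answer warns about.
REM    Registry value as described in KB 811832 (linked above); confirm it applies
REM    to the Embedded build in use before relying on it.
reg add "HKLM\SYSTEM\CurrentControlSet\Services\IPSEC" /v NoDefaultExempt /t REG_DWORD /d 1 /f

REM 6. Assign (activate) the policy, then print it for review.
netsh ipsec static set policy name="BlockExternal" assign=y
netsh ipsec static show policy name="BlockExternal" level=verbose
```

Because IPsec filters are stateless, this blocks external hosts in both directions, replies included; add narrower permit filter lists (for example TCP 443 to a proxy) for any outbound access the clients still need, and verify on one client before rolling the policy out through Group Policy.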
 
Expert Comment

by:btan
ID: 39972094
The MS site (based on Embedded 2009) suggests it can configure the Windows Firewall to block all outside sources from connecting to the device, or you can open selected ports and mappings to allow specific services that you trust. Understand that the C90 is Embedded 7, but I am taking the steps to explore the FW still to have an inbound rule deny all. If you see this article, it states:

By default, if there is no rule that allows the inbound connection to the server, then the connection attempt is dropped. If there is an allow rule, then the connection is allowed if the characteristics of the connection match the settings in the rule.

If that works rightfully, it should be contained to only the rules you add to allow; maybe good to check further. I also see there is the best practice for embedded in general, and particularly the below on the network security aspect:

Disable File and Print Sharing
Disable Open Network Ports
Disable Unnecessary Services
Internet Protocol Security (IPSec) Support
Null Session Vulnerability
Remote Registry Access
RPC Interface Restriction
Wireless Networking Encryption

Hope it helps
 

Author Closing Comment

by:MRH-ITS
ID: 39972711
Perfect! I rolled out a GP to an OU for the Wyse clients. Thanks!
