Security on Windows Embedded Standard

Posted on 2014-04-01
Last Modified: 2014-04-02
We have a number of Wyse C90s with Windows Embedded Standard (SP3), and we need to harden the OS; specifically, to reject any traffic FROM an external IP address. How can this be accomplished? The Windows firewall doesn't seem to be very dynamic.
Question by: MRH-ITS
3 Comments
Accepted Solution

by: Rich Rumble (earned 500 total points)
ID: 39971975
You want to use the IPsec rules: http://www.upenn.edu/computing/security/IPSEC.pdf
You can use those rules to block inbound and outbound traffic if you want. There are some predefined rules on all Windows XP clients; use secpol.msc to access the MMC plugin that shows the predefined rules, and you can modify them.
There is one caveat to these rules: binding to port 88 or port 500 as the source port is one way IPsec filters can be bypassed. Most programs, however, do not give you the ability to bind to or even pick your source port. The IPsec rules can use DNS names, as opposed to IP only like the standard firewall.
http://support.microsoft.com/kb/811832
-rich
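The policy Rich describes, built from the command line instead of secpol.msc, as an added example (not code from the answer or from the PDF it links). It uses the netsh ipsec static context, which exists on XP SP2 and later and therefore on the SP3-based Embedded Standard image in the question. The subnet 192.168.10.0/24 and the policy, filter list and action names are assumptions; run it from an administrative cmd.exe on the thin client.

```batch
@echo off
rem Added example (not from the original thread): a local IPsec policy on an
rem XP / Embedded Standard 2009 box that drops all traffic except to and from the
rem local subnet. 192.168.10.0/24 is an assumed subnet; replace it with yours.

set POLICY=Block-External
set LAN=192.168.10.0
set LANMASK=255.255.255.0

rem 1. Policy container, deliberately unassigned until every rule is in place,
rem    so a typo below cannot lock the device off the network half-configured.
netsh ipsec static add policy name=%POLICY% description="Drop everything not from the LAN" assign=no

rem 2. Two filter actions: one that silently blocks, one that permits in the clear.
netsh ipsec static add filteraction name=FA-Block action=block
netsh ipsec static add filteraction name=FA-Permit action=permit

rem 3. Catch-all filter: any address <-> this host, every protocol, both directions.
netsh ipsec static add filterlist name=FL-All
netsh ipsec static add filter filterlist=FL-All srcaddr=any dstaddr=me protocol=ANY mirrored=yes

rem 4. A more specific filter for the local subnet. IPsec applies the most specific
rem    matching filter, so this permit outranks the catch-all block above.
netsh ipsec static add filterlist name=FL-LAN
netsh ipsec static add filter filterlist=FL-LAN srcaddr=%LAN% srcmask=%LANMASK% dstaddr=me protocol=ANY mirrored=yes

rem 5. Tie each filter list to its action inside the policy.
netsh ipsec static add rule name=R-Block-All policy=%POLICY% filterlist=FL-All filteraction=FA-Block
netsh ipsec static add rule name=R-Permit-LAN policy=%POLICY% filterlist=FL-LAN filteraction=FA-Permit

rem 6. Pin the default-exemption setting from KB 811832. Value 3 leaves only IKE
rem    (UDP 500) exempt, so Kerberos (port 88) can no longer be used as a source
rem    port to slip past the filters. This has been the default since XP SP2, but
rem    an explicit value survives an image builder who changed it. Takes effect
rem    after the IPSEC service restarts.
reg add HKLM\SYSTEM\CurrentControlSet\Services\IPSEC /v NoDefaultExempt /t REG_DWORD /d 3 /f

rem 7. Assign the policy (only one local IPsec policy can be assigned at a time).
netsh ipsec static set policy name=%POLICY% assign=y

rem Review what is now active.
netsh ipsec static show policy name=%POLICY% level=verbose
```

Two practitioner caveats. IPsec filtering is stateless: a non-mirrored "any -> me, block" filter would also drop the replies to the client's own outbound sessions, so if the thin clients must reach servers outside the subnet, add a permit filter per server (srcaddr accepts a DNS name, as Rich notes) rather than trying to block only one direction. And to push the same thing through Group Policy instead of per device, `netsh ipsec static exportpolicy file=C:\block-external.ipsec` gives a file that can be imported into the GPO's IP Security Policies node.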
Expert Comment

by: btan
ID: 39972094
The MS site (based on Embedded 2009) suggests you can configure the Windows Firewall to block all outside sources from connecting to the device, or you can open selected ports and mappings to allow specific services that you trust. Understand that the C90 is Embedded 7, but I am still taking the steps to explore the FW to have an inbound rule deny all. If you see this article, it states:

By default, if there is no rule that allows the inbound connection to the server, then the connection attempt is dropped. If there is an allow rule, then the connection is allowed if the characteristics of the connection match the settings in the rule.

If that works rightfully, it should be contained to only the rules you add to allow; maybe good to check further. I also see there is a best practice for embedded in general, and particularly the below on the network security aspect:

Disable File and Print Sharing
Disable Open Network Ports
Disable Unnecessary Services
Internet Protocol Security (IPSec) Support
Null Session Vulnerability
Remote Registry Access
RPC Interface Restriction
Wireless Networking Encryption

Hope it helps
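The firewall configuration btan describes, as an added example that is not part of his comment or of the Microsoft article: Windows Firewall set to drop every unsolicited inbound connection, with the few services the thin client needs re-opened only for the local subnet, using the netsh firewall context of the XP SP2/SP3 firewall that Embedded Standard 2009 ships. The services kept open and the management-agent port (TCP 8080) are assumptions; check what the Wyse image actually runs.

```batch
@echo off
rem Added example (not from the original thread): Windows Firewall on an XP SP3 based
rem Embedded Standard 2009 device, deny-all inbound with subnet-scoped exceptions.
rem Service choices and the TCP 8080 agent port are assumptions.

rem Firewall on for every profile. Inbound traffic with no matching exception is dropped.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL

rem Exceptions scoped to SUBNET accept connections from the local subnet only, so an
rem Internet source cannot reach the port even though it is "open".
netsh firewall set service type=REMOTEDESKTOP mode=ENABLE scope=SUBNET profile=ALL

rem Explicit port for a management agent (assumed TCP 8080), again LAN only.
netsh firewall set portopening protocol=TCP port=8080 name="Mgmt agent" mode=ENABLE scope=SUBNET profile=ALL

rem Anything the image builder opened broadly: close it. File and Print Sharing,
rem UPnP and Remote Administration are the usual suspects on an XP-based image.
netsh firewall set service type=FILEANDPRINT mode=DISABLE profile=ALL
netsh firewall set service type=UPNP mode=DISABLE profile=ALL
netsh firewall set service type=REMOTEADMIN mode=DISABLE profile=ALL

rem Log dropped packets so a missing exception shows up as evidence, not a mystery.
netsh firewall set logging filelocation=%SystemRoot%\pfirewall.log maxfilesize=4096 droppedpackets=ENABLE connections=DISABLE

rem Review the result.
netsh firewall show config
netsh firewall show state
```

If the device really is Embedded Standard 7, the same intent goes through the newer context: `netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound`, and each exception as `netsh advfirewall firewall add rule name="RDP LAN" dir=in action=allow protocol=TCP localport=3389 remoteip=localsubnet`. Either flavour can be delivered by Group Policy (Computer Configuration, Administrative Templates, Network, Network Connections, Windows Firewall for the XP engine; Windows Firewall with Advanced Security for the 7 engine), which is the route the asker took.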
Author Closing Comment

by: MRH-ITS
ID: 39972711
Perfect! I rolled out a GP to an OU for the Wyse clients. Thanks!