TCP/IP Security (Windows Embedded CE 6.0)

1/6/2010

The TCP/IP stack for Windows Embedded CE has been implemented to avoid the most common security attacks, but some security risks remain. TCP/IP has the following potential security risks:

  • TCP/IP is designed to run over a public network, such as the Internet. If the security of TCP/IP is compromised, it could expose the device or local network to attacks originating from the public network.
  • Use extreme caution when using the Internet Protocol Helper application programming interfaces (IP Helper API). It exposes functions that enable programmatic network administration of the local computer. Using the IP Helper API, applications can view and modify network settings that are vital to a device's communication with the network. These settings include Address Resolution Protocol (ARP), ICMP, route, and local addressing information. Similar to Winsock, the IP Helper is implemented in two parts: a statically linked library (iphlpapi.lib) and a DLL (iphlpapi.dll). Iphlpapi.lib contains the headers to make the calls to the DLL. The IP Helper API is located in the calling process space, and interacts with the TCP/IPv4 and TCP/IPv6 stacks. This allows you to view and change the local network configuration.

To further protect your device from security attacks, you should follow the security recommendations provided in the subsequent sections.

Best Practices

Ee493237.collapse(en-US,WinEmbedded.60).gifMake sure that unused services are not running

Make sure that services are not running unless they are required.

Ee493237.collapse(en-US,WinEmbedded.60).gifMake sure to use encryption and authentication protocols

TCP/IP does not provide any level of encryption. Therefore, it is particularly important to use encryption and authentication protocols when appropriate.

Ee493237.collapse(en-US,WinEmbedded.60).gifEnable a firewall on your network device

For enterprise environments, Microsoft recommends a network firewall with intrusion protection, such as Microsoft Internet Security and Acceleration (ISA) Server. For more information, visit this Microsoft Web site.

** Windows CE .NET 4.2 and later support the IP firewall for both IPv4 and IPv6. You can enable and configure this firewall by using APIs (programming elements) and registry settings. For more information about the IP firewall, see Windows Embedded CE topic IP Firewall OS Design Development and IP Firewall Security.**

Windows Embedded CE also supports a legacy packet filter built into the NAT driver that can be used as a simple firewall for devices that include NAT but do not include IP firewall. The packet filter is disabled by default if the IP firewall is included.

Ee493237.collapse(en-US,WinEmbedded.60).gifClear sensitive data when it is no longer needed

Functions should clear sensitive data when it is no longer needed. For example, hContext in Secure Dynamic DNS might contain a user password, name, and domain information. Therefore, calling functions should clear hContext when data is no longer needed.

Default Registry Settings

You should be aware of the registry settings that impact security. If a value has security implications you will find a Security Note in the registry settings documentation.

For TCP/IP registry information, see TCP/IP Registry Settings.

See Also

Concepts

IP Firewall OS Design Development
IP Firewall Security
Default IP Firewall Rules
TCP/IP Best Practices

Other Resources

TCP/IP
Enhancing the Security of a Device