File Systems and Data Store Security (Windows CE 5.0)
The file system and data store for Microsoft® Windows® CE provides persistent storage for applications and their related data even when the main power supply is lost. However, there are potential security risks to consider when developing the file system and data store for your Windows CE-based device. Use the following best practices to enhance the security and reliability of the file system and data store.
Best Practices
Mark database volumes that contain a system database as a system database
If a database volume contains a database that is marked as a system database, mark the containing volume as a system database as well; otherwise the system database is protected only as well as the volume that holds it. Do this by adding the CEDB_SYSTEMDB flag to the dwFlags parameter for CeCreateDatabaseEx (CEDB) or CeCreateDatabaseEx2 (CEDB).
Do not place critical system files on a storage device that can be accessed by a means other than the Windows CE OS
Critical system files include the registry hive and the root file system. For example, do not place critical system files on removable storage media or on storage media that is exposed using USB mass storage function.
Be cautious when exposing removable media
Because device enumeration is nondeterministic, a removable volume can be assigned a device name that applications (or a USB mass storage binding) expect to belong to built-in storage. Be cautious when exposing removable media.
Verify that removable media controller drivers are loaded after non-removable media drivers
Because device enumeration is nondeterministic, verify that the drivers for removable media controllers are loaded after the drivers for non-removable media, so that a removable device cannot take a device name intended for built-in storage.
Verify that the load order for your Windows CE-based device is fixed
The storage device that is exposed through USB mass storage function is selected by device name, so which physical device is exposed depends on enumeration order. To ensure that you expose the proper storage device, verify that the load order for your Windows CE-based device is fixed.
Mark each DLL file in the Windows root directory as system
To prevent the malicious replacement of a DLL file in the Windows root directory, mark each DLL file in the Windows root directory as a system DLL.
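As an added example (not part of the original topic), the following Platform Builder .bib fragment shows how a DLL placed in the ROM image is given the system attribute at build time. The S flag sets FILE_ATTRIBUTE_SYSTEM on the entry and H sets FILE_ATTRIBUTE_HIDDEN; the module name mydrv.dll and its path are assumed, and the first entry is shown without the S flag only to contrast it with the corrected second entry.

```text
; Added example: MODULES section of a Platform Builder .bib file.
; "mydrv.dll" and "$(_FLATRELEASEDIR)\mydrv.dll" are assumed names.
MODULES
;   Name          Path                                   Memory  Flags
;   ------------  -------------------------------------  ------  -----
; Weak: no S flag, so the DLL is an ordinary file in \Windows and an
; untrusted application is not prevented from replacing it in RAM.
    mydrv.dll     $(_FLATRELEASEDIR)\mydrv.dll           NK

; Corrected: S marks the file as system (FILE_ATTRIBUTE_SYSTEM), H hides it.
    mydrv.dll     $(_FLATRELEASEDIR)\mydrv.dll           NK      SH
```

After building the image, confirm the result on the device by checking that GetFileAttributes on \Windows\mydrv.dll reports FILE_ATTRIBUTE_SYSTEM; only one of the two entries above should remain in a real .bib file.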
Set the MountSystem registry flag value in the Storage Manager profile, as appropriate
If you want the entire contents of a volume to be inaccessible to untrusted applications, set the MountSystem registry flag value in the Storage Manager profile for that volume.
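The following Platform Builder .reg fragment is an added example, not code from the original topic, that ties together the load-order practices above and the MountSystem setting: the built-in flash block driver is loaded first with a fixed Order and an explicit Index so that it always owns DSK1:, the removable SD driver is loaded later, the internal volume's Storage Manager profile is marked MountSystem, and the USB mass storage function driver is bound by device name to the removable disk rather than to the internal one. The driver key names (FlashDisk, SDCard), DLL names, profile names and folder names are assumptions for illustration; Order, Index, Prefix, Profile, MountSystem and the Mass_Storage_Class DeviceName value are as used in the Windows CE 5.0 registry layout, and you should check them against your own platform's registry.

```reg
; Added example. Key names FlashDisk, SDCard, flashdisk.dll, sdcard.dll,
; "Internal Flash", "Flash" and "Storage Card" are assumed for illustration.

; Built-in storage: lowest Order loads first; Index pins the name to DSK1:
; even if another DSK driver is somehow loaded earlier.
[HKEY_LOCAL_MACHINE\Drivers\BuiltIn\FlashDisk]
    "Dll"="flashdisk.dll"
    "Prefix"="DSK"
    "Index"=dword:1
    "Order"=dword:1
    "Profile"="FlashDisk"

; Removable media controller: deliberately loaded after the built-in disk.
[HKEY_LOCAL_MACHINE\Drivers\BuiltIn\SDCard]
    "Dll"="sdcard.dll"
    "Prefix"="DSK"
    "Index"=dword:2
    "Order"=dword:20
    "Profile"="SDMemory"

; Storage Manager profile for the internal volume. MountSystem makes the
; entire volume inaccessible to untrusted applications.
[HKEY_LOCAL_MACHINE\System\StorageManager\Profiles\FlashDisk]
    "Name"="Internal Flash"
    "Folder"="Flash"
    "MountSystem"=dword:1

; Profile for the removable card: no MountSystem, since it is exposed to users.
[HKEY_LOCAL_MACHINE\System\StorageManager\Profiles\SDMemory]
    "Name"="SD Memory Card"
    "Folder"="Storage Card"

; USB mass storage function exposes the device named here. Because the
; names above are fixed, DSK2: is always the removable card, never the
; internal volume that holds the registry hive or root file system.
[HKEY_LOCAL_MACHINE\Drivers\USB\FunctionDrivers\Mass_Storage_Class]
    "DeviceName"="DSK2:"
```

The security-relevant check is the last key: if DeviceName pointed at DSK1:, or if the indices were left to enumeration order, the internal volume marked MountSystem could be exported wholesale over USB to a host that is not subject to the Windows CE trust model at all.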
Verify that EvGen runs early enough in the file system load order
If the file system load order at boot time is configurable through a setting and that setting is configurable by an attacker, then an attacker can force EvGen to load later in the file system load order. Until EvGen initializes successfully, all other modules are implicitly loaded as trusted.
Other Security-related Considerations
In addition to the best practices listed above, the following information is related to security and should be taken into consideration to enhance the security and reliability of the file system and data store:
The operating system (OS) protects files and directories that have the FILE_ATTRIBUTE_SYSTEM attribute from being manipulated by an untrusted application. This prevents an untrusted application from executing the following APIs on a system file:
In addition, an untrusted application cannot replace a system file in the RAM file system or in ROM with a file of the same name.
An untrusted application also cannot set the FILE_ATTRIBUTE_SYSTEM attribute on a file or directory.
For more information about Windows CE security services, see Enhancing the Security of a Device.