Security and Windows XP Embedded
Posted October 28, 2003
Chat Date: September 30, 2003
Chat Participants:
- Jon Fincher, XPE Program Manager, XPE QFE Lead
- Ravi Gopal, Product Manager for Windows XP Embedded
- Dan Simpson, Windows XP Embedded Documentation
- Anil Ingle, Development Manager for Windows Embedded
- Lynda Allen, Component Integration Test Team
- Hazel Lloyd, Software Design Engineer
- Nandini Shenoy, Embedded Enabling Features Team
Moderator: mikefos (Microsoft)
Welcome to today's Chat. Our topic is Security and Windows XP Embedded. Questions, comments, and suggestions are welcome.
Moderator: mikefos (Microsoft)
Let’s introduce our hosts for today.
Host: Jon (Microsoft)
Jon Fincher, XPE Program Manager, XPE QFE Lead
Host: Ravi (Microsoft)
Ravi Gopal, Product Manager.
Host: dansimp (Microsoft)
Dan Simpson: XP Embedded Documentation
Host: Anil (Microsoft)
Anil - Development Manager for Windows Embedded
Host: Lynda (Microsoft)
Lynda Allen - Component Integration Test Team
Host: hazell (Microsoft)
Hazel Lloyd Dev in Test lead
Host: Nandinis (Microsoft)
Nandini Shenoy - Embedded Enabling Features Team
Moderator: mikefos (Microsoft)
Welcome everyone, let’s get started!
Host: Ravi (Microsoft)
Q: So what are your comments regarding the slammer virus? Do you guys have a whitepaper on that or anything?
A: Assuming you mean Blaster, not Slammer, which was more recent. Blaster took advantage recently of an RPC flaw, Slammer of a flaw about six months back in MSDE. Regarding Blaster, we have not only posted patches for XPe w/SP1 & NTe w/SP6a, but also posted processes on how to patch XPe RTM & NTe SP5/SP6 devices
Host: Ravi (Microsoft)
Q: This might be too general, but, what impact did Blaster have on the way you think about security for Windows XP Embedded?
A: It made a substantial impact throughout the company. From an XPe perspective, we are working on a # of processes to more quickly deliver patches to you, to make it easier for you to locate the patches you need, and to help OEMs build more secure devices in the first place
Host: Ravi (Microsoft)
Q: Will Microsoft provide field deployable Service Packs for XPe?
A: For XPE, the answer is no -- this is b/c primarily of componentization -- currently we can't tell which components are in which runtimes since all runtimes are unique so as a result this is currently an unsupported scenario. Also due to EWF this is another issue.
Host: hazell (Microsoft)
Q: What do you suggest be the recovery process for virus infected systems using EWF?
A: You can reboot and whatever infected the system will be gone. For servicing, you would have to disable the filter, update the device, then re-enable the filter.
Host: hazell (Microsoft)
Q: This is not the default for disk overlays. Do you have suggestions on what is best for customers using disk overlays
A: This is true, in this case, you should be able to set the level back to the previous level or same level discarding the changes.
Host: hazell (Microsoft)
Q: Recovery from virus for EWF disk overlay? I guess I'm looking for a best practice from MS on how to erase the disk overlay on every reboot to protect from virii.
A: EWF really cannot be used to prevent virus infection, however, to achieve your end, you would need to discard changes on each reboot.
Host: hazell (Microsoft)
Q: Any ideas on how to automate discarding of the disk overlay on reboot? So it always happens unless user does something else?
A: ewfmgr -setlevel <level - 1> will reset the level. If you want this to happen on shutdown each time.
Host: hazell (Microsoft)
A: (cont): Apologies, that is ewfmgr volume setlevel level -1 or ewfmgr volume -restore achieves the same end. To have this happen each time, add it to the run key since the changes are not applied until reboot.
Host: Ravi (Microsoft)
Q: What are the best practices for rolling out security patches to already deployed devices? Will this become easier in the future?
A: Yes, we are making this easier. Some of the things we'll be doing are making critical QFEs more easily discoverable on our website, providing regular CD updates to OEMs who are building devices, getting our customers security bulletins (as the client does), and providng more cohesive documentation around DUA & our upcoming SMS 2003 client
Host: Ravi (Microsoft)
Q: We have concerns that it is not possible for customers to load their own virus protection to our embedded systems? Any suggestions on a policy to help get antivirus software onto a deployed embedded system
A: We are planning to discuss w/antivirus vendors the potential to create a component for XPe customers and also an API that allows your customers to have a console from which to manage this. These discussions are just now beginning. We will apprise you of updates in the near future.
Host: Jon (Microsoft)
Q: In the tutorial on applying the QFE for IE it implies that the QFW.exe can be installed just by executing it whereas other articles and info on the NG say that DLLs etc. have to be installed individually. Does the install depend on the QFE?
A: Not sure which tutorial you're referring to, but later QFE's can be installed directly on runtimes, with certain limitations. We'll be making those limitations and the support necessary public shortly.
Host: Ravi (Microsoft)
Q: Are there any design wins that illustrate that enterprise customers are relying on XPEs security features?
A: If you go to our case study website: https://www.microsoft.com/windows/embedded/xp/evaluation/casestudies/casestudy.asp?CaseStudyID=12312, you can see customers like HP are building devices today taking advantage of IPSec support in XPe. Furthermore we are working on processes to make it easier for you to enable ICF (which ships w/Pro) in XPe devices as well
Host: Jon (Microsoft)
Q: When applying a QFE with DUA how do I know if the QFE can just be executed on the target or if I have to unpack the DLLs and install them with DUA commands?
A: QFE's released after July 6, 2003, can be installed on XPE runtimes. We'll be documenting the caveats, recommendations, and necessary dependencies very soon.
Host: Ravi (Microsoft)
Q: So what is the latest QFE, service pack and patch that I can safely be using?
A: You can find all the latest QFEs here: https://www.microsoft.com/downloads/search.aspx?displaylang=en and then search for "Windows XP Embedded". There is a link to this page here: https://www.microsoft.com/windows/Embedded/xp/downloads/updates/default.asp and here: https://msdn.microsoft.com/library/default.asp?url=/downloads/list/winxpembedded.asp
Latest QFE is Q824704 (QFE Rollup Summer 2003). Latest SP is SP1. Going forward as I mentioned we will make this process far easier for you to understand & manage.
Host: Ravi (Microsoft)
Q: Is Windows CE .NET vulnerable to Blaster and other related viruses?
A: CE.NET is not since it is not based on the Windows Client kernel as XP Embedded is.
Host: Jon (Microsoft)
Q: Are there any good articles out lately that discuss security and how it relates to Win XP Embedded?
A: Any articles on Security and Windows XP on https://www.microsoft.com/security will be applicable to Windows XP Embedded as well. We're in the process of concentrating that information with XPE specific content.
Host: Ravi (Microsoft)
Q: This might be a silly question and may shamefully reflect my ignorance ... is there anything akin to Windows Update for XPE?
A: No. This is a fundamental difference b/w XPe & XP Pro -- XP Pro is serviced completely by Microsoft through Windows Update. XPe on the other hand is serviced by the OEM who builds devices, who must work with us here at Microsoft on building servicing strategies into their devices.
Host: Ravi (Microsoft)
Q: But isn't there a way that Microsoft could build a Windows Update type service that OEMs could tap into?
A: No, b/c as I mentioned the componentized aspect of XPe means that servicing functions under a different model w/XPe than it does w/Pro. This means that all Pro OS'es are the same whereas all XPe systems are not, which substantially adds to the complexity in directly servicing. Hence this is why we are focusing our efforts on helping OEMs build more secure devices and integrate servicing into device development
Host: Anil (Microsoft)
A: RE: Windows Update: You can set up your own using DUA. It would be something that the OEM manages since they know the most about their image
Moderator: mikefos (Microsoft)
Q: What is the best way to provide your team feedback and ask questions after the webchat?
A: You can email feedback to edevfdbk@microsoft.com or post to the newsgroup with technical questions (microsoft.public.windowsxp.embedded)
Moderator: mikefos (Microsoft)
Hello. For those just joining the chat - Our topic is Security and Windows XP Embedded. Questions, comments and suggestions are welcome.
Moderator: mikefos (Microsoft)
Q: Any news on when the newsgroups will be back to normal?
A: We're working on it. Hopefully they'll be back to normal soon.
Host: Anil (Microsoft)
Q: With DUA, are there any security issues that I need to consider?
A: The usual. Make sure you use https:
Host: Anil (Microsoft)
Q: Thanks…I'll do some reading
A: Well I didn’t want to list all but since DUA contacts a web server, you want to start thinking about web server security and https how not to get spoofed etc. OR if you really want to be secure, you can have DUA look at a local file share & deliver your update scripts there using any other secure method you prefer (like sending out CD's and having the user copy over the update to the file share).
Host: Jon (Microsoft)
Q: Can an XPE device be secured to allow SmartCard access?
A: Yes, XPE does support Smart Card access.
Host: Ravi (Microsoft)
Q: Has anyone yet raised the issue that Norton and McAfee do not support the use of their antivirus software with XPE?
A: Yes, this has been raised earlier. To answer your question, we are in process of working w/a # of anti-virus software vendors to discern component availability for OEMs to include in their runtime. We are also looking to include an API that end-users can modify as well much as they do on the client. As we get more info on this topic we will update you.
Host: Ravi (Microsoft)
Thanks again for joining us today. To sum up, we understand all your concerns around XPe and Windows security. and we are working on a # of programs, processes & features to better enable you to build more secure devices and also to patch your devices much faster. Look out for these improvements over the next few weeks.
Moderator: mikefos (Microsoft)
Thanks for joining us today and thanks for the questions. It's time for us to go now.
For further information on this topic please visit the following:
Newsgroups: Mobile and embedded application development topics
Mobile and Embedded Transcripts: Read the archive
Website: Visit the Mobile & Embedded Developer Center
.gif)
Top of page