Web Server Security (Windows Embedded CE 6.0)
1/6/2010
The Web Server is designed to run over a network and function as an extensible network server. This topic covers the security risks and best practices for configuring the web server.
The Web Server has the following potential security risks:
- The Web Server is designed to run over a network. If the device is run over a public network, such as the Internet, and the security of the device is compromised, it could expose the device or the local network to the public network.
- The Web Server is designed to function as a network server. If the security of the Web Server is compromised, it could expose the device or local network to multiple remote clients.
- The Web Server is extensible. If the extensions do not use proper security and authentication procedures, they could compromise the security of the device or the local network.
Note
If your Web Server includes WebDAV functionality, see WebDAV Security for additional information.
Best Practices
Limit deployment to ten connections simultaneously
A typical deployment uses a Web Server in a private network to provide a remote user interface to configure a headless device. The registry defines the number of connections and when the MaxConnections registry value is not set, the registry limits the number to 10.
Do not use the Web Server to perform critical operations
A typical deployment uses the Web Server to display status information or to host a family or community Web site. You should not use the Web Server to perform critical operations, such as machine control or financial processing.
Use authentication
Use the NTLM or Basic authentication mechanism to limit access to known users only. You can set the option in the HKEY_LOCAL_MACHINE\COMM\HTTPD registry key. For specific security information, see Base Registry Settings. For more information about authentication, see Web Server Authentication and Permissions.
Use Secure Sockets Layer (SSL)
The SSL protocol helps to protect data from packet sniffing by anyone with physical access to the network. For more information, see SSL Support.
Use user access lists
Carefully choose your virtual roots and limit access to the appropriate files by providing appropriate user access lists. Anonymous users with access to the virtual root may be able to access files and directories within that virtual root. You can set the options in HKEY_LOCAL_MACHINE\COMM\HTTPD\VROOTS registry key. For specific security information, see Setting Virtual Paths. See also Web Server Authentication and Permissions.
Default Web Server Registry Settings
You should be aware of the registry settings that impact security. In the registry settings documentation you will find a Security Note for those values with security implications.
For Web Server registry information, see:
Web Server Security
Web Server Ports
The following table shows the ports that the Web Server uses, for details see Web Server Registry Settings.
Port number | Registry values |
---|---|
80 |
Port value in HKEY_LOCAL_MACHINE\COMM\HTTPD |
443 |
Port value in HKEY_LOCAL_MACHINE\COMM\HTTPD\SSL |
In addition to the practices above, the following best practices are recommended for Windows Embedded CE:
Remove or disable sample ISAPIs and other development tools when you create the release image.
Some sample ISAPIs that you include in your device may allow unauthorized users to access your system resources or protected data. Many of the samples provided are for development and debugging purposes only and pose a significant security risk if deployed on a public network.
Enable a firewall on your network device
For enterprise environments, Microsoft recommends the use of a network firewall with intrusion protection, such as Microsoft Internet Security and Acceleration (ISA) Server. For more information, visit this Microsoft Web site.
For non-enterprise environments or for added protection, Microsoft recommends that you include and configure the Windows Embedded CE Firewall on the network device. For more information about the Windows Embedded CE IP Firewall and how to configure it, see Firewall.
For information about configuring the IP firewall to properly manage traffic destined for the internal network, see IP Firewall Reference.**
See Also
Concepts
Web Server Registry Settings
WebDAV Security
Web Server Registry Settings