Share via


File Server Security (Windows Embedded CE 6.0)

1/6/2010

File Server functionality has potential security risks because it supports the transfer of unencrypted, clear-text files over a network. The Windows Embedded CE File Server does not support Signing or Sealing that exposes the file server device to man-in-the-middle types of attacks.

The File Server does not support encryption of any kind. Although the actual files themselves may be encrypted, the File Server will not encrypt or decrypt the files. Any unencrypted files will be sent through the network in clear text. File and directory names will always be in clear text as well.

Due to these security risks, File Server is not designed to be used on a public network, and Microsoft strongly recommends that you use this functionality only on a private network. Microsoft also recommends that you do not share sensitive directories on your file server device.

Best Practices

Do not share sensitive directories on your file server device

Any client of the File Server is considered privileged on a system that uses the trust model. That user can modify system files, such as hidden files. You should be careful never to share sensitive directories, such '\' and '\Windows'.

Enable a firewall on your network device

For enterprise environments, Microsoft recommends the use of a network firewall with intrusion protection, such as Microsoft Internet Security and Acceleration (ISA) Server. For more information, visit this Microsoft Web site.

For non-enterprise environments or for added protection, Microsoft recommends that you include and configure the Windows Embedded CE Firewall on the network device. For more information about the Windows Embedded CE IP Firewall and how to configure it, see Firewall.

For information about configuring the IP firewall to properly manage traffic destined for the internal network, see IP Firewall Reference.

Use authentication

Use NTLM version 2 authentication to limit access to known users only.

For information about NTLM, see NTLM Security Support Provider.

Create an exclusion list for sensitive folders and directories

In the ExcludePaths registry key, specify a list of folders that cannot be shared. Setting this key prevents the configuration functions from creating the specified shares, so that they cannot be accessed by an normal application. For more information, see File Server Registry Settings.

Default Registry Settings

You should be aware of the registry settings that impact security. If a value has security implications you will find a Security Note in the registry settings documentation.

For File Server registry information, see File Server Registry Settings.

Ports

The following table shows the ports that the File Server and Print Server listen to.

Port number Description

137

TCP/ UDP (name service)

138

UDP (for communication through a mailslot)

139

NetBIOS over TCP/IP (NetBT)

445

TCP

See Also

Concepts

File Server Registry Settings

Other Resources

File Server
Enhancing the Security of a Device