File System Security Best Practices (Windows Embedded CE 6.0)
1/6/2010
The file system and data store for Windows Embedded CE provides persistent storage for applications and their related data even when the main power supply is lost. However, there are potential security risks to consider when developing the file system and data store for your Windows Embedded CE-based device.
Use the following best practices to enhance the security and reliability of the file system and data store.
Best Practices
- Mark a database volume that contains a system database as a system database.
  If a database volume contains a database that is marked as a system database, mark the containing database volume as a system database as well, by adding the CEDB_SYSTEMDB flag to the dwFlags parameter of CeCreateDatabaseEx or CeCreateDatabaseEx2 (CEDB). A volume that is not itself marked as system can still be manipulated as an ordinary file, which undoes the protection of the databases inside it.
- Do not place critical system files on a storage device that can be accessed by a means other than the Windows Embedded CE operating system.
  Critical system files include the registry hive and the root file system. For example, do not place them on removable storage media or on storage media that is exposed through the USB mass storage function, because those files can then be read or modified from another host without passing through the operating system's trust checks.
- Be cautious when exposing removable media.
  Device enumeration is non-deterministic. A removable volume can therefore be enumerated before a non-removable one and receive the name that applications expect to refer to built-in storage.
- Verify that removable media controller drivers are loaded after non-removable media drivers.
  Because device enumeration is non-deterministic, make sure that the controller drivers for removable media load only after the drivers for non-removable media, so that inserted media cannot take the name or position of built-in storage.
- Verify that the load order for your Windows Embedded CE-based device is fixed.
  Which storage device is exposed through the USB mass storage function depends on enumeration order. To ensure that the intended storage device, and only that device, is exposed, verify that the load order for your Windows Embedded CE-based device is fixed.
- Mark each DLL file in the Windows root directory as system.
  To prevent a DLL file in the Windows root directory from being replaced with a malicious one, mark each DLL file in the Windows root directory as a system file.
- Set the MountSystem registry value in the Storage Manager profile, as appropriate.
  If you want the entire contents of a volume to be inaccessible to applications that do not have the appropriate privileges, set the MountSystem registry value in the Storage Manager profile for that volume.
- Verify that EvGen runs early enough in the file system load order.
  If the file system load order at boot time is controlled by a setting, and an attacker can change that setting, the attacker can force EvGen to load later in the file system load order. Until EvGen initializes successfully, all other modules are implicitly loaded as trusted, so delaying it widens the window in which untrusted modules are loaded as trusted.
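Two of the items above are settings in the platform's build-time configuration rather than in application code: the S (system) flag on MODULES and FILES entries in the .bib file, which gives a file the system attribute in the ROM file system, and the MountSystem value under a Storage Manager profile key in the .reg files. The following audit script is an added example, not part of the Windows Embedded CE documentation or of Platform Builder; it scans .bib and .reg text for DLLs without the S flag and for Storage Manager profiles that should be system volumes but do not set MountSystem to 1. The .bib and .reg fragments it scans are constructed samples, the profile names FlashDisk, NandFlash and SDMemory are made up, and treating FlashDisk and NandFlash as the volumes that hold critical system data is an assumption for the sake of the example. It also assumes .bib paths contain no whitespace, which holds for the usual $(_FLATRELEASEDIR)\name form.

```python
"""Build-time audit of two file-system hardening settings for a CE image.

Added example (not from the Windows Embedded CE documentation). The .bib and
.reg fragments below are constructed samples; profile names are invented.
"""
import re

# Constructed .bib fragment. Two DLLs deliberately lack the S flag.
SAMPLE_BIB = """\
MODULES
;   Name            Path                               Memory  Type
    coredll.dll     $(_FLATRELEASEDIR)\\coredll.dll     NK      SH
    filesys.dll     $(_FLATRELEASEDIR)\\filesys.dll     NK      SHK
    mydriver.dll    $(_FLATRELEASEDIR)\\mydriver.dll    NK      H
FILES
    helper.dll      $(_FLATRELEASEDIR)\\helper.dll      NK
    readme.txt      $(_FLATRELEASEDIR)\\readme.txt      NK
"""

# Constructed .reg fragment in Platform Builder format. NandFlash never
# sets MountSystem; SDMemory sets it to 0 (removable media, as expected).
SAMPLE_REG = """\
[HKEY_LOCAL_MACHINE\\System\\StorageManager\\Profiles\\FlashDisk]
    "Name"="Internal Flash"
    "MountSystem"=dword:1
[HKEY_LOCAL_MACHINE\\System\\StorageManager\\Profiles\\NandFlash]
    "Name"="NAND Flash"
[HKEY_LOCAL_MACHINE\\System\\StorageManager\\Profiles\\SDMemory]
    "Name"="SD Memory Card"
    "MountSystem"=dword:0
"""

SECTION_HEADERS = {"MODULES", "FILES", "CONFIG", "MEMORY"}

PROFILE_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\System\\StorageManager\\Profiles\\([^\]\\]+)\]$",
    re.IGNORECASE,
)
MOUNT_SYSTEM = re.compile(
    r'^"MountSystem"\s*=\s*dword:([0-9A-Fa-f]+)$', re.IGNORECASE
)


def dlls_missing_system_flag(bib_text):
    """Return DLL names from MODULES/FILES entries whose flags lack S.

    Entries have the form 'name path memory [flags]'. Comment lines (';'),
    IF/ELSE/ENDIF conditionals and other sections are skipped.
    """
    missing = []
    in_file_section = False
    for raw in bib_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        upper = line.upper()
        if upper in SECTION_HEADERS:
            in_file_section = upper in ("MODULES", "FILES")
            continue
        if not in_file_section or upper.startswith(("IF ", "ELSE", "ENDIF")):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        name = fields[0]
        flags = fields[3].upper() if len(fields) > 3 else ""
        if name.lower().endswith(".dll") and "S" not in flags:
            missing.append(name)
    return missing


def profiles_missing_mount_system(reg_text, required_profiles):
    """Return required Storage Manager profiles that do not set MountSystem=1.

    A profile is reported when its key is absent from the text, when the key
    never sets MountSystem, or when MountSystem is 0. Profiles outside
    required_profiles are ignored: removable media is normally not a system
    volume, so only the caller knows which profiles must be protected.
    """
    seen = {}  # lower-cased profile name -> MountSystem value (0 if absent)
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = PROFILE_KEY.match(line)
        if key:
            current = key.group(1).lower()
            seen.setdefault(current, 0)
            continue
        if line.startswith("["):
            current = None  # some other registry key; stop attributing values
            continue
        if current is None:
            continue
        val = MOUNT_SYSTEM.match(line)
        if val:
            seen[current] = int(val.group(1), 16)
    return sorted(p for p in required_profiles if seen.get(p.lower(), 0) == 0)


if __name__ == "__main__":
    print("DLLs without the S flag:", dlls_missing_system_flag(SAMPLE_BIB))
    print("Required profiles without MountSystem=1:",
          profiles_missing_mount_system(SAMPLE_REG, {"FlashDisk", "NandFlash"}))
```

Run as a build step, the script reports mydriver.dll and helper.dll as DLLs that would land in the Windows directory without the system attribute, and NandFlash as a volume that is expected to hold critical data but is not mounted as a system volume. The two checks are separate on purpose: the S flag protects individual ROM files, while MountSystem hides an entire mounted volume from applications that lack the required privilege.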
Other Security-related Considerations
In addition to the best practices listed above, the following information is related to security and should be taken into consideration to enhance the security and reliability of the file system and data store:
- The operating system protects files and directories that have the FILE_ATTRIBUTE_SYSTEM attribute from inappropriate manipulation. An untrusted application cannot successfully call the following functions on a system file:
- CreateFile
- DeleteFile
- SetFileAttributes
- MoveFile
- DeleteAndRenameFile
- CopyFile
- RemoveDirectory
In addition, an application without the correct trust credentials cannot replace a system file in the RAM file system or in ROM with a file of the same name, and cannot set the FILE_ATTRIBUTE_SYSTEM attribute on a file or directory.
For more information about Windows Embedded CE security, see Enhancing the Security of a Device.