Thin Client Security (Windows Embedded CE 6.0)
1/5/2010
This topic provides information on how to make a Windows Embedded CE powered thin client more secure.
CredUI Overview
For Windows Embedded CE 6.0 R2, Credential User Interface (CredUI) is a new feature that prompts the user to enter their username and password, or their Smart Card PIN. After the user clicks Connect on the Windows Embedded CE Terminal Services Client (CETSC) user interface (UI), The RDP client calls the CredUI dialog box and displays it to the user. With CredUI, the user must enter credential information that will be passed to the remote server and validated during the authentication process.
CredUI also provides a Save my password check box that enables a user to request that the credentials be stored on the thin client. Therefore, the next time that the user connects to a server, the authentication process can start immediately, without having to retype credentials. The encrypted credentials are stored in the Credential Manager for use on later connections.
After the user provides credential information, CredUI extracts the domain and user account name from a fully qualified user name. The following list shows the supported formats:
<MarshalledCredentialReference>
Contains a user name string. This string is a user credential that was previously marshaled from stored credentials. The User parameter is set to this string. The Domain parameter is set to an empty string.
<DomainName>\<UserName>
The User parameter is set to <UserName> and the Domain parameter is set to <DomainName>.
<UserName>@<DNSDomainName>
The User parameter is set to the whole string. The Domain parameter is set to an empty string.
The following list shows the characteristics required by a user name obtained by using CredUI:
- Maximum length of 104 characters
- ASCII characters
- Cannot contain any of the following characters: " / \ [ ] : ; | = , + * ? < >
- Can contain all other special characters. This includes spaces, periods, dashes, and underscores
The following list shows the characteristics required by a password obtained by using CredUI:
- Maximum length of 104 characters
- ASCII characters
- All characters are acceptable
CredUI is automatically included when you add the Remote Desktop Protocol (RDP) Catalog item to a thin client OS design.
Be aware that persisting credentials on a thin client device may present a security risk. In Windows Embedded CE 6.0 R2 Update KB945975, the ability to save passwords on the Remote Desktop client is disabled by default. To enable the Save my password check box, you can change one of the following registry keys:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\DisablePasswordSaving
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows NT\Terminal Services\DisablePasswordSaving
Key | Value |
---|---|
DisablePasswordSaving |
Nonzero value indicates that password saving is disabled. This setting is disabled by default. |
Note
The Remote Desktop Connection client will first check the registry value in HKEY_LOCAL_MACHINE, and then it will check the registry value in HKEY_CURRENT_USER.
Note
To ensure that password saving remains disabled across a cold boot of the operating system, Windows Embedded CE 6.0 R2 must support a persistent registry. The hive-based registry stores data inside files, or hives, which can be kept on any file system. This removes the need to perform backup and restore of registry data during shutdown or startup
Thin Client Security Issues
The following table provides more information about security issues that can affect a thin client OS design.
Topic | Description |
---|---|
Provides information on authentication services that can be used by developers to authenticate clients. |
|
Provides information about services, components, and tools that enable software developers to add cryptographic security to their applications. This includes CryptoAPI 2.0, Cryptographic Service Providers (CSP), CryptoAPI Tools, CAPICOM, WinTrust, issuing and managing certificates, and developing customizable public key infrastructures. |
|
Provides information and best practices about how to improve security in Internet Explorer 6. |
|
Describes best practices on how to improve security features for Remote Desktop Protocol (RDP). |
|
Describes best practices on how to reduce security risks when you are running Simple Network Management Protocol (SNMP) to support Device Management. |
|
Provides information and best practices on how to reduce security risks when you use Windows Messenger. |
|
Describes how Secure Sockets Layer (SSL) improves the security of network communication for features such as RDP. |
Default Registry Settings
Notice that the registry settings affect security. If a value has security implications, you will find a Security Note in the registry settings documentation.
For more information about registry settings, see Thin Client Registry Settings.
See Also
Other Resources
Customizing a Thin Client
Enhancing the Security of a Device
RDP Security