Database Security (Windows Embedded CE 6.0)
1/6/2010
Windows Embedded CE allows privileged applications to mark a system flag on databases to deny access to normal callers. Normal applications cannot open, read, or modify databases that are marked with the system flag. Privileged callers can set the CEDB_SYSTEMDB flag inside the CEDBASEINFOEX structure passed to CeCreateDatabaseEx2 or CeSetDatabaseInfoEx2 to protect a database.
This functionality protects a single database, not an entire database volume. Setting FILE_ATTRIBUTE_SYSTEM on the volume file protects database volumes. System databases cannot be created inside database volumes that do not have FILE_ATTRIBUTE_SYSTEM set to block normal applications from accessing and/or deleting a file containing a system database using the Microsoft Win32® file APIs. Because an normal application cannot access any file with the system file attribute set, adding the system flag to a database inside a database volume does not give it any additional security. Therefore, this functionality is most useful in databases that are stored within the object store. Removing the system file attribute from a database volume that contains a system database will expose that database to access by normal applications and is not recommended.