Security Options for Devices
There are several different methods of helping to secure devices running Windows Embedded operating systems. This section discusses the advantages and limitations of the following common methods:
- Enabling write filters
- Using Forefront Endpoint Protection 2010
- Using Windows Embedded Device Manager 2011 to enable write filters and use Forefront Endpoint Protection 2010
Security and Write Filters
Write filters help protect devices from security threats by preventing unauthorized writes to the storage media. When you enable write filters (Enhanced Write Filter or File-Based Write Filter), the device stores changes in RAM, and all uncommitted writes to the device are lost when the device restarts.
However, devices are still at risk even with their write filters enabled. During regular device operation, a virus or other malicious software might infect the cache and operate from RAM until the device restarts. If this occurs, the malware can interfere with the device’s regular operation, expose any sensitive data on the device, and propagate to other connected devices. Also, if the write filter only protects part of the storage media, malware can write to the unprotected sectors. In this case, the malware can remain on the device even after it restarts.
Security and Forefront Endpoint Protection 2010
To help protect their networks, thousands of administrators rely on Microsoft Forefront Endpoint Protection 2010 because of its highly accurate detection of both known and unknown security threats. Together with Microsoft System Center Configuration Manager 2007, Endpoint Protection helps provide security and anti-malware management for desktops, portable computers, and servers.
On July 28, 2011, Forefront Endpoint Protection 2010 SP1 added support for devices running Windows Embedded Standard 7 SP1, Windows Embedded POSReady 7, and Windows Thin PC. For more information, see What's New in FEP 2010 Update Rollup 1.
Forefront Endpoint Protection 2010 can scan devices when their write filters are enabled. However, any Endpoint Protection engine updates or definition updates are lost when devices with write filters enabled restart, exposing these devices to some risk.
To run Endpoint Protection updates on a device, you must manually disable the device’s write filters. After Endpoint Protection completes its necessary engine updates and definition updates, you can manually re-enable the write filters. If your network contains a large number of devices, you might find this process prohibitively time-consuming. It is also possible to accidently leave write filters disabled or for an unauthorized user to tamper with the device while it is being updated.
Security and Windows Embedded Device Manager 2011
Windows Embedded Device Manager 2011 lets you seamlessly combine write filters and Forefront Endpoint Protection 2010 to help protect your devices. The write filter handling feature of Device Manager 2011 can automatically disable the write filter, run Endpoint Protection updates, and re-enable the write filter.
With Device Manager 2011, you can do the following:
- Reduce the time that the write filter is disabled, limiting how long the device is at risk.
- Eliminate the possibility that you will forget to re-enable the write filters.
- Automatically lock the UI while the device is being serviced.
- Perform other tasks, instead of watching each device update so that you can enable the write filter as soon as the Endpoint Protection tasks are finished.
- Include running Endpoint Protection tasks in regular maintenance updates.