TECHNOLOGY IN SYSTEMS
Making Embedded Systems More Secure with Windows Embedded Standard 7
Security mechanisms built into the new Windows 7 can also be used to secure remote and even unattended embedded systems and devices.
JOHN LISHERNESS, AVNET TECHNOLOGY SOLUTIONS
Microsoft’s Windows Embedded Business supplies OEMs with platforms and technologies for embedded systems. Released in the spring of 2010, Windows Embedded Standard 7 delivers the power, familiarity and reliability of the Windows 7 operating system in a highly customizable and componentized form. Windows Embedded Standard 7 is available in three versions: “C”, “E” and “P”. The “C” version is targeted at the consumer entertainment set-top box market. The “E” version has features most users of Windows are familiar with such as Internet Explorer, Windows Media Player and Remote Desktop Protocol. Windows Embedded Standard 7’s “P” version adds many features, including Multi-touch support, BranchCache, Windows Media Center, AppLocker, BitLocker and DirectAccess. The focus here is on BitLocker and DirectAccess and how they can be used to enhance the security of embedded systems.
If the used copiers in the accompanying news story had an operating system with BitLocker enabled, the hard drives removed from them would have been unreadable. BitLocker was introduced with Windows Vista and is included in the Ultimate and Enterprise versions of Windows 7. Windows Embedded Standard 7 has BitLocker available as well.
With BitLocker turned on, all the data stored on the computer’s protected volumes is automatically encrypted. If a hard drive is removed from the system, its protected contents are unreadable. There are several ways a system can be set up so that the entire drive, or a volume on a drive, can be locked and then unlocked. For the entire drive to be locked, the system needs to be equipped with a Trusted Platform Module (TPM 1.2) chip. Since 2006, TPMs have been commonly designed into many motherboards and even laptops. Since the TPM is part of the hardware, its presence is transparent to embedded application software and the end user. When the system starts, BitLocker retrieves the key stored in the TPM and unlocks the protected drive automatically.
If there isn’t a TPM, the system needs an unprotected boot volume from which the system’s user can enter a passcode to unlock the protected volume. The BitLocker Wizard is a utility that creates a non-encrypted system partition on the hard drive holding the files necessary to start the computer. This partition does not show up in the Computer folder and has no drive letter. The rest of the drive, which can include the operating system, applications and data, is encrypted and cannot be read if removed from the system.
One simple way to automatically unlock a protected volume is to set it up to unlock when a specific user logs onto the system. In this way, the user’s log-on acts as the key. Another way a user can unlock a volume is to assign a password or use a smartcard. Systems with multiple drives can have some drives encrypted and others not; files moved between drives are stored encrypted or not according to how the destination drive is set up. Some embedded scenarios come to mind that could use BitLocker. Imagine a digital video surveillance recorder whose video data is stored on a protected drive (Figure 1).
Figure 1. Security components that can be used when implementing BitLocker scenarios.
For USB flash drives and external attached drives, there is “BitLocker to Go.” Systems using BitLocker to Go can require that USB thumb drives and other removable storage devices (Figure 2) be encrypted, so that the data on them is readable on another machine only with a passphrase. If the embedded system is connected to and is part of an enterprise network, IT administrators can set a policy controlling the required passphrase length and complexity. IT administrators can also require users to apply BitLocker protection to removable drives before being able to write to them.
Figure 2. Even small, removable devices can be secured with BitLocker.
It isn’t hard to imagine the types of systems that could take advantage of BitLocker. Medical devices can use BitLocker to allow the transport of medical records via USB connected storage without fear of the contents being accessed by someone inadvertently getting physical access to the storage device. Another example would be to use BitLocker to secure security video recordings or recorded legal proceedings.
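The BitLocker deployment choices above (TPM-bound OS volume, protected data volumes, passphrase-protected BitLocker to Go drives) are all visible in the output of the manage-bde status command that ships with Windows 7. The following Python script is an added fleet-audit example, not code from the article or from Microsoft: it parses a constructed, abbreviated sample of that output (the field layout is assumed from Windows 7 era output, not captured from a real device) and reports the volumes an administrator would want to fix.

```python
import re

# Constructed, abbreviated "manage-bde -status" output; the field layout is
# assumed from Windows 7 era output, not captured from a real device.
SAMPLE_STATUS = """\
Volume C: [OS]
[OS Volume]
    Protection Status:    Protection On
    Key Protectors:
        TPM
        Numerical Password
Volume D: [Video]
[Data Volume]
    Protection Status:    Protection Off
    Key Protectors:       None Found
Volume E: [Transfer]
[Data Volume]
    Protection Status:    Protection On
    Key Protectors:
        External Key
"""

def parse_status(text):
    """Map drive letter -> {'type', 'fields', 'protectors'} from manage-bde text."""
    volumes, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"Volume ([A-Z]):", line)
        if m:
            cur = volumes.setdefault(m.group(1), {"type": "", "fields": {}, "protectors": []})
            continue
        s = line.strip()
        if cur is None or not s:
            continue
        if s.startswith("[") and s.endswith("]"):
            cur["type"] = s.strip("[]")          # "OS Volume" or "Data Volume"
        elif ":" in s:
            key, _, val = s.partition(":")
            cur["fields"][key.strip()] = val.strip()
        else:                                    # indented key-protector names
            cur["protectors"].append(s)
    return volumes

def audit(volumes, removable=()):
    """Findings: protection off, OS volume not TPM-bound, removable drive without passphrase."""
    findings = []
    for letter, v in sorted(volumes.items()):
        if v["fields"].get("Protection Status") != "Protection On":
            findings.append(f"{letter}: BitLocker protection is off")
        elif v["type"] == "OS Volume" and "TPM" not in v["protectors"]:
            findings.append(f"{letter}: OS volume is not bound to the TPM")
        elif letter in removable and "Password" not in v["protectors"]:
            findings.append(f"{letter}: removable drive has no passphrase protector")
    return findings
```

On a real device, feed `audit` the captured output of `manage-bde -status` and pass the letters of removable drives; in the sample, the unprotected video volume and the transfer drive that lacks a passphrase protector are both reported.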
For years, companies have relied on Virtual Private Networks (VPNs) to ensure secure connections between remote laptop users and sensitive data on the enterprise network. Remote laptop users requiring VPNs are familiar with having to launch the VPN software and enter a code produced by a VPN key in order to gain a secure connection with the company’s intranet. VPN users are also familiar with lost connections, slow or restricted Internet access, lost keys and firewall problems. Embedded systems need secure, reliable connections, but can’t rely on an attendant with a VPN key. Quite often, the embedded system has no attendant at all, or is even headless, without keyboard, video or mouse. The solution to this situation is DirectAccess.
DirectAccess can replace VPNs and supply a secure connection between client systems and the company server without many of the downsides associated with VPNs. There is no electronic key to read and no need for someone to initiate the VPN session. The secure connection is created automatically by virtue of the server and client both being on the Internet and able to connect. When an embedded system client with DirectAccess connects to the Internet, it uses IPv6-over-IPsec to connect to the corporate DirectAccess server. Unlike a VPN, DirectAccess is always on.
One interesting aspect of DirectAccess is its ability to actually reduce traffic between the client and the server. With a VPN, all of the client’s Internet requests go through the server. This includes streaming media and non-sensitive Internet browsing. With DirectAccess, IT administrators can enable remote client devices to directly access websites outside of the intranet without having to access the Web via the server. This can dramatically reduce the amount of data flowing through the company’s servers (Figure 3). Imagine a remote kiosk in a retail setting being able to handle financial transactions and serve intranet content that’s also able to provide streaming media and Web browsing without burdening the dedicated, securely connected servers. Conversely, imagine streaming real-time video being securely sent to a server.
Figure 3. With DirectAccess, users can access the wider Internet normally while only using corporate resources for the access that needs to be secure.
Another huge upside to DirectAccess is that IT departments can easily update and service remotely connected embedded systems. With the secure connection being “always on,” setting Group Policy and distributing software updates can be done at any time, with the embedded client system unattended.
OEMs eager to adopt Windows Embedded Standard 7 “P” to utilize DirectAccess on their clients need to be aware that it will require one or more DirectAccess servers running Windows Server 2008 R2 with two network adapters: one connected directly to the Internet, and a second connected to the intranet. Additionally, the cost of the Windows Embedded Standard 7 “P” version is approximately 50 percent more than the “E” version.
The cost of Windows Embedded is still far less than the non-embedded “OEM System Builder” version of the operating systems. There are other advantages of Windows Embedded, as well. All Windows Embedded products are available for fifteen years from their release date. This means that Windows Embedded Standard 7 is guaranteed available until 2025. For those OEMs who are unable to migrate from Windows XP Embedded to Windows Embedded Standard 7, Windows Embedded Standard 2009 is available until 2024.
Beyond the cost and extended availability advantages, there are features unique to Windows Embedded Standard 2009 and Windows Embedded Standard 7. These operating systems do not require that an activation key be entered for each system, both can be configured to consistently boot quickly using Hibernate Once Resume Many (HORM), and valuable data can be protected from accidental corruption using Enhanced Write Filter (EWF) and File Based Write Filter (FBWF). EWF and FBWF protect data on the storage media from corruption or tampering by redirecting writes to a RAM overlay instead of the hard drive.
With EWF in place, the system can experience an abrupt loss of power and, because the system is writing to RAM instead of the volume that contains the OS, the OS is protected from hard-drive power-down corruption. Systems using EWF can also use HORM. HORM allows the system to boot in a fraction of the normal boot time using the EWF-protected volume and a hiberfile. The system not only boots faster, but the boot time never changes. More information on Windows Embedded can be found at the Microsoft Embedded website: www.microsoft.com/embedded and the Windows Embedded News Center for updates: http://www.microsoft.com/presspass/presskits/embedded/. More technical information can be found in the Embedded section of MSDN: http://msdn.microsoft.com/en-us/windowsembedded.