Hardening, Windows ce – BECKHOFF IPC-Security User Manual

5.2. Hardening

This chapter explains some common strategies that can be deployed to actively secure components that
are part of the scenario. Because the operating system architecture of Windows CE differs from Windows
XP, Windows 7 or Windows Embedded, each operating system family is represented by an own chapter.

5.2.1. Windows CE

5.2.1.1. Remote dial in

On a Windows CE device, you can configure a remote dial in connection either via an attached modem
(using the COM-Port) or via a network connection (using VPN). The following chapter gives an overview
about the general settings of the Windows CE RAS Server, before moving on to the necessary configuration
settings for each setup (modem or VPN).

Each Beckhoff Windows CE device is being deployed with a build-in RAS Server. This background service
manages all incoming dial in connections, which arrive either via an attached modem or via the network
(VPN). The following picture shows a typical example for this setup.

The Windows CE RAS Server supports two main scenarios: You can either use an attached modem to
configure an incoming dialin connection via a telephone line or you can use the corporate network to dial in
via VPN. This flexibility enables you to easily establish a dialin connection to your Windows CE device and
to integrate this setup in your IT environment.

5.2.1.2. Remote maintenance

Windows CE provides the possibility to remotely connect to the device and perform maintenance tasks on
a desktop level via the tool Cerhost. Because Windows CE only provides one local user account for system
access, this user account is also used for the remote Cerhost connection.

Please consult chapter A.4.2.3 to see how to change the password for the system user. We highly recom-
mend you to set a password immediately because otherwise remote users can access the device unau-
thenticated via Cerhost.

IPC Security

29