Important: This is retired content. This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.
The redirector is a system-supplied (network) file system driver that provides access to files on remote computers. Applications can use Windows networking functions to establish and terminate network connections and to retrieve current configuration data for the Microsoft Network. Windows Embedded CE provides applications that allow the user to directly connect to, and retrieve data from, remote file shares.
For more information about the Redirector, see Windows Networking API/Redirector.
Because the Server Message Block (SMB) protocol is susceptible to attacks by unauthorized users, and because data is transmitted in readable form, the Redirector poses some security risks. However, you can use several techniques to lower the risk to both your client and your server.
Best Practices
Use credentials
You can protect redirector shares with credentials, for example by restricting connections so that only certain users are allowed to connect.
When using credentials, keep in mind that credential caching in the Windows Embedded CE redirector works as follows. When the Windows Embedded CE redirector first connects to a server, it authenticates using the credentials supplied by the user or by an application (if the WNetAddConnection3 function is being called). The session that is established stays connected for a period of time, during which other applications can access files over this connection with the same level of access as the original logon. Once all files open on the server have been closed, the redirector shuts down the session to the server, so subsequent accesses must reauthenticate. The period of time between when the last file is closed and when the OS shuts down the session is controlled by the ResourceExpiryInt registry setting. For more information, see Windows Networking API/Redirector Registry Settings.
An application can use the WNetEnumResource and WNetCancelConnection2 functions to force all files that are open on a particular server to be closed. This is a good practice if an application needs to support multiple users, because it ensures that the current user cannot leverage connections established by previous users.
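The following is an added example, not code from the original page, showing how an application can enumerate the redirector's connected shares and cancel each one so that a cached session does not outlive the user who created it. On Windows it calls the real WNetOpenEnum/WNetEnumResource/WNetCancelConnection2 API; on other hosts a constructed in-memory stand-in (with two made-up share names) replaces the redirector so the control flow can be compiled and exercised off-device.

```c
/* Added example (not from the page): tear down every cached redirector session,
 * e.g. when a shared device switches users, so the next user cannot ride the
 * previous user's authenticated connections.  Real WNet calls on Windows; a
 * constructed in-memory stand-in elsewhere so the logic compiles off-device. */
#ifdef _WIN32
#include <windows.h>
#include <winnetwk.h>
#else /* stand-in for the redirector's connection table and the WNet API */
#include <string.h>
typedef unsigned long DWORD; typedef void *HANDLE; typedef int BOOL; typedef const char *LPCTSTR;
typedef struct { DWORD dwScope, dwType, dwDisplayType, dwUsage;
                 char *lpLocalName, *lpRemoteName, *lpComment, *lpProvider; } NETRESOURCE;
enum { NO_ERROR = 0, ERROR_NO_MORE_ITEMS = 259, RESOURCE_CONNECTED = 1, RESOURCETYPE_DISK = 1, TRUE = 1 };
static NETRESOURCE g_conn[2] = { {1,1,0,0,NULL,"\\\\fileserver\\share",NULL,NULL},   /* constructed */
                                 {1,1,0,0,NULL,"\\\\build\\drop",NULL,NULL} };
static int g_done;
static DWORD WNetOpenEnum(DWORD s, DWORD t, DWORD u, NETRESOURCE *r, HANDLE *h)
{ (void)s; (void)t; (void)u; (void)r; *h = &g_done; g_done = 0; return NO_ERROR; }
static DWORD WNetEnumResource(HANDLE h, DWORD *n, void *buf, DWORD *sz)
{ DWORD i, k = 0; (void)h; (void)sz;
  if (g_done) return ERROR_NO_MORE_ITEMS;
  for (i = 0; i < 2; i++) if (g_conn[i].lpRemoteName) ((NETRESOURCE *)buf)[k++] = g_conn[i];
  *n = k; g_done = 1; return NO_ERROR; }
static DWORD WNetCloseEnum(HANDLE h) { (void)h; return NO_ERROR; }
static DWORD WNetCancelConnection2(LPCTSTR name, DWORD fl, BOOL force)
{ int i; (void)fl; (void)force;
  for (i = 0; i < 2; i++)
    if (g_conn[i].lpRemoteName && !strcmp(g_conn[i].lpRemoteName, name)) { g_conn[i].lpRemoteName = NULL; return NO_ERROR; }
  return 1; }
#endif
/* Enumerate every connected share, then cancel each one; returns count cancelled or -1 on enumeration failure. */
int disconnect_all_shares(void)
{
    HANDLE hEnum;
    unsigned char buf[4096];                 /* NETRESOURCE array plus the strings it points to */
    NETRESOURCE *res = (NETRESOURCE *)buf;
    DWORD n = (DWORD)-1, size = sizeof buf, rc, i;
    int closed = 0;
    if (WNetOpenEnum(RESOURCE_CONNECTED, RESOURCETYPE_DISK, 0, NULL, &hEnum) != NO_ERROR) return -1;
    rc = WNetEnumResource(hEnum, &n, buf, &size); /* one call; the buffer stays ours */
    WNetCloseEnum(hEnum);                         /* finish enumerating before cancelling */
    if (rc == ERROR_NO_MORE_ITEMS) return 0;
    if (rc != NO_ERROR) return -1;
    for (i = 0; i < n; i++) {
        /* CE connections usually carry no local name, so fall back to the UNC path;
         * fForce=TRUE closes files still open on the share rather than refusing. */
        LPCTSTR name = res[i].lpLocalName ? res[i].lpLocalName : res[i].lpRemoteName;
        if (WNetCancelConnection2(name, 0, TRUE) == NO_ERROR) closed++;
    }
    return closed;
}
```

A single 4096-byte buffer is enough for a handful of connections; a production version should grow the buffer and retry if the enumeration reports that more data is available.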
Use SMB signing
To help protect the integrity of traffic between the client and server, you can enable SMB signing if the server supports it. Signing helps prevent a third party from altering requests and responses on the network during transport.
Note: While the Redirector supports SMB signing, it does not apply to passthrough authentication.
Applications should not allow users to directly run an executable on a network share
Directly opening an executable on a network share can expose the device to potential threats. The code can be changed on the server, which may allow malicious code to run on the device.
Default Registry Settings
You should be aware of the registry settings that affect security. In the registry settings documentation, values with security implications carry a Security Note.
For Redirector registry information, see Windows Networking API/Redirector Registry Settings.