miha1
Posts: 22
Joined: Mon Feb 22, 2016 12:56 pm

Windows IoT security

Mon Mar 14, 2016 5:15 pm

Hello,

I could not find any easy guides or info about securing Windows IoT devices, so I did some checking.
As it turned out, you should never connect a fresh install of Windows IoT directly to the internet.
(tested both on 10.0.10556 and on 10.0.14279)

There are 4 important services running on it out of the box and exposed to the internet:
  • FTP server on port 21
  • SSH server on port 22
  • Windows Remote Management (used for PowerShell) on port 5985
  • Web management on port 8080
First and most important, the FTP server allows anonymous read and write access to your entire file system (partition C:).
SSH, Windows Remote Management and web management have a default password that you should change. If you don't, it's almost as bad as FTP.
This information has been out for months, to be more precise since at least 3.6.2015 (https://www.raspberrypi.org/blog/window ... nt-1230527)

So how to fix this:
If you don't need FTP, it's best to disable it. For the other services I would limit them to the local subnet. To do this, connect to the Windows IoT device from PowerShell as explained here: http://ms-iot.github.io/content/en-US/w ... rShell.htm

To disable FTP:


schtasks /change /disable /tn "\Microsoft\Windows\IoT\StartFtpd"
schtasks /end /tn "\Microsoft\Windows\IoT\StartFtpd"

This disables the scheduled task that starts the FTP server at startup and kills the FTP server process.

To change the firewall for SSH, Windows Remote Management and web management (Warning: these commands assume that the Windows IoT device and your computer are on the same subnet; if they are not, you can lock yourself out. Proceed on your own responsibility):


Get-NetFirewallRule Ssh-Server-Service | Get-NetFirewallAddressFilter | Set-NetFirewallAddressFilter -RemoteAddress @("LocalSubnet")
Get-NetFirewallRule WebManagement-4 | Get-NetFirewallAddressFilter | Set-NetFirewallAddressFilter -RemoteAddress @("LocalSubnet")
Get-NetFirewallRule WINRM-HTTP-In-TCP | Get-NetFirewallAddressFilter | Set-NetFirewallAddressFilter -RemoteAddress @("LocalSubnet")
Get-NetFirewallRule WINRM-HTTP-In-TCP-PUBLIC | Get-NetFirewallAddressFilter | Set-NetFirewallAddressFilter -RemoteAddress @("LocalSubnet")
Get-NetFirewallRule -displayname WinRM-HTTP-Port | Get-NetFirewallAddressFilter | Set-NetFirewallAddressFilter -RemoteAddress @("LocalSubnet")
WINRM-HTTP is listed three times, since there are multiple rules in the firewall: one for private and domain, one for public profiles, one for the compatibility port and one for the port itself.
This will limit access to those services to the local subnet. You can replace "LocalSubnet" with any IP, just be careful you don't lock yourself out.

If you do not need SSH, you can disable it by using the following commands:


Set-Service -name SshSvc -startupType Manual
Stop-Service -name SshSvc
This changes the SSH service to manual and stops it. This way it is easy to start it again later if you want.

If anyone have any other suggestions, please post them.


With kind regards,

------
Miha

Edit:
4 more firewall rules, to limit access to AllJoyn and Sirep-Server (Warning: these commands assume that the Windows IoT device and your computer are on the same subnet; if they are not, you can lock yourself out. Proceed on your own responsibility):


Get-NetFirewallRule AllJoyn-Router-In-TCP | Get-NetFirewallAddressFilter | Set-NetFirewallAddressFilter -RemoteAddress @("LocalSubnet")
Get-NetFirewallRule Sirep-Server-Service | Get-NetFirewallAddressFilter | Set-NetFirewallAddressFilter -RemoteAddress @("LocalSubnet")
Get-NetFirewallRule Sirep-Server-Ping | Get-NetFirewallAddressFilter | Set-NetFirewallAddressFilter -RemoteAddress @("LocalSubnet")
Get-NetFirewallRule Sirep-Server-Protocol2 | Get-NetFirewallAddressFilter | Set-NetFirewallAddressFilter -RemoteAddress @("LocalSubnet")
Last edited by miha1 on Tue Mar 15, 2016 12:45 pm, edited 1 time in total.
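Before applying any of the rules in the post above, it helps to see what the device actually exposes right now. The script below is an added example, not code from miha1's post: it lists, for each service and firewall rule the post names, whether something is listening on the port, whether the rule is enabled, and whether its remote scope is still "Any", and it reports the state of the StartFtpd task. It assumes Get-NetTCPConnection and the NetSecurity cmdlets are available in the remote PowerShell session; no FTP firewall rule name appears in the thread, so FTP is reported by listener only.

```powershell
# Added example (not code from miha1's post): audit what the device exposes before
# changing anything. Rule names and ports are the ones named in the post. Assumes
# Get-NetTCPConnection / NetSecurity cmdlets exist in the remote session.

$Services = @(
    @{ Name = 'FTP';            Port = 21;   Rules = @() }
    @{ Name = 'SSH';            Port = 22;   Rules = @('Ssh-Server-Service') }
    @{ Name = 'WinRM';          Port = 5985; Rules = @('WINRM-HTTP-In-TCP', 'WINRM-HTTP-In-TCP-PUBLIC', 'WinRM-HTTP-Port') }
    @{ Name = 'Web management'; Port = 8080; Rules = @('WebManagement-4') }
)

function Find-FirewallRule([string] $Name) {
    # The thread addresses most rules by -Name and one (WinRM-HTTP-Port) by -DisplayName,
    # so try both before giving up.
    $rule = Get-NetFirewallRule -Name $Name -ErrorAction SilentlyContinue
    if (-not $rule) { $rule = Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue }
    return $rule
}

function Get-IoTExposure {
    foreach ($svc in $Services) {
        # Is anything listening on this port right now?
        $listening = [bool](Get-NetTCPConnection -LocalPort $svc.Port -State Listen -ErrorAction SilentlyContinue)

        if ($svc.Rules.Count -eq 0) {
            # No rule name known from the thread (FTP): report the listener only.
            [pscustomobject]@{ Service = $svc.Name; Port = $svc.Port; Listening = $listening
                               Rule = ''; Enabled = ''; Profile = ''; RemoteAddress = ''; Exposed = $listening }
            continue
        }

        foreach ($ruleName in $svc.Rules) {
            foreach ($rule in (Find-FirewallRule $ruleName)) {
                $addr = $rule | Get-NetFirewallAddressFilter
                [pscustomobject]@{
                    Service       = $svc.Name
                    Port          = $svc.Port
                    Listening     = $listening
                    Rule          = $rule.Name
                    Enabled       = [string]$rule.Enabled
                    Profile       = [string]$rule.Profile
                    RemoteAddress = ($addr.RemoteAddress -join ',')
                    # Listener up, rule enabled and remote scope still 'Any': reachable from any source
                    Exposed       = ($listening -and ([string]$rule.Enabled -eq 'True') -and ($addr.RemoteAddress -contains 'Any'))
                }
            }
        }
    }
}

function Get-FtpTaskStatus {
    # Is the scheduled task that starts ftpd still enabled? With /fo CSV /nh schtasks
    # prints "TaskName","Next Run Time","Status" for the named task.
    $line = schtasks /query /tn '\Microsoft\Windows\IoT\StartFtpd' /fo CSV /nh 2>$null
    if (-not $line) { return 'task not found' }
    return ($line | ConvertFrom-Csv -Header TaskName, NextRun, Status).Status
}

Get-IoTExposure | Format-Table -AutoSize
"StartFtpd task: $(Get-FtpTaskStatus)"
```

Run it once before and once after the hardening commands; every row should end up with Exposed = False, and the task status should read Disabled once the schtasks commands have been applied.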

mar332
Posts: 26
Joined: Tue Dec 22, 2015 5:46 pm

Re: Windows IoT security

Tue Mar 15, 2016 11:48 am

How do I disable uploading from Visual Studio 2015 to the Raspberry Pi 2 for people other than me?

miha1
Posts: 22
Joined: Mon Feb 22, 2016 12:56 pm

Re: Windows IoT security

Tue Mar 15, 2016 1:27 pm

mar332 wrote:How do I disable uploading from Visual Studio 2015 to the Raspberry Pi 2 for people other than me?
It's limited to the local subnet anyway. Do you have a static IP or a dynamic IP on your computer?
Not sure if you can limit it to a specific username, but you can limit it to an IP if you want.

Warning, with this command you can lock yourself out. Proceed on your own responsibility.

Replace YOUR_IP with static ip address of your computer (or any other ip you need, you can define multiple ip addresses):


Get-NetFirewallRule -name VisualStudio-MSVSMON* | Where-Object Direction -eq Inbound | Get-NetFirewallAddressFilter | Set-NetFirewallAddressFilter -remoteaddress @("YOUR_IP")
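The lockout warning above is the part that bites in practice: once the address filter no longer covers the machine you are connected from, the session you are typing into is the last one you get. The function below is an added example and not miha1's code: it wraps the same Get-NetFirewallAddressFilter | Set-NetFirewallAddressFilter pipeline, validates each literal address, refuses to apply a scope that does not include the address you administer the device from (checking LocalSubnet against the device's own IPv4 networks), and supports -WhatIf so the change can be previewed first. Rule names are those used in the thread; 192.0.2.10 is a placeholder for your own workstation address, and Get-NetIPAddress is assumed to be available in the remote session.

```powershell
# Added example (not miha1's code): scope inbound rules to an address list with a
# lockout guard and -WhatIf support. $ManagementHost is the IP you are connecting
# from; 192.0.2.10 below is a placeholder, not a real address from the thread.

function ConvertTo-IPv4Int([System.Net.IPAddress] $Address) {
    # IPv4 address as a 64-bit integer so masks can be applied without int32 overflow.
    $b = $Address.GetAddressBytes()
    return [int64](([int64]$b[0] -shl 24) -bor ([int64]$b[1] -shl 16) -bor ([int64]$b[2] -shl 8) -bor [int64]$b[3])
}

function Test-SameSubnet([System.Net.IPAddress] $Address) {
    # True if $Address lies in any IPv4 network configured on this device,
    # which is what the firewall keyword 'LocalSubnet' resolves to.
    if ($Address.AddressFamily -ne 'InterNetwork') { return $false }
    $target = ConvertTo-IPv4Int $Address
    foreach ($ip in Get-NetIPAddress -AddressFamily IPv4 -ErrorAction SilentlyContinue) {
        $local = ConvertTo-IPv4Int ([System.Net.IPAddress]::Parse($ip.IPAddress))
        $mask  = (([int64]0xFFFFFFFF) -shl (32 - [int]$ip.PrefixLength)) -band 0xFFFFFFFF
        if (($target -band $mask) -eq ($local -band $mask)) { return $true }
    }
    return $false
}

function Set-IoTRuleScope {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string[]] $RuleName,
        [Parameter(Mandatory)] [string[]] $RemoteAddress,   # 'LocalSubnet' or literal IPs
        [Parameter(Mandatory)] [string]   $ManagementHost   # the IP you administer the device from
    )

    # Every entry must be a firewall keyword or a parseable IP; a typo here is a lockout.
    foreach ($a in $RemoteAddress) {
        if ($a -ne 'LocalSubnet' -and $a -ne 'Any' -and -not [System.Net.IPAddress]::TryParse($a, [ref]$null)) {
            throw "Not a valid address or keyword: $a"
        }
    }

    # Lockout guard: the management host must be covered by the new scope.
    $mgmt = [System.Net.IPAddress]::Parse($ManagementHost)
    $covered = ($RemoteAddress -contains 'Any') -or ($RemoteAddress -contains $ManagementHost) -or
               (($RemoteAddress -contains 'LocalSubnet') -and (Test-SameSubnet $mgmt))
    if (-not $covered) { throw "Refusing: $ManagementHost is not in the new scope; you would lock yourself out." }

    foreach ($name in $RuleName) {
        $rules = Get-NetFirewallRule -Name $name -ErrorAction SilentlyContinue
        if (-not $rules) { $rules = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue }
        if (-not $rules) { Write-Warning "Rule not found: $name"; continue }
        # Only inbound rules matter for exposure; outbound ones are left alone.
        foreach ($r in ($rules | Where-Object Direction -eq Inbound)) {
            if ($PSCmdlet.ShouldProcess($r.Name, "set RemoteAddress to $($RemoteAddress -join ',')")) {
                $r | Get-NetFirewallAddressFilter | Set-NetFirewallAddressFilter -RemoteAddress $RemoteAddress
            }
        }
    }
}

# Preview first (prints what would change), then rerun without -WhatIf to apply.
Set-IoTRuleScope -RuleName 'Ssh-Server-Service', 'WebManagement-4', 'VisualStudio-MSVSMON*' `
                 -RemoteAddress 'LocalSubnet' -ManagementHost '192.0.2.10' -WhatIf
```

The guard only protects against the scope you pass in; it cannot know about a NAT or a VPN hop in between, so a preview with -WhatIf is still worth reading before the real run.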

mar332
Posts: 26
Joined: Tue Dec 22, 2015 5:46 pm

Re: Windows IoT security

Wed Mar 16, 2016 7:50 am

miha1 wrote: To disable FTP:


schtasks /change /disable /tn "\Microsoft\Windows\IoT\StartFtpd"
schtasks /end /tn "\Microsoft\Windows\IoT\StartFtpd"
This code doesn't work. Maybe I should kill the FTP process when I run the Raspberry Pi?
Password when opening FTP??

miha1
Posts: 22
Joined: Mon Feb 22, 2016 12:56 pm

Re: Windows IoT security

Wed Mar 16, 2016 9:12 am

mar332 wrote: This code doesn't work. Maybe I should kill the FTP process when I run the Raspberry Pi?
Password when opening FTP??
It should work; what error message do you get? The messages you get when you type those two commands should look something like this:


[pi2]: PS C:\Data\Users\Administrator\Documents> schtasks /change /disable /tn "\Microsoft\Windows\IoT\StartFtpd"
SUCCESS: The parameters of scheduled task "\Microsoft\Windows\IoT\StartFtpd" have been changed.
[pi2]: PS C:\Data\Users\Administrator\Documents> schtasks /end /tn "\Microsoft\Windows\IoT\StartFtpd"
SUCCESS: The scheduled task "\Microsoft\Windows\IoT\StartFtpd" has been terminated successfully.
What is the result of these three commands?
  • schtasks /query | Select-String ftp
  • schtasks /query /fo list | Select-String ftp
  • Get-Process -name ftp*

mar332
Posts: 26
Joined: Tue Dec 22, 2015 5:46 pm

Re: Windows IoT security

Wed Mar 16, 2016 9:55 am

miha1 wrote:
To disable FTP:


schtasks /change /disable /tn "\Microsoft\Windows\IoT\StartFtpd"
schtasks /end /tn "\Microsoft\Windows\IoT\StartFtpd"
It works. I changed code. Thanks a lot :)

mar332
Posts: 26
Joined: Tue Dec 22, 2015 5:46 pm

Re: Windows IoT security

Wed Mar 30, 2016 9:47 am

Hi, once again.

Is there any chance to deploy from applications other than Visual Studio 2015??
I've blocked SSH, FTP.

miha1
Posts: 22
Joined: Mon Feb 22, 2016 12:56 pm

Re: Windows IoT security

Wed Mar 30, 2016 10:36 am

mar332 wrote:Hi, once again.

Is there any chance to deploy from applications other than Visual Studio 2015??
I've blocked SSH, FTP.
Hello,

You can deploy over the web management app or over the REST API exposed by the web management app. You can see the REST documentation by typing http://your-pi:8080/RESTDOCUMENTATION.HTM
You can read more about deploying here: http://www.cardinalsolutions.com/blog/2 ... deployment

If you meant running apps, you can also run them from PowerShell, that is over WinRM.

With kind regards,

------
Miha

mar332
Posts: 26
Joined: Tue Dec 22, 2015 5:46 pm

Re: Windows IoT security

Wed May 04, 2016 7:40 am

Hello Miha,

Do you know how to disable updates in OS 10.0.10586.218 on the RPi 2?? Or block updates in the firewall??

MarinaMT
Posts: 11
Joined: Thu Apr 07, 2016 4:25 pm

Re: Windows IoT security

Wed May 04, 2016 8:40 pm

miha1 wrote:
mar332 wrote:Hi, once again.

Is there any chance to deploy from applications other than Visual Studio 2015??
I've blocked SSH, FTP.
Hello,

You can deploy over the web management app or over the REST API exposed by the web management app. You can see the REST documentation by typing http://your-pi:8080/RESTDOCUMENTATION.HTM
You can read more about deploying here: http://www.cardinalsolutions.com/blog/2 ... deployment

If you meant running apps, you can also run them from PowerShell, that is over WinRM.

With kind regards,

------
Miha
This is very interesting.
Thanks a lot for all this info!!!
