
EGAIS: improving the information security of workstations

Information security is a systemic issue, and the EGAIS hardware and software complex is no exception. Given that today the cashier's workstation (which is really a whole complex: the cash register, the universal transport module (UTM), and so on) has Internet access, a set of measures is clearly needed to raise the security of each element of that complex.

Consider one element of the system: the software platform, consisting of the operating system and the specialized EGAIS software. As the operating system we use the retail-oriented Microsoft Windows Embedded POSReady 7 (which we covered in a separate article), and we enable the protection mechanisms built into it.

What follows will certainly seem obvious to experienced users and administrators of operating systems and application software; nevertheless, some practical aspects of using the operating system's capabilities may be of interest to them too.
Let's start with the obvious:
- separate users must be created, conditionally "User" and "Administrator", with fundamentally different rights over the operating system. "Administrator" may change the list of installed application software and the system settings; "User" must only interact with a predetermined list of programs;
- AppLocker is very convenient: a simple and flexible mechanism that lets system administrators define the list of applications approved for use on this workstation;
- even if you do not install antivirus software, remember that the operating system has the built-in "Windows Defender", which provides protection from at least Trojans;
- and of course, "Windows Firewall" must be configured.

Let's start with it.

Windows firewall

As the description of this component puts it, it helps prevent unauthorized access to this computer. Whatever your opinion of the built-in firewall, using it, properly configured, will noticeably increase the reliability of operation. We assume that the EGAIS hardware and software complex will not run inside a corporate network, where administrators have already taken measures against external threats, but on a so-called "Public network". The firewall therefore has to be configured carefully:

Fig. 1

As you can see, for the Public network we have blocked all incoming connections. Beyond that, individual rules can be set for inbound and outbound connections. For example, it is known that sending data from the computer to the EGAIS server requires outbound TCP port 443 to be open. This is easily configured in the advanced settings:

Fig. 2

The same can be done for the other software components of the EGAIS complex or of the customer's subsystem, for example for the cash register solution.
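The same settings as in Fig. 1 and Fig. 2, applied from an elevated command line instead of the GUI. This is an added example, not part of the original article; it uses netsh because the NetSecurity PowerShell module is not available on Windows 7-based systems such as POSReady 7. Assumptions: the workstation is on the Public profile, the EGAIS server is reached over TCP 443 only, and the rule name is our own choice.

```powershell
# Added example (not from the article): Windows Firewall for an EGAIS workstation
# on the Public profile, configured with netsh from an elevated prompt.
$ErrorActionPreference = 'Stop'

# 1. Public profile: firewall on, every inbound connection blocked, including
#    programs on the "allowed" list (the checkbox shown in Fig. 1), outbound
#    allowed unless a rule says otherwise.
netsh advfirewall set publicprofile state on
netsh advfirewall set publicprofile firewallpolicy blockinboundalways,allowoutbound

# 2. Explicit outbound rule for the UTM -> EGAIS server channel (TCP 443).
#    With the default "allow outbound" policy this rule documents the requirement;
#    it becomes the actual opening if the outbound policy is later switched to block.
netsh advfirewall firewall add rule name="EGAIS UTM HTTPS out" dir=out action=allow protocol=TCP remoteport=443 profile=public

# 3. Optional hardening, left commented out: block all other outbound traffic so
#    that the rules you add (this one, plus rules for the cash register software,
#    DNS and Windows Update) form a complete allow-list. Add those rules first.
# netsh advfirewall set publicprofile firewallpolicy blockinboundalways,blockoutbound

# 4. Verify what actually ended up in the policy.
netsh advfirewall show publicprofile
netsh advfirewall firewall show rule name="EGAIS UTM HTTPS out"
```

If you do switch the outbound policy to block, remember that the workstation still needs DNS (UDP 53) and the Windows Update endpoints (TCP 80/443) to keep the security update process described later working; the verification step at the end shows you exactly which rules are active before you make that change.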

Now let us describe the operating system's own features in more detail.

Dialog filter

Users often want to launch an application that is not intended for daily work: Windows Media Player, RDP, and so on. One way to block the use of such applications is the Dialog Filter. Its main purpose is to suppress any notifications displayed on the screen of a running system, but it can be used in another capacity as well.
The filter is an optional package and is easily installed with the DISM utility (note: here and below, just one of the many ways of using the utilities and built-in features is described):

DISM /Online /Add-Package /PackagePath:E:\DS\winemb-dialog-filter.cab

Note that this can be done directly on the running system (the /Online parameter). Next we start Windows Media Player and launch the dialog filter editor, DialogFilterEditor.exe, from the command line:

Fig. 3

Find the application, in this case Windows Media Player, double-click it and define the action rule for it: "Close":

Fig. 4

Save the configuration of the edited dialog filter and close all the applications we opened and have now blocked from running. Then add the dialog filter to Autostart.
To do this, edit the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run: add DialogFilter.exe to the list of programs started at boot for all users.

Keyboard filter

One way to protect against accidental or deliberate user interference with the system and the applications running on it is the built-in Keyboard Filter. This filter is also an optional package that has to be loaded into the system. That is done the same way as for the dialog filter, but with E:\DS\winemb-keyboard-filter.cab. After it is installed, open the Group Policy editor, gpedit.msc, from a command line with administrator rights.
Then go to the Computer Configuration\Administrative Templates\System\Keyboard Filter section. For example, open the Security Keys section and block every user action in it (Fig. 6).

Fig. 5

Fig. 6

The "Enabled" state means that this key combination is blocked.
This substantially limits the user's ability to manipulate the system. Obviously, the key blocking can be extended further.
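The installation steps from the Dialog Filter and Keyboard Filter sections, scripted so that they can be repeated on every workstation and checked afterwards. This is an added example, not the article's own code. Assumptions: the .cab files sit in E:\DS as in the text, the package names reported by DISM contain the strings "Dialog-Filter" and "Keyboard-Filter" (taken from the cab file names), and DialogFilter.exe can be started by that name from the Run key (use a full path if your image puts it elsewhere). Configuring the Keyboard Filter policies themselves is still done in gpedit.msc as described above.

```powershell
# Added example (not from the article): install the two optional Windows Embedded
# packages with DISM, verify they are present, and register the dialog filter in
# the all-users Run key. Run from an elevated PowerShell prompt.
$ErrorActionPreference = 'Stop'

$packages = @(
    'E:\DS\winemb-dialog-filter.cab',     # assumption: same location as in the text
    'E:\DS\winemb-keyboard-filter.cab'
)

foreach ($cab in $packages) {
    if (-not (Test-Path $cab)) { throw "Package not found: $cab" }
    # /Online applies the package to the running system; /NoRestart defers the reboot.
    dism /Online /Add-Package /PackagePath:$cab /NoRestart
    if ($LASTEXITCODE -ne 0) { throw "DISM failed for $cab (exit code $LASTEXITCODE)" }
}

# Verify: both packages should now be listed among the installed packages.
# The substrings below are an assumption derived from the cab file names.
$installed = dism /Online /Get-Packages
foreach ($name in 'Dialog-Filter', 'Keyboard-Filter') {
    if ($installed -match $name) {
        Write-Host "OK: $name package is installed"
    } else {
        Write-Warning "$name package not listed; see C:\Windows\Logs\DISM\dism.log"
    }
}

# Autostart of the dialog filter for all users (HKLM ...\Run), as in the text.
# Do this only after the filter configuration has been saved in DialogFilterEditor.exe.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$exe    = 'DialogFilter.exe'   # assumption: resolvable by name; otherwise use the full path
Set-ItemProperty -Path $runKey -Name 'DialogFilter' -Value $exe
Get-ItemProperty -Path $runKey | Select-Object DialogFilter   # shows the value just written
```

Keeping the Run value under HKEY_LOCAL_MACHINE rather than HKEY_CURRENT_USER matters here: the restricted "User" account must not be able to remove the entry, and it cannot write to the HKLM key without administrator rights.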

Security updates

A common phenomenon: users forget that an operating system is a living, evolving organism. Usually, once the system is installed, no update work is done at all. That is a serious mistake! Especially for systems such as the EGAIS complex, where particular attention should go to updates that address discovered vulnerabilities in the operating system and applications.
Usually this process is not performed automatically, only under the administrator's control, because updates may affect the functionality of the application software in use. To rule out that possibility, you can reserve the right to install only the updates that relate to security (judging by the update's description):

Fig. 7
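The "security updates only, under administrator control" approach, expressed as a script. This is an added example, not the article's own code. It first sets the Automatic Updates policy so that nothing is downloaded or installed without the administrator (AUOptions = 2, "notify before download"), then uses the Windows Update Agent COM API, which exists on Windows 7-based systems, to list pending updates and keep only those Microsoft classifies as security updates, which is what the selection in Fig. 7 contains. Assumptions: the machine can reach Microsoft Update (or a WSUS server you have configured), and the $Install switch is our own; leave it at $false until the selected updates have been tested on a reference workstation.

```powershell
# Added example (not from the article): administrator-controlled security updates
# on a POSReady 7 workstation. Run from an elevated PowerShell prompt.
$ErrorActionPreference = 'Stop'
$Install = $false   # set to $true only after testing on a reference workstation

# --- Part 1: Automatic Updates policy (HKLM policy key, applies to all users) ---
$au = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
if (-not (Test-Path $au)) { New-Item -Path $au -Force | Out-Null }
Set-ItemProperty -Path $au -Name 'NoAutoUpdate' -Value 0 -Type DWord   # keep the service active
Set-ItemProperty -Path $au -Name 'AUOptions'    -Value 2 -Type DWord   # 2 = notify before download

# --- Part 2: enumerate pending updates and keep the security ones ---
$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
$pending  = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'").Updates

$security = New-Object -ComObject 'Microsoft.Update.UpdateColl'
foreach ($u in $pending) {
    $categories = @($u.Categories | ForEach-Object { $_.Name })
    # MsrcSeverity is set only on updates tied to a security bulletin; the category
    # check catches security updates that carry no severity rating.
    if ($u.MsrcSeverity -or ($categories -contains 'Security Updates')) {
        [void]$security.Add($u)
        $kb = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        Write-Host ("{0,-12} {1,-10} {2}" -f $kb, $u.MsrcSeverity, $u.Title)
    }
}
Write-Host "$($security.Count) of $($pending.Count) pending updates are security updates."

# --- Part 3: download and install only when the administrator says so ---
if ($Install -and $security.Count -gt 0) {
    foreach ($u in $security) { if (-not $u.EulaAccepted) { $u.AcceptEula() } }
    $downloader = $session.CreateUpdateDownloader()
    $downloader.Updates = $security
    [void]$downloader.Download()
    $installer = $session.CreateUpdateInstaller()
    $installer.Updates = $security
    $result = $installer.Install()
    Write-Host "Install result code: $($result.ResultCode); reboot required: $($result.RebootRequired)"
}
```

The policy values in Part 1 are read by the Windows Update service when it next refreshes policy, so run gpupdate /force or restart the wuauserv service after setting them. Part 2 is safe to run at any time: it only reads the update catalogue, and the list it prints is what the administrator reviews before deciding on Part 3.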

Within this article we do not claim to cover the full range of approaches to improving the resilience and reliability of the EGAIS software and hardware complex. However, the recommendations above can significantly simplify the first steps towards a reliably operating system. And note that all of the above was done with the standard Microsoft tools that are part of the Microsoft Windows Embedded POSReady 7 operating system.

Source: https://habr.com/ru/post/274907/
