Windows Networking API/Redirector Security

The redirector is a system-supplied (network) file system driver that provides access to files on remote computers. Applications can use Windows networking functions to establish and terminate network connections and to retrieve current configuration data for the Microsoft Network. Windows CE provides applications that allow the user to directly connect to, and retrieve data from, remote file shares.

For more information about the Redirector, see Windows Networking API/Redirector.

Because the Server Message Block (SMB) is susceptible to hacker attacks, and data is transmitted in readable form, the Redirector feature poses some security risks. However, you can use some techniques to lower the risk to both your client and your server.

Best Practices

Use credentials

You can protect redirector shares with credentials, such as restrictions that allow only certain users to connect.

When using credentials, keep in mind that credential caching in the Windows CE redirector works the following way. When the Windows CE redirector first connects to a server, it authenticates using the credentials supplied by the user or an application (if the WNetAddConnection3 function is being called). The session established is kept connected for a period of time, during which other applications may access files over this connection, with the same level of access as the original logon. Once all files open on the server have been closed, the redirector will shut down the session to the server, requiring subsequent accesses to reauthenticate. The period of time between when the last file is closed and the OS shuts down the session is controlled by the ResourceExpiryInt registry setting. For more information, see Redirector Registry Settings.

An application can use the WNetEnumResource and WNetCancelConnection2 functions to force all files that are open on a particular server to be closed. This may be a good practice if an application needs to support multiple users, so that the current user cannot leverage connections established by the previous users.

Use SMB signing

To help protect the privacy between the client and server, you can enable SMB signing if the server supports it. This helps prevent a third party from altering requests and responses in the network during transport.

Default Registry Settings

You should be aware of the registry settings that impact security. In the registry settings documentation you will find a Security Note for those values with security implications.

For Redirector registry information, see Redirector Registry Settings.

See Also

Windows Networking API/Redirector | Accessing Remote File Systems | Managing Network Connections with WNet | Redirector Registry Settings | Windows Networking API/Redirector Functions | Windows Networking API/Redirector Structures

 Last updated on Saturday, April 10, 2004

© 1992-2003 Microsoft Corporation. All rights reserved.