The cygwin /dev/random makes use of the underlying
CryptGenRandom from the Windows API. This draws from a number of entropy sources (though the code is not open source), such as process id, thread id, system clock, system time, a hash of the user environment block, and so on.
The cygwin /dev/urandom falls back to a pseudo random generator based on the linear congruence one described in Knuth (with a multiplier of 6364136223846793005 and shift of 21). Although it is a high quality random generator, it is not cryptographically strong, so if you really need more security than just writing zeros to the disk sectors (!), then /dev/urandom is perhaps not the best way to go.
If you are generating a significant amount of random data from /dev/urandom, don't forget to use block reads (so that the call overhead is minimized), or just implement the random generator yourself (it is only a few lines of code).