Share via


LASS Security

A version of this page is also available for

Windows Embedded CE 6.0 R3

4/8/2010

LASS supports application-independent and authentication mechanism-independent user authentication, while LAPs enable application-independent user authentication to devices. Therefore, compromising the security of either the LASS or a LAP will have a direct effect on the security of your sensitive resources.

This section provides security considerations for working with LASS and LAPs. As you do when working with any Windows Embedded CE functionality, you should always use secure coding and authentication techniques. For more information about Windows Embedded CE security services, see

Best Practices for LASS

Use a two-tier trust model to enhance security

LASS is dependent on a trust model. Without the trust model, LASS can be disabled by any running application. To enhance the security that you get from LASS, you must use a two-tier trust model, or make sure that you do not allow applications, created by application developers, to run on your operating system.

Best Practices for a LAP

Understand the enrollment behavior of the LAP before having the application call VerifyUser for the first time

The password LAP that is available in Windows Embedded CE is currently configured to return TRUE on application calls to VerifyUser until an enrollment has completed. Since this behavior can potentially compromise your device, the application must always enroll with the LAP before the first call to VerifyUser.

Implement the LASS Exponential Backoff mechanism

If your LAP is vulnerable to brute force attacks, it is good practice to have the LAP implement the LASS Exponential Backoff mechanism. This mechanism is designed to deter brute force attacks that rapidly try several authentications on a LAP by introducing an exponentially increasing time delay between unsuccessful consecutive application attempts to call VerifyUser.

Default Registry Settings

When working with LASS and LAPs, you should be aware of the registry settings that impact security. If a value has security implications, you will find a Security Note in the registry settings documentation. For LASS-related registry information, see LASS Registry Settings.

Ports

No specific ports are used for LASS.

See Also

Reference

LASS Registry Settings

Other Resources

Local Authentication Subsystem (LASS)