LASS Registry Settings (Windows Embedded CE 6.0)
1/6/2010
The registry stores information necessary to configure the operating system for applications and hardware devices. The registry also contains information that the operating system continually references during operation.
Exponential Backoff Registry Settings
The HKEY_LOCAL_MACHINE\Comm\Security\LASSD registry key is used to enable the LASS exponential backoff mechanism. This mechanism is designed to deter brute force attacks that rapidly try several authentications on a LAP by introducing an exponentially increasing time delay between unsuccessful consecutive attempts of the VerifyUser call to a LAP.
The time delay or lockout time is calculated by using the following expression:
(InitialPenalty + (2^(Number of failures above Threshold)) * IncrementalPenalty)
The following table shows the named values.
Value : type | Description |
---|---|
InitialPenalty : REG_DWORD | Time, in seconds, for the initial penalty. Default value is 0. |
Threshold : REG_DWORD | The number of failures before the exponential backoff mechanism is activated. Default value is 0. This indicates that exponential backoff is disabled. |
IncrementalPenalty : REG_DWORD | Time, in seconds, of the multiplier for the exponent. Default value is 0, indicating that there is no delay beyond the value set for InitialPenalty. |
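The following added example (not part of the original documentation and not LASS source code) evaluates the lockout expression for a given policy, so that the delay schedule and the total enforced waiting time can be checked before the values are deployed. The struct and function names are hypothetical, the sample policy is constructed, and the code assumes that no delay applies until the failure count exceeds Threshold.

```c
#include <stdint.h>
#include <stdio.h>

/* REG_DWORD values read from HKLM\Comm\Security\LASSD (times in seconds). */
typedef struct {
    uint32_t initial_penalty;      /* InitialPenalty */
    uint32_t threshold;            /* Threshold; 0 disables backoff */
    uint32_t incremental_penalty;  /* IncrementalPenalty */
} lass_backoff_cfg;

/* Lockout after `failures` consecutive failed VerifyUser calls:
   InitialPenalty + 2^(failures - Threshold) * IncrementalPenalty.
   Assumption: no delay until failures exceed Threshold. This example
   saturates at UINT64_MAX instead of wrapping; LASS may behave differently. */
uint64_t lass_lockout_seconds(const lass_backoff_cfg *c, uint32_t failures)
{
    if (c->threshold == 0 || failures <= c->threshold)
        return 0;
    uint32_t n = failures - c->threshold;
    if (c->incremental_penalty == 0)
        return c->initial_penalty;
    if (n >= 32)
        return UINT64_MAX;
    return (uint64_t)c->initial_penalty + ((uint64_t)c->incremental_penalty << n);
}

/* Total enforced wait needed to make `attempts` wrong guesses in a row
   (delays follow failures 1 .. attempts-1). Pass DeviceWipeThreshold to get
   the minimum time the policy imposes before the wipe threshold is reached. */
uint64_t lass_total_wait_seconds(const lass_backoff_cfg *c, uint32_t attempts)
{
    uint64_t total = 0;
    for (uint32_t f = 1; f < attempts; f++) {
        uint64_t d = lass_lockout_seconds(c, f);
        if (d > UINT64_MAX - total)
            return UINT64_MAX;
        total += d;
    }
    return total;
}

int main(void)
{
    lass_backoff_cfg cfg = { 5, 3, 2 };   /* constructed sample policy */
    for (uint32_t f = 1; f <= 8; f++)
        printf("failure %u -> lockout %llu s\n", (unsigned)f,
               (unsigned long long)lass_lockout_seconds(&cfg, f));
    printf("wait before 8th guess: %llu s\n",
           (unsigned long long)lass_total_wait_seconds(&cfg, 8));
    return 0;
}
```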
LAP Codeword and Device Wipe Registry Settings
The HKEY_LOCAL_MACHINE\Comm\Security\LASSD registry key is used to configure the LASS settings for codeword functionality and the threshold for device wipes. After a number of failed password attempts, defined by the CodeWordFrequency setting, the device completely locks up and prompts the user to enter a displayed codeword to unlock it again. The purpose of the codeword prompt is to be sure that the incorrect password attempts are not the result of accidental key presses. After entering the displayed codeword, the user is then able to make more password attempts. Once the device wipe threshold is reached, the device wipes the memory, including all data and certificates.
Note
Do not implement a code word that includes Double Byte Character Set (DBCS) characters. While the CodeWord registry node will accept DBCS characters, users cannot enter DBCS characters on a device.
The following table shows the named values.
Value : type | Description |
---|---|
CodeWordFrequency : REG_DWORD | The number of times an incorrect password can be entered before a displayed codeword must be entered to continue. This is to prevent accidental password entry resulting in a local device wipe. If the registry key either does not exist or is set to 4294967295 (0xFFFFFFFF), this policy is not enforced. |
CodeWord : REG_SZ | Codeword that the user will be requested to type. |
DeviceWipeThreshold : REG_DWORD | The number of authentication failures before the device will be wiped. A value of 0 disables device wipe functionality. |
LAP Installation Registry Settings
To install a new LAP, add a new subkey to the HKEY_LOCAL_MACHINE\Comm\Security\LASSD\LAP registry key that specifies the user-defined name for the new LAP. Use the Dll value for the subkey to specify the location for the LAP.
In the following example, lap_scard is the user-defined name for the new LAP, and the Dll value indicates the name of the LAP DLL.
[HKEY_LOCAL_MACHINE\Comm\Security\LASSD\LAP\lap_scard]
"Dll"="lap_smartcard.dll"
The following table shows the named values.
Value : type | Description |
---|---|
Dll : REG_SZ | The name of the DLL for a LAP that you want to install. |
LAP Activation Registry Settings
Installing a LAP does not make it active. To make the LAP active, you must activate it after installation. Specify the active LAP by using the ActiveLap value under the HKEY_LOCAL_MACHINE\Comm\Security\LASSD\LAP registry key.
In the following example, ActiveLap is set to lap_scard, which is the subkey that specifies the name of the LAP DLL.
[HKEY_LOCAL_MACHINE\Comm\Security\LASSD\LAP]
"ActiveLap"="lap_scard"
The following table shows the named values.
Value : type | Description |
---|---|
ActiveLap : REG_SZ | A key in the LAP tree. The value of the DLL in the LAP tree specifies the DLL that LASS will load. |
LAP Password Settings
The length and type of a password can be enforced on the Microsoft Default LAP using the MinimumPasswordLength and PasswordComplexity settings under the HKEY_LOCAL_MACHINE\Comm\Security\LASSD\LAP\lap_pw registry key. These settings will only be enforced if PasswordNotRequired is set to zero (0).
In the following example, the minimum length of the password is set to 9 characters and the complexity is set so that a strong password is required.
[HKEY_LOCAL_MACHINE\Comm\Security\LASSD\LAP\lap_pw]
"MinimumPasswordLength"=dword:00000009
"PasswordComplexity"=dword:00000000
The following table shows the settings and values:
Value : type | Description |
---|---|
MinimumPasswordLength : REG_DWORD | Sets the minimum device password length the user can enter. The length is measured in characters and can be set to any number less than or equal to the maximum number of characters allowed. Entering zero (0) for MinimumPasswordLength results in the default setting of 1. Note: Using Wireless Access Protocol (WAP) allows for password lengths from 1 to 256 characters. However, setting this parameter with the Exchange Security Manager limits you to a minimum of 4 and a maximum of 18 characters. This value works in conjunction with security policy 4131, which when set to zero (0) indicates that password enforcement is required on the device. If password enforcement is not required, the value of MinimumPasswordLength is ignored. |
PasswordComplexity : REG_DWORD | Sets the complexity of the Device Password. The following list shows the possible values: Setting this parameter with the Exchange Security Manager results in a setting of zero (0) or 2. It is not possible to set this parameter to 1 using the Exchange Security Manager. |
AE Registry Settings
To install a new authentication event (AE), create a subkey with the GUID of the AE under the HKEY_LOCAL_MACHINE\Comm\Security\LASSD\AE registry key. For examples, see Installing an AE.
The following table shows the named values.
Value : type | Description |
---|---|
FriendlyName : REG_SZ | String that indicates to the user what the AE represents. |
DisplayText : REG_SZ | String that indicates the name of the application that is verifying the user in a call to VerifyUser. |
AEFrequencyType : REG_DWORD | Type of frequency policy used to control an AE. It can be any one of the following values, and AEFrequencyValue is interpreted differently based on each value: |
AEFrequencyValue : REG_DWORD | Value indicating how often user authentication will occur. The interpretation of AEFrequencyValue depends on the value of AEFrequencyType. For more information about how AEFrequencyType and AEFrequencyValue are related, see Setting an AE Policy. When AEFrequencyType is set to 0, AEFrequencyValue has the following special cases: |
Authentication Reset Settings
The Authentication Reset Settings determine whether a device can be reset by RemoteWipe. The messages displayed to users can be customized for authentication reset in the default Local Authentication Plug-in (LAP). All keys listed in the table are located in the path HKEY_LOCAL_MACHINE\Comm\Policy\LASSD\AuthReset.
Value : type | Description |
---|---|
AuthenticationReset : REG_DWORD | Specifies whether or not to allow authentication reset on the device. If this setting is enabled, the Reset Password option appears in the password menu. |
RequestMessage : REG_SZ | This message is displayed to the user before the reset process begins. If no message is specified, a default message is displayed. |
RequestSuccessMessage : REG_SZ | This message is displayed if the reset process completes successfully. If no message is specified, a default message is displayed. |
RequestFailureMessage : REG_SZ | This message is displayed if the reset process fails. If no message is specified, a default message is displayed. |
RecoveryMessage : REG_SZ | This message is displayed in the Recovery PIN entry dialog. If no message is specified, a default message is displayed. |
RecoveryPhone : REG_SZ | This is a secondary string to be displayed following the recovery message. |
LAP Hash Algorithm
Registry Name | LAPHashAlgorithm |
Description | The identifier of the algorithm the LAP uses to hash the device password and admin key. OEMs can update this if new algorithms are installed on the device. The value used when creating a new password hash is stored in the registry with the password. The default LAP uses 0x800C (CALG_SHA_256) if this value is not set. |
Registry Location | HKLM\Comm\Security\Policy\LASSD\LAP\lap_pw [LAPHashAlgorithm]; HKLM\Comm\Security\LASSD\LAP\lap_pw [LAPHashAlgorithm] |
Type | REG_DWORD |
Default Value | <None> |
Values | Algorithm identifiers are defined in Wincrypt.h. The algorithm must have the ALG_CLASS_HASH bit set and may not include the following hash types: ALG_SID_MD2, ALG_SID_MD4, ALG_SID_MD5, ALG_SID_SHA, ALG_SID_SHA1, ALG_SID_MAC, ALG_SID_RIPEMD, ALG_SID_RIPEMD160, ALG_SID_SSL3SHAMD5, ALG_SID_HMAC, ALG_SID_TLS1PRF, ALG_SID_HASH_REPLACE_OWF. If any of the disallowed hash types are specified, the default value is used. |
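The following added example (not part of the original documentation and not the LAP's own code) applies the two rules from the Values row to a configured LAPHashAlgorithm value and reports which algorithm would take effect, which is useful when auditing an OEM image for a weak or ignored setting. The function and enum names are hypothetical, the sample identifiers are constructed, and the numeric constants are the desktop Wincrypt.h values reproduced inline so that the check builds off-device.

```c
#include <stdint.h>
#include <stdio.h>

/* Values as defined in the desktop Wincrypt.h, copied here so the check builds
   off-device; confirm them against the Wincrypt.h shipped with your CE image. */
#define ALG_CLASS_HASH   (4u << 13)      /* 0x8000 */
#define GET_ALG_SID(x)   ((x) & 511u)
#define CALG_SHA_256     0x800Cu         /* default used by the default LAP */
enum {
    ALG_SID_MD2 = 1, ALG_SID_MD4, ALG_SID_MD5, ALG_SID_SHA, ALG_SID_SHA1 = 4,
    ALG_SID_MAC, ALG_SID_RIPEMD, ALG_SID_RIPEMD160, ALG_SID_SSL3SHAMD5,
    ALG_SID_HMAC, ALG_SID_TLS1PRF, ALG_SID_HASH_REPLACE_OWF
};

typedef enum { LAP_ALG_OK, LAP_ALG_NOT_HASH, LAP_ALG_DISALLOWED } lap_alg_status;

/* Apply the Values rules literally: hash-class bit set, SID not on the list. */
lap_alg_status lap_check_hash_alg(uint32_t alg)
{
    static const uint32_t disallowed[] = {
        ALG_SID_MD2, ALG_SID_MD4, ALG_SID_MD5, ALG_SID_SHA, ALG_SID_SHA1,
        ALG_SID_MAC, ALG_SID_RIPEMD, ALG_SID_RIPEMD160, ALG_SID_SSL3SHAMD5,
        ALG_SID_HMAC, ALG_SID_TLS1PRF, ALG_SID_HASH_REPLACE_OWF
    };
    if ((alg & ALG_CLASS_HASH) == 0)
        return LAP_ALG_NOT_HASH;
    for (size_t i = 0; i < sizeof disallowed / sizeof disallowed[0]; i++)
        if (GET_ALG_SID(alg) == disallowed[i])
            return LAP_ALG_DISALLOWED;
    return LAP_ALG_OK;
}

/* Algorithm the LAP ends up with. Fallback for disallowed types is stated in
   the table; applying it to non-hash identifiers too is an assumption. */
uint32_t lap_effective_hash_alg(uint32_t configured)
{
    return lap_check_hash_alg(configured) == LAP_ALG_OK ? configured : CALG_SHA_256;
}

int main(void)
{
    /* constructed sample values: SHA-256, MD5, SHA-1, SHA-384, AES-128 */
    const uint32_t samples[] = { 0x800C, 0x8003, 0x8004, 0x800D, 0x660E };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("0x%04X -> status %d, effective 0x%04X\n", (unsigned)samples[i],
               (int)lap_check_hash_alg(samples[i]),
               (unsigned)lap_effective_hash_alg(samples[i]));
    return 0;
}
```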
LAP Provider Type
Registry Name | LAPProviderType |
Description | The DWORD that specifies which cryptographic provider type the LAP passes to CryptAcquireContext() for all of its cryptographic functions. OEMs can update this as needed. The value used when creating a new password hash is stored in the registry with the password. The default LAP uses 24 (PROV_RSA_AES) if this value is not set. |
Registry Location | HKLM\Comm\Security\Policy\LASSD\LAP\lap_pw [LAPProviderType]; HKLM\Comm\Security\LASSD\LAP\lap_pw [LAPProviderType] |
Type | REG_DWORD |
Default Value | <None> |
Values | Cryptographic service providers are defined in Wincrypt.h. The provider must support the algorithm specified in the LAPHashAlgorithm registry value or the default hash algorithm if none is specified. |
LAP Provider Name
Registry Name | LAPProviderName |
Description | The name of a cryptographic services provider that supports the hash algorithm specified in the LAPHashAlgorithm registry value. OEMs can update this if new providers are installed on the device. The value used when creating a new password hash is stored in the registry with the password. The ARC uses the default provider if this value is not set (see documentation for CryptAcquireContext). |
Registry Location | HKLM\Comm\Security\Policy\LASSD\LAP\lap_pw [LAPProviderName]; HKLM\Comm\Security\LASSD\LAP\lap_pw [LAPProviderName] |
Type | REG_SZ |
Default Value | <None> |
Values | The specified provider must be the type of provider specified in the LAPProviderType registry value, or the default type if none exists. It must support the algorithm specified in the LAPHashAlgorithm registry value or the default hash algorithm if none is specified. |
See Also
Other Resources
Local Authentication Subsystem (LASS)
LASS Application Development
LASS OS Design Development