Compartilhar via


Authentication Protocols (Windows Embedded CE 6.0)

1/6/2010

You can control access to the device and services only to authorized users by implementing authentication protocols available in Windows Embedded CE. Some are built into the Catalog items and others require you to add Catalog items to your operating system. For example, if you want to use NTLM SSP and/or Kerberos SSP, you need to add these Catalog items to your operating system. NTLM and Kerberos are implemented through the Security Support Provider Interface (SSPI).

SSPI is available through the Secur32.dll module, which is a well-defined, commonly used, API for obtaining integrated security services for authentication, message integrity, and message privacy. It provides an abstraction layer between application-level protocols and security protocols. Because different applications require different ways of identifying or authenticating users and different ways of encrypting data as it travels across a network, SSPI provides a way to access dynamic-link libraries (DLLs) containing different authentication and cryptographic data schemes. These DLLs are called Security Support Providers (SSPs).

The following illustration shows the relationship of the SSP DLLs to the SSPI Secur32.dll, Winsock, and WinInet.

Ee497919.cf2a9cdd-3324-4a73-ae70-7c6fbb765712(en-US,WinEmbedded.60).gif

Windows Embedded CE provides the following security support providers (SSPs):

Some schemes are more secure than others. Basic authentication is much weaker than any other authentication protocol, therefore you should keep this in mind when determining which scheme best fits the needs of the application.

The following list summarizes a few authentication best practices:

  • Use the StartUI component to password-protect a device. Without password protection, anyone can use the device and potentially gain access to resources on a network.
  • Enable device locking capabilities to require a password to access a device while it is powered on.
  • If you need to keep user credentials on the device, save user credentials in the registry. For best protection, do not store user credentials on the device. This prevents hackers from extracting the network credentials from the device if the device is stolen.
    If you want to allow users to save authentication information on a device, use Credential Manager. However, you can increase the level of protection if you do not save user credentials on the device itself. If the application is using the Credential Manager, you can set the DisallowSavedNetworkPasswords registry value to 1. This prevents hackers from extracting the network credentials from the device in case the device is stolen.

See Also

Concepts

Authentication Services Security

Other Resources

Enhancing the Security of a Device
Authentication Services
LDAP Application Development
Smart Card
Credential Manager