Поделиться через


LASS Registry Settings (Windows CE 5.0)

Send Feedback

The registry stores information necessary to configure the operating system for applications and hardware devices. The registry also contains information that the operating system continually references during operation.

Note   The default registry values vary depending on which Catalog items are included in your OS design. For more information, see Default Registry Settings.

Exponential Backoff Registry Settings

The HKEY_LOCAL_MACHINE\Comm\Security\LASSD\Lockout registry key is used to enable the LASS exponential backoff mechanism. This mechanism is designed to deter brute force attacks that rapidly try several authentications on a LAP by introducing an exponentially increasing time delay between unsuccessful consecutive attempts of the VerifyUser call to a LAP. For more information about exponential backoff, see LASS Exponential Backoff.

The time delay or lockout time is calculated by using the following expression:

(InitialPenalty + (2^(Number of failures above Threshold)) * IncrementalPenalty)

The following table shows the named values.

Value : type Description
InitialPenalty : REG_DWORD Time, in seconds, for the initial penalty.

Default value is 0.

Threshold : REG_DWORD The number of failures before the exponential backoff mechanism is activated.

Default value is 0. This indicates that exponential backoff is disabled.

IncrementalPenalty : REG_DWORD Time, in seconds, of the multiplier for the exponent.

Default value is 0, indicating that there is no delay beyond the value set for InitialPenalty.

LAP Codeword and Device Wipe Registry Settings

The HKEY_LOCAL_MACHINE\Comm\Security\LASSD\Lockout registry key is used to configure the LASS settings for codeword functionality and the threshold for device wipes.

Note   Do not implement a code word that includes Double Byte Character Set (DBCS) characters. While the CodeWord registry node will accept DBCS characters, users cannot enter DBCS characters on a device.

The following table shows the named values.

Value : type Description
CodeWordFrequency : REG_DWORD Determines the frequency for displaying code word confirmation during the LAP authentication process. Setting this value to 0 disables codeword functionality.
CodeWord : REG_SZ Codeword that the user will be requested to type.
DeviceWipeThreshold : REG_DWORD The number of authentication failures before the device will be wiped. A value of 0 disables device wipe functionality.

LAP Installation Registry Settings

To install a new LAP, add a new subkey to the HKEY_LOCAL_MACHINE\Comm\Security\LASSD\LAP registry key that specifies the user-defined name for the new LAP. Use the Dll value for the subkey to specify the location for the LAP.

In the following example, lap_scard is the user-defined name for the new LAP, and the Dll value indicates the name of the LAP DLL.

[HKEY_LOCAL_MACHINE\Comm\Security\LASSD\LAP\lap_scard]
   "Dll"="lap_smartcard.dll"

The following table shows the named values.

Value : type Description
Dll : REG_SZ The name of the DLL for a LAP that you want to install.

LAP Activation Registry Settings

Installing a LAP does not make it active. To make the LAP active, you must activate it after installation. Specify the active LAP by using the ActiveLap value under the HKEY_LOCAL_MACHINE\Comm\Security\LASSD\LAP registry key.

In the following example, ActiveLap is set to lap_scard, which is the subkey that specifies the name of the LAP DLL.

[HKEY_LOCAL_MACHINE\Comm\Security\LASSD\LAP]
   "ActiveLap"="lap_scard"

The following table shows the named values.

Value : type Description
ActiveLap : REG_SZ A key in the LAP tree. The value of the DLL in the LAP tree specifies the DLL that LASS will load.

AE Registry Settings

To install a new authentication event (AE), create a subkey with the GUID of the AE under the HKEY_LOCAL_MACHINE\Comm\Security\LASSD\AE registry key. For examples, see Installing an AE.

The following table shows the named values.

Value : type Description
FriendlyName : REG_SZ String that indicates to the user what the AE represents.
DisplayText : REG_SZ String that indicates the name of the application that is verifying the user in a call to VerifyUser.
AEFrequencyType : REG_DWORD Type of frequency policy used to control an AE. It can be any one of the following values, and AEFrequencyValue is interpreted differently based on each value:
  • 0: User authentication occurs at the frequency specified by AEFrequencyValue.
  • 2: AEFrequencyValue represents the number of minutes since any AE returned from VerifyUser successfully.
  • 3: AEFrequencyValue represents the number of minutes since the specified AE returned from VerifyUser sucessfully
AEFrequencyValue : REG_DWORD Value indicating how often user authentication will occur. The interpretation of AEFrequencyValue depends on the value of AEFrequencyType. For more information about how AEFrequencyType and AEFrequencyValue are related, see Setting an AE Policy.

When AEFrequencyType is set to 0, AEFrequencyValue has the following special cases:

  • 0: Call LAP every time VerifyUser is called.
  • 0xFFFFFFFF : Never call into LAP.
  • N: Call into LAP every N-1 time(s) that VerifyUser is called.

See Also

Local Authentication Subsystem (LASS) | LASS Application Development | LASS OS Design Development

Send Feedback on this topic to the authors

Feedback FAQs

© 2006 Microsoft Corporation. All rights reserved.