LASS Security
4/8/2010
LASS supports application-independent and authentication mechanism-independent user authentication, while LAPs enable application-independent user authentication to devices. Therefore, compromising the security of either the LASS or a LAP will have a direct effect on the security of your sensitive resources.
This section provides security considerations for working with LASS and LAPs. As you do when working with any Windows Embedded CE functionality, you should always use secure coding and authentication techniques. For more information about Windows Embedded CE security services, see
Best Practices for LASS
Use a two-tier trust model to enhance security
LASS is dependent on a trust model. Without the trust model, LASS can be disabled by any running application. To enhance the security that you get from LASS, you must use a two-tier trust model, or make sure that you do not allow applications created by application developers to run on your operating system.
Best Practices for a LAP
Understand the enrollment behavior of the LAP before having the application call VerifyUser for the first time
The password LAP that is available in Windows Embedded CE is currently configured to return TRUE on application calls to VerifyUser until an enrollment has completed. Since this behavior can potentially compromise your device, the application must always enroll with the LAP before the first call to VerifyUser.
Implement the LASS Exponential Backoff mechanism
If your LAP is vulnerable to brute-force attacks, it is good practice to have the LAP implement the LASS Exponential Backoff mechanism. This mechanism is designed to deter brute-force attacks that rapidly try several authentications on a LAP. It does so by introducing an exponentially increasing time delay between consecutive unsuccessful attempts by an application to call VerifyUser.
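The following is an added example, not code from the original page or from Windows Embedded CE: a small C model of an exponentially increasing delay between consecutive failed verification attempts. The policy fields (threshold, base_delay_ms, max_delay_ms), the function names, and the sample values are assumptions for illustration; they are not LASS registry settings or defaults.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical policy values for illustration; not LASS registry names or defaults. */
typedef struct {
    uint32_t threshold;     /* consecutive failures tolerated with no delay */
    uint32_t base_delay_ms; /* delay after the first failure past the threshold */
    uint32_t max_delay_ms;  /* cap: bounds the delay and prevents overflow */
} backoff_policy;

typedef struct {
    uint32_t failures;        /* consecutive failed verifications */
    uint64_t locked_until_ms; /* attempts before this time are not evaluated */
} backoff_state;

typedef enum { ATTEMPT_OK, ATTEMPT_FAILED, ATTEMPT_THROTTLED } attempt_result;

/* Delay doubles with each failure past the threshold, up to max_delay_ms. */
uint32_t backoff_delay_ms(const backoff_policy *p, uint32_t failures) {
    if (failures <= p->threshold || p->base_delay_ms == 0) return 0;
    uint32_t steps = failures - p->threshold - 1;
    uint64_t delay = p->base_delay_ms;
    while (steps-- > 0 && delay < p->max_delay_ms) delay *= 2;
    return delay > p->max_delay_ms ? p->max_delay_ms : (uint32_t)delay;
}

/* credential_ok stands in for the LAP's own check; it is ignored while throttled,
   so a guess made during the delay reveals nothing and does not reset the counter. */
attempt_result backoff_attempt(const backoff_policy *p, backoff_state *s,
                               uint64_t now_ms, bool credential_ok) {
    if (now_ms < s->locked_until_ms) return ATTEMPT_THROTTLED;
    if (credential_ok) { s->failures = 0; s->locked_until_ms = 0; return ATTEMPT_OK; }
    if (s->failures < UINT32_MAX) s->failures++;
    s->locked_until_ms = now_ms + backoff_delay_ms(p, s->failures);
    return ATTEMPT_FAILED;
}

int main(void) {
    backoff_policy p = { 3, 1000, 60000 }; /* constructed sample policy */
    backoff_state s = { 0, 0 };
    uint64_t now = 0;
    for (int i = 1; i <= 12; i++) { /* 12 wrong guesses, each at the earliest allowed time */
        backoff_attempt(&p, &s, now, false);
        printf("failure %2d -> next attempt in %u ms\n", i,
               (unsigned)backoff_delay_ms(&p, s.failures));
        now = s.locked_until_ms > now ? s.locked_until_ms : now;
    }
    return 0;
}
```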
Default Registry Settings
When working with LASS and LAPs, you should be aware of the registry settings that impact security. If a value has security implications, you will find a Security Note in the registry settings documentation. For LASS-related registry information, see LASS Registry Settings.
Ports
No specific ports are used for LASS.