LASS Exponential Backoff (Windows Embedded CE 6.0)

1/6/2010

LASS exponential backoff is a mechanism that can be optionally enabled if you have a LAP that is vulnerable to brute force attacks. By default, this mechanism is disabled, but you can enable it by using the registry settings defined in LASS Registry Settings.

When exponential backoff is configured in the LASS, LASS places exponentially growing time delays between consecutive failures of application calls to VerifyUser. A failure occurs when the application calls VerifyUser without setting VU_NO_UI, and VerifyUser returns FALSE with GetLastError not equal to ERROR_CANCELLED. The number of failures is reset when VerifyUser returns successfully.

When exponential backoff is activated, the application that is authenticating the user is suspended and will be unresponsive. LASS does not display user feedback during lockout. Depending on the registry settings, the time delays between consecutive failures can increase rapidly. If the number of consecutive failures is higher than the threshold limit that is specified in the registry, the time delay, or lockout time, is calculated using the following expression, where the values of InitialPenalty, Threshold, and IncrementalPenalty are specified under the HKEY_LOCAL_MACHINE\Comm\Security\LASSD\LockOut registry key.

(InitialPenalty + (2^(Number of failures above Threshold))*IncrementalPenalty)

If the threshold is set to zero, or if the number of failed attempts to authenticate the user is below the threshold, there is no time delay.
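The following C model is an added illustration, not code from Windows Embedded CE or its LASS: it applies the expression above to a consecutive-failure counter that follows the rules on this page (no delay when Threshold is 0 or the count is not above it, failures counted only for non-VU_NO_UI calls that return FALSE without ERROR_CANCELLED, reset on success). The registry values and the VU_NO_UI bit value are constructed placeholders, and treating a count equal to Threshold as "not above" is an assumption.

```c
#include <stdint.h>
#include <stdbool.h>

/* Stand-ins so the model compiles off-device: ERROR_CANCELLED is the
   real Win32 value (1223); the VU_NO_UI bit value is a placeholder. */
#define ERROR_CANCELLED 1223UL
#define VU_NO_UI        0x1UL

/* Constructed values for the three entries under
   HKEY_LOCAL_MACHINE\Comm\Security\LASSD\LockOut (unit as in the registry). */
typedef struct {
    uint32_t InitialPenalty;
    uint32_t Threshold;
    uint32_t IncrementalPenalty;
} LockoutConfig;

/* Consecutive-failure counter that LASS keeps between VerifyUser calls. */
typedef struct { uint32_t failures; } LockoutState;

/* InitialPenalty + 2^(failures above Threshold) * IncrementalPenalty.
   Threshold == 0 disables the delay; a count at or below Threshold gets
   none (assumption: "equal" counts as "not above"). Saturates instead of
   overflowing for very large exponents. */
uint64_t lockout_delay(const LockoutConfig *cfg, uint32_t failures)
{
    if (cfg->Threshold == 0 || failures <= cfg->Threshold)
        return 0;
    uint32_t above = failures - cfg->Threshold;
    if (above > 32)                    /* 2^above * penalty would overflow */
        return UINT64_MAX;
    return (uint64_t)cfg->InitialPenalty
         + ((uint64_t)1 << above) * cfg->IncrementalPenalty;
}

/* Feed one VerifyUser outcome into the counter and return the lockout time
   LASS would impose for it. Only a FALSE return without VU_NO_UI and with
   GetLastError() != ERROR_CANCELLED counts as a failure; TRUE resets. */
uint64_t record_verify_user(LockoutState *st, const LockoutConfig *cfg,
                            uint32_t flags, bool returned, uint32_t last_error)
{
    if (returned) { st->failures = 0; return 0; }
    if ((flags & VU_NO_UI) || last_error == ERROR_CANCELLED)
        return 0;                      /* not a counted failure */
    st->failures++;
    return lockout_delay(cfg, st->failures);
}

/* Scenario: threshold 3; a cancelled and a no-UI call interleaved with four
   real failures. Returns the delay imposed on the fourth real failure. */
uint64_t demo_fourth_failure_delay(void)
{
    const LockoutConfig cfg = { 1000, 3, 500 };
    LockoutState st = { 0 };
    record_verify_user(&st, &cfg, 0, false, 0);                 /* 1 */
    record_verify_user(&st, &cfg, 0, false, ERROR_CANCELLED);   /* ignored */
    record_verify_user(&st, &cfg, VU_NO_UI, false, 0);          /* ignored */
    record_verify_user(&st, &cfg, 0, false, 0);                 /* 2 */
    record_verify_user(&st, &cfg, 0, false, 0);                 /* 3 */
    return record_verify_user(&st, &cfg, 0, false, 0);          /* 4 */
}
```

With InitialPenalty 1000, Threshold 3 and IncrementalPenalty 500, the fourth, fifth and sixth consecutive failures yield 2000, 3000 and 5000 units respectively, which shows how quickly the schedule grows once the threshold is crossed.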

See Also

Other Resources

LASS OS Design Development