LASS Security (Windows CE 5.0)
LASS supports application-independent and authentication mechanism-independent user authentication, while LAPs enable application-independent user authentication to devices. Therefore, compromising the security of either the LASS or a LAP will have a direct effect on the security of your sensitive resources.
This section provides security considerations for working with LASS and LAPs. As you do when working with any Windows CE functionality, you should always use secure coding and authentication techniques. For more information about Windows CE security services, see Enhancing the Security of a Device.
Best Practices for LASS
Use a two-tier trust model to enhance security
LASS is dependent on a trust model. Without the trust model, LASS can be disabled by any running application. To enhance the security that you get from LASS, you must use a two-tier trust model, or make sure that you do not allow any ISV applications to run on your OS. For more information about creating a trusted environment, see Trusted Environment Creation.
Best Practices for a LAP
Use discretion when you assign trust levels to third-party applications
Understand the enrollment behavior of the LAP before having the application call VerifyUser for the first time
The password LAP that is available in Windows CE is currently configured to return TRUE on application calls to VerifyUser until an enrollment has completed. Since this behavior can potentially compromise your device, the application must always enroll with the LAP before the first call to VerifyUser.
Implement the LASS Exponential Backoff mechanism
If your LAP is vulnerable to brute force attacks, it is good practice to have the LAP implement the LASS Exponential Backoff mechanism. This mechanism is designed to deter brute force attacks that rapidly try several authentications on a LAP by introducing an exponentially increasing time delay between unsuccessful consecutive application attempts to call VerifyUser. For more information about the exponential backoff mechanism, see LASS Exponential Backoff.
Default Registry Settings
When working with LASS and LAPs, you should be aware of the registry settings that impact security. If a value has security implications, you will find a Security Note in the registry settings documentation. For LASS-related registry information, see LASS Registry Settings.
No specific ports are used for LASS.
Send Feedback on this topic to the authors