LASS Registry Settings (Compact 2013)

Article
08/12/2016

3/28/2014

The registry stores information necessary to configure the operating system for applications and hardware devices. The registry also contains information that the operating system continually references during operation.

Exponential Backoff Registry Settings

The HKEY_LOCAL_MACHINE\Comm\Security\LASSD registry key is used to enable the LASS exponential backoff mechanism. This mechanism is designed to deter brute force attacks that rapidly try several authentications on a LAP by introducing an exponentially increasing time delay between unsuccessful consecutive attempts of the VerifyUser call to a LAP.

The time delay or lockout time is calculated by using the following expression:

(InitialPenalty + (2^(Number of failures above Threshold)) * IncrementalPenalty)

The following table shows the named values.

Name	Type	Description	Default Value
InitialPenalty	REG_DWORD	Time, in seconds, for the initial penalty.	0
Threshold	REG_DWORD	The number of failures before the exponential backoff mechanism is activated.	0 (exponential backoff is disabled)
IncrementalPenalty	REG_DWORD	Time, in seconds, of the multiplier for the exponent.	0 (no delay beyond the value set for InitialPenalty)

LAP Codeword and Device Wipe Registry Settings

The HKEY_LOCAL_MACHINE\Comm\Security\LASSD registry key is used to configure the LASS settings for codeword functionality and the threshold for device wipes. After a number of failed password attempts, defined by the CodeWordFrequency setting, the device completely locks up and prompts the user to enter a displayed codeword to unlock it again. The purpose of the codeword prompt is to be sure that the incorrect password attempts are not the result of accidental key presses. After entering the displayed codeword, the user is then able to make more password attempts. Once the device wipe threshold is reached, the device wipes the memory, including all data and certificates.

Note

Do not implement a code word that includes Double Byte Character Set (DBCS) characters. While the CodeWord registry node will accept DBCS characters, users cannot enter DBCS characters on a device.

The following table shows the named values.

Name	Type	Description
CodeWordFrequency	REG_DWORD	The number of times an incorrect password can be entered before a displayed codeword must be entered to continue. This is to prevent accidental password entry resulting in a local device wipe.
CodeWord	REG_SZ	Codeword that the user is requested to type.
DeviceWipeThreshold	REG_DWORD	The number of authentication failures before the device is wiped. A value of 0 disables device wipe functionality,

LAP Installation Registry Settings

To install a new LAP, add a new subkey to the HKEY_LOCAL_MACHINE\Comm\Security\LASSD\LAP registry key that specifies the user-defined name for the new LAP. Use the Dll value for the subkey to specify the location for the LAP.

In the following example, lap_scard is the user-defined name for the new LAP, and the Dll value indicates the name of the LAP DLL.

[HKEY_LOCAL_MACHINE\Comm\Security\LASSD\LAP\lap_scard]
   "Dll"="lap_smartcard.dll"

The following table shows the named values.

Value	Type	Description
Dll	REG_SZ	The name of the DLL for a LAP that you want to install.

LAP Activation Registry Settings

Installing a LAP does not make it active. To make the LAP active, you must activate it after installation. Specify the active LAP by using the ActiveLap value under the HKEY_LOCAL_MACHINE\Comm\Security\LASSD\LAP registry key.

In the following example, ActiveLap is set to lap_scard, which is the subkey that specifies the name of the LAP DLL.

[HKEY_LOCAL_MACHINE\Comm\Security\LASSD\LAP]
   "ActiveLap"="lap_scard"

The following table shows the named values.

Value	Type	Description
ActiveLap	REG_SZ	A key in the LAP tree whose value determines the DLL that LASS loads.

LAP Password Settings

The length and type of a password can be enforced on the Microsoft Default LAP using the MinimumPasswordLength and PasswordComplexity settings under the HKEY_LOCAL_MACHINE\Comm\Security\LASSD\LAP\lap_pw registry key. These settings will only be enforced if PasswordNotRequired is set to 0.

In the following example, the minimum length of the password is set to 9 characters and the complexity is set so that a strong password is required.

[HKEY_LOCAL_MACHINE\Comm\Security\LASSD\LAP]
   "MinimumPasswordLength"="9"
   "PasswordComplexity"="0"

The following table shows the settings and values:

Value	Type	Description
MinimumPasswordLength	REG_DWORD	Sets the minimum device password length the user can enter. The length is measured in characters and can be set to any number less than or equal to the maximum number of characters allowed. Entering zero (0) for MinimumPasswordLength results in the default setting of 1. Note: Using Wireless Access Protocol (WAP) allows for password lengths from 1 to 256 characters. However, setting this parameter with the Exchange Security Manager limits you to a minimum of 4 and a maximum of 18 characters. This value works in conjunction with security policy 4131, which when set to zero (0) indicates that password enforcement is required on the device. If password enforcement is not required, the value of MinimumPasswordLength is ignored.
PasswordComplexity	REG_DWORD	Sets the complexity of the Device Password. The following list shows the possible values: Zero (0) indicates that a strong password is required 1 indicates that a numeric pin is required Any other value indicates that a numeric or alphanumeric password can be used Setting this parameter with the Exchange Security Manager results in a setting of zero (0) or 2. It is not possible to set this parameter to 1 using the Exchange Security Manager.

MinimumPasswordLength

REG_DWORD

Sets the minimum device password length the user can enter. The length is measured in characters and can be set to any number less than or equal to the maximum number of characters allowed. Entering zero (0) for MinimumPasswordLength results in the default setting of 1.

Note:

Using Wireless Access Protocol (WAP) allows for password lengths from 1 to 256 characters. However, setting this parameter with the Exchange Security Manager limits you to a minimum of 4 and a maximum of 18 characters.

This value works in conjunction with security policy 4131, which when set to zero (0) indicates that password enforcement is required on the device. If password enforcement is not required, the value of MinimumPasswordLength is ignored.

PasswordComplexity

REG_DWORD

Sets the complexity of the Device Password.

The following list shows the possible values:

Zero (0) indicates that a strong password is required
1 indicates that a numeric pin is required
Any other value indicates that a numeric or alphanumeric password can be used

Setting this parameter with the Exchange Security Manager results in a setting of zero (0) or 2. It is not possible to set this parameter to 1 using the Exchange Security Manager.

AE Registry Settings

To install a new authentication event (AE), create a subkey with the GUID of the AE under the HKEY_LOCAL_MACHINE\Comm\Security\LASSD\AE registry key.

The following table shows the named values.

Value	Type	Description
FriendlyName	REG_SZ	String that indicates to the user what the AE represents.
DisplayText	REG_SZ	String that indicates the name of the application that is verifying the user in a call to VerifyUser.
AEFrequencyType	REG_DWORD	Type of frequency policy used to control an AE. It can be any one of the following values, and AEFrequencyValue is interpreted differently based on each value: 0: User authentication occurs at the frequency specified by AEFrequencyValue. 2: AEFrequencyValue represents the number of minutes since any AE returned from VerifyUser successfully. 3: AEFrequencyValue represents the number of minutes since the specified AE returned from VerifyUser sucessfully
AEFrequencyValue	REG_DWORD	Value indicating how often user authentication will occur. The interpretation of AEFrequencyValue depends on the value of AEFrequencyType. When AEFrequencyType is set to 0, AEFrequencyValue has the following special cases: 0: Call LAP every time VerifyUser is called. 0xFFFFFFFF : Never call into LAP. N: Call into LAP every N-1 time(s) that VerifyUser is called.

Authentication Reset Settings

The Authentication Reset Settings determine whether a device can be reset by RemoteWipe. The messages displayed to users can be customized for authentication reset in the default Local Authentication Plug-in (LAP). All keys listed in the table are located in the path HKEY_LOCAL_MACHINE\Comm\Policy\LASSD\AuthReset.

Value	Type	Description
AuthenticationReset	REG_DWORD	Determines whether or not authentication reset is allowed on the device. If this setting is enabled, the Reset Password option appears in the password menu. 0: Authentication reset is disabled. 1: Authentication reset is enabled.
RequestMessage	REG_SZ	This message is displayed to the user before the reset process begins. If no message is specified, a default message is displayed.
RequestSuccessMessage	REG_SZ	This message is displayed if the reset process completes successfully. If no message is specified, a default message is displayed.
RequestFailureMessage	REG_SZ	This message is displayed if the reset process fails. If no message is specified, a default message is displayed.
RecoveryMessage	REG_SZ	This message is displayed in the Recovery PIN entry dialog. If no message is specified, a default message is displayed.
RecoveryPhone	REG_SZ	This is a secondary string to be displayed following the recovery message.

Share via

LASS Registry Settings (Compact 2013)

Exponential Backoff Registry Settings

LAP Codeword and Device Wipe Registry Settings

LAP Installation Registry Settings

LAP Activation Registry Settings

LAP Password Settings

AE Registry Settings

Authentication Reset Settings

See Also

Reference

Other Resources

Additional resources