LASS Security (Windows CE 5.0)

Windows CE 5.0
Send Feedback

LASS supports application-independent and authentication mechanism-independent user authentication, while LAPs enable application-independent user authentication to devices. Therefore, compromising the security of either the LASS or a LAP will have a direct effect on the security of your sensitive resources.

This section provides security considerations for working with LASS and LAPs. As you do when working with any Windows CE functionality, you should always use secure coding and authentication techniques. For more information about Windows CE security services, see Enhancing the Security of a Device.

Best Practices for LASS

Use a two-tier trust model to enhance security

LASS is dependent on a trust model. Without the trust model, LASS can be disabled by any running application. To enhance the security that you get from LASS, you must use a two-tier trust model, or make sure that you do not allow any ISV applications to run on your OS. For more information about creating a trusted environment, see Trusted Environment Creation.

Best Practices for a LAP

Use discretion when you assign trust levels to third-party applications

The password LAP that is available in Windows CE uses the SetPassword and GetPasswordActive functions, and therefore can be interfered by a trusted application.

Understand the enrollment behavior of the LAP before having the application call VerifyUser for the first time

The password LAP that is available in Windows CE is currently configured to return TRUE on application calls to VerifyUser until an enrollment has completed. Since this behavior can potentially compromise your device, the application must always enroll with the LAP before the first call to VerifyUser.

Implement the LASS Exponential Backoff mechanism

If your LAP is vulnerable to brute force attacks, it is good practice to have the LAP implement the LASS Exponential Backoff mechanism. This mechanism is designed to deter brute force attacks that rapidly try several authentications on a LAP by introducing an exponentially increasing time delay between unsuccessful consecutive application attempts to call VerifyUser. For more information about the exponential backoff mechanism, see LASS Exponential Backoff.

Default Registry Settings

When working with LASS and LAPs, you should be aware of the registry settings that impact security. If a value has security implications, you will find a Security Note in the registry settings documentation. For LASS-related registry information, see LASS Registry Settings.


No specific ports are used for LASS.

See Also

Local Authentication Subsystem (LASS) | Enhancing the Security of a Device | Trusted Environment Creation.| LASS Exponential Backoff | LASS Registry Settings

Send Feedback on this topic to the authors

Feedback FAQs

© 2006 Microsoft Corporation. All rights reserved.