Share via

LASS Registry Settings (Windows Embedded CE 6.0)

  • Article

1/6/2010

The registry stores information necessary to configure the operating system for applications and hardware devices. The registry also contains information that the operating system continually references during operation.

Exponential Backoff Registry Settings

The HKEY_LOCAL_MACHINE\Comm\Security\LASSD registry key is used to enable the LASS exponential backoff mechanism. This mechanism is designed to deter brute force attacks that rapidly try several authentications on a LAP by introducing an exponentially increasing time delay between unsuccessful consecutive attempts of the VerifyUser call to a LAP.

The time delay or lockout time is calculated by using the following expression:

(InitialPenalty + (2^(Number of failures above Threshold)) * IncrementalPenalty)

The following table shows the named values.

Value : type Description

InitialPenalty : REG_DWORD

Time, in seconds, for the initial penalty.

Default value is 0.

Threshold : REG_DWORD

The number of failures before the exponential backoff mechanism is activated.

Default value is 0. This indicates that exponential backoff is disabled.

IncrementalPenalty : REG_DWORD

Time, in seconds, of the multiplier for the exponent.

Default value is 0, indicating that there is no delay beyond the value set for InitialPenalty.

LAP Codeword and Device Wipe Registry Settings

The HKEY_LOCAL_MACHINE\Comm\Security\LASSD registry key is used to configure the LASS settings for codeword functionality and the threshold for device wipes. After a number of failed password attempts, defined by the CodeWordFrequency setting, the device completely locks up and prompts the user to enter a displayed codeword to unlock it again. The purpose of the codeword prompt is to be sure that the incorrect password attempts are not the result of accidental key presses. After entering the displayed codeword, the user is then able to make more password attempts. Once the device wipe threshold is reached, the device wipes the memory, including all data and certificates.

Note

Do not implement a code word that includes Double Byte Character Set (DBCS) characters. While the CodeWord registry node will accept DBCS characters, users cannot enter DBCS characters on a device.

The following table shows the named values.

Value : type Description

CodeWordFrequency : REG_DWORD

The number of times an incorrect password can be entered before a displayed codeword must be entered to continue. This is to prevent accidental password entry resulting in a local device wipe.

If the registry key either does not exist or is set to 4294967295 (0xFFFFFFFF), this policy is not enforced.

CodeWord : REG_SZ

Codeword that the user will be requested to type.

DeviceWipeThreshold : REG_DWORD

The number of authentication failures before the device will be wiped. A value of 0 disables device wipe functionality.

LAP Installation Registry Settings

To install a new LAP, add a new subkey to the HKEY_LOCAL_MACHINE\Comm\Security\LASSD\LAP registry key that specifies the user-defined name for the new LAP. Use the Dll value for the subkey to specify the location for the LAP.

In the following example, lap_scard is the user-defined name for the new LAP, and the Dll value indicates the name of the LAP DLL.

[HKEY_LOCAL_MACHINE\Comm\Security\LASSD\LAP\lap_scard]
   "Dll"="lap_smartcard.dll"

The following table shows the named values.

Value : type Description

Dll : REG_SZ

The name of the DLL for a LAP that you want to install.

LAP Activation Registry Settings

Installing a LAP does not make it active. To make the LAP active, you must activate it after installation. Specify the active LAP by using the ActiveLap value under the HKEY_LOCAL_MACHINE\Comm\Security\LASSD\LAP registry key.

In the following example, ActiveLap is set to lap_scard, which is the subkey that specifies the name of the LAP DLL.

[HKEY_LOCAL_MACHINE\Comm\Security\LASSD\LAP]
   "ActiveLap"="lap_scard"

The following table shows the named values.

Value : type Description

ActiveLap : REG_SZ

A key in the LAP tree. The value of the DLL in the LAP tree specifies the DLL that LASS will load.

LAP Password Settings

The length and type of a password can be enforced on the Microsoft Default LAP using the MinimumPasswordLength and PasswordComplexity settings under the HKEY_LOCAL_MACHINE\Comm\Security\LASSD\LAP\lap_pw registry key. These settings will only be enforced if PasswordNotRequired is set to zero (0)

In the following example, the minimum length of the password is set to 9 characters and the complexity is set so that a strong password is required.

[HKEY_LOCAL_MACHINE\Comm\Security\LASSD\LAP]
   "MinimumPasswordLength"="9"
   "PasswordComplexity"="0"

The following table shows the settings and values:

Value : type Description

MinimumPasswordLength : REG_DWORD

Sets the minimum device password length the user can enter. The length is measured in characters and can be set to any number less than or equal to the maximum number of characters allowed. Entering zero (0) for MinimumPasswordLength results in the default setting of 1.

Ee498787.note(en-US,WinEmbedded.60).gifNote:
Using Wireless Access Protocol (WAP) allows for password lengths from 1 to 256 characters. However, setting this parameter with the Exchange Security Manager limits you to a minimum of 4 and a maximum of 18 characters.

This value works in conjunction with security policy 4131, which when set to zero (0) indicates that password enforcement is required on the device. If password enforcement is not required, the value of MinimumPasswordLength is ignored.

PasswordComplexity : REG_DWORD

Sets the complexity of the Device Password.

The following list shows the possible values:

  • Zero (0) indicates that a strong password is required
  • 1 indicates that a numeric pin is required
  • Any other value indicates that a numeric or alphanumeric password can be used

Setting this parameter with the Exchange Security Manager results in a setting of zero (0) or 2. It is not possible to set this parameter to 1 using the Exchange Security Manager.

AE Registry Settings

To install a new authentication event (AE), create a subkey with the GUID of the AE under the HKEY_LOCAL_MACHINE\Comm\Security\LASSD\AE registry key. For examples, see Installing an AE.

The following table shows the named values.

Value : type Description

FriendlyName : REG_SZ

String that indicates to the user what the AE represents.

DisplayText : REG_SZ

String that indicates the name of the application that is verifying the user in a call to VerifyUser.

AEFrequencyType : REG_DWORD

Type of frequency policy used to control an AE. It can be any one of the following values, and AEFrequencyValue is interpreted differently based on each value:

  • 0: User authentication occurs at the frequency specified by AEFrequencyValue.
  • 2: AEFrequencyValue represents the number of minutes since any AE returned from VerifyUser successfully.
  • 3: AEFrequencyValue represents the number of minutes since the specified AE returned from VerifyUser sucessfully

AEFrequencyValue : REG_DWORD

Value indicating how often user authentication will occur. The interpretation of AEFrequencyValue depends on the value of AEFrequencyType. For more information about how AEFrequencyType and AEFrequencyValue are related, see Setting an AE Policy.

When AEFrequencyType is set to 0, AEFrequencyValue has the following special cases:

  • 0: Call LAP every time VerifyUser is called.
  • 0xFFFFFFFF : Never call into LAP.
  • N: Call into LAP every N-1 time(s) that VerifyUser is called.

Authentication Reset Settings

The Authentication Reset Settings determine whether a device can be reset by RemoteWipe. The messages displayed to users can be customized for authentication reset in the default Local Authentication Plug-in (LAP). All keys listed in the table are located in the path HKEY_LOCAL_MACHINE\Comm\Policy\LASSD\AuthReset.

Value : type Description

AuthenticationReset : REG_DWORD

Specifies whether or not to allow authentication reset on the device. If this setting is enabled, the Reset Password option appears in the password menu.

  • 0: Authentication Reset is disabled.
  • 1: Authentication Reset is enabled.

RequestMessage : REG_SZ

This message is displayed to the user before the reset process begins. If no message is specified, a default message is displayed.

RequestSuccessMessage : REG_SZ

This message is displayed if the reset process completes successfully. If no message is specified, a default message is displayed.

RequestFailureMessage : REG_SZ

This message is displayed if the reset process fails. If no message is specified, a default message is displayed.

RecoveryMessage : REG_SZ

This message is displayed in the Recovery PIN entry dialog. If no message is specified, a default message is displayed.

RecoveryPhone : REG_SZ

This is a secondary string to be displayed following the recovery message.

LAP Hash Algorithm

Registry Name

LAPHashAlgorithm

Description

The identifier of the algorithm the LAP uses to hash the device password and admin key. OEMs can update this if new algorithms are installed on the device. The value used when creating a new password hash is stored in the registry with the password.

The default LAP uses 0x800C (CALG_SHA_256) if this value is not set.

Registry Location

HKLM\Comm\Security\Policy\LASSD\LAP\lap_pw [LAPHashAlgorithm]

HKLM\Comm\Security\LASSD\LAP\lap_pw [LAPHashAlgorithm]

Type

REG_DWORD

Default Value

<None>

Values

Algorithm identifiers are defined in Wincrypt.h. The algorithm must have the the ALG_CLASS_HASH bit set and may not include the following hash types:

ALG_SID_MD2,

ALG_SID_MD4,

ALG_SID_MD5,

ALG_SID_SHA,

ALG_SID_SHA1,

ALG_SID_MAC,

ALG_SID_RIPEMD,

ALG_SID_RIPEMD160,

ALG_SID_SSL3SHAMD5,

ALG_SID_HMAC,

ALG_SID_TLS1PRF,

ALG_SID_HASH_REPLACE_OWF

If any of the disallowed hash types are specified, the default value is used.

LAP Provider Type

Registry Name

LAPProviderType

Description

The dword specifying which encrypt provider type the LAP will specify when calling CryptAcquireContext() for all of its cryptographic functions. OEMs can update this as needed. The value used when creating a new password hash is stored in the registry with the password.

The default LAP uses 24 (PROV_RSA_AES) if this value is not set.

Registry Location

HKLM\Comm\Security\Policy\LASSD\LAP\lap_pw [LAPProviderType]

HKLM\Comm\Security\LASSD\LAP\lap_pw [LAPProviderType]

Type

REG_DWORD

Default Value

<None>

Values

Cryptographic service providers are defined in Wincrypt.h. The provider must support the algorithm specified in the LAPHashAlgorithm registry value or the default hash algorithm if none is specified.

LAP Provider Name

Registry Name

LAPProviderName

Description

The name of a cryptographic services provider that supports the hash algorithm specified in the LAPHashAlgorithm registry value. OEMs can update this if new providers are installed on the device. The value used when creating a new password hash is stored in the registry with the password.

The ARC uses the default provider if this value is not set (see documentation for CryptAcquireContext).

Registry Location

HKLM\Comm\Security\Policy\LASSD\LAP\lap_pw [LAPProviderName]

HKLM\Comm\Security\LASSD\LAP\lap_pw [LAPProviderName]

Type

REG_SZ

Default Value

<None>

Values

The specified provider must be the type of provider specified in the LAPProviderType registry value, or the default type if none exists. It must support the algorithm specified in the LAPHashAlgorithm registry value or the default hash algorithm if none is specified.

See Also

Other Resources

Local Authentication Subsystem (LASS)
LASS Application Development
LASS OS Design Development