Authentication Services Security (Windows CE 5.0)
The following security support providers are supported by Windows CE:
- Kerberos Security Support Provider
- NTLM Security Support Provider
- Schannel Security Support Provider
- Negotiate Security Support Provider
It is important always to use secure coding techniques while you work with the authentication services functionality in Windows CE.
For more information about Windows CE security services, see Enhancing the Security of a Device.
Use mutual authentication
Use Kerberos security support provider (SSP) to provide mutual authentication between entities. Kerberos allows the server to verify client identity and allows the client to verify the server identity. Note that NTLM SSP does not provide mutual authentication.
Avoid storing user credentials on the device
Operating system developers can prevent users from saving passwords on the device through the Credential Manager. You can set the registry value DisallowSavedNetworkPasswords to 1. This helps to prevent hackers from extracting the network credentials from the device in case the device is stolen. For more information, see Authentication Services Registry Settings.
Avoid using plaintext passwords
Plaintext password credentials are used when Credential Manager caches the actual password. Plaintext passwords are major security risks and should be avoided whenever possible. For more information on credential types, see Credential Types.
Use smart cards to store credentials
You can add a layer of security by storing authentication information on a smart card instead of on the device. This prevents hackers from extracting the network credentials from the device in case the device is stolen.
Use pass-through authentication
If a domain controller is available, use pass-through authentication instead of using the local database of user names and passwords. This practice avoids storing the user names and passwords on the device. Microsoft® Windows® CE Web server, Redirector, and Distributed COM components can use pass-through authentication.
Use a strong authentication protocol
When using NTLM SSP, you can specify the authentication protocols for the client and the server separately. To prevent NTLM SSP from using the weaker authentication protocol, set the LmCompatibilityLevelClient value in the registry to 3. This specifies that the client will only use NTLM v2 for authentication. However, authentication will fail if the server is not capable of NTLM v2 protocol. You can also set the LmCompatibilityLevelServer value to 2 or to 3. Both of these specify that the server will only use NTLM v2. Authentication will fail if the client is not capable of NTLM v2 protocol. For more information, see Authentication Services Registry Settings.
NTLM v2 authentication protocol is only available in Windows CE .NET 4.1 and later. Servers running Microsoft Windows 2000 and later support NTLM v2.
Default Registry Settings
You should be aware of the registry settings that impact security. If a value has security implications you will find a Security Note in the registry settings documentation.
For registry information, see Authentication Services Registry Settings.
No specific ports are used for authentication services.
Send Feedback on this topic to the authors