LASS Registry Settings

A version of this page is also available for

Windows Embedded CE 6.0 R3

4/8/2010

The registry stores information necessary to configure the operating system for applications and hardware devices. The registry also contains information that the operating system continually references during operation.

Exponential Backoff Registry Settings

The HKEY_LOCAL_MACHINE\Comm\Security\LASSD registry key is used to enable the LASS exponential backoff mechanism. This mechanism is designed to deter brute force attacks that rapidly try several authentications on a LAP by introducing an exponentially increasing time delay between unsuccessful consecutive attempts of the VerifyUser call to a LAP.

The time delay or lockout time is calculated by using the following expression:

(InitialPenalty + (2^(Number of failures above Threshold)) * IncrementalPenalty)

The following table shows the named values.

Name Type Description

InitialPenalty

REG_DWORD

Time, in seconds, for the initial penalty.

Default value is 0.

Threshold

REG_DWORD

The number of failures before the exponential backoff mechanism is activated.

Default value is 0. This indicates that exponential backoff is disabled.

IncrementalPenalty

REG_DWORD

Time, in seconds, of the multiplier for the exponent.

Default value is 0, indicating that there is no delay beyond the value set for InitialPenalty.

LAP Codeword and Device Wipe Registry Settings

The HKEY_LOCAL_MACHINE\Comm\Security\LASSD registry key is used to configure the LASS settings for codeword functionality and the threshold for device wipes. After a number of failed password attempts, defined by the CodeWordFrequency setting, the device completely locks up and prompts the user to enter a displayed codeword to unlock it again. The purpose of the codeword prompt is to be sure that the incorrect password attempts are not the result of accidental key presses. After entering the displayed codeword, the user is then able to make more password attempts. Once the device wipe threshold is reached, the device wipes the memory, including all data and certificates.

Note

Do not implement a code word that includes Double Byte Character Set (DBCS) characters. While the CodeWord registry node will accept DBCS characters, users cannot enter DBCS characters on a device.

The following table shows the named values.

Name Type Description

CodeWordFrequency

REG_DWORD

The number of times an incorrect password can be entered before a displayed codeword must be entered to continue. This is to prevent accidental password entry resulting in a local device wipe.

If the registry key either does not exist or is set to 4294967295 (0xFFFFFFFF), this policy is not enforced.

CodeWord

REG_SZ

Codeword that the user will be requested to type.

DeviceWipeThreshold

REG_DWORD

The number of authentication failures before the device will be wiped. A value of 0 disables device wipe functionality.

LAP Installation Registry Settings

To install a new LAP, add a new subkey to the HKEY_LOCAL_MACHINE\Comm\Security\LASSD\LAP registry key that specifies the user-defined name for the new LAP. Use the Dll value for the subkey to specify the location for the LAP.

In the following example, lap_scard is the user-defined name for the new LAP, and the Dll value indicates the name of the LAP DLL.

[HKEY_LOCAL_MACHINE\Comm\Security\LASSD\LAP\lap_scard]
   "Dll"="lap_smartcard.dll"

The following table shows the named values.

Name Type Description

Dll

REG_SZ

The name of the DLL for a LAP that you want to install.

LAP Activation Registry Settings

Installing a LAP does not make it active. To make the LAP active, you must activate it after installation. Specify the active LAP by using the ActiveLap value under the HKEY_LOCAL_MACHINE\Comm\Security\LASSD\LAP registry key.

In the following example, ActiveLap is set to lap_scard, which is the subkey that specifies the name of the LAP DLL.

[HKEY_LOCAL_MACHINE\Comm\Security\LASSD\LAP]
   "ActiveLap"="lap_scard"

The following table shows the named values.

Name Type Description

ActiveLap

REG_SZ

A key in the LAP tree. The value of the DLL in the LAP tree specifies the DLL that LASS will load.

LAP Password Settings

The length and type of a password can be enforced on the Microsoft Default LAP using the MinimumPasswordLength and PasswordComplexity settings under the HKEY_LOCAL_MACHINE\Comm\Security\LASSD\LAP\lap_pw registry key. These settings will only be enforced if PasswordNotRequired is set to zero (0).

In the following example, the minimum length of the password is set to 9 characters and the complexity is set so that a strong password is required.

[HKEY_LOCAL_MACHINE\Comm\Security\LASSD\LAP]
   "MinimumPasswordLength"="9"
   "PasswordComplexity"="0"

The following table shows the settings and values.

Name Type Description

MinimumPasswordLength

REG_DWORD

Sets the minimum device password length the user can enter. The length is measured in characters and can be set to any number less than or equal to the maximum number of characters allowed. Entering zero (0) for MinimumPasswordLength results in the default setting of 1.

> [!NOTE] > Using Wireless Access Protocol (WAP) allows for password lengths from 1 to 256 characters. However, setting this parameter with the Exchange Security Manager limits you to a minimum of 4 and a maximum of 18 characters.

This value works in conjunction with security policy 4131, which when set to zero (0) indicates that password enforcement is required on the device. If password enforcement is not required, the value of MinimumPasswordLength is ignored.

PasswordComplexity

REG_DWORD

Sets the complexity of the Device Password.

The following list shows the possible values:

  • Zero (0) indicates that a strong password is required
  • 1 indicates that a numeric pin is required
  • Any other value indicates that a numeric or alphanumeric password can be used

Setting this parameter with the Exchange Security Manager results in a setting of zero (0) or 2. It is not possible to set this parameter to 1 using the Exchange Security Manager.

AE Registry Settings

To install a new authentication event (AE), create a subkey with the GUID of the AE under the HKEY_LOCAL_MACHINE\Comm\Security\LASSD\AE registry key. For examples, see Installing an AE.

The following table shows the named values.

Name Type Description

FriendlyName

REG_SZ

String that indicates to the user what the AE represents.

DisplayText

REG_SZ

String that indicates the name of the application that is verifying the user in a call to VerifyUser.

AEFrequencyType

REG_DWORD

Type of frequency policy used to control an AE. It can be any one of the following values, and AEFrequencyValue is interpreted differently based on each value:

  • 0: User authentication occurs at the frequency specified by AEFrequencyValue.
  • 2: AEFrequencyValue represents the number of minutes since any AE returned from VerifyUser successfully.
  • 3: AEFrequencyValue represents the number of minutes since the specified AE returned from VerifyUser sucessfully

AEFrequencyValue

REG_DWORD

Value indicating how often user authentication will occur. The interpretation of AEFrequencyValue depends on the value of AEFrequencyType. For more information about how AEFrequencyType and AEFrequencyValue are related, see Setting an AE Policy.

When AEFrequencyType is set to 0, AEFrequencyValue has the following special cases:

  • 0: Call LAP every time VerifyUser is called.
  • 0xFFFFFFFF : Never call into LAP.
  • N: Call into LAP every N-1 time(s) that VerifyUser is called.

Authentication Reset Settings

The Authentication Reset Settings determine whether a device can be reset by RemoteWipe. The messages displayed to users can be customized for authentication reset in the default Local Authentication Plug-in (LAP). All keys listed in the table are located in the path HKEY_LOCAL_MACHINE\Comm\Policy\LASSD\AuthReset.

Name Type Description

AuthenticationReset

REG_DWORD

Specifies whether or not to allow authentication reset on the device. If this setting is enabled, the Reset Password option appears in the password menu.

  • 0: Authentication Reset is disabled.
  • 1: Authentication Reset is enabled.

RequestMessage

REG_SZ

This message is displayed to the user before the reset process begins. If no message is specified, a default message is displayed.

RequestSuccessMessage

REG_SZ

This message is displayed if the reset process completes successfully. If no message is specified, a default message is displayed.

RequestFailureMessage

REG_SZ

This message is displayed if the reset process fails. If no message is specified, a default message is displayed.

RecoveryMessage

REG_SZ

This message is displayed in the Recovery PIN entry dialog. If no message is specified, a default message is displayed.

RecoveryPhone

REG_SZ

This is a secondary string to be displayed following the recovery message.

LAP Password Hash Registry Settings

These registry settings identify the algorithm used by LAP, as well as the provider type and provider name. All keys listed in the table are located in the path HKLM\Comm\Security\Policy\LASSD\LAP\lap_pw or

HKLM\Comm\Security\LASSD\LAP\lap_pw

Name Type Description

LAPHashAlgorithm

REG_DWORD

The identifier of the algorithm the LAP uses to hash the device password and admin key. OEMs can update this if new algorithms are installed on the device. The value used when creating a new password hash is stored in the registry with the password.

The LAP uses 0x800C (CALG_SHA_256) if this value is not set. By default the value is not set.

Algorithm identifiers are defined in Wincrypt.h. The algorithm must have the ALG_CLASS_HASH bit set and may not include the following hash types:

ALG_SID_MD2,

ALG_SID_MD4,

ALG_SID_MD5,

ALG_SID_SHA,

ALG_SID_SHA1,

ALG_SID_MAC,

ALG_SID_RIPEMD,

ALG_SID_RIPEMD160,

ALG_SID_SSL3SHAMD5,

ALG_SID_HMAC,

ALG_SID_TLS1PRF,

ALG_SID_HASH_REPLACE_OWF

If any of the disallowed hash types are specified, the default value is used.

LAPProviderType

REG_DWORD

The dword specifying which encrypt provider type the LAP will specify when calling CryptAcquireContext() for all of its cryptographic functions. OEMs can update this as needed. The value used when creating a new password hash is stored in the registry with the password.

The LAP uses 24 (PROV_RSA_AES) if this value is not set. By default the value is not set.

Cryptographic service providers are defined in Wincrypt.h. The provider must support the algorithm specified in the LAPHashAlgorithm registry value or the default hash algorithm if none is specified.

LAPProviderName

REG_SZ

The name of a cryptographic services provider that supports the hash algorithm specified in the LAPHashAlgorithm registry value. OEMs can update this if new providers are installed on the device. The value used when creating a new password hash is stored in the registry with the password.

The ARC uses the default provider if this value is not set (see documentation for CryptAcquireContext). By default the value is not set.

The specified provider must be the type of provider specified in the LAPProviderType registry value, or the default type if none exists. It must support the algorithm specified in the LAPHashAlgorithm registry value or the default hash algorithm if none is specified.

Calling Customer Care for Device Unlock Settings

On the Device Unlock dialog box, you can set up a customer care number for customers to dial who have forgotten their unlock key. To set up this option, use the following two registry values.

For the first value, the key is [HKEY_Local_Machine\Security\ResOver] and the value characteristics are:

Name Type Description

101

REG_SZ

Message to display about the customer care call. The default is a blank message.

For the second value, the key is HKEY_Local_Machine\Security\LASSD\LAP\lap_pw] and the value characteristics are:

Name Type Description

CustomerServiceNumber

REG_SZ

The number to store on the device and dial when Call Customer Service is selected from the device unlock dialog box.

See Also

Other Resources

Local Authentication Subsystem (LASS)
LASS Application Development
LASS OS Design Development