Authentication Protocols
11/18/2009
You can restrict access to the device and its services to authorized users by implementing the authentication protocols available in Windows Embedded CE. Some are built into Catalog items and others require you to add Catalog items to your OS design. For example, to use the NTLM SSP or the Kerberos SSP, you must add those Catalog items to your OS design. NTLM and Kerberos are exposed through the Security Support Provider Interface (SSPI).
SSPI is available through the Secur32.dll module. It is a well-defined, commonly used API for obtaining integrated security services for authentication, message integrity, and message privacy, and it provides an abstraction layer between application-level protocols and security protocols. Because different applications require different ways of identifying or authenticating users and different ways of encrypting data as it travels across a network, SSPI provides a uniform way to load dynamic-link libraries (DLLs) that implement different authentication and cryptographic schemes. These DLLs are called Security Support Providers (SSPs).
The following illustration shows the relationship of the SSP DLLs to the SSPI Secur32.dll, Winsock, and WinInet.
Windows Embedded CE provides the following security support providers (SSPs):
- Kerberos Security Support Provider
- NTLM Security Support Provider
- Schannel Security Support Provider
- Negotiate Security Support Provider
Some schemes are more secure than others. Basic authentication sends the user name and password in cleartext (only Base64-encoded, not encrypted), so it is much weaker than any of the challenge-response or ticket-based protocols listed above and should be used only over a channel protected by SSL/TLS (Schannel). Keep this in mind when determining which scheme best fits the needs of the application.
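To make the difference concrete, here is an added example (not code from the original page or from Windows Embedded CE) that recovers credentials from a constructed Basic-authenticated HTTP request with no secret at all, and contrasts that with a challenge-response exchange in which only a keyed response crosses the wire. The challenge-response part is a simplified stand-in for NTLM (HMAC-SHA256 over a password-derived key; real NTLM derives its key with MD4 over the UTF-16LE password and uses HMAC-MD5), chosen so the block runs anywhere. The sample request and the fixed challenges are constructed for the example.

```python
import base64
import hashlib
import hmac

# Constructed sample: a Basic-authenticated request as an eavesdropper would see it.
CAPTURED_BASIC_REQUEST = (
    b"GET /config.xml HTTP/1.1\r\n"
    b"Host: device.example\r\n"
    b"Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n"
    b"\r\n"
)


def recover_basic_credentials(request: bytes) -> tuple[str, str]:
    """Basic auth is Base64, not encryption: anyone on the path gets the password."""
    for line in request.split(b"\r\n"):
        if line.lower().startswith(b"authorization: basic "):
            token = line.split(b" ", 2)[2]
            user, _, password = base64.b64decode(token).decode().partition(":")
            return user, password
    raise ValueError("no Basic Authorization header in request")


def derive_key(password: str) -> bytes:
    """Password-equivalent key kept by the verifier (stand-in for NTLM's NT hash).
    Simplified: SHA-256 instead of MD4; the server never stores the cleartext."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def respond(password: str, server_challenge: bytes, client_nonce: bytes) -> bytes:
    """Client proves it knows the key without ever transmitting it."""
    return hmac.new(derive_key(password), server_challenge + client_nonce,
                    hashlib.sha256).digest()


def verify(stored_key: bytes, server_challenge: bytes, client_nonce: bytes,
           response: bytes) -> bool:
    """Server recomputes the expected response; constant-time compare."""
    expected = hmac.new(stored_key, server_challenge + client_nonce,
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def offline_guess(candidates, server_challenge: bytes, client_nonce: bytes,
                  response: bytes):
    """An eavesdropper who captured one exchange can still test guesses offline.
    This is the residual weakness of challenge-response schemes such as NTLM:
    the password is not on the wire, but a weak one is still recoverable."""
    for candidate in candidates:
        if verify(derive_key(candidate), server_challenge, client_nonce, response):
            return candidate
    return None


def run_challenge_response() -> dict:
    """One legitimate exchange, one replay of it against a fresh challenge,
    and one offline dictionary attack on the captured exchange."""
    stored_key = derive_key("hunter2")          # what the server keeps
    challenge = bytes.fromhex("0123456789abcdef")  # constructed server challenge
    nonce = bytes.fromhex("00112233")              # constructed client nonce
    captured = respond("hunter2", challenge, nonce)  # what the sniffer sees

    fresh_challenge = bytes.fromhex("fedcba9876543210")
    return {
        "legit_accepted": verify(stored_key, challenge, nonce, captured),
        "replay_accepted": verify(stored_key, fresh_challenge, nonce, captured),
        "password_on_wire": b"hunter2" in captured,
        "offline_crack": offline_guess(["password", "letmein", "hunter2"],
                                       challenge, nonce, captured),
    }


if __name__ == "__main__":
    print(recover_basic_credentials(CAPTURED_BASIC_REQUEST))
    print(run_challenge_response())
```

The first function needs no key and no computation beyond Base64 decoding, which is the whole weakness of Basic. The challenge-response exchange keeps the password off the wire and a replayed response fails against a new challenge, but the `offline_crack` result shows why NTLM-style schemes still depend on password strength, and why Kerberos (tickets, no password-equivalent response to sniff) or an SSL/TLS-protected channel is the stronger choice where the device supports it.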
The following list summarizes a few authentication best practices:
- Use the StartUI component to password-protect a device. Without password protection, anyone can use the device and potentially gain access to resources on a network.
- Enable device locking capabilities to require a password to access a device while it is powered on.
- If you must keep user credentials on the device, store them through Credential Manager rather than writing them to the registry yourself. For best protection, do not store user credentials on the device at all; a stolen device then yields no network credentials to an attacker.
If you want to allow users to save authentication information on a device, use Credential Manager. You can still raise the level of protection by not saving user credentials on the device itself: if the application uses Credential Manager, set the DisallowSavedNetworkPasswords registry value to 1, which stops Credential Manager from persisting network passwords. An attacker who steals the device then cannot extract the network credentials from it.
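The following registry fragment is an added example, not from the original page, showing the hardened setting as it would appear in an OS design .reg file (for example platform.reg). The key path HKEY_LOCAL_MACHINE\Comm\Security is assumed from the Credential Manager registry settings and should be checked against the Credential Manager topic listed under See Also before use; the value name is the one the page gives.

```reg
; Assumed key path: HKEY_LOCAL_MACHINE\Comm\Security (verify against the
; Credential Manager registry documentation for your CE version).
;
; Weak (the default when the value is absent or 0): Credential Manager may
; persist network passwords on the device, where a thief can recover them.
;     "DisallowSavedNetworkPasswords"=dword:0
;
; Hardened: Credential Manager refuses to persist network passwords.
[HKEY_LOCAL_MACHINE\Comm\Security]
    "DisallowSavedNetworkPasswords"=dword:1
```

With the value set to 1, applications that rely on Credential Manager will prompt for credentials each time rather than reading a saved copy, so test any unattended or scheduled network access on the device after enabling it.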
See Also
Concepts
Authentication Services Security
Other Resources
Enhancing the Security of a Device
Authentication Services
LDAP Application Development
Smart Card
Credential Manager