
Authentication Services Security

A version of this page is also available for Windows Embedded CE 6.0 R3.

4/8/2010

The following security support providers (SSPs) are supported:

  • Kerberos Security Support Provider (Windows Mobile only)
  • NTLM Security Support Provider
  • Schannel Security Support Provider
  • Negotiate Security Support Provider

Always apply secure coding techniques when you work with the authentication services functionality; the best practices below cover the choices that most often weaken authentication on a device.

Best Practices

Use mutual authentication

Use the Kerberos security support provider (SSP) to provide mutual authentication between entities. With Kerberos, the server verifies the identity of the client and the client verifies the identity of the server. Note that the NTLM SSP does not provide mutual authentication: an NTLM client proves itself to the server but gets no proof that the server is the one it intended to reach.

Avoid storing user credentials on the device

Operating system developers can prevent users from saving passwords on the device through the Credential Manager by setting the registry value DisallowSavedNetworkPasswords to 1. This helps prevent an attacker from extracting network credentials from the device if the device is stolen. For more information, see Authentication Services Registry Settings.

Avoid using plaintext passwords

Plaintext password credentials are used when Credential Manager caches the actual password. A cached plaintext password is a major security risk, because anyone who can read the credential store recovers the password directly and can reuse it anywhere the account is valid. Avoid plaintext passwords whenever possible.

Use smart cards to store credentials

You can add a layer of security by storing authentication information on a smart card instead of on the device. This prevents an attacker from extracting network credentials from the device if the device is stolen, because the secret resides on the card rather than in device storage.

Use pass-through authentication

If a domain controller is available, use pass-through authentication instead of the local database of user names and passwords. This practice avoids storing user names and passwords on the device at all. The Windows Mobile Web server, the Redirector, and Distributed COM components can use pass-through authentication.

Use a strong authentication protocol

When using the NTLM SSP, you can specify the authentication protocols for the client and the server separately. To prevent the NTLM SSP from falling back to the weaker protocol, set the LmCompatibilityLevelClient registry value to 3. This specifies that the client uses only NTLM v2 for authentication; authentication fails if the server does not support NTLM v2. You can also set the LmCompatibilityLevelServer value to 2 or to 3. Both values specify that the server accepts only NTLM v2; authentication fails if the client is not capable of NTLM v2. The failure is a hard authentication failure rather than a silent downgrade, so verify that every peer the device must talk to supports NTLM v2 before deploying these values. For more information, see Authentication Services Registry Settings.

The NTLM v2 authentication protocol is available only in Windows CE .NET 4.1 and later. Servers running Microsoft Windows 2000 and later support NTLM v2.
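As an added example that is not part of the original page, the following Platform Builder registry fragment applies the two registry-based practices described above (refusing saved network passwords and restricting the NTLM SSP to NTLM v2) in one place, ready to be added to an OS design's project.reg. The key path HKEY_LOCAL_MACHINE\Comm\Security is an assumption made here; confirm the exact key and value names against Authentication Services Registry Settings before using it.

```reg
; Added example, not from the original page.
; The key path below is an assumption; verify it against
; "Authentication Services Registry Settings" before use.
[HKEY_LOCAL_MACHINE\Comm\Security]

   ; Client side of the NTLM SSP: 3 = send only NTLM v2 responses.
   ; Lower values allow fallback to the weaker protocol. With 3, a
   ; server that lacks NTLM v2 (older than Windows 2000) causes a hard
   ; authentication failure instead of a silent downgrade.
   "LmCompatibilityLevelClient"=dword:3

   ; Server side of the NTLM SSP: 2 or 3 = accept only NTLM v2.
   ; Clients older than Windows CE .NET 4.1 cannot produce NTLM v2
   ; and will fail to authenticate against this device.
   "LmCompatibilityLevelServer"=dword:3

   ; Credential Manager refuses to save network passwords on the device,
   ; so a stolen device yields no cached network credentials.
   "DisallowSavedNetworkPasswords"=dword:1
```

Rebuild the run-time image after changing these values, and test against the oldest server and client populations the device must interoperate with; each of the NTLM settings turns a protocol downgrade into an authentication failure, which is the intended behaviour but must be planned for.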

Call AcquireCredentialsHandle only once

When using any SSP, call AcquireCredentialsHandle only once and reuse the cached credential handle to re-authenticate. This way, the user does not have to re-enter the credentials. Release the handle with FreeCredentialsHandle when the application no longer needs it.

Default Registry Settings

Be aware of the registry settings that affect security. If a value has security implications, the registry settings documentation marks it with a Security Note.

For registry information, see Authentication Services Registry Settings.

Ports

No specific ports are used for authentication services.

See Also

Other Resources

Authentication Services