Wednesday, 30 January 2008
How Interactive Logons Work
In an interactive logon, a complex sequence of events occurs:

1. As the last step of the boot process, Winlogon.exe starts.
2. Winlogon calls the Microsoft Graphical Identification and Authentication dynamic-link library (Msgina.dll), which obtains your user name and password using one of the following two techniques:
   - If you're using the Welcome screen in Windows XP (also known as the secure desktop), a list of available user accounts appears. Click a user name to display an input dialog box and enter your password.
   - On a computer running Windows 2000 (or Windows XP with the classic logon option), press Ctrl+Alt+Delete to display the Log On To Windows dialog box and enter your user name and password.
3. Winlogon passes the user name and password to the LSA, which then determines whether the logon is to be authenticated on the local computer or over the network. (This depends on the choice you make in the Log On To box.)
4. For local logons, the LSA consults the SAM, a protected database that manages user and group account information.
5. If the user name and password are valid, the SAM returns to the LSA the user's SID and the SIDs for all groups to which the user belongs.
6. The LSA uses this information to create an access token, an identifier that accompanies the user throughout the session. An access token is a sort of "badge" that the LSA flashes on behalf of the user whenever the user requests access to a protected resource.
7. Winlogon starts the Windows shell with the user's token attached.
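You can see the result of steps 5 and 6 for yourself: the access token that the LSA built for your own session carries your user SID and the SIDs of every group you belong to. The following PowerShell snippet is an added example (it is not from the original post or from Microsoft's documentation); it reads the current process token through the .NET WindowsIdentity class and lists what the LSA put in it. It assumes it is run from a normal interactive session, so the token it shows is the one Winlogon attached to your shell.

```powershell
# Added example: inspect the access token the LSA created for the current session.
# Read-only; it touches nothing on the system.
function Get-SessionToken {
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

    $groups = foreach ($groupSid in $identity.Groups) {
        # Translate each group SID back to an NT account name where one exists;
        # logon-session and some well-known SIDs have no name, so keep the raw SID.
        try {
            $name = $groupSid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $name = '(no name)'
        }
        [PSCustomObject]@{ Sid = $groupSid.Value; Name = $name }
    }

    [PSCustomObject]@{
        User       = $identity.Name              # DOMAIN\user or COMPUTER\user
        UserSid    = $identity.User.Value        # the SID the SAM returned (step 5)
        Groups     = $groups                     # group SIDs carried in the token (step 6)
        GroupCount = $groups.Count
    }
}

$token = Get-SessionToken
"User: {0}  SID: {1}" -f $token.User, $token.UserSid
"Groups carried in the token ({0}):" -f $token.GroupCount
$token.Groups | ForEach-Object { "  {0,-48} {1}" -f $_.Sid, $_.Name }
```

The same information is available from the built-in `whoami /user` and `whoami /groups` commands; the script form is useful when you want to compare the token of a session against what you expect (for example, to confirm that an account really is not a member of Administrators).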
A secure logon process—one that prevents unauthorized users with physical access to your computer from logging on—requires disabling some of the convenience features available in Windows. Specifically, you might want to consider eliminating the following convenience features, each of which represents a potential security vulnerability; you'll find step-by-step instructions in the checklist at the end of this chapter:

Replace the Welcome screen with the classic logon dialog box. Available only in Windows XP and only when the computer is not joined to a domain, the Welcome screen, shown in Figure 2-2, presents a friendly face and lets you log on with a simple click (and entry of a password, if your account requires one). The Welcome screen exposes the user names of all users to anyone who walks by. In addition, password hints for all users are available with a couple of clicks. Knowing the user name and a password hint, an attacker is well on the way to an authenticated logon.
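Whether the Welcome screen is in use is recorded in the registry, so you can audit a machine for it before working through the checklist. The script below is an added example, not part of the original post or chapter. It assumes the Windows XP-era meaning of the values it reads: `LogonType` under the Winlogon key (1 = Welcome screen, 0 = classic logon dialog; the value may be absent on domain-joined machines, where the Welcome screen is never available), and two values under the Policies\System key, `DontDisplayLastUserName` (1 = the classic dialog does not pre-fill the last user name) and `DisableCAD` (1 = Ctrl+Alt+Delete is not required). It only reads; it changes nothing.

```powershell
# Added example: report the logon-screen settings that affect what a passer-by
# can learn from the logon prompt. Read-only audit; values interpreted per
# Windows XP behaviour (assumption).
function Get-LogonScreenAudit {
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $policy   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    # Read a DWORD value, returning $null when the value or key does not exist.
    function Read-Dword($path, $name) {
        $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $item) { return $null }
        return [int]$item.$name
    }

    $logonType      = Read-Dword $winlogon 'LogonType'
    $hideLastUser   = Read-Dword $policy   'DontDisplayLastUserName'
    $disableCad     = Read-Dword $policy   'DisableCAD'
    $domainJoined   = (Get-WmiObject Win32_ComputerSystem).PartOfDomain

    [PSCustomObject]@{
        DomainJoined        = $domainJoined
        # Welcome screen exposes every local user name; treat 1 as the exposed state.
        WelcomeScreen       = ($logonType -eq 1 -and -not $domainJoined)
        LogonTypeRaw        = $logonType
        # Classic dialog still shows the last user unless this policy is set to 1.
        LastUserNameHidden  = ($hideLastUser -eq 1)
        CtrlAltDelRequired  = ($disableCad -ne 1)
        Findings            = @(
            if ($logonType -eq 1 -and -not $domainJoined) { 'Welcome screen enabled: user names listed on the logon screen' }
            if ($hideLastUser -ne 1)                      { 'Last logged-on user name is displayed in the classic dialog' }
            if ($disableCad -eq 1)                        { 'Ctrl+Alt+Delete is not required before logon' }
        )
    }
}

$audit = Get-LogonScreenAudit
$audit | Format-List DomainJoined, WelcomeScreen, LastUserNameHidden, CtrlAltDelRequired
if ($audit.Findings.Count -eq 0) { 'No logon-screen exposure found.' } else { $audit.Findings }
```

Run it from an administrative prompt on each machine you are checking; a machine with `WelcomeScreen` true and `LastUserNameHidden` false is the case the paragraph above describes, where a user name is handed to anyone who can see the screen.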
