Learn Windows XP in 15 Minutes a Week: User Logon and Authentication, Part 1

by Jason Zandri

Jason Zandri provides an initial overview of the user logon and authentication process in Windows XP.

Welcome to the 25th installment of "Learn Windows XP Professional in 15 Minutes a Week." This article offers an initial look at the user logon and authentication process in Windows XP.

The Windows XP Professional operating system lets the different users of a system, or the different users in a networked environment, log on and gain access to the local machine, to available network resources, or to both. How users log on for this access depends on the system configuration: whether the system is stand-alone or has been configured as a member of a domain.

[NOTES FROM THE FIELD] - The next article, "User Logon and Authentication in Windows XP, Part 2," will explain the differences in the two system configurations and the available logon types in greater detail.

Note that, by default, a stand-alone Windows XP system (one that is not a member of a domain) presents the "Welcome" screen in most cases, instead of the "Log On to Windows" dialog box that a domain-joined system presents when the user presses CTRL+ALT+DEL.

The Welcome screen lists all of the available user accounts on the local system. In this configuration the username is on display for anyone who walks up to the console to select. (There is no username field, so nothing has to be typed to identify the account.) Only the password for the selected account is required to log on.

This behavior is controlled on stand-alone systems via the Control Panel under User Accounts. On the User Accounts screen, under "Pick a task," choose "Change the way users log on or off." By default, the "Use the Welcome Screen" checkbox is selected, which gives the end user the Welcome screen. Clearing this checkbox configures the system to use the "standard" Log On to Windows dialog box at startup and for each subsequent logon.

Stand-alone configurations that use the Log On to Windows dialog box still do not require the CTRL+ALT+DEL key combination to log on, because the policy "Interactive logon: Do not require CTRL+ALT+DEL" is "Not defined" by default, which on a stand-alone system leaves the key combination optional.

To require CTRL+ALT+DEL on a local system, open Local Security Policy, expand Security Settings, then Local Policies, then Security Options. In the details pane, double-click "Interactive logon: Do not require CTRL+ALT+DEL" to bring up its properties page and change the setting from "Not defined" to "Disabled." Disabling this policy is what makes the key combination mandatory. The point of requiring it is that CTRL+ALT+DEL is a secure attention sequence that only Winlogon can intercept, so a program left running on the console cannot present a look-alike logon dialog to capture the next user's password.

Changing Local Security Policy requires administrative rights on the local system. If you are logged on with a standard user account, go to Administrative Tools on the Start Menu, find the Local Security Policy MMC, and right-click it to bring up the RUN AS option. (A user logged on with an account that has administrative-level rights on the local system does not need to perform these steps.)

Once the Secondary Logon service starts, the RUN AS dialog box appears and lets the user enter the credentials of an administrative account. The Local Security Policy MMC then opens with the appropriate rights on the local system, and the desired change can be made.

[NOTES FROM THE FIELD] - You can also start an empty MMC console from RUN on the Start Menu by entering RUNAS /user:<computername>\<username> MMC, where <username> is the name of a user account with administrative access to the system. This opens a command window in which the user supplies the required credentials, and the session text looks similar to this:

C:\%SYSTEMROOT%>runas /user:<computername>\<username> mmc

Enter the password for <computername>\<username>: (enter the password here)

Once the password is entered, the next line in the command window reads

Attempting to start mmc as user "<computername>\<username>" ...

As long as the correct username and password combination is entered, an empty MMC console appears, running in an administrative context on the local system; the Local Security Policy snap-in can then be added to it.

Remember that to make the system require the CTRL+ALT+DEL keys at logon you must set the policy that reads "Interactive logon: Do not require CTRL+ALT+DEL" to DISABLED, replacing its default setting of "Not defined."

In configurations where the system is a domain member, or where a stand-alone system has been configured not to use the Welcome screen, users must type a username into the client system's logon security dialog box (often called the "logon screen" or the "CTRL+ALT+DELETE screen") to identify themselves. They must then supply the password associated with that user account to authenticate the identity they have claimed. The username identifies the user; the password is the proof, and the user must know both.

[NOTES FROM THE FIELD] - Windows XP Professional systems can be configured in a stand-alone configuration so that individual usernames and passwords are not required at all. The system can be configured to assume that the same user always logs on to the box (or that a number of different users who log on will share one user account), and it will automatically log on that single account every time the system starts.

A password is not necessary for this setup to work, and the account can be configured without one. If the account does have a password, it is entered once when automatic logon is set up and replayed at every subsequent start; it is stored in the registry (the DefaultPassword value under the Winlogon key) in cleartext, where local users can read it.

Both of these configurations are insecure, since anyone who can reach the console can use the system as that account, and they are not recommended in most environments.

In an enterprise environment, where autologon is used in conjunction with a domain user account, this may give an unauthorized individual some degree of access to the network at large simply by walking up to an active console.

Domain-level accounts can also be configured without a password, but this action is even more discouraged than an automatic local logon.
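The Welcome screen, the CTRL+ALT+DEL requirement and automatic logon discussed above all live under one registry key, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (LogonType, DisableCAD, AutoAdminLogon, DefaultUserName, DefaultDomainName and DefaultPassword). The following audit script is an added example, not code from the article: it parses a `reg export` of that key and flags each of the weak settings covered in this section, alongside a hardened export of the same key for comparison. Both registry exports are constructed sample input for this example, and the account name, domain and password in them are made up.

```python
import re

# Constructed sample: the text `reg export` would produce for the Winlogon key
# on a stand-alone XP box configured the insecure way the article warns about.
# The user, domain and password values are invented for this example.
WEAK_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="1"
"DefaultUserName"="kiosk"
"DefaultDomainName"="CORP"
"DefaultPassword"="Summer2003"
"LogonType"=dword:00000001
"DisableCAD"=dword:00000001
"""

# Constructed sample: the same key after hardening (classic logon dialog,
# CTRL+ALT+DEL required, autologon off and the stored password removed).
HARDENED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="0"
"DefaultUserName"="kiosk"
"LogonType"=dword:00000000
"DisableCAD"=dword:00000000
"""

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def parse_reg_export(text):
    """Parse a Regedit 5.00 export into {key_path: {value_name: value}}.
    REG_SZ ("...") becomes str, REG_DWORD (dword:hex) becomes int; other
    value types are kept as their raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name, data = m.group("name"), m.group("data")
        if data.startswith('"') and data.endswith('"'):
            value = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        elif data.lower().startswith("dword:"):
            value = int(data[6:], 16)
        else:
            value = data
        keys[current][name] = value
    return keys


def audit_winlogon(text):
    """Return a list of (finding_id, detail) tuples for the console-logon
    weaknesses this section discusses; an empty list means none were found."""
    wl = parse_reg_export(text).get(WINLOGON, {})
    findings = []
    # Welcome screen (LogonType 1) displays every local account to whoever is at the console.
    if wl.get("LogonType") == 1:
        findings.append(("welcome-screen", "LogonType=1: Welcome screen lists local accounts"))
    # "Interactive logon: Do not require CTRL+ALT+DEL" is DisableCAD; 1 means not required.
    if wl.get("DisableCAD") == 1:
        findings.append(("cad-not-required", "DisableCAD=1: secure attention sequence not enforced"))
    # AutoAdminLogon is a REG_SZ "1"; a DefaultPassword next to it is cleartext.
    if str(wl.get("AutoAdminLogon", "0")) == "1":
        user = wl.get("DefaultUserName", "?")
        domain = wl.get("DefaultDomainName")
        target = f"{domain}\\{user}" if domain else user
        findings.append(("autologon", f"AutoAdminLogon=1: console logs on as {target} at boot"))
        if "DefaultPassword" in wl:
            findings.append(("cleartext-password", "DefaultPassword stored in cleartext in the registry"))
        if domain:
            findings.append(("domain-autologon", "autologon uses a domain account: console access becomes network access"))
    return findings


if __name__ == "__main__":
    for label, export in (("weak", WEAK_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(f"== {label} ==")
        for fid, detail in audit_winlogon(export) or [("ok", "no findings")]:
            print(f"[{fid}] {detail}")
```

Run against a real export, the script reads the file instead of the embedded samples; on a live system the same values can be read directly with `reg query`. The hardened sample deliberately keeps DefaultUserName, which is harmless on its own, so that the audit shows it is the AutoAdminLogon/DefaultPassword pair, not the presence of a default name, that matters.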

For most systems, supplying the correct password for the account entered is enough to prove to the system that a user is who she says she is, and she is granted access. This is called single-factor authentication: the username and the password are both things the user knows, so only one kind of evidence (something you know) has been checked.

In certain high-security environments and in particular situations, end users may be required to supply additional information above and beyond just identifying themselves by entering a username and validating that entry with a password.

They may, for example, be required to insert a smart card into the computer's card reader before starting a logon session. This is really no different from the steps taken at an ATM.

When you walk into a bank to get money from the ATM, you take out your ATM card (something you have) and swipe it or insert it into the ATM's card reader. You then enter the personal identification number (PIN) for the card (something you know). Once this is done, you can access your account. Because the card and the PIN are two different kinds of evidence, this is, all by itself, two-factor authentication: stealing the card alone, or learning the PIN alone, is not enough.

Let's step away from the ATM and repeat these steps at a secured computer console. Again, you take your smart card and swipe it or insert it into the card reader for the computer. Again, you enter your PIN. Once you have done this, you can access the console and press CTRL+ALT+DEL to bring up the logon window. From here, you supply a valid username and corresponding password combination (something you know) to log on to either the local system or the domain. (Which one is determined by the credentials supplied, depending on whether they belong to a local or a domain account.)

A logon that requires a smart card and its PIN is two-factor authentication: the card (something you have) and the PIN (something you know) are both required, and neither alone is sufficient. Requiring a username and password in addition, as in the sequence above, adds a second "something you know" and makes the logon harder still, but it does not add a third factor. The strength of this type of logon comes from combining different kinds of evidence, not from the number of prompts.

That wraps up this installment of "Learn Windows XP Professional in 15 Minutes a Week." As always, if you have any questions, comments, or even constructive criticism, feel free to drop me a note. I want to write solid technical articles that appeal to a wide range of readers and skill levels, and it is only through your feedback that I can be sure I am doing that.

Until next time, remember:

"Winners never quit and quitters never win so quit while you're ahead."

This article was originally published on Tuesday Aug 26th 2003