NullTerminator
Auto Logon And Lock Workstation

I have setup auto login for a user at a standalone server.
How do I then lock the workstation so unattended reboots are secure?

When the auto logon executes, the console is open for anyone's use.
After five minutes the screen saver activates.

I think there should be some command I could add to the startup script
for the auto logon user.
LOCAL MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run can be used to run a command right after login.  Don't know what command one would run, but if you can find an exe that will lock the workstation you could use this regkey to run it.
jkr
What about setting the screen saver time interval to 0?
Null,

   I asked the same question and the answer was you can't do it unless you have a dll rewritten for the very purpose.  I had to settle for disabling Autologon to set the machine in Lock Workstation mode.
great idea jkr...then whenever you have a second of a pause the screen saver activates and you have to unlock the workstation.

this seems to be a very common question and the only way I have been able to answer it (and the only answers I've seen) was to enable autologon and then use the Run key in the registry (see Grim) to start some small and free screen saver launcher. This way you won't have to deal with the idle period anymore.

now when a reboot occurs, the computer goes into lock mode until it is unlocked at which point normal execution starts. Do not put the screen saver launcher into the StartUp group of the start menu as this can be stopped by holding the shift key during logon...

if you end up employing this method, then please reopen this thread so that I can answer it.
Null,

  Mad has a great idea about starting the screensaver instantly.  However, i ain't much of a hacker, but i can think of 2 ways to bypass and hack through the cheesy screensaver password.  
even in NT? I know Windows 3.x/9x is a joke, but NT is quite good at locking!
Our situation requires an autologon for now.  I need to execute the user logon script to trigger other events, part of which allows me to connect as a webserver to an as400.

I have no problem kicking the screen saver. I can do it from the startup script.  But on mouse movement the console opens up unsecured until the timer expires.  I had the timer set to 10 seconds.  Maybe there are undocumented command line switches for screen savers....

What I am looking for is an exe to trigger console locking, or an API I can use to write a utility to call from the script file.
I don't think you got my point: the screen saver is launched immediately and thus mouse movement will only cause it to disappear and show the locked ws box. I have yet to see an API you can use and this is about the 5th question of this kind that I have helped to answer...
MaDdUCK,
I understood your point.  I had already tried that.  It works fine in Win 95, but in NT it reverts to the state of the console before the screen saver was invoked.  If the normal timeout on the "console's" screen saver is one minute, and 55 seconds have elapsed since boot finished and the screen saver was invoked, and I move the mouse, the console reopens without a password and the timer resets.  It does not show the Workstation Unlock box as we both expected.

Does yours lock the work station if you kick the screensaver from the start run box?

I have the screen saver's password box checked, and the screensaver works properly when the console timer expires.  am using NT 40 sp3 optpack4 black16.scr

To dankh:
NT screensavers kick you to NT's unlock workstation box, not the cheesy Win95 version

null
Null,

   Maybe so, but i can still hack my way through it easily.  I have done it before.  :)
I can see possibilities for hacking through or around the screen saver, but are you hacking the password feature?
'\0'
dankh: you mind sharing how you do that?

NullT: it works for me and as I said it worked for the five others. I don't understand what your problem is--why does the timeout matter if you launch the screen saver from an external program. Once it is invoked it will go its way and therefore you will not be able to move the mouse to avoid it without seeing the lock box...
I don't understand what my problem is either.  That's why I'm here.  It works fine for me in 95 on several machines.  I have screen saver starting from startup group, and also from a short cut on my desktop.  I don't have a screen saver set in the display properties box at all.  When I walk away from my PC I click the shortcut on my desktop and it is locked.  It requires a pass word to unlock it.

In NT, starting from the logon script activates the screen saver, but requires no password if the workstation is "unlocked" beneath the screen saver.  If I manually fire the screen saver, while the workstation is unlocked and move the mouse it returns to the unlocked state with no question.  Does your  installation behave this way?  How are you invoking the screen saver?

If I initiate the screen saver from the RUN key of the registry, it starts for a moment, then disappears when Explorer refreshes.  I left explorer and control panel open when I shut down and so they reopen when I start up again.

Perhaps some of the others you have helped can shed some light by reviewing their configurations and telling me how they invoke the screen saver.

I hope I am making this clear for you.
'\0'

ps
One way you can defeat screen savers on a fat drive is startup in dos and delete or rename all *.scrs, or in 95 you can startup in safe mode and edit start menu, or registry.
'
okay, now I know what's going on. You have to start the screen saver not by executing screensaver.scr /s or the like, but with a launcher!!! you can get those at www.winfiles.com or www.download.com and all they do when executed is launch the currently defined screen saver. This way the password option will be enabled. Get a launcher and try it out, I am very positive this is the solution.
Mad,

   Launcher?  Couldn't you stop that from autoloading by holding down a key during boot?  

I don't know if i should share the info about hacking through a password protected machine on EE.  
only if you put it into the startup group. if you put it into the logon script or the run registry key then it will run no matter what.
about hacking info-I don't think there should be a problem in posting it, but if you prefer not to, could you please send me the info via email to madduck@flix.de? I am very interested because I am in charge of the NT security of some local networks at my college and we need high security settings, including making sure that no one uses workstations without authorization.
Mad,

  Ok, i will post it here.  If you use a screensaver to execute the lockworkstation at boot up, all i would have to do is delete the screensaver(s) from your WinNt folder.  I would restart the computer with any setup disk, get to a prompt, access your Winnt folder and delete the screensaver.  Upon boot, i will automatically be logged on, and i will receive an error that the computer couldn't find xxxxx.scr.  
okay, but what if the system partition is NTFS?
Mad,

Hmmm, you are throwing in new variables! :)  NTFS is far superior to FAT for security.  I am sure there are ways around that, if i look hard enough.  :)
well, if someone has a server with FAT as system partition, then this someone cannot be too concerned about security!!! so cracks and hacks here have no point. If you can crack the NTFS scenario then I'd be impressed!
Mad,

  It can be done.  Like i said, i ain't much of a hacker.  But i am sure i can do it if i apply myself and my resources.  
Name the launcher you recommend for NT
Mad
re FAT system partition,  this is actually a recommended installation.  system on a fat drive, data on NTFS.  Most of our NT boxes are configured this way.  If for some reason some system file or configuration file gets corrupted you can boot to an alternate operating system and fix it.  Boot files on a FAT is necessary in cases of multi boot systems.

In terms of server security, you may be liable to a denial of service attack, but the data is protected on the NTFS partition.

To beat people from deleting the scr file you put that on the NTFS volume and call as normal.

Since this discussion seems to be non productive, I will soon withdraw the question and possibly repost with more explicit detail of the problem.

Thanks for your comments, but to date "I've been there, done that."
'\0'
did my method not work?
I am pretty sure this is the only solution.
MaDdUCK,
There are several routines available to mount NTFS volumes from dos without the security...
Null,
I'd reconsider about the FAT partitions... NTFS is far more secure (and multi boot, should not be allowed in a business environment --> causes nothing but pain!).
You are right about the saver though... kicking it launches it unprotected! you need a launcher as MaDdUCK said... and he is right again that it is the only solution
ghinstek:
well, but write access is limited or not available (ref: NTFSDOS by www.ntinternals.com). So at least your data is somewhat protected from alterations.

'\0':
trust me, this is the solution and thus I will reanswer. I have yet to find a free launcher which is good and easy to use..I may end up writing one some time! If you have microsoft office 95 you can launch your screen saver with msoffice.exe /s and with office 97, osa.exe /s.

I will keep looking (winfiles.com, download.com etc. are the places to go)  and you shall hear from me as soon as I found one. maybe you want to ask in the win or c++ programming area as to how to code a launcher if you'd want to do it yourself.
Mad,

To date your suggestion did not work.  I have not found launcher for NT that causes the under lying console to be locked when the screen saver releases.  It works fine in Win 95, but not in NT.

Do you have a launcher that will?

ghinstek,
I won't argue that NTFS is not superior.  We may convert at some point.  For now we are trying to get the various platforms communicating.  I  think the net result is I will have to forgo auto login and find some other way of defining the user account under which client access talks to the 400.

thanks
'\0'
osa.exe /s fires screen saver, but does not require password to unlock.

Ability - an application launcher will fire ss on demand, still no password
you are right...I tried it now. sorry then!

I will keep looking. did you ask in the programming areas?
Geeze,

  You guys still on this problem??
looks like it, huh?
OK, we're on track and can see the problem.  Somehow clicking the Lock Workstation button for the NT Security Box causes the Workstation to lock.  There must be an API or underlying function call responding to that event.  I need to trigger that event.

I didn't ask in the programming areas yet.  I was hoping jkr might jump in on this one.

An alternative answer would suit me.  If I can't work out security issues with autologon,  then how can I cause a drive mapping such as net use, with /USER: and password if NO ONE logs onto the system.  I've tried net start, net user.... in the autoexec.bat,  no effect.  I have called same commands in bat file called from run key and also run services key.  Run doesn't fire until someone logs on,  run services didn't work, but I'm not sure when it triggers (except sooner).  The server in question is a standalone in a small work group, connecting to a BDC in another domain.  I don't want to join that domain or set up trusts because the application will eventually move to a corporate web server.

'\0'
Null,

I've seen a little service like bat file which is supposed to run before logon and calls a batfile... it is called autoexnt and you can find it at
http://www.jsiinc.com/TIP0000/rh0006.htm

I have never tried it so I don't know if it'll do the trick...
autoexnt unfortunately does only execute upon logon.
ASKER CERTIFIED SOLUTION
dankh
To dankh,

It works.  It's not fancy, but it fires from the run key without a problem.  I imagine the startup script will behave as well.

Thanks for the help.
'\0'
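
A defender's check for the setup discussed in this thread, as an added example that is not part of any post: it reads the Winlogon auto-logon values and the machine-wide Run key and reports whether the console is left open after an unattended reboot. The function name and the `LockWorkStation` match are assumptions made here; that user32.dll export exists on Windows 2000 and later, not on NT 4.0.

```powershell
# Added example, not from the thread. Audits the two registry locations the
# thread revolves around: Winlogon auto-logon values and the HKLM Run key.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
# Properties the registry provider adds to every result; not real values.
$providerProps = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'

function Get-AutoLogonExposure {   # hypothetical helper name
    $w = Get-ItemProperty -Path $winlogon
    $autoLogon = ($w.AutoAdminLogon -eq '1')
    # DefaultPassword, when present, is stored in clear text in the registry.
    $plainPw = ($w.PSObject.Properties.Name -contains 'DefaultPassword')

    # Run-key commands start at logon and are not skipped by holding Shift,
    # unlike shortcuts in the StartUp group.
    $entries = @()
    $run = Get-ItemProperty -Path $runKey
    if ($run) {
        $entries = @($run.PSObject.Properties |
            Where-Object { $_.Name -notin $providerProps } |
            ForEach-Object {
                [pscustomobject]@{ Name = $_.Name; Command = [string]$_.Value }
            })
    }

    # Assumption: a lock step is recognised by a call to the LockWorkStation
    # export of user32.dll (Windows 2000 and later only).
    $lock = @($entries | Where-Object { $_.Command -match 'LockWorkStation' })

    [pscustomobject]@{
        AutoLogonEnabled   = $autoLogon
        DefaultUserName    = $w.DefaultUserName
        PlaintextPassword  = $plainPw
        RunEntries         = $entries
        LockAtLogonPresent = ($lock.Count -gt 0)
        # Auto-logon with no lock step leaves the console open after reboot.
        ConsoleExposed     = ($autoLogon -and $lock.Count -eq 0)
    }
}

$report = Get-AutoLogonExposure
$report | Format-List AutoLogonEnabled, DefaultUserName, PlaintextPassword,
                      LockAtLogonPresent, ConsoleExposed
$report.RunEntries | Format-Table -AutoSize
```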