Solved

Auto Login - Windows server 2003

Posted on 2009-04-09
Last Modified: 2012-05-06
Hi there,

We have some servers I'd like to auto-login - though most of what they do
runs as a service, some legacy desktop applications point blank refuse to
play nicely and must be run under a domain account. As the servers are on a
domain, the control userpasswords2 method of auto-logon will not work (the
options do not appear on a domain machine). TweakUI would be overkill and a
pain to roll out, so the registry is our only option.

If we were to restrict the Winlogon key in the registry to the local admins
group via ACL, what's the worst that could happen? (Please bear in mind that
the only people who ever access this server do it via a local intranet site
over the anonymous IUSR account, and people in the local admins group).
Thanks!
0
Question by:question
13 Comments
 
LVL 7

Expert Comment

by:spamster
ID: 24112108
So the question is, what's the worst that could happen if you had your server's auto-login? As long as they're physically secured, I don't think you should run into any problems. I'm setting it up on a test VM right now, cause I'm curious...
0
 
LVL 4

Expert Comment

by:StefanKittel
ID: 24112143
Hello,

I think the real problem is the (encrypted) stored password. Somebody can copy this information from the registry to another machine to gain admin access, or brute-force it to calculate the password (with a current GPU it takes "only" 8 days).

But to gain access to the registry, the attacker already needs more rights than a normal user has.

Stefan
0
 
LVL 6

Author Comment

by:question
ID: 24112231
To put it in a different way...
  How do I go about autologin other than the above method on a Server 2003 machine on a domain?

http://support.microsoft.com/default.aspx?scid=kb;[LN];324737
0
 
LVL 6

Author Comment

by:question
ID: 24112242
Or if the above KB can still be used, then how do I go about modifying permissions so that I don't give users who log in to the server permission to read that password?
  Remember, the user might be on a remote login session and reading this information from the registry.
0
 
LVL 6

Author Comment

by:question
ID: 24165358
I am not worried about an attacker from inside the network. As long as I am not storing the password in clear text, I am good. How do I go about it?
0
 
LVL 4

Expert Comment

by:StefanKittel
ID: 24165387
Hello,

Tweak UI for Windows 2003 Server should store the password encrypted in
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"

If not you may have a look at http://msdn.microsoft.com/en-us/library/aa378826.aspx

Stefan
0
 
LVL 6

Author Comment

by:question
ID: 24165463
Thanks a lot, Stefan. Of course I cannot use the Winlogon key in the registry, as it stores the password in clear text and we would be caught on auditing.
  Even though I was able to understand that the second part is about securing the password, I was unable to understand how I would be able to use the code available there.
  By the way, the server is in a domain.
0
 
LVL 4

Expert Comment

by:StefanKittel
ID: 24165508
Hello,

Not so complicated. Tweak UI for Windows 2003 Server does store the password encrypted.
But please try it and have a look in "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" to be sure that the password is really encrypted.

The link shows the routines for writing a program to store an encrypted password yourself.
If you can write such a program, you can set the locally stored password through the network in one step.
If not, you need your feet :-)

Stefan
0
 
LVL 6

Author Comment

by:question
ID: 24167891
I have very minimal knowledge of VB 2008.
  But then if I write a program, will it run as a service? I can't seem to understand the code. Is it a kind of shell scripting? How do I integrate it in a program?
  Though TweakUI is not harmful, my client is harmful. So I was checking if there is a different way of encrypting the password. Thanks a lot for the code, but I am not sure how to go about using it.
Apologies for the ignorance. See if you can point me in the right direction to use the code, or to a different idea.
0
 
LVL 6

Author Comment

by:question
ID: 24304825
Any other way to keep the password encrypted other than TweakUI? The TweakUI PowerToy installation on the server will not be permitted by our client.
0
 
LVL 6

Author Comment

by:question
ID: 24389584
We have a domain policy where we have the policy configured for "interactive message", like welcome to... and stuff. We have a few servers also under the OUs, and we need to prevent just the interactive message policy from getting applied for a single OU alone, and we cannot block the domain policy as there are several other policies configured in the domain policy.

-?
0
 
LVL 8

Accepted Solution

by:
dkumar82 earned 500 total points
ID: 24455422
Follow the steps below.

Step 1: Apply the autologon feature using Sysinternals' Autologon
Download Autologon from the Internet address provided below:
HTTP://DOWNLOAD.SYSINTERNALS.COM/FILES/AUTOLOGON.ZIP
Or read more about Autologon by clicking the link below:
HTTP://WWW.MICROSOFT.COM/TECHNET/SYSINTERNALS/SECURITYUTILITIES.MSPX
Unzip Autologon.zip and double-click Autologon.exe.
Enter your password and click Enable.

Step 2
To enable the logon screen after the PC has auto-booted, to ensure that the PC or server secures itself, please follow these instructions:
1. Go to Control Panel
2. Double-click on the "Display" icon
3. Click on the Screen Saver tab
4. Select a number in the minutes scroll box
5. Check the box that says "On resume, password protect"
That's all there is to it!
0
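An added example, not part of the thread or any poster's code: a read-only PowerShell check for the two concerns raised above, namely whether the Winlogon key holds a cleartext `DefaultPassword` value and which accounts can read the key's values. It assumes PowerShell is installed on the server and that built-in group names are in English; the value names are the standard Winlogon auto-logon values.

```powershell
# Added example: read-only audit of auto-logon settings. Run from an elevated prompt.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$wl  = Get-ItemProperty -Path $key

# AutoAdminLogon is a REG_SZ; "1" means Winlogon logs on automatically at boot.
$autoLogon = ($wl.AutoAdminLogon -eq '1')

# DefaultPassword, when present, is a plain REG_SZ readable by anyone with
# read access to the key. Report only its presence, never its value.
$hasCleartext = -not [string]::IsNullOrEmpty($wl.DefaultPassword)

"AutoAdminLogon enabled : $autoLogon"
"Logon account          : $($wl.DefaultDomainName)\$($wl.DefaultUserName)"
"Cleartext password set : $hasCleartext"

if ($autoLogon -and -not $hasCleartext) {
    # Auto-logon works without the registry value when the password is held
    # elsewhere, for example as an LSA secret.
    "Note: auto-logon is on and no DefaultPassword value exists in this key."
}

# Identities assumed trusted for this audit (English names; adjust as needed).
$trusted = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER'
$query   = [int][System.Security.AccessControl.RegistryRights]::QueryValues

# List every other identity with an Allow entry that includes reading values.
(Get-Acl -Path $key).Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ([int]$_.RegistryRights -band $query) -ne 0 -and
        $trusted -notcontains $_.IdentityReference.Value
    } |
    ForEach-Object { "Can read values: $($_.IdentityReference.Value)" }
```

A "Cleartext password set : True" result together with any "Can read values" line is the combination the auditing concern in the thread is about.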
 
LVL 6

Author Closing Comment

by:question
ID: 31568717
This really helps.
0
