May 09 2010

Security and Windows autologon

In this post we describe how to secure your autologon workstations. Anyone inside your company can use these PCs, because no account or password is required to log in. This is why you need to work out how to secure them.

An autologon workstation uses a service user account to open a Windows session. The most obvious way to set up autologon on a workstation is to edit registry keys. This method is not secure because the account credentials appear in clear text in the registry, meaning that the account can easily be used for other purposes.

In order to hide the password we will use the Autologon.exe tool developed by Sysinternals. This program uses the LSAStorePrivateData function in order to protect the password. This solution is less vulnerable than others, though not perfect. Have a look at this article which lists the free autologon solutions available.

We will now describe how to set up and automate the deployment of such workstations by following these steps: create and configure service user and computer accounts in AD, customize the service user account profiles, join the workstations to the domain, apply restrictive GPOs to the computers and service user accounts, and finally activate autologon on the workstations.

To achieve the first step we will use a script. Fill in the file input.txt by writing on each line the name of a computer account to create. The service user account name is “s-” followed by the computer account name. You will need to change the values at the beginning of the script to suit your environment:

  • OUComputers: The Distinguished Name of the Organizational Unit where you want to create your computer accounts. Put these accounts in a dedicated OU because we will apply a very restrictive GPO on these workstations. If you don’t want to or cannot isolate these accounts, you will need to apply a security filter to the GPO so that it does not impact other workstations or servers inside the OU. You can set up security filtering by creating a group of computer accounts and applying the GPO to this group only.
  • OUUsers: The Distinguished Name of the OU where you want to create your service user accounts.
  • DomainFQDN: Your domain FQDN.
  • DomainName: Your domain NetBIOS name.
  • DNGroup: The Distinguished Name of the group your service user accounts should be members of. You can adapt the script to put service user accounts in several groups or in none, or change it to put the computer accounts into a group in order to achieve group policy security filtering.
  • ProfileServerPath: Service user accounts will have roaming profiles that will also become mandatory via GPO. We will edit the profilePath account value in order to host the profiles on a network share.

Here is the script:

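'## start of script ###
' Values to adapt to your environment
OUComputers = "OU=Autologon-Computers,DC=ldap389,DC=info"
OUUsers = "OU=Users-Autologon,DC=ldap389,DC=info"
DomainFQDN = "ldap389.info" ' FQDN matching DC=ldap389,DC=info
DomainName = "ldap389"
DNGroup = "CN=GroupAutologon,OU=Groups,DC=ldap389,DC=info"
ProfileServerPath = "\\ServerName\Profiles"
Const ForReading = 1
Const ADS_PROPERTY_APPEND = 3
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000
Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6
Const ADS_ACEFLAG_OBJECT_TYPE_PRESENT = &H1
Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100
Const CHANGE_PASSWORD_GUID = "{ab721a53-1e2f-11d0-9819-00aa0040529b}"
Set fso = CreateObject("Scripting.FileSystemObject")
sCurPath = fso.GetAbsolutePathName(".")
Input = sCurPath&"\input.txt"
Output = sCurPath&"\output.txt"
Set df1 = fso.OpenTextFile(Input,ForReading,True)
Set FLog = fso.CreateTextFile(Output)
Randomize ' seed Rnd once for generatePassword
Do While Not df1.AtEndOfStream
	varLigne = df1.readline()
'Create service account to use for autologon
	Login = "s-"&varLigne
	Set objOU = GetObject("LDAP://"&OUUsers)
	Set objUser = objOU.Create("User", "cn="&Login)
	objUser.Put "sAMAccountName", ""&Login
	objUser.Put "UserPrincipalName", ""& Login &"@"&DomainFQDN
	objUser.Put "sn", ""&Login
	objUser.Put "givenname", ""&Login
	objUser.Put "description", "Autologon account: "&varLigne
	objUser.Put "Profilepath", ProfileServerPath&"\"&Login
'The object must exist in AD before its password and flags can be set
	objUser.SetInfo
'Generate password, use the function of your choice
	pwd = generatePassword(15)
	objUser.SetPassword ""& pwd
'Accounts created through ADSI are disabled by default: enable it
	objUser.AccountDisabled = False
	objUser.SetInfo
'Set password never expires
	intUAC = objUser.Get("userAccountControl")
	If ADS_UF_DONT_EXPIRE_PASSWD And intUAC Then
		Wscript.Echo "Already enabled"
	Else
		objUser.Put "userAccountControl", intUAC XOR _
			ADS_UF_DONT_EXPIRE_PASSWD
		objUser.SetInfo
	End If
'Set user cannot change password: deny the Change Password right to SELF and EVERYONE
	Set objSD = objUser.Get("ntSecurityDescriptor")
	Set objDACL = objSD.DiscretionaryAcl
	arrTrustees = array("nt authority\self", "EVERYONE")
	For Each strTrustee in arrTrustees
		Set objACE = CreateObject("AccessControlEntry")
		objACE.Trustee = strTrustee
		objACE.AceFlags = 0
		objACE.AceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT
		objACE.Flags = ADS_ACEFLAG_OBJECT_TYPE_PRESENT
		objACE.ObjectType = CHANGE_PASSWORD_GUID
		objACE.AccessMask = ADS_RIGHT_DS_CONTROL_ACCESS
		objDACL.AddAce objACE
	Next
	objSD.DiscretionaryAcl = objDACL
	objUser.Put "nTSecurityDescriptor", objSD
	objUser.SetInfo
'Generate the command to run autologon.exe on the workstation
'output.txt therefore holds every password in clear text: protect it and delete it after use
	FLog.WriteLine("autologon.exe "&Login&" "&DomainName&" "&pwd)
'Add the user created to the group DNGroup
	Set objGroup1 = GetObject("LDAP://"&DNGroup)
	objGroup1.PutEx ADS_PROPERTY_APPEND, "member", Array("cn="&Login&","&OUUsers)
	objGroup1.SetInfo
'Create computer account (4096 = workstation trust account)
	Set objOU2 = GetObject("LDAP://"&OUComputers)
	Set objCpu = objOU2.Create("Computer", "cn="&varLigne)
	objCpu.Put "sAMAccountName", varLigne & "$"
	objCpu.Put "userAccountControl", 4096
	objCpu.Put "description", "Autologon workstation"
	objCpu.SetInfo
Loop
df1.Close
FLog.Close
msgbox "OK"
Function generatePassword(PASSWORD_LENGTH)
	' Stand-in body: the function body is not reproduced on this page.
	' Rnd is not a cryptographic random generator; substitute the generator of your choice.
	' Only letters and digits are used so the password survives the autologon.exe command line.
	Const CHARS = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789"
	Dim i, s
	s = ""
	For i = 1 To PASSWORD_LENGTH
		s = s & Mid(CHARS, Int(Rnd * Len(CHARS)) + 1, 1)
	Next
	generatePassword = s
End Function
'## end of script ###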

Download script here:


In order to randomize the service user account password we use Mark D. MacLachlan’s function, the same way as in my previous post. You can also decide to set the same password for each account. The accounts are flagged “User cannot change password” and “Password never expires” because if the password changes you will need to configure your workstation again with the autologon.exe program. The output.txt file contains the command lines you should run on your workstations to set up autologon with the Sysinternals tool. We will use this file later.

Now you need to configure the roaming profiles of your user accounts by copying them from an existing profile template.

Then, having created computer accounts with the above script, join your workstations to the domain.

Create a GPO and link it to the OU where the computer accounts are located; if necessary, apply group policy security filtering. On those workstations we need to modify the user environment in order to secure them. In order to apply user settings on a computer object we use the Group Policy loopback feature.

Under Active Directory 2003 some registry settings cannot be edited through the default administrative templates, so you have to create custom ADM files. I suggest you read this document, which explains all of the details for registry-based Group Policy. You can also use the reg2adm tool embedded in the Network UTilities Suite developed by Yizhar Hurwitz.

Under Active Directory 2008, thanks to Group Policy Preferences, editing a registry key is simpler (read page 10 of the whitepaper).

We will use Simon Geary’s custom administrative template in order to disable USB and CD drives on the autologon workstations.

In order to make preconfigured roaming profiles mandatory we will enable this setting on the GPO: “Prevent Roaming Profile changes from being propagated to the server”.

Several restrictive settings are applied to the GPO. This list is not exhaustive; you can add or delete settings at your convenience:

Finally in order to activate the autologon on the workstations, you need to run the appropriate command line which is provided in the output.txt file on each computer.
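
A check you can run on a workstation once autologon is active, added here as an illustration and not part of the original post: it reads the standard Winlogon values (AutoAdminLogon, DefaultDomainName, DefaultUserName, DefaultPassword) and flags the clear-text registry case described at the start of this post. The function name Get-AutologonFinding and the sample account s-PC001 are assumptions made for this example.

```powershell
# Added example: report whether autologon leaves a clear-text password in the registry.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-AutologonFinding {
    param(
        [Parameter(Mandatory = $true)] $Values,   # object exposing the Winlogon values as properties
        [string] $Source = 'local registry'
    )
    $enabled  = ($Values.AutoAdminLogon -eq '1')
    # A non-empty DefaultPassword value means the manual registry method was used.
    $hasClear = -not [string]::IsNullOrEmpty($Values.DefaultPassword)

    if ($hasClear) {
        $status = 'FAIL: DefaultPassword is stored in clear text'
    } elseif ($enabled) {
        $status = 'OK: autologon enabled, no DefaultPassword registry value'
    } else {
        $status = 'INFO: autologon not enabled'
    }
    # The password itself is never written to the report.
    [pscustomobject]@{
        Source  = $Source
        Account = "$($Values.DefaultDomainName)\$($Values.DefaultUserName)"
        Status  = $status
    }
}

# Constructed sample data (not taken from a real machine) showing both outcomes.
$samples = @(
    [pscustomobject]@{ Name = 'constructed: manual registry edit'; AutoAdminLogon = '1'
                       DefaultDomainName = 'ldap389'; DefaultUserName = 's-PC001'
                       DefaultPassword = 'ExamplePassw0rd' },
    [pscustomobject]@{ Name = 'constructed: set with Autologon.exe'; AutoAdminLogon = '1'
                       DefaultDomainName = 'ldap389'; DefaultUserName = 's-PC001' }
)
foreach ($s in $samples) { Get-AutologonFinding -Values $s -Source $s.Name }

# Live check of the workstation the script runs on.
if (Test-Path $WinlogonKey) {
    Get-AutologonFinding -Values (Get-ItemProperty -Path $WinlogonKey)
}
```

An OK result only shows that the password is not a registry value; as noted above, the Autologon.exe method is less exposed than the manual one, not perfect.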
