Learn Windows XP in 15 Minutes a Week: User Logon and Authentication, Part 1 Page 2

By Jason Zandri
Posted Aug 26, 2003

[NOTES FROM THE FIELD] - You can also start up a custom MMC from RUN on the Start Menu by entering RUNAS /user: MMC; where is the name of the user account with administrative access to the system. This will open a command window for the user to supply the required credentials, and the session text would look similar to this:

C:\%SYSTEMROOT%>runas /user: mmc

Enter the password for : (enter the password here)

Once the password is entered, the next line in the command window reads

Attempting to start mmc as user "\" ...

As long as the correct username and password combination is entered, the default MMC console should appear and be running in an administrative context for the local system.

Remember that to set the system to require the CTRL+ALT+DEL keys to be used to log on, you must DISABLE the policy that reads "Interactive logon: Do not require CTRL+ALT+DEL," whose default setting is "Not defined."

In configurations where the system is a domain member or where a stand-alone system has been configured to not use the Welcome screen, users must provide a username (which the admin must know) to the client system's logon security dialog box (often called the "logon screen" or the "CTRL+ALT+DELETE screen") to identify themselves. The user must then provide the password (which the admin must also know) associated with that user account to authenticate the credential she supplied.

[NOTES FROM THE FIELD] - Windows XP Professional systems can be configured to not require individual usernames and passwords in a stand-alone configuration. The system can also be configured to assume the same user always logs on the box (or that a number of different users that log on are going to use the same user account), and it will automatically log in that single account every time the system starts.

A password is not necessary for this setup to work. Account passwords are entered once and remembered for each autologon event when the system is started. The account can also be configured without a password.

Both of these configurations are insecure and thus not recommended in most environments, where anyone can simply walk up to the system and use it.

In an enterprise environment, where autologon is used in conjunction with a domain user account, this may allow an unauthorized individual access to the network at large in some capacity by simply walking up to an active console.

Domain-level accounts can also be configured without a password, but this action is even more discouraged than an automatic local logon.
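
A read-only audit of the two settings discussed above, autologon and the CTRL+ALT+DEL requirement, added here as an example and not part of the original article. It assumes PowerShell is available on the system being checked; the registry locations are the standard Winlogon and policy keys, and the function names are hypothetical.

```powershell
# Added example: report autologon and CTRL+ALT+DEL settings (reads only, changes nothing).
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$policies = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Test-LogonHardening {
    $findings = @()

    # AutoAdminLogon = "1" means the account below is logged on at every start.
    $auto = Get-RegValue $winlogon 'AutoAdminLogon'
    if ("$auto" -eq '1') {
        $user   = Get-RegValue $winlogon 'DefaultUserName'
        $domain = Get-RegValue $winlogon 'DefaultDomainName'
        $findings += "Autologon is enabled for '$domain\$user'."

        # The password itself is never printed, only the fact that it is stored.
        # If it is absent, the password may be held as an LSA secret instead.
        if ($null -ne (Get-RegValue $winlogon 'DefaultPassword')) {
            $findings += 'DefaultPassword is present: the autologon password is stored in clear text in the registry.'
        }
    }

    # DisableCAD backs "Interactive logon: Do not require CTRL+ALT+DEL".
    # 0 = policy Disabled (CTRL+ALT+DEL required); absent = "Not defined".
    $cad = Get-RegValue $policies 'DisableCAD'
    if ($null -eq $cad) {
        $findings += 'CTRL+ALT+DEL policy is "Not defined" (DisableCAD absent).'
    } elseif ($cad -ne 0) {
        $findings += 'CTRL+ALT+DEL is not required at logon (DisableCAD is non-zero).'
    }
    $findings
}

$result = @(Test-LogonHardening)
if ($result.Count -eq 0) { 'No autologon or CTRL+ALT+DEL findings.' }
else { $result }
```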

For most systems, supplying a correct corresponding password for the account entered is enough to prove to the system that a user is who she says she is, and she will be provided access. This is called single factor authentication, as a single username/password combination has been provided, and access was allowed based on the correct entry of both.

In certain high-security environments and in particular situations, end users may be required to supply additional information above and beyond just identifying themselves by entering a username and validating that entry with a password.

They may, for example, be required to insert a smart card into the computer's card reader before starting a logon session. This is really no different from the steps taken at an ATM machine.

When you walk into a bank to get money from the ATM you take out your ATM card (something you have) and swipe it or insert it into the ATM's card reader. You then must enter in your personal identification number (PIN) for the ATM card (something you know). Once this is done, you can immediately access your account. This, all by itself, is a form of single factor authentication.

Let's step away from the ATM and repeat these steps at a secured computer console. Again, you would take your smartcard and swipe it or insert it into the card reader for the computer. Again, you enter your PIN. Once you have done this, you will be able to access the console and hit CTRL+ALT+DEL to bring up the logon window. From here, you supply a valid username and corresponding password combination (something you know) to log on to either the local system or access the domain. (Access would be determined based on the credentials supplied and depend on whether they were for a local or a domain account.)

A logon that requires both a smartcard and PIN combination as well as a username and password combination is an example of two-factor authentication. This type of logon is much more secure, as both identifiers are required for a successful logon to this configuration.

That wraps up this installment of "Learn Windows XP Professional in 15 Minutes a Week." As always, if you have any questions, comments, or even constructive criticism, feel free to drop me a note. I want to write solid technical articles that appeal to a wide range of readers and skill levels, and it is only through your feedback that I can be sure I am doing that.

Until next time, remember:

"Winners never quit and quitters never win so quit while you're ahead."
