G
Guest
Environment:
Windows XP Pro SP1 authenticating to a network domain. The workstation is
located in an area with routine corporate physical security readily available
to other employees. It is not in a physically secured area such as a server
room.
Issue:
The IT department has begun pushing out periodic Automated Updates overnight
which subsequently reboot my workstation. The negative result of this
process is my scheduled tasks, which require my network credentials, fail
because I am no longer logged into the network when the task is scheduled to
run. (I leave my workstation logged in and locked when unattended).
Givens:
1. Tasks will remain on the existing workstation.
(That is where required software is located).
2. Task will continue to use my existing network account credentials.
(Tasks require security access to network resources which require
permissions granted to my network account).
Proposed solution:
I have identified a means to Autologin to the domain after the workstation
is rebooted following the Automated Updates. It requires changes to the
Winlogon registry key. However, the process requires the password to be
stored in the registry in clear text. The obvious downside here is that
other users with sufficient permission can read the password, either locally
or remotely. I believe I can mitigate this exposure by modifying the
permissions on the Winlogon key to restrict access to everyone except my
network account and SYSTEM. Another minor downside is that all future
network account password changes would also have to be made to the registry
key.
A remaining issue is how to lock my workstation immediately after the
machine has rebooted and Autologin has logged into the domain with my network
credentials. I need to identify a means to run a command at startup that
will lock the workstation and can not be circumvented by a user.
I am familiar with the following command that will lock the workstation:
%windir%\System32\rundll32.exe user32,LockWorkStation
However, I need to identify a means to run the command that can not be
bypassed by a user. For example, putting the command in Start
Menu\Programs\Startup is not a feasible option because this startup method
can be skipped
Questions:
Q1. Does anyone see any other security holes in the Autologin portion of the
process I described that I failed to mention?
Q2. Is there a way to run the command to lock the workstation at startup
that a user can not break out of before it runs?
Thank you.
Windows XP Pro SP1 authenticating to a network domain. The workstation is
located in an area with routine corporate physical security readily available
to other employees. It is not in a physically secured area such as a server
room.
Issue:
The IT department has begun pushing out periodic Automated Updates overnight
which subsequently reboot my workstation. The negative result of this
process is my scheduled tasks, which require my network credentials, fail
because I am no longer logged into the network when the task is scheduled to
run. (I leave my workstation logged in and locked when unattended).
Givens:
1. Tasks will remain on the existing workstation.
(That is where required software is located).
2. Task will continue to use my existing network account credentials.
(Tasks require security access to network resources which require
permissions granted to my network account).
Proposed solution:
I have identified a means to Autologin to the domain after the workstation
is rebooted following the Automated Updates. It requires changes to the
Winlogon registry key. However, the process requires the password to be
stored in the registry in clear text. The obvious downside here is that
other users with sufficient permission can read the password, either locally
or remotely. I believe I can mitigate this exposure by modifying the
permissions on the Winlogon key to restrict access to everyone except my
network account and SYSTEM. Another minor downside is that all future
network account password changes would also have to be made to the registry
key.
A remaining issue is how to lock my workstation immediately after the
machine has rebooted and Autologin has logged into the domain with my network
credentials. I need to identify a means to run a command at startup that
will lock the workstation and can not be circumvented by a user.
I am familiar with the following command that will lock the workstation:
%windir%\System32\rundll32.exe user32,LockWorkStation
However, I need to identify a means to run the command that can not be
bypassed by a user. For example, putting the command in Start
Menu\Programs\Startup is not a feasible option because this startup method
can be skipped
Questions:
Q1. Does anyone see any other security holes in the Autologin portion of the
process I described that I failed to mention?
Q2. Is there a way to run the command to lock the workstation at startup
that a user can not break out of before it runs?
Thank you.