Security and windows autologon
In this post we describe how to secure your autologon workstations. Those PCs can be used by anyone inside your company because no account and password are required to log in, which is why you need to work out how to secure them.
An autologon workstation uses a service user account to open a Windows session. The most obvious way to set up autologon on a workstation is to edit registry keys. This method is not secure because the account credentials appear in clear text in the registry, meaning that the account can easily be used for other purposes.
In order to hide the password we will use the Autologon.exe tool developed by Sysinternals. This program uses the LsaStorePrivateData function to protect the password. This solution is less vulnerable than others, though not perfect. Have a look at this article, which lists the free autologon solutions available.
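The difference between the two storage methods can be checked on a workstation. The following script is an added example, not part of the original post: it reads the standard Winlogon values (the ones used by both the registry method and Autologon.exe) and reports whether the password sits in clear text in the registry, and can optionally remove that value so the machine can be reconfigured with Autologon.exe.

```powershell
# Added example (not part of the original post): audit the autologon
# configuration of the local workstation. Run it in an elevated PowerShell.
# Assumed: the standard Winlogon value names, which are used by both the
# registry method and Sysinternals Autologon.exe.
param([switch]$Remediate)   # remove a clear-text DefaultPassword value when present

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$p = Get-ItemProperty -Path $winlogon

# Any local session can read HKLM\SOFTWARE, so a DefaultPassword value here
# is effectively a published credential for the service account.
$enabled   = ([string]$p.AutoAdminLogon -eq '1')
$clearText = ($null -ne $p.DefaultPassword)

$verdict = if (-not $enabled) {
    'Autologon disabled'
} elseif ($clearText) {
    'RISK: autologon password stored in clear text under Winlogon\DefaultPassword'
} else {
    # Autologon.exe leaves DefaultPassword out of the registry and keeps it in the
    # LSA secret of the same name. A local administrator can still recover an LSA
    # secret, which is why the post calls this solution "not perfect".
    'Password not in the registry (LSA secret if configured with Autologon.exe)'
}

[pscustomobject]@{
    AutoAdminLogon    = $enabled
    DefaultUserName   = $p.DefaultUserName
    DefaultDomainName = $p.DefaultDomainName
    ClearTextPassword = $clearText
    AutoLogonCount    = $p.AutoLogonCount   # optional countdown of remaining automatic logons
    Verdict           = $verdict
} | Format-List

if ($Remediate -and $clearText) {
    # Removing the value breaks the registry-based autologon on purpose:
    # re-enable it with Autologon.exe so the password lands in the LSA secret instead.
    Remove-ItemProperty -Path $winlogon -Name DefaultPassword -Confirm
    Write-Warning 'DefaultPassword removed; reconfigure this workstation with autologon.exe'
}
```

Run it as `.\Check-Autologon.ps1` for the report only, or with `-Remediate` to delete the clear-text value after confirmation; the same check can be pushed to every autologon workstation through your usual remote execution tooling to find machines that were set up with the registry method.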
We will now describe how to set up and automate the deployment of such workstations by following these steps: create and configure service user and computer accounts in AD, customize the service user account profiles, join the workstations to the domain, apply restrictive GPOs to our computers and service user accounts, and finally activate autologon on the workstations.
To achieve the first step we will use a script. Fill in the file input.txt by writing the name of each computer account to create on its own line. The service user account name will be the computer account name prefixed with “s-”. You will need to change the values at the beginning of the script to suit your environment:
- OUComputers: The Distinguished Name of the Organizational Unit where you want to create your computer accounts. Put these accounts in a dedicated OU because we will apply a very restrictive GPO to these workstations. If you don’t want to or cannot isolate these accounts, you will need to apply a security filter to the GPO so as not to impact other workstations or servers inside the OU. You can set up security filtering by creating a group of computer accounts and applying the GPO to this group only.
- OUUsers: The Distinguished Name of the OU where you want to create your service user accounts.
- DomainFQDN: Your domain FQDN.
- DomainName: Your domain NetBIOS name.
- DNGroup: The Distinguished Name of the group your service user accounts should be members of. You can adapt the script to put the service user accounts in several groups or none, or change it to put the computer accounts into a group in order to achieve group policy security filtering.
- ProfileServerPath: Service user accounts will have roaming profiles that will also become mandatory via GPO. We will set the account’s profilePath value in order to host the profiles on a network share.
Here is the script:
```vbscript
'## start of script ###
OUComputers = "OU=Autologon-Computers,DC=ldap389,DC=info"
OUUsers = "OU=Users-Autologon,DC=ldap389,DC=info"
DomainFQDN = "ldap389.info"
DomainName = "ldap389"
DNGroup = "CN=GroupAutologon,OU=Groups,DC=ldap389,DC=info"
ProfileServerPath = "\\ServerName\Profiles"   ' UNC path of the share hosting the roaming profiles

Const ForReading = 1
Const ADS_PROPERTY_APPEND = 3
Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000
Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6
Const ADS_ACEFLAG_OBJECT_TYPE_PRESENT = &H1
Const CHANGE_PASSWORD_GUID = "{ab721a53-1e2f-11d0-9819-00aa0040529b}"
Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100

Set fso = CreateObject("Scripting.FileSystemObject")
sCurPath = fso.GetAbsolutePathName(".")
Input = sCurPath & "\input.txt"
Output = sCurPath & "\output.txt"
Set df1 = fso.OpenTextFile(Input, ForReading, True)
Set FLog = fso.CreateTextFile(Output)

Do While Not df1.AtEndOfStream
    varLigne = df1.ReadLine()

    ' Create the service account used for autologon
    Login = "s-" & varLigne
    Set objOU = GetObject("LDAP://" & OUUsers)
    Set objUser = objOU.Create("User", "cn=" & Login)
    objUser.Put "sAMAccountName", Login
    objUser.Put "userPrincipalName", Login & "@" & DomainFQDN
    objUser.Put "sn", Login
    objUser.Put "givenName", Login
    objUser.Put "description", "Autologon account: " & varLigne
    objUser.Put "profilePath", ProfileServerPath & "\" & Login
    objUser.SetInfo

    ' Generate the password with the function of your choice, for example
    ' http://www.tek-tips.com/faqs.cfm?fid=5340 by Mark D. MacLachlan
    pwd = generatePassword(15)
    objUser.SetPassword pwd
    objUser.AccountDisabled = False
    objUser.SetInfo

    ' Set "password never expires"
    intUAC = objUser.Get("userAccountControl")
    If ADS_UF_DONT_EXPIRE_PASSWD And intUAC Then
        WScript.Echo "Already enabled"
    Else
        objUser.Put "userAccountControl", intUAC Xor ADS_UF_DONT_EXPIRE_PASSWD
        objUser.SetInfo
    End If

    ' Set "user cannot change password": deny the Change Password control
    ' access right to SELF and Everyone in the account's DACL
    Set objSD = objUser.Get("ntSecurityDescriptor")
    Set objDACL = objSD.DiscretionaryAcl
    arrTrustees = Array("nt authority\self", "EVERYONE")
    For Each strTrustee In arrTrustees
        Set objACE = CreateObject("AccessControlEntry")
        objACE.Trustee = strTrustee
        objACE.AceFlags = 0
        objACE.AceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT
        objACE.Flags = ADS_ACEFLAG_OBJECT_TYPE_PRESENT
        objACE.ObjectType = CHANGE_PASSWORD_GUID
        objACE.AccessMask = ADS_RIGHT_DS_CONTROL_ACCESS
        objDACL.AddAce objACE
    Next
    objSD.DiscretionaryAcl = objDACL
    objUser.Put "nTSecurityDescriptor", objSD
    objUser.SetInfo

    ' Generate the command to run autologon.exe on the workstation
    FLog.WriteLine "autologon.exe " & Login & " " & DomainName & " " & pwd

    ' Add the user just created to the group DNGroup
    Set objGroup1 = GetObject("LDAP://" & DNGroup)
    objGroup1.PutEx ADS_PROPERTY_APPEND, "member", Array("cn=" & Login & "," & OUUsers)
    objGroup1.SetInfo

    ' Create the computer account (4096 = WORKSTATION_TRUST_ACCOUNT)
    Set objOU2 = GetObject("LDAP://" & OUComputers)
    Set objCpu = objOU2.Create("Computer", "cn=" & varLigne)
    objCpu.Put "sAMAccountName", varLigne & "$"
    objCpu.Put "userAccountControl", 4096
    objCpu.Put "description", "Autologon workstation"
    objCpu.SetInfo
Loop

df1.Close
MsgBox "OK"
WScript.Quit

Function generatePassword(PASSWORD_LENGTH)
    '...................... body left out by the author: paste the password generator of your choice here
End Function
'## end of script ###
```
Download script here:
In order to randomize the service user account password we use Mark D. MacLachlan’s function, the same way as in my previous post. You can also decide to use the same password for each account. The accounts are flagged “User cannot change password” and “Password never expires” because if the password changes you will need to configure your workstation again with the autologon.exe program. The output.txt file contains the command lines you should run on your workstations to set up autologon with the Sysinternals tool. We will use this file later.
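For environments where the ActiveDirectory PowerShell module is available, the same provisioning step can be written with the AD cmdlets. The script below is an added example and not the post’s own script: it reuses the post’s OU, group and input/output file conventions as placeholders, assumes a UNC profile share path, and replaces the elided generatePassword(15) helper with a generator based on the system cryptographic RNG.

```powershell
# Added example (not the post's script): the provisioning step rewritten with the
# ActiveDirectory module. OU, group and share names are the placeholders used in
# the post's script; input.txt holds one computer name per line, as in the post.
#Requires -Modules ActiveDirectory
param(
    [string]$InputFile         = '.\input.txt',
    [string]$OutputFile        = '.\output.txt',
    [string]$OUComputers       = 'OU=Autologon-Computers,DC=ldap389,DC=info',
    [string]$OUUsers           = 'OU=Users-Autologon,DC=ldap389,DC=info',
    [string]$DomainFQDN        = 'ldap389.info',
    [string]$DomainName        = 'ldap389',
    [string]$GroupDN           = 'CN=GroupAutologon,OU=Groups,DC=ldap389,DC=info',
    [string]$ProfileServerPath = '\\ServerName\Profiles'   # assumed UNC path of the profile share
)

function New-RandomPassword {
    # Cryptographically random password drawn from a fixed alphabet; stands in
    # for the generatePassword(15) helper the post leaves to the reader.
    param([int]$Length = 15)
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!#%+=?'
    $limit    = 256 - (256 % $alphabet.Length)   # rejection sampling avoids modulo bias
    $rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf      = New-Object byte[] 1
    $chars    = New-Object System.Collections.Generic.List[char]
    while ($chars.Count -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { $chars.Add($alphabet[$buf[0] % $alphabet.Length]) }
    }
    return -join $chars
}

$names = Get-Content -Path $InputFile | ForEach-Object { $_.Trim() } | Where-Object { $_ }

$commands = foreach ($computer in $names) {
    $login  = "s-$computer"
    $plain  = New-RandomPassword -Length 15
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force

    # Service account: roaming profile on the share, enabled, password never
    # expires, user cannot change password (the two flags the post's script
    # sets by hand through userAccountControl and the DACL).
    New-ADUser -Name $login -SamAccountName $login `
        -UserPrincipalName "$login@$DomainFQDN" `
        -GivenName $login -Surname $login `
        -Description "Autologon account: $computer" `
        -ProfilePath "$ProfileServerPath\$login" `
        -AccountPassword $secure -Enabled $true `
        -PasswordNeverExpires $true -CannotChangePassword $true `
        -Path $OUUsers

    Add-ADGroupMember -Identity $GroupDN -Members $login

    # Pre-staged computer account in the OU that will receive the restrictive GPO
    New-ADComputer -Name $computer -Description 'Autologon workstation' -Enabled $true -Path $OUComputers

    # Command line to run on the workstation with Sysinternals Autologon.exe
    "autologon.exe $login $DomainName $plain"
}

# output.txt holds clear-text passwords: restrict access to it and delete it
# once the workstations are configured.
Set-Content -Path $OutputFile -Value $commands
```

The cmdlet switches `-PasswordNeverExpires` and `-CannotChangePassword` produce the same result as the userAccountControl update and the two deny ACEs in the VBScript version, which keeps the script short; the generated output.txt has the same format as the one the post uses later.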
Now you need to configure your user accounts’ roaming profiles by copying them from an existing profile template.
Then, having created the computer accounts with the above script, join your workstations to the domain.
Create a GPO and link it to the OU where the computer accounts are located; if necessary, apply group policy security filtering. On those workstations we need to modify the user environment in order to secure them. In order to apply user settings to a computer object we use the Group Policy loopback feature.
Under Active Directory 2003 some registry settings cannot be edited through the default administrative templates, therefore you have to create custom ADM files. I suggest you read this document, which explains all of the details of registry-based Group Policy. You can also use the reg2adm tool included in the Network Utilities Suite developed by Yizhar Hurwitz.
Under Active Directory 2008, thanks to Group Policy Preferences, editing a registry key is simpler (read page 10 of the whitepaper).
We will use Simon Geary’s custom administrative template in order to disable USB and CD drives on the autologon workstations.
In order to make the preconfigured roaming profiles mandatory we will enable this setting in the GPO: “Prevent Roaming Profile changes from being propagated to the server”.
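The GPO part of the procedure (creation, link to the computer OU, loopback processing, mandatory profiles and optional security filtering) can also be scripted with the GroupPolicy module. The script below is an added example, not something from the post: the GPO name and the filtering group name are assumed placeholders, the OU is the one from the post’s script, and the two registry values written are the ones behind the loopback and “Prevent Roaming Profile changes from propagating to the server” policies.

```powershell
# Added example (not from the post): build the restrictive GPO for the autologon
# workstations with the GroupPolicy module. GPO and group names are assumed
# placeholders; the OU is the one used in the post's script.
#Requires -Modules GroupPolicy
$gpoName     = 'Autologon-Workstations'
$ouComputers = 'OU=Autologon-Computers,DC=ldap389,DC=info'
$filterGroup = 'GroupAutologon'   # group of computer accounts used for security filtering
$policyKey   = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System'

if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName -Comment 'Restrictive settings for autologon workstations' | Out-Null
}

# Link the GPO to the OU holding the computer accounts
New-GPLink -Name $gpoName -Target $ouComputers -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# Loopback processing in Replace mode (UserPolicyMode = 2): the user-side
# settings of this GPO apply to whoever logs on to these computers, i.e. the
# autologon service accounts, regardless of where the user objects live.
Set-GPRegistryValue -Name $gpoName -Key $policyKey -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# "Prevent Roaming Profile changes from propagating to the server": the
# preconfigured roaming profile becomes mandatory, nothing from the session
# is written back to the share.
Set-GPRegistryValue -Name $gpoName -Key $policyKey -ValueName 'ReadOnlyProfile' -Type DWord -Value 1 | Out-Null

# Security filtering, for the case where the OU also contains other machines:
# only members of the computer group apply the GPO. Authenticated Users keeps
# Read so that the computers can still retrieve the policy.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $filterGroup -TargetType Group -PermissionLevel GpoApply | Out-Null

# Show what was written, for verification
Get-GPRegistryValue -Name $gpoName -Key $policyKey | Format-Table ValueName, Type, Value
Get-GPPermission -Name $gpoName -All | Select-Object @{n='Trustee'; e={$_.Trustee.Name}}, Permission
```

The device restrictions from the custom administrative template and the other restrictive user settings are added on top of this in the Group Policy editor; a `gpresult /r` on one of the workstations after the next refresh should list the GPO under the computer settings and show the loopback-applied user settings for the service account.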
Several restrictive settings are applied in the GPO. This list is not exhaustive; you can add or delete settings at your convenience:
Finally, in order to activate autologon on the workstations, run on each computer the appropriate command line provided in the output.txt file.