What is AutoAdminLogon, and its benefits?
AutoAdminLogon is a Windows registry setting that automates the logon of a specific user account during system startup, bypassing the usual login screen. Enabling it streamlines startup and is particularly useful where a system needs to boot and immediately launch specific applications or services without manual intervention.
It can simplify tasks such as automated system updates, batch processing, or kiosk setups in environments where users don't frequently log in and out, or where multiple systems are deployed for a single task.
Why have AutoAdminLogon set to "disabled"
Enabling AutoAdminLogon on a system grants unrestricted access to anyone with physical access to the machine, allowing potential access to all information stored on the machine itself, as well as any networks it may be connected to.
Additionally, if enabled, the password is stored in the registry in plaintext and is accessible remotely by the Authenticated Users group. Therefore, if it is enabled, it is vital to ensure that the system is physically secured and that checks are in place to guarantee that untrusted users cannot view the registry remotely.
What will happen if AutoAdminLogon is "disabled"?
When a system with AutoAdminLogon disabled is restarted or booted, it will not log in automatically; instead, the Windows login screen is presented, and a username and password must be entered manually in order to gain access to the account.
AutoAdminLogon Vulnerabilities
Having AutoAdminLogon enabled increases the possibility of an unauthorized entity accessing the system and any connected networks.
Consequences of unrestricted access can be:
- Data breaches
- Data manipulation and corruption
- Malware installation
- Resource theft
- Privilege escalation
- Disruption of services
- Backdoor creation
- Legal and compliance issues
Disable AutoAdminLogon
To establish the recommended configuration via GP, set the following UI path to Disabled:
Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)
Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required – it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog.
Policy setting via GPO | MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)
Registry Hive | HKEY_LOCAL_MACHINE
Registry Path | Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Value Name | AutoAdminLogon
Value Type | REG_SZ
Enabled Value | 1
Disabled Value | 0
Default
The default setting for AutoAdminLogon is "Disabled".
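As an added example (not from this article or from Microsoft's documentation), the following PowerShell script audits the Winlogon key described above, reports whether automatic logon is enabled and whether a plaintext DefaultPassword is present, and with -Remediate sets AutoAdminLogon to 0 and removes the stored password. It assumes an elevated PowerShell session on the machine being checked.

```powershell
# Added example, not the article's own code: audit and optionally remediate AutoAdminLogon.
# Assumes an elevated session on the local machine.
param(
    [switch]$Remediate
)

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$props = Get-ItemProperty -Path $winlogon

# AutoAdminLogon is a REG_SZ: "1" enables it; "0" or an absent value disables it.
$autoLogon   = $props.AutoAdminLogon
$enabled     = ($autoLogon -eq '1')
# A DefaultPassword value means the account password is stored in the clear.
$hasPassword = ($null -ne $props.DefaultPassword)

$shown   = if ($null -eq $autoLogon) { '<absent>' } else { $autoLogon }
$finding = if ($enabled) { 'FAIL: automatic logon enabled' } else { 'PASS' }

[pscustomobject]@{
    ComputerName      = $env:COMPUTERNAME
    AutoAdminLogon    = $shown
    DefaultUserName   = $props.DefaultUserName
    DefaultDomainName = $props.DefaultDomainName
    PlaintextPassword = $hasPassword
    Finding           = $finding
} | Format-List

if ($Remediate -and ($enabled -or $hasPassword)) {
    # Write an explicit "0" rather than deleting the value so the disabled state is visible to later audits.
    Set-ItemProperty -Path $winlogon -Name AutoAdminLogon -Value '0' -Type String
    if ($hasPassword) {
        Remove-ItemProperty -Path $winlogon -Name DefaultPassword
    }
    Write-Output 'Remediated: AutoAdminLogon set to 0 and DefaultPassword removed.'
}
```

Run without -Remediate first to review the report; the script can be wrapped in Invoke-Command to check a fleet of machines.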
Enable AutoAdminLogon
The following instructions, taken from Microsoft's documentation on configuring Windows automatic logon, detail how to enable AutoAdminLogon:
To use Registry Editor to turn on automatic logon, follow these steps:
- Select Start, and then select Run.
- In the Open box, type Regedit.exe, and then press Enter.
- Locate the: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon subkey in the registry.
- On the Edit menu, select New, and then point to String Value.
- Type AutoAdminLogon, and then press Enter.
- Double-click AutoAdminLogon.
- In the Edit String dialog box, type 1 and then select OK.
- Double-click the DefaultUserName entry, type your user name, and then select OK.
- Double-click the DefaultPassword entry, type your password, and then select OK.
If the DefaultPassword value doesn't exist, it must be added. To add the value, follow these steps:
- On the Edit menu, select New, and then point to String Value.
- Type DefaultPassword, and then press Enter.
- Double-click DefaultPassword.
- In the Edit String dialog, type your password and then select OK.
Note: If no DefaultPassword string is specified, Windows automatically changes the value of the AutoAdminLogon key from 1 (true) to 0 (false), disabling the AutoAdminLogon feature.
- If you have joined the computer to a domain, you should add the DefaultDomainName value, and the data for the value should be set to the fully qualified domain name (FQDN) of the domain, for example contoso.com.
- Exit Registry Editor.
- Select Start, select Shutdown, and then type a reason in the Comment text box.
- Select OK to turn off your computer.
- Restart your computer. You can now log on automatically.
Best Practices
While disabling AutoAdminLogon may not be practical in specific scenarios such as automated system updates, batch processing, or kiosk setups, in most environments AutoAdminLogon should be set to disabled whenever possible in order to mitigate potential security threats.
Hardening the system provides another layer of protection against unauthorized access, especially if the computer is in a shared environment or there are concerns regarding potential security risks.