Interactive Logon Security Settings: A Comprehensive Guide

Ben Balkin
Updated on: May 21, 2025

Interactive logon policies control how users authenticate to Windows systems, which makes them a critical component of endpoint and server security. In this post we examine interactive logon in detail, the weaknesses that poorly configured logon settings introduce, and how to fix them.

What You Will Learn

  • What an interactive logon is.
  • Why insecure logon configurations expose system credentials.
  • Which logon-related settings are most critical for security.
  • How interactive logon policies align with compliance frameworks.
  • How CalCom CHS enforces secure logon policies.

Interactive Logon Explained

Interactive login is where a user directly authenticates through a computer’s user interface. Typically, this involves logging in via a graphical user interface (GUI) or a command line interface (CLI). Using interactive login, users gain access to a session that enables them to engage with the system as if they were physically present at the computer.

Windows Logon Scenarios

Signing in works like any other logon: it requires a valid account and correct credentials. The account information used to verify those credentials is stored in the Security Account Manager (SAM) database on the local computer and, for domain accounts, in Active Directory.

Here are the 4 common logon scenarios:

  • Interactive logon: Users have the option to engage in an interactive logon by using either a local user account or a domain account to access a computer.
  • Network logon: a user, service, or computer is authenticated before it can use a network resource. No credential entry dialog is shown; the logon uses previously established credentials or another method of collecting authentication data.
  • Smart card logon: available only for domain accounts, not local accounts. Smart card authentication requires the Kerberos authentication protocol.
  • Biometric logon: A device captures and creates a digital representation of a biometric artifact, such as a fingerprint. This digital version is then compared to a sample of the same artifact for successful authentication.

User Authentication Processes

The terms “interactive logon access” and “interactive logon authentication” are related but refer to different aspects of the user authentication process. Access is about permission, while authentication is about verifying identity for security purposes.

Interactive Logon Access

Refers to a user’s permission to log in and interact with a system, whether physically or remotely, involving direct interaction with the computer using input devices such as a keyboard and mouse. Access in this context relates to the user’s privilege to engage in interactive logon activities.

In the context of Windows operating systems, for example, interactive logon refers to the process of logging in locally on the computer itself, as opposed to remote logon through services such as Remote Desktop or SSH. Controlling and managing interactive logon access is crucial for ensuring system security, often involving the implementation of password policies, account lockout policies, and other security measures to protect against unauthorized access.

Interactive Logon Authentication

Refers to the process of verifying a user’s identity during login, which involves validating credentials such as a username and password. This security measure ensures that only authorized users can access the system through the interactive logon process.

Interactive Logon Authentication in Windows ensures that only authorized users with valid credentials can access the system, contributing to the security and integrity of the operating environment.

Windows logon types

The Windows operating system supports various logon techniques that allow users to prove their identity and gain authorized access to a system or network. To differentiate between these logon methods in system security logs, Windows assigns a numeric code to each type of logon event. By categorizing logons into multiple types and recording them differently in the event logs, the Windows security auditing system can provide more detailed insights into how users are accessing protected resources within the system or domain. Administrators can analyze the logon patterns to trace issues or detect potential security breaches.

Here are the main Windows logon types and logon codes:

  Code  Type                     Description
  2     Interactive              A user logs on at the console with Ctrl+Alt+Del.
  3     Network                  Accessing shared folders or printers over the network.
  5     Service                  Services running under specified accounts.
  6     Proxy                    Used for proxy connections.
  7     Unlock                   Unlocking the desktop session when returning from the locked state.
  8     NetworkCleartext         Used when the user changes their password or requests a credential change.
  9     NewCredentials           Used when a user requests or changes their password.
  10    RemoteInteractive        RDP logons that give remote access to the desktop.
  11    CachedInteractive        Cached credentials are used for access when the network is unavailable.
  12    CachedRemoteInteractive  Same as 11, and used only for internal auditing.
  13    CachedUnlock             The logon attempts to unlock a workstation.

What is the difference between allowing logon locally and interactive logon?

Interactive Logon represents a broader permission category, encompassing various access scenarios, whereas Allow Logon Locally specifies just local interactive sessions at the physical computer. Both mechanisms regulate access to interactive Windows user sessions but operate in distinct ways.

To illustrate the distinction:

Allow Logon Locally

  • Specifies whether a user can physically log into a particular computer by signing in at the computer’s keyboard or console.
  • Grants interactive logon access at the local computer level.

Interactive Logon

  • Refers more broadly to a user signing in and accessing a Windows desktop session, whether locally or remotely.
  • Includes logging on via Remote Desktop, in addition to physically at the computer’s keyboard.
  • Governs the ability to access an interactive Windows session in general rather than just local logons.

What is the difference between an interactive and a non-interactive logon?

The key difference between interactive and non-interactive logons is the degree of user involvement, and the two use distinct authentication processes. The distinction is whether the user signs into an interactive user session or simply accesses resources without a visual desktop session.

Interactive logons involve users directly accessing the Windows shell or desktop, interacting with the system through a keyboard and mouse. On the other hand, non-interactive logons are used by established accounts that run scheduled tasks, services, and other automated processes without requiring user interaction.
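Putting the logon-type table and the interactive/non-interactive distinction to work, as an added example that is not from the article: a small Python detector that parses constructed 4624 (successful logon) records, labels each logon type with the names from the table, separates the types that produce a desktop session from those that do not, and flags the types a defender usually reviews (NetworkCleartext, RDP, and the cached types that no domain controller validated). The key=value line format, the account names and the addresses are constructed; a production version would read the same fields from the 4624 event XML.

```python
"""Classify Windows 4624 logon events by logon type.

Added example, not part of the original article. The sample lines below
are constructed and use a simplified key=value layout for readability.
"""
import re
from collections import Counter

# Logon-type codes as listed in the article's table; 4 = Batch is added
# because scheduled tasks log on with it and it is clearly non-interactive.
LOGON_TYPES = {
    2: "Interactive",
    3: "Network",
    4: "Batch",
    5: "Service",
    6: "Proxy",
    7: "Unlock",
    8: "NetworkCleartext",
    9: "NewCredentials",
    10: "RemoteInteractive",
    11: "CachedInteractive",
    12: "CachedRemoteInteractive",
    13: "CachedUnlock",
}

# Types that give the account a desktop session: console, unlock, RDP,
# and their cached variants.
INTERACTIVE_TYPES = {2, 7, 10, 11, 12, 13}

# Types worth a second look in review: NetworkCleartext (8), RDP (10) and
# logons satisfied from the local credential cache (11, 12), which were
# not validated by a domain controller.
REVIEW_TYPES = {8, 10, 11, 12}

# Constructed sample events (the 4625 line is a failed logon and is skipped).
SAMPLE_EVENTS = """\
EventID=4624 LogonType=2 Account=CORP\\alice Workstation=WS-01 Source=-
EventID=4624 LogonType=3 Account=CORP\\fileserver$ Workstation=WS-01 Source=10.0.0.12
EventID=4624 LogonType=10 Account=CORP\\bob Workstation=WS-02 Source=10.0.0.77
EventID=4624 LogonType=5 Account=NT AUTHORITY\\SYSTEM Workstation=WS-02 Source=-
EventID=4624 LogonType=11 Account=CORP\\alice Workstation=LAPTOP-9 Source=-
EventID=4624 LogonType=8 Account=CORP\\svc_web Workstation=WEB-01 Source=10.0.0.5
EventID=4625 LogonType=2 Account=CORP\\mallory Workstation=WS-01 Source=-
"""

# key=value pairs; values may contain spaces (e.g. "NT AUTHORITY\SYSTEM"),
# so a value runs until the next " key=" token or end of line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line):
    """Turn one constructed record into a dict with integer IDs."""
    fields = dict(FIELD_RE.findall(line))
    fields["EventID"] = int(fields["EventID"])
    fields["LogonType"] = int(fields["LogonType"])
    return fields


def classify(event):
    """Label the logon type and say whether it is interactive / reviewable."""
    code = event["LogonType"]
    return {
        "account": event["Account"],
        "type_name": LOGON_TYPES.get(code, f"Unknown({code})"),
        "interactive": code in INTERACTIVE_TYPES,
        "review": code in REVIEW_TYPES,
    }


def summarize(log_text):
    """Return (per-type counts, flagged successful logons) for a log blob."""
    counts = Counter()
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        if event["EventID"] != 4624:  # only successful logons
            continue
        result = classify(event)
        counts[result["type_name"]] += 1
        if result["review"]:
            flagged.append(
                f'{result["account"]} via {result["type_name"]} from {event["Source"]}'
            )
    return counts, flagged


if __name__ == "__main__":
    counts, flagged = summarize(SAMPLE_EVENTS)
    for name, n in sorted(counts.items()):
        print(f"{name:<24} {n}")
    print("\nFlagged for review:")
    for entry in flagged:
        print("  " + entry)
```

On the constructed input the RDP logon, the cached logon and the NetworkCleartext logon are the three entries flagged; the console, network and service logons are counted but not flagged. The sets are the point of the example: which codes count as interactive and which codes you choose to review are policy decisions to make explicit rather than bury in a SIEM rule.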

Vulnerabilities

The interactive logon process for Windows systems is vulnerable to various security issues that can compromise user credentials and enable unauthorized access. Inadequately secured settings for the user logon experience provide opportunities for attackers to obtain passwords and gain control of systems.

Some common vulnerabilities associated with interactive logon settings include:

  • Information disclosure: by default Windows displays the username of the last person who logged on, which hands an attacker a valid account name to guess against or brute-force. Custom logon messages, although useful, may also inadvertently expose system or user details and so increase exposure to social engineering.
  • Compromised accounts: service accounts that are allowed to log on interactively are a particular risk, since misusing one gives an attacker significant control over the system. Weak passwords, stemming from poor practices such as reuse or reliance on common dictionary words, make accounts susceptible to brute-force or password-spray attacks.
  • Automatic logon: configuring a machine to sign in without prompting for credentials exposes it to anyone who gains access to the device.
  • Guest account enabled: the built-in Guest account, even with its limited privileges, can still be exploited for lateral movement.
  • Insufficient session timeout: leaving sessions active for extended periods without user interaction widens the window for exploitation.

Security settings for Interactive logon

The Center for Internet Security (CIS) benchmarks comprise hundreds of recommendations for securing Windows systems, organized into various categories and priority levels. For interactive logon on Windows systems, CIS provides specific security recommendations within the Windows benchmarks, which are listed below:

2.3.7.1 Ensure ‘Interactive logon: Do not require CTRL+ALT+DEL’ is set to ‘Disabled’ (Automated)

Determines whether users must press Ctrl+Alt+Del before logging on. If you enable this policy setting, users can log on without this key combination. If you disable this policy setting, users must press Ctrl+Alt+Del before logging on to Windows, unless they use a smart card for Windows logon. A smart card is a tamper-proof device that stores security information.

2.3.7.2 Ensure ‘Interactive logon: Don’t display last signed-in’ is set to ‘Enabled’ (Automated)

This setting determines whether the account name of the last user to log on is displayed on each computer’s Windows logon screen. Enable this policy setting to prevent intruders from collecting account names visually from the screens of desktop or laptop computers in your organization.

2.3.7.3 Ensure ‘Interactive logon: Machine inactivity limit’ is set to ‘900 or fewer second(s), but not 0’ (Automated)

This policy detects logon session inactivity. If the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session.

2.3.7.4 Configure ‘Interactive logon: Message text for users attempting to log on’ (Automated)

Microsoft recommends that you use this setting, if appropriate to your environment and your organization’s business requirements, to help protect end-user computers. This policy setting specifies a text message that displays to users when they log on.

2.3.7.5 Configure ‘Interactive logon: Message title for users attempting to log on’ (Automated)

Microsoft recommends that you use this setting, if appropriate to your environment and your organization’s business requirements, to help protect end-user computers. This policy setting allows text to be specified in the title bar of the window that users see when they log on to the system.

2.3.7.6 Ensure ‘Interactive logon: Number of previous logons to cache (in case domain controller is not available)’ is set to ‘4 or fewer logon(s)’ (MS only) (Automated)

This policy setting determines whether a user can log on to a Windows domain using cached account information. Logon information for domain accounts can be cached locally, allowing users to log on even if a domain controller cannot be contacted.

This policy setting determines the number of unique users for whom logon information is cached locally. If this value is set to 0, the logon cache feature is disabled. An attacker who can access the server’s file system could locate this cached information and use a brute force attack to determine user passwords.

2.3.7.7 Ensure ‘Interactive logon: Prompt user to change password before expiration’ is set to ‘between 5 and 14 days’ (Automated)

This policy setting determines how far in advance users are warned that their password will expire. Microsoft recommends configuring this policy setting to 14 days to provide sufficient warning to users when their passwords are about to expire.

2.3.7.8 Ensure ‘Interactive logon: Require Domain Controller Authentication to unlock workstation’ is set to ‘Enabled’ (MS only) (Automated)

Logon information is required to unlock a locked computer. For domain accounts, the Interactive logon: Require Domain Controller authentication to unlock workstation setting determines whether it is necessary to contact a domain controller to unlock a computer. If you enable this setting, a domain controller must authenticate the domain account used to unlock the computer. If you disable this setting, logon information confirmation with a domain controller is not required for a user to unlock the computer.

However, if the “Interactive logon: Number of previous logons to cache (in case the domain controller is not available)” setting is configured to a value greater than zero, the user’s cached credentials will be used to unlock the computer.

Note: This setting applies to Windows 2000 computers, but it is not available through the Security Configuration Manager tools on these computers.


2.3.7.9 Ensure ‘Interactive logon: Smart card removal behavior’ is set to ‘Lock Workstation’ or higher (Automated)

This setting determines what happens when the smart card for a logged-on user is removed from the smart card reader.
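Checking these nine settings on a machine, as an added example that is not part of the article or of CalCom’s product: a Python script that parses the [Registry Values] section of a secedit /export INF file and evaluates each value against the thresholds listed above. The registry value names and their locations under Winlogon and Policies\System are, to the best of my knowledge, the values these Group Policy settings write; treat that mapping as an assumption and confirm it against your own export before relying on it. The INF text is constructed and deliberately contains two non-compliant values.

```python
"""Audit the CIS 2.3.7.x interactive-logon settings from a secedit export.

Added example, not from the original article. It parses the
[Registry Values] section of a `secedit /export` INF file and checks
each value against the CIS thresholds. The value-name-to-policy mapping
is the author's assumption; the INF below is constructed.
"""

WINLOGON = r"MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
POLICIES = r"MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System"

# Constructed export. InactivityTimeoutSecs=0 and CachedLogonsCount="10"
# are intentionally out of policy.
SAMPLE_INF = rf"""
[Unicode]
Unicode=yes
[Registry Values]
{WINLOGON}\CachedLogonsCount=1,"10"
{WINLOGON}\ForceUnlockLogon=4,1
{WINLOGON}\PasswordExpiryWarning=4,14
{WINLOGON}\ScRemoveOption=1,"1"
{POLICIES}\DisableCAD=4,0
{POLICIES}\DontDisplayLastUserName=4,1
{POLICIES}\InactivityTimeoutSecs=4,0
{POLICIES}\LegalNoticeCaption=1,"Authorized use only"
{POLICIES}\LegalNoticeText=7,This system is for authorized use only.
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_registry_values(inf_text):
    """Return {value_path: (reg_type, value)} from the [Registry Values] section.

    secedit writes each line as PATH=TYPE,DATA where TYPE 4 is REG_DWORD,
    1 is REG_SZ (data in double quotes) and 7 is REG_MULTI_SZ.
    """
    values = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            in_section = line.lower() == "[registry values]"
            continue
        if not in_section or "=" not in line:
            continue
        path, rhs = line.split("=", 1)
        reg_type, _, data = rhs.partition(",")
        reg_type = int(reg_type)
        if reg_type == 4:
            value = int(data)
        elif reg_type == 1:
            value = data.strip('"')
        else:  # REG_MULTI_SZ and anything else: keep the raw text
            value = data
        values[path] = (reg_type, value)
    return values


def _int(v):
    """Some numeric settings are stored as REG_SZ (e.g. CachedLogonsCount="4")."""
    return int(v)


# (CIS id, short title, registry value path, predicate on the observed value)
CHECKS = [
    ("2.3.7.1", "Do not require CTRL+ALT+DEL = Disabled",
     f"{POLICIES}\\DisableCAD", lambda v: _int(v) == 0),
    ("2.3.7.2", "Don't display last signed-in = Enabled",
     f"{POLICIES}\\DontDisplayLastUserName", lambda v: _int(v) == 1),
    ("2.3.7.3", "Machine inactivity limit <= 900 s, not 0",
     f"{POLICIES}\\InactivityTimeoutSecs", lambda v: 0 < _int(v) <= 900),
    ("2.3.7.4", "Message text for users configured",
     f"{POLICIES}\\LegalNoticeText", lambda v: bool(str(v).strip())),
    ("2.3.7.5", "Message title for users configured",
     f"{POLICIES}\\LegalNoticeCaption", lambda v: bool(str(v).strip())),
    ("2.3.7.6", "Previous logons to cache <= 4",
     f"{WINLOGON}\\CachedLogonsCount", lambda v: _int(v) <= 4),
    ("2.3.7.7", "Prompt to change password 5-14 days",
     f"{WINLOGON}\\PasswordExpiryWarning", lambda v: 5 <= _int(v) <= 14),
    ("2.3.7.8", "Require DC authentication to unlock = Enabled",
     f"{WINLOGON}\\ForceUnlockLogon", lambda v: _int(v) == 1),
    ("2.3.7.9", "Smart card removal = Lock Workstation or higher",
     f"{WINLOGON}\\ScRemoveOption", lambda v: _int(v) >= 1),
]


def audit(inf_text):
    """Evaluate every check; return a list of (id, title, status, observed)."""
    values = parse_registry_values(inf_text)
    results = []
    for check_id, title, path, ok in CHECKS:
        if path not in values:
            results.append((check_id, title, "MISSING", None))
            continue
        _, observed = values[path]
        results.append((check_id, title, "PASS" if ok(observed) else "FAIL", observed))
    return results


def failing(inf_text):
    """IDs of checks that did not pass (FAIL or MISSING)."""
    return [r[0] for r in audit(inf_text) if r[2] != "PASS"]


if __name__ == "__main__":
    for check_id, title, status, observed in audit(SAMPLE_INF):
        print(f"{check_id}  {status:<7} {title}  (observed: {observed!r})")
```

A value that is absent from the export is reported as MISSING rather than silently passing, because "not configured" means the Windows default applies, and for several of these settings the default is the insecure state the benchmark is trying to move you away from.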

Key Takeaways

  • Interactive logon policies control how users access Windows systems.
  • Misconfigured logon settings increase the risk of attacks.
  • Properly configured policies enhance compliance with security frameworks.
  • Key settings include password requirements, lockout policies, and credential caching.
  • CalCom CHS automates interactive logon hardening.

How CalCom CHS Hardens Interactive Logons

Securing the interactive logon methods in a Windows environment is a fundamental activity to guard access from unauthorized users. The logon interface, which validates user credentials and grants system entry privileges, is a prime target for malicious actors and requires stringent controls.

CalCom Hardening Suite (CHS) automates the hardening procedures for interactive logon settings to block common threats, such as brute force password guessing or credential stuffing attacks. By automating the hardening of interactive logon settings, you can streamline the process, making it significantly faster and less resource-intensive. It allows for continuous monitoring that enforces hardening measures, ensuring persistent protection across multiple systems.

FAQs

What is Windows interactive logon?
Interactive logon refers to the process by which users authenticate directly to a system, either at the console or through Remote Desktop Services.
Why is interactive logon security important?
Weak or misconfigured logon policies can lead to credential theft, brute-force attacks, and unauthorized system access.
Which policies should be configured for secure logon?
Key settings include password complexity, account lockout thresholds, smart card requirements, and credential caching restrictions.
How do interactive logon policies support compliance?
They align with requirements in CIS Benchmarks, NIST, HIPAA, and PCI DSS by enforcing strong authentication controls.
How can CalCom help with logon hardening?
CalCom Hardening Suite (CHS) automates policy creation, testing, and enforcement to ensure secure logon configurations without production downtime.
Ben Balkin
Ben Balkin is a professional writer and blogger specializing in technology and innovation. As a contributor to the Calcom blog, Ben shares practical insights, useful tips, and engaging articles designed to simplify complex processes and make advanced technological solutions accessible to everyone. His writing style is clear, insightful, and inspiring, reflecting his strong belief in technology's power to enhance quality of life and empower businesses.