Home / server / Questions / 262810
Accepted
aleroot
Asked: 2011-04-24 10:50:22 +0800 CST

Windows Server 2008 AutoLogin Permission on WinLogon Key

  • 772

I have a windows Server 2008 that need to automatically autologin on startup, i've added this registry key :

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName String Administrator
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultPassword String PASSWORD
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon DWORD 1

but in the key DefaultPassword is stored the Administrator password and a normal user on the server can view this password, i've tried to create a policy on the key Winlogon of the registry but if i deny the permission to view this key to a normal user, the user can't login, receive permission denied ...

Can i insert the encrypted password on the DefaultPassword key ? Can i disable the access to this key to a normal user without broke the windows access of the user ?

windows-server-2008 login password

3 Answers

  1. Best Answer

    Try Autologon.

    Autologon enables you to easily configure Windows’ built-in autologon mechanism. Instead of waiting for a user to enter their name and password, Windows uses the credentials you enter with Autologon, which are encrypted in the Registry, to log on the specified user automatically.

    • 1

  2. Why are you worrying about the user seeing this password in the registry when you are logging them in as that user? They can just reset their password as that user anyway and change it to whatever they want. You can't worry about security on one hand and then give the user an open door on the other.

    I would evaluate what you are really trying to do in the first place. For example, can you autologon a user in as non administrator then elevate their permissions to do something they need to do? This seems like a more reasonable approach.

    • 0

  3. +1 for Autologon but I would go one step further if you can.

    If this server is in a domain, I would recommend using a Domain User service account to autologon not the (domain) Administrator account.

    Even though Autologon encrypts the password in the registry someone with permissions to the string/key could decrypt it. I believe Autologon stores the information under HKEY_LOCAL_MACHINE\SECURITY which users do not have access to by default but running under a service account is usually pretty quick to configure and adds another layer of security.

    The encrypted password is stored under: HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\DefaultPassword

    http://technet.microsoft.com/en-us/library/bb432638.aspx

    • 0