In many FIPS 140-2 certificates, Windows must be placed into FIPS 140 mode as well as run in "single user mode". I am familiar with the local/group policy objects to enable FIPS mode. However, "single user mode" is almost always written in quotations (as I have done). No specific setting exists in GPO to enable this mode, and I have not found any details which indicate how to enable this mode of operation.
The best I've been able to find is that this means only one interactive user at any given time. Thus, I believe it is not a requirement that there is only one user account on the O/S, but rather a series of things that need to be configured to prevent multiple simultaneous interactive users. The only thing I can think of that might affect this is to disable incoming RDP/Remote Assistance.
What needs to be configured to prevent multiple concurrent interactive users in Windows workstations and servers?
EDIT: As most enterprises cannot allow only a single local login, I am looking to understand what constitutes restricting the environment to a single interactive session while not restricting multiple -- though not logged-in -- accounts.
The easiest approach would be to limit who can log on to a given computer to a single user account (be it a local or domain one); this can be easily done by restricting the "log on locally" right in the local security policies or via a GPO. Also, the various "log on as..." rights are a good place to start.
If you instead want to allow many users to log on, but only one of them at any given time, you would need to disable Remote Desktop (or restrict it to a single session) and also disable user switching for the system console.
A thing to keep in mind is that, even if you only have a single interactive session, you could still have many background processes running as other user accounts (not to mention the three system contexts, LocalSystem, LocalService and NetworkService); completely disallowing this would require a lot of tweaking in many places of the system.
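The following PowerShell script is an added example, not part of the answer above and not something Microsoft or the asker supplies. It applies the settings the answer names (hide Fast User Switching, disable Remote Assistance, disable Remote Desktop or cap it at one session, and optionally restrict "Allow log on locally" to a chosen account) and then counts active interactive sessions so the result can be checked. The registry values are the ones the corresponding Group Policy settings write to; the `-KeepRdpSingleSession` switch, the `Set-InteractiveLogonRight` helper and the `query session` based check are my own assumptions. Run it elevated on a lab machine first.

```powershell
#Requires -RunAsAdministrator
# Added example (not the original answer's code): enforce "one interactive
# session at a time" on a Windows host and verify it.
param(
    # Assumed switch: keep RDP enabled but limited to one session instead of
    # disabling it outright.
    [switch]$KeepRdpSingleSession,
    # Assumed placeholder: if given, "Allow log on locally" is restricted to
    # these accounts only (local or domain, e.g. 'CORP\fipsoperator').
    [string[]]$AllowLocalLogonTo
)

function Set-PolicyDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

# 1. Hide the Fast User Switching entry points so a second user cannot be
#    logged on at the console while another session is still alive.
#    GPO: Computer Configuration > Administrative Templates > System > Logon
Set-PolicyDword 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'HideFastUserSwitching' 1

# 2. Remote Assistance: refuse solicited help sessions.
Set-PolicyDword 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance' 'fAllowToGetHelp' 0

# 3. Remote Desktop: either off entirely, or one session at a time.
$tsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$tsCtl    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
if ($KeepRdpSingleSession) {
    Set-PolicyDword $tsCtl 'fDenyTSConnections' 0
    # "Restrict Remote Desktop Services users to a single RDS session" and
    # "Limit number of connections" = 1
    Set-PolicyDword $tsPolicy 'fSingleSessionPerUser' 1
    Set-PolicyDword $tsPolicy 'MaxInstanceCount' 1
} else {
    Set-PolicyDword $tsCtl 'fDenyTSConnections' 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
}

# 4. Optional: restrict "Allow log on locally" (SeInteractiveLogonRight) to the
#    given accounts via secedit, the same mechanism the Local Security Policy
#    MMC uses. Any "Deny log on locally" entry still takes precedence.
function Set-InteractiveLogonRight {
    param([string[]]$Accounts)
    $sids = $Accounts | ForEach-Object {
        $acct = New-Object System.Security.Principal.NTAccount($_)
        '*' + $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
    }
    $inf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
'@ + "`r`nSeInteractiveLogonRight = " + ($sids -join ',') + "`r`n"
    $cfg = Join-Path $env:TEMP 'single-user-rights.inf'
    $db  = Join-Path $env:TEMP 'single-user-rights.sdb'
    Set-Content -Path $cfg -Value $inf -Encoding Unicode
    secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    Remove-Item $cfg, $db -ErrorAction SilentlyContinue
}
if ($AllowLocalLogonTo) { Set-InteractiveLogonRight -Accounts $AllowLocalLogonTo }

# 5. Verify: count sessions in the Active state (console plus any RDP).
#    'query session' is absent on Home editions, hence the silenced error.
function Get-ActiveInteractiveSessionCount {
    @(query session 2>$null | Select-String '\sActive\s').Count
}

$n = Get-ActiveInteractiveSessionCount
Write-Output "Active interactive sessions right now: $n"
if ($n -gt 1) { Write-Warning 'More than one interactive session is active; sign the extras out.' }
Write-Output 'Some settings (Fast User Switching, logon rights) apply at the next sign-in.'
```

Two caveats worth knowing before treating the host as "single user". On server SKUs the console session and a single RDP session are separate sessions, so with `-KeepRdpSingleSession` the check above can still report two active sessions; only disabling RDP (the default branch) removes that path. And, as the answer notes, none of this stops services or scheduled tasks from running under other accounts; it only constrains interactive logons.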