SysInternals AutoLogon and securely encrypting passwords.

Can you claim that your house is “secure” if you leave the key for the front door under the welcome mat? :^)

Got into a discussion the other day with someone regarding what “encrypted” means with respect to the Microsoft Sysinternals tool Autologon. The Autologon page says:

Autologon enables you to easily configure Windows’ built-in autologon mechanism. Instead of waiting for a user to enter their name and password, Windows uses the credentials you enter with Autologon, which are encrypted in the Registry, to log on the specified user automatically.

Autologon is easy enough to use. Just run autologon.exe, fill in the dialog, and hit Enable. To turn off auto-logon, hit Disable. Also, if the shift key is held down before the system performs an autologon, the autologon will be disabled for that logon. You can also pass the username, domain and password as command-line arguments: autologon user domain password

My emphasis added.

Auto Logon

When you log in to Windows, it requires you to enter a user name and a password. But what if we want to automate an installation across reboots, or turn the workstation into a kiosk, where we want to *skip* the logon prompt? The OS *always* requires the credentials (username and password), so the workaround is to place those credentials in the registry:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="1"
"DefaultUserName"="administrator"
"DefaultPassword"="P@$$w0rd"
"DefaultDomainName"="contoso"

If Windows sees that AutoAdminLogon is set to 1 and the other values are present, the OS skips the logon screen and goes straight to the desktop. This can be a problem in secure environments. First, you don’t want just anyone to bypass the first step in security and get to the desktop, so don’t use AutoAdminLogon for accounts that are important or sensitive. Second, the credentials, including the password, are stored in the registry as plain text, not as a salted hash the way most passwords are stored. That means anyone with read access to the DefaultPassword value under the Winlogon key can read the password in the clear.

This is what the MDT LiteTouch scripts use to perform an autologon to the local Administrator account, and I never use a secure password for the Administrator account at that stage. Instead I give it a weak password and, once the OS installation has finished, I secure the machine by giving the Administrator account a more secure password with the command:

net.exe user administrator *
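As an added example (my own code, not from the post or from the Sysinternals tool), here is a PowerShell audit of the Winlogon values described above that reports whether a cleartext DefaultPassword is present, lists who is granted read access to the key, and offers a remediation function; the function names are assumed, and it must be run from an elevated prompt.

```powershell
# Added example, not from the post: audit and remediate the Winlogon autologon
# values. Run from an elevated PowerShell prompt.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-AutoLogonStatus {
    # Reads the Winlogon values. DefaultPassword here is the cleartext registry
    # copy, not the LSA Secrets copy that the Sysinternals tool writes.
    $wl = Get-ItemProperty -Path $WinlogonKey -ErrorAction Stop

    # Every principal allowed to read the key (or query its values) can read
    # DefaultPassword in the clear.
    $readers = (Get-Acl -Path $WinlogonKey).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       ($_.RegistryRights -match 'ReadKey|QueryValues|FullControl') } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

    [pscustomobject]@{
        AutoAdminLogon       = ([string]$wl.AutoAdminLogon -eq '1')
        DefaultUserName      = $wl.DefaultUserName
        DefaultDomainName    = $wl.DefaultDomainName
        PlaintextPasswordSet = -not [string]::IsNullOrEmpty($wl.DefaultPassword)
        KeyReaders           = $readers
    }
}

function Disable-AutoLogon {
    # Turns autologon off and deletes the cleartext password. DefaultUserName is
    # left alone: it only pre-fills the logon dialog. If the Sysinternals tool was
    # used, its LSA Secrets copy is removed with that tool's Disable button.
    Remove-ItemProperty -Path $WinlogonKey -Name DefaultPassword -ErrorAction SilentlyContinue
    Set-ItemProperty -Path $WinlogonKey -Name AutoAdminLogon -Value '0' -Type String
}

$status = Get-AutoLogonStatus
$status | Format-List

if ($status.AutoAdminLogon -and $status.PlaintextPasswordSet) {
    Write-Warning ("Cleartext DefaultPassword for {0}\{1} is readable by: {2}" -f
        $status.DefaultDomainName, $status.DefaultUserName, ($status.KeyReaders -join ', '))
    # Uncomment to remediate once the build no longer needs autologon:
    # Disable-AutoLogon
}
```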

LSA Secrets

Windows added a feature where the logon process can read DefaultPassword from LSA Secrets. LSA Secrets are a protected area of storage used for internal private data. The data lives in the registry under HKLM\SECURITY\Policy\Secrets, and that key has a restrictive ACL, so it is not visible in regedit.exe from a normal user account. However, the DefaultPassword secret can be decoded by any administrator with a simple Win32 API call.

What’s the point of having a registry value encrypted if any administrator can decrypt it?!?! Well, if you enabled AutoAdminLogon for a non-administrative user, that user can’t read the password under normal circumstances, and secondly, you won’t be able to read the value over the network: you must have local administrative execution privileges (and if you have local administrative privileges, you already have full access to the box :^( ).

I wrote an exe to decrypt the AutoAdminLogon DefaultPassword stored in LSA Secrets. It’s only 2k in size and can be downloaded from here:
https://skydrive.live.com/redir?resid=5407B03614346A99%213013

SysInternals AutoLogon tool

http://technet.microsoft.com/en-us/sysinternals/bb963905.aspx

The Sysinternals Autologon tool uses LSA Secrets to store DefaultPassword in the registry. Yes, it is technically encrypted; *however*, just because it’s encrypted does not mean it’s safe to put your secure passwords there. Any administrator can decrypt and read the value, so treat it as protection against non-administrative users only, not as protection of the password itself.

-k
