Preventing and solving hacker intrusion, logging on to Windows XP (2)

Source: Internet
Author: User

III. What does Winlogon do before and after logon?

If "Secure Logon" is set, a SAS (Secure Attention Sequence) is required. The SAS is a key combination; the default is Ctrl-Alt-Delete. It ensures that the information entered during interactive logon is received by the system and cannot be captured by other programs, so logging on with "Secure Logon" protects the user's account and password from being stolen by hackers. To enable secure logon, run the "control userpasswords2" command to open the "User Accounts" dialog box and select the "Advanced" tab (Figure 4). Select the "Require users to press Ctrl-Alt-Delete" option and click OK. From then on, a prompt appears before each logon dialog box asking the user to press Ctrl-Alt-Delete; only after that is the Windows XP GINA logon dialog box displayed, because only the system's GINA can intercept this key combination. As mentioned above, a GINA Trojan will suppress the "Secure Logon" prompt, so if the prompt disappears for no apparent reason, that is itself a sign that a Trojan may be present. The "Secure Logon" function has been used to protect system security since Windows 2000.

Figure 4

After the SAS is registered with Winlogon, GINA is called to create three desktops, which are used as needed:

◇ Winlogon desktop: users log on from the Winlogon desktop. The logon dialog box we see is simply what GINA displays on it.

If the "Welcome screen" logon mode is turned off, Windows XP activates the Winlogon desktop whenever you press Ctrl-Alt-Delete and displays the "Windows Security" dialog box shown in Figure 5. (Note that the Winlogon desktop is not the same thing as the dialog box; the dialog box is displayed only when Winlogon calls other programs.)

Figure 5

◇ User desktop: this is our everyday desktop and the most important desktop in the system. The correct account and password must be provided before the user desktop is displayed. Winlogon then initializes the user desktop according to the information in the registry and the user profile.

◇ Screen saver desktop: this is the screen saver, of which there are two kinds, the "system screen saver" and the "user screen saver". If the system screen saver is enabled, the system switches to it when no user has logged on and there has been no activity for a long time; the user screen saver is only reached after a user logs on, and different users can set different user screen savers.

4. If you want to log on, you have to go through GINA.

During the interactive logon process, Winlogon calls the GINA module and passes the account and password supplied by the user to GINA. GINA is responsible for verifying that the account and password are valid and then returns the result to Winlogon. When talking to winlogon.exe, GINA first determines the current state of winlogon.exe and then performs different verification tasks depending on that state. winlogon.exe generally has three states:

1. Logged-on state

As the name suggests, after a user logs on successfully, Winlogon enters the logged-on state. In this state the user can perform any operation their permissions allow.

2. Logged-off state

After the user chooses the "Log off" command in the logged-on state, Winlogon enters the logged-off state and displays the Winlogon desktop, where GINA shows the logon dialog box or the Welcome screen.

3. Locked state

When the user presses Win + L to lock the computer, Winlogon enters the locked state. In this state GINA displays the unlock dialog box, and the user has two options: enter the current user's password to return to the logged-on state, or enter the Administrator account and password to return to the logged-off state, in which case the original user's session state and unsaved data are lost.

5. Logging on to the local machine

1. The user presses Ctrl + Alt + Del.

2. Winlogon detects that the user pressed the SAS keys and calls GINA, which displays the logon dialog box for the user to enter the account and password.

3. The user enters the account and password. After confirmation, GINA sends the information to the LSA for verification.

4. For a logon to the local machine, the LSA calls the Msv1_0.dll authentication package to process the user information and generate a key, which is compared with the key stored in the SAM database.

5. If the comparison shows that the user is valid, the SAM sends the user's SID (Security ID), the SIDs of the groups the user belongs to, and other related information to the LSA.

6. The LSA creates a security token from the received SID information and then sends the token to winlogon.exe.

7. Winlogon.exe finishes processing the user logon, and the whole logon process is complete.

6. Logging on to the domain

The verification process for logging on to a domain differs according to the authentication protocol in use. If the domain controller runs Windows NT 4.0, the NTLM authentication protocol is used; the process is similar to the local logon process above, except that the account is not verified against the local SAM database but on the domain controller. Windows 2000 and Windows 2003 domain controllers generally use the Kerberos V5 protocol, which is more secure and reliable. To log on to the domain with this protocol, you must prove to the domain controller that your domain account is valid: you first apply to the TGS (Ticket-Granting Service); once that is granted, the user requests a session ticket for the computer being logged on to, and finally requests access to that computer's local system services.

The process is as follows:

1. The user presses Ctrl + Alt + Del.

2. Winlogon detects that the user pressed the SAS keys and calls GINA, which displays the logon dialog box for the user to enter the account and password.

3. The user selects the domain to log on to and enters the account and password. After confirmation, GINA sends the information entered by the user to the LSA for verification.

4. The LSA passes the request to the Kerberos authentication package, which uses a hash algorithm to generate a key from the user's information and stores the key in the credentials cache.

5. The Kerberos authentication package sends an authentication service request to the KDC (Key Distribution Center). The request contains the user's identity information and pre-authentication data, including the user's credentials and a timestamp encrypted with the hashed key.

6. When the KDC receives the data, it uses its own copy of the key to decrypt the timestamp in the request, and whether the decrypted timestamp is correct tells it whether the user is genuine.

7. If the user is valid, the KDC sends the user a TGT (Ticket-Granting Ticket). The reply (AS_REP) is encrypted with the user's key and contains the session key, the name of the user the session key is issued for, the maximum lifetime of the ticket, and any other data and settings that may be required. The ticket the user applied for is encrypted with the KDC's key and attached to the AS_REP. The authorization data section of the TGT contains the SID of the user account and the SIDs of the global and universal groups the user belongs to. Note: the SIDs returned to the LSA are placed in the user's access token. The maximum lifetime of a ticket is determined by domain policy; if a ticket expires during an active session, the user must request a new one.

8. When the user tries to access a resource, the client system uses the TGT to request a service ticket (TGS_REQ) from the Kerberos TGS on the domain controller. The TGS then sends the service ticket (TGS_REP) to the client. The service ticket is encrypted with the server's key, and the Kerberos service copies the SIDs from the TGT into every subsequent service ticket it issues.

9. The client presents the ticket directly to the network service it wants to access. The service ticket proves to the service the user's identity and the user's permissions for that service.
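The nine steps above are easier to follow as one runnable exchange. The following Python model is an added example, not code from the article or from Windows: the KDC, client and service are small functions, the "encryption" is a constructed hash-keystream-plus-HMAC stand-in (not a real Kerberos encryption type), and the account name, SPN, passwords and SIDs are placeholders. It goes slightly beyond the text by enforcing the timestamp check of step 6, the ticket lifetime of step 7 and the "wrong key cannot open the ticket" property of step 9 as explicit failures.

```python
import hashlib, hmac, json, os, time

SKEW = 300         # tolerated clock skew for the pre-authentication timestamp (seconds)
TICKET_LIFE = 600  # ticket lifetime, the article's "maximum life cycle" (seconds)

def derive_key(password):
    """Stand-in for the Kerberos string-to-key step (article step 4)."""
    return hashlib.sha256(password.encode()).digest()

def _stream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(0, n, 32))

def seal(key, obj):
    """Toy authenticated encryption (hash keystream + HMAC), constructed for this
    example only; it is NOT a real Kerberos encryption type."""
    nonce, data = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

class KDC:
    def __init__(self, users, services):
        self.users = users             # name -> (long-term key, [SIDs]): the account database
        self.services = services       # SPN -> the service's long-term key
        self.kdc_key = os.urandom(32)  # the "KDC key" that protects TGTs (step 7)

    def as_exchange(self, user, pre_auth, now):
        key, sids = self.users[user]
        ts = unseal(key, pre_auth)["timestamp"]  # step 6: KDC's own copy of the user's key
        if abs(now - ts) > SKEW:
            raise PermissionError("pre-authentication timestamp out of range")
        session_key, expires = os.urandom(32).hex(), now + TICKET_LIFE
        tgt = seal(self.kdc_key, {"user": user, "sids": sids,
                                  "session_key": session_key, "expires": expires})
        as_rep = seal(key, {"user": user, "session_key": session_key, "expires": expires})
        return as_rep, tgt

    def tgs_exchange(self, tgt, authenticator, spn, now):
        t = unseal(self.kdc_key, tgt)
        if now > t["expires"]:
            raise PermissionError("TGT expired: the client must request a new one")
        auth = unseal(bytes.fromhex(t["session_key"]), authenticator)
        if auth["user"] != t["user"] or abs(now - auth["timestamp"]) > SKEW:
            raise PermissionError("bad authenticator")
        svc_session = os.urandom(32).hex()
        # step 8: the ticket is sealed with the server's key; SIDs are copied from the TGT
        ticket = seal(self.services[spn], {"user": t["user"], "sids": t["sids"],
                                           "session_key": svc_session,
                                           "expires": now + TICKET_LIFE})
        tgs_rep = seal(bytes.fromhex(t["session_key"]), {"spn": spn, "session_key": svc_session})
        return tgs_rep, ticket

def domain_logon(kdc, user, password, spn, now=None):
    """Client side of steps 4-8: derive the key, pre-authenticate, get a TGT, then a service ticket."""
    now = time.time() if now is None else now
    key = derive_key(password)
    pre_auth = seal(key, {"timestamp": now})                         # step 5
    as_rep, tgt = kdc.as_exchange(user, pre_auth, now)                # steps 6-7
    session_key = bytes.fromhex(unseal(key, as_rep)["session_key"])  # only the real user can open AS_REP
    authenticator = seal(session_key, {"user": user, "timestamp": now})
    tgs_rep, ticket = kdc.tgs_exchange(tgt, authenticator, spn, now)  # step 8
    unseal(session_key, tgs_rep)                                      # client learns the service session key
    return ticket

def service_accept(service_key, ticket, now=None):
    """Step 9: the service opens the ticket with its own key and builds the token from the SIDs."""
    t = unseal(service_key, ticket)
    if (time.time() if now is None else now) > t["expires"]:
        raise PermissionError("service ticket expired")
    return {"user": t["user"], "token_sids": t["sids"]}

def logon_outcome(kdc, user, password, spn):
    """Label how a logon attempt ends; a wrong password fails at pre-authentication (step 6)."""
    try:
        domain_logon(kdc, user, password, spn)
        return "ok"
    except ValueError:
        return "pre-auth failed"
    except PermissionError as e:
        return f"refused: {e}"

# Constructed sample domain: placeholder passwords and SIDs, not real accounts.
USER_SIDS = ["S-1-5-21-EXAMPLE-1001", "S-1-5-21-EXAMPLE-513"]  # user SID + a group SID
SPN = "host/fileserver.example.local"
SERVICE_KEY = derive_key("placeholder-service-password")
kdc = KDC({"alice": (derive_key("placeholder-user-password"), USER_SIDS)}, {SPN: SERVICE_KEY})

if __name__ == "__main__":
    print(service_accept(SERVICE_KEY, domain_logon(kdc, "alice", "placeholder-user-password", SPN)))
```

The point to notice is that the user's password never travels to the KDC: the KDC only ever sees a timestamp sealed under a key it can also derive, and a wrong password surfaces as a failed pre-authentication rather than as a rejected password. Likewise the service never talks to the KDC; it trusts the SIDs in the ticket because only the KDC holds the service's long-term key.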

7. Being lazy: setting automatic logon

For security, we normally have to enter an account and password to get into Windows XP, and usually we log on with the same fixed account every time. Faced with typing a password each time, some people simply set a blank password or a weak one such as "123", and most of these accounts are administrator accounts. Hackers, however, can easily scan an entire IP range for computers with weak passwords using common scanning tools.

It is therefore recommended that you make the password as complex as possible. If you find this too much trouble, you can set automatic logon, but automatic logon is not safe: it means that anyone who can physically reach the computer can get into the system, and the account and password are saved in clear text in the registry, so anyone with permission to access the registry can read them, including over the network. So if you do want automatic logon, it is best not to use the administrator account; use an account in the Users group instead. To set automatic logon, run "control userpasswords2", and in the "User Accounts" window clear the "Users must enter a user name and password to use this computer" option. After confirmation a dialog box appears in which you enter the account and password for automatic logon. Note: the password is not verified here, so you must make sure the account and password are correct.
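The two configuration points this article turns on and off by hand, the "Secure Logon" prompt of section III and the automatic logon of this section, can be audited from a registry export. The following Python script is an added example, not code from the article: it parses the text that "reg query" prints for the Winlogon key and the Policies\System key and reports the risky settings the article describes. The value names (GinaDLL, DisableCAD, AutoAdminLogon, DefaultUserName, DefaultPassword) are the standard Windows names for these settings and are not mentioned in the article; the sample output below is constructed, and the GINA path and password in it are made-up illustrations.

```python
import re

# Constructed sample of `reg query` output for the two keys the article's settings live in.
# It is not a dump of any real machine; the GINA path and password are illustrations only.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoAdminLogon    REG_SZ    1
    DefaultUserName    REG_SZ    Administrator
    DefaultPassword    REG_SZ    123
    GinaDLL    REG_SZ    C:\WINDOWS\system32\example_gina.dll
    Shell    REG_SZ    Explorer.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    DisableCAD    REG_DWORD    0x1
"""

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
VALUE_RE = re.compile(r"^\s+(\S+)\s{2,}(REG_\w+)\s{2,}(.*)$")

def parse_reg_query(text):
    """Turn `reg query` output into {key path: {value name (lower-case): value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.strip()
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, reg_type, raw = m.groups()
            # REG_DWORD values print as hex (0x1); everything else is kept as a string
            keys[current][name.lower()] = int(raw, 16) if reg_type == "REG_DWORD" else raw.strip()
    return keys

def audit_logon_settings(keys):
    """Return (severity, message) findings for the settings discussed in the article."""
    findings = []
    winlogon = keys.get(WINLOGON_KEY, {})
    policy = keys.get(POLICY_KEY, {})
    # A GinaDLL value makes Winlogon load a replacement GINA instead of the built-in one,
    # which is exactly the hook the article's "GINA Trojan" relies on.
    if "ginadll" in winlogon:
        findings.append(("HIGH", f"non-default GINA registered: {winlogon['ginadll']}"))
    # DisableCAD = 1 switches off the "press Ctrl-Alt-Delete" secure logon prompt.
    # Simplification: only an explicit non-zero value is flagged here.
    if policy.get("disablecad", 0) != 0:
        findings.append(("MEDIUM", "secure logon (Ctrl-Alt-Delete prompt) is disabled"))
    if str(winlogon.get("autoadminlogon", "0")) == "1":
        user = str(winlogon.get("defaultusername", "<unset>"))
        findings.append(("MEDIUM", f"automatic logon is enabled for '{user}'"))
        if user.lower() == "administrator":
            findings.append(("HIGH", "automatic logon uses the Administrator account"))
        if "defaultpassword" in winlogon:
            findings.append(("HIGH", "DefaultPassword is stored in clear text in the registry"))
            if len(str(winlogon["defaultpassword"])) < 8:
                findings.append(("MEDIUM", "the automatic logon password is shorter than 8 characters"))
    return findings

if __name__ == "__main__":
    for severity, message in audit_logon_settings(parse_reg_query(SAMPLE_REG_QUERY)):
        print(f"[{severity}] {message}")
```

On a real machine the input comes from running reg query on each of the two key paths and concatenating the output; the script deliberately reads text rather than the live registry so it can be run on an exported copy from a machine you are investigating.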
