When using Windows XP, we always have to log on first. The logon authentication mechanism of Windows XP is far more complex than that of Windows 98, so you can no longer get into the system by simply pressing "Cancel" (though this can be disabled by modifying the registry). Understanding how Windows XP verifies a logon is very important to us: it deepens our understanding of system security and helps us prevent and deal with hacker and virus intrusions.
I. The logon types of Windows XP
1. Interactive Login
Interactive logon is the most common type: the user logs on to the local machine with a user account and password. Some netizens think that "interactive logon" means "local logon", which is not correct. Interactive logon also includes domain account logon, whereas local logon is limited to local account logon. See below for details.
It is worth mentioning that logging on to a host through Terminal Services or Remote Desktop also counts as interactive logon; the verification principle is the same.
During interactive logon, the system first checks the type of the user account being used (a local user account or a domain user account) and then applies the corresponding verification mechanism. Because the account types differ, the way they are processed differs as well.
◇ Local User Account
When you log on with a local user account, the system verifies it against the information stored in the local SAM database. That is why deleting the SAM file was once a way to get around a forgotten Windows administrator password; Windows XP no longer allows it, probably for security reasons. After logging on with a local user account, you can only access local resources for which you have access permissions. (Figure 1)
◇ Domain user account
When you log on with a domain user account, the system verifies it against the data stored in the Active Directory on the domain controller. If the account is valid, after logon you can access any resource in the entire domain for which you have access permissions.
TIPS: if the computer has joined a domain, the logon dialog box shows a "Log on to:" field, from which you can choose to log on to the domain or to the local machine.
2. Network logon
If the computer has joined a workgroup or a domain, you need a network logon to access resources on other computers: you enter a user name and password of the remote host for verification. Note that the account you enter must exist on the remote host, not on your own machine, because during network logon the validity of the account is checked by the host being accessed.
3. Service logon
Service logon is a special logon type. Normally the system starts services and programs under particular user accounts, which may be domain user accounts, local user accounts, or the system account. Different user accounts have different access and control permissions over the system. As with interactive logon, a service logged on with a local user account can only access local resources for which it has permissions and cannot access resources on other computers.
Task Manager in Figure 3 shows that system processes run under different accounts. When the system starts, some basic and Win32 services are logged on in advance so that they can access and control the system; run services.msc to configure them. Precisely because system services play such an important role (they generally log on as the system account and have absolute control over the system), many viruses and Trojans vie to run as services. Besides SYSTEM, some services log on with the Local Service and Network Service accounts. After system initialization, every program the user runs is logged on with the user's own account.
From the principles above it is not hard to see why many computer articles recommend that users work under an account in the Users group: even if a virus or Trojan runs, the permissions of such an account are limited, so at most it can damage resources belonging to that user, not the information on which the system's security and stability depend.
4. Batch Login
Batch logon is rarely used directly by users; it is usually used by programs that perform batch operations. The account used for a batch logon must have the right to log on as a batch job; otherwise the logon fails.
Interactive logon is the type we deal with most, so I will explain its principle in detail.
II. Which system components take part in interactive logon
1. winlogon.exe
Winlogon.exe is the most important component for "Interactive login". It is a security process and is responsible for the following work:
◇ Loads the other logon components.
◇ Provides the graphical interface for security-related user operations, so that users can log on or log off.
◇ Exchanges the necessary information with GINA.
2. GINA
GINA stands for Graphical Identification and Authentication. During the logon process, the "Welcome screen" and the logon dialog box are displayed by GINA.
For example, StyleXP lets you make winlogon.exe load a vendor-developed GINA to give Windows XP a different logon interface. Because GINA can be replaced like this, there are now Trojans that steal accounts and passwords by this route.
One kind targets "Welcome screen" logon: it imitates the Windows XP welcome screen, and after the user enters the password the Trojan captures it without the user noticing anything. We therefore recommend that you do not log on through the welcome screen, and that you enable "Secure Logon".
The other kind is a GINA Trojan aimed at the logon dialog box. It is loaded during logon, steals the user's account and password, and saves the information in a file named wineggdrop.dat under %SystemRoot%\system32. This Trojan disables the system's "Welcome screen" logon and "User Switching" functions, and also suppresses the "Ctrl-Alt-Delete" secure logon prompt.
Users do not need to worry too much about having a GINA Trojan installed. Here is a method for reference:
◇ To check whether a GINA Trojan has been installed on your computer, download a GINA Trojan and run instgina-view, which checks whether the GinaDLL value in the system has a DLL installed; this mainly tells you whether a logon GINA Trojan is present. If one has unfortunately been installed, run instgina-remove to uninstall it.
3. LSA Service
LSA stands for Local Security Authority. It is a very important Windows service: all security-authentication processing passes through it. It receives the user's account and password from winlogon.exe, processes the password through a key mechanism, and compares the result with the key stored in the account database. If they match, LSA considers the user's identity valid and allows the user to log on; if they do not match, LSA considers the identity invalid and the user cannot log on.
Why do these three letters look familiar? Right, they are linked to the "Shock Wave" worm that raged for a while. The worm exploited a remote buffer overflow vulnerability in LSA to obtain the highest privilege, SYSTEM, and attack the computer. Plenty of information on the fix is available, so I will not go into it here.
4. SAM Database
SAM stands for Security Account Manager. It is a protected subsystem that manages user and group account information stored in the computer's registry; we can think of SAM as an account database. For a computer not joined to a domain it is stored locally; for a computer joined to a domain it is stored on the domain controller.
If a user attempts to log on to the local machine, the system compares the account information stored in the SAM Database on the local machine with the information provided by the user. If the user attempts to log on to the domain, the system compares the account information in the SAM Database stored in the domain controller with the information provided by the user.
5. Net Logon Service
The Net Logon service works mainly together with NTLM (NT LAN Manager, the default authentication protocol of Windows NT 4.0) to verify that the information in the SAM database on a Windows NT domain controller matches the information the user supplied. The NTLM protocol is retained for compatibility with Windows NT.
6. KDC Service
The KDC (Kerberos Key Distribution Center) works together with the Kerberos authentication protocol to verify user logons across the entire Active Directory. If there are no Windows NT computers in the domain, you can use the Kerberos protocol exclusively for maximum security. This service can only be enabled after the Active Directory service has started.
7. Active Directory Service
If the computer has joined a Windows 2000 or Windows 2003 domain, this service must be started to support the Active Directory functions.
III. What Winlogon does before and after logon
If "Secure Logon" is enabled, a SAS (Secure Attention Sequence) is registered. The SAS is a key combination, by default Ctrl-Alt-Delete, which ensures that the information typed during interactive logon is received by the system and cannot be captured by other programs. Logging on with "Secure Logon" therefore ensures that the user's account and password are not stolen by hackers. To enable it, run "control userpasswords2" to open the "User Accounts" dialog box and select "Advanced" (Figure 4), tick the "Ask the user to press Ctrl-Alt-Delete" option, and click OK. From then on, a prompt appears before each logon dialog box asking the user to press Ctrl-Alt-Delete; only the system's own GINA can intercept this key combination, so it is the Windows XP GINA logon dialog box that gets displayed. As mentioned above, a GINA Trojan suppresses the "Secure Logon" prompt, so if the prompt disappears for no reason, that is a sign that a Trojan may be present. "Secure Logon" is not new; it has been used to protect Windows systems for a long time.
Once the SAS is registered with Winlogon, GINA is called to create three desktops, which are used as needed:
◇ Winlogon desktop: the user logs on from the Winlogon desktop. The logon dialog box we see is simply something GINA displays on it. If you have switched off "Welcome screen" logon, Windows XP activates the Winlogon desktop whenever you press Ctrl-Alt-Delete and shows the "Windows Security" dialog box in Figure 5. (Note: the Winlogon desktop is not the same as a dialog box; the dialog box only appears when Winlogon calls other programs.)
◇ User desktop: our everyday desktop and the most important desktop in the system. The correct account and password must be supplied before the user desktop appears. Winlogon initializes the user desktop according to the information in the registry and the user's profile.
◇ Screen saver desktop: the desktop used by screen savers, of which there are two kinds, the "system screen saver" and the "user screen saver". If the system screen saver is enabled, the system switches to it when nobody has logged on and there has been no activity for a long time; the user screen saver can only be reached after a user has logged on, and different users can set different user screen savers.
IV. Every logon goes through GINA
During interactive logon, Winlogon calls the GINA component and passes it the account and password supplied by the user. GINA is responsible for verifying the account and password and reports the result back to Winlogon. When talking to winlogon.exe, GINA first determines the current state of winlogon.exe and then performs different verification tasks depending on that state. In general, winlogon.exe has three states:
1. Logged-on state
As the name suggests, after a user logs on successfully, the system enters the logged-on state. In this state the user can perform any operation the account has control permissions for.
2. Logged-off state
When the user chooses "Log Off" from the logged-on state, the system enters the logged-off state and displays the Winlogon desktop, on which GINA shows the logon dialog box or the welcome screen.
3. Locked state
When the user presses Win+L to lock the computer, the system enters the locked state. In this state GINA displays the unlock dialog box, and the user has two options: enter the current user's password to return to the logged-on state, or enter the Administrator account and password to return to the logged-off state, in which case the original user's session state and unsaved data are lost.
V. Logon to the local machine
1. Press CTRL + ALT + DEL.
2. Winlogon detects the SAS key press and calls GINA, which displays the logon dialog box for the user to enter the account and password.
3. The user enters the account and password; after confirmation, GINA sends the information to LSA for verification.
4. Because the user is logging on to the local machine, LSA calls the msv1_0.dll authentication package to process the user information and generate a key, which is compared with the key stored in the SAM database.
5. If the comparison shows the user is valid, SAM sends the user's SID (Security ID), the SIDs of the groups the user belongs to, and other related information to LSA.
6. LSA creates a security token from the SID information it received and sends the token to winlogon.exe.
7. winlogon.exe does some final processing of the user logon, and the whole logon process is complete.
VI. Logon to the domain
The verification process for a domain logon depends on the authentication protocol in use. If the domain controller runs Windows NT 4.0, the NTLM protocol is used; the process is similar to the local logon described above, except that the account is verified not in the local SAM database but on the domain controller. Windows 2000 and Windows 2003 domain controllers generally use the Kerberos V5 protocol, which is more secure and reliable. To log on to the domain through this protocol you must prove to the domain controller that your domain account is valid: you first request a ticket from the TGS (Ticket-Granting Service); once that is granted, you request a session ticket for the computer you want to log on to, and finally you request access to the local system services of that computer.
The process is as follows:
1. The user first presses CTRL + ALT + DEL.
2. When Winlogon detects that a user presses the SAS key, it calls Gina. The Login Dialog Box is displayed for the user to enter the account and password.
3. Select the domain to be logged on and enter the account and password. After confirmation, Gina sends the information entered by the user to LSA for verification.
4. For a domain logon, LSA passes the request to the Kerberos authentication package, which uses an algorithm to generate a key from the user's information and stores that key in the credential cache.
5. The Kerberos authentication package sends an authentication service request to the KDC (Key Distribution Center). It contains the user's identity and pre-authentication data, including the user's credentials and a timestamp encrypted with a key derived by a hash algorithm.
6. When the KDC receives the request, it uses the key it holds to decrypt the timestamp. If the timestamp decrypts correctly, the KDC can conclude that the user is valid.
7. If the user is valid, the KDC issues the user a TGT (Ticket-Granting Ticket). The AS_REP is decrypted with the user's key; it contains the session key, the name of the user the session key belongs to, the maximum lifetime of the ticket, and any other data and settings that may be required. The ticket the user requested is encrypted with the KDC key and attached to the AS_REP. The authorization data part of the TGT holds the user account's SID and the SIDs of the global and universal groups the user belongs to. Note: the SIDs returned to LSA go into the user's access token. The maximum lifetime of a ticket is set by domain policy; if a ticket expires during an active session, the user must request a new one.
8. When the user tries to access a resource, the client system uses the TGT to request a service ticket (TGS_REQ) from the Kerberos TGS on the domain controller. The TGS then returns the service ticket (TGS_REP) to the client. The service ticket is encrypted with the server's key, and the Kerberos service copies the SIDs from the TGT into every subsequent service ticket it issues.
9. The client presents the ticket directly to the network service it wants to access. The service ticket proves the user's identity and permissions to the service, and identifies the service to the user.
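The AS and TGS exchanges of steps 5 to 9, as an added toy simulation written for this article (not code from the original or from Windows). Every principal name, key, SID and lifetime is constructed; JSON plus a SHA-256 keystream and HMAC stands in for Kerberos encryption, and the clock-skew and expiry checks show why a wrong password or an expired TGT is rejected.

```python
import hashlib, hmac, json, os

# Toy Kerberos for this article. All names, keys, SIDs and lifetimes are constructed;
# real Kerberos uses ASN.1 messages and RFC 3961 ciphers, not this JSON/HMAC sealing.
def string_to_key(password):                     # stand-in for the Kerberos string-to-key step
    return hashlib.sha256(password.encode()).digest()

def _stream(key, nonce, n):                      # n bytes of keystream for encrypt/decrypt
    return b"".join(hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(n // 32 + 1))[:n]

def seal(key, obj):                              # encrypt-then-MAC a small JSON message
    data, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):                           # wrong key or tampering -> ValueError
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("bad key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

KDC_KEY = os.urandom(32)                         # krbtgt key: only the KDC can open a TGT
USERS = {"alice": string_to_key("correct horse battery")}       # constructed domain account
SERVICES = {"host/ws1": os.urandom(32)}          # constructed workstation (service) key
SIDS = {"alice": ["S-1-5-21-0-0-0-1001", "S-1-5-21-0-0-0-513"]}  # constructed user/group SIDs
SKEW, TGT_LIFE = 300, 36000                      # seconds; the lifetime comes from domain policy

def as_exchange(user, password, now):
    """Steps 5-7: AS_REQ with an encrypted timestamp, AS_REP carrying a TGT."""
    k = string_to_key(password)
    pa = seal(k, {"ts": now})                    # client: pre-authentication data
    kdc_k = USERS[user]                          # KDC: KeyError means unknown principal
    if abs(unseal(kdc_k, pa)["ts"] - now) > SKEW:   # a wrong password already fails inside unseal
        raise ValueError("pre-auth timestamp outside clock skew")
    sk = os.urandom(16).hex()                    # session key shared by client and KDC
    tgt = seal(KDC_KEY, {"cname": user, "sk": sk, "exp": now + TGT_LIFE, "sids": SIDS[user]})
    as_rep = seal(kdc_k, {"sk": sk, "exp": now + TGT_LIFE})
    return unseal(k, as_rep), tgt                # client keeps sk and the opaque TGT

def tgs_exchange(session, tgt, service, now):
    """Step 8: TGS_REQ = TGT + authenticator; TGS_REP = service ticket under the server key."""
    sk = bytes.fromhex(session["sk"])
    auth = seal(sk, {"ts": now})                 # client: proves it holds the session key
    t = unseal(KDC_KEY, tgt)                     # KDC side from here on
    if t["exp"] < now:
        raise ValueError("TGT expired, user must re-authenticate")
    unseal(sk, auth)                             # authenticator must open with the TGT's sk
    ssk = os.urandom(16).hex()
    ticket = seal(SERVICES[service], {"cname": t["cname"], "sk": ssk, "sids": t["sids"]})
    return unseal(sk, seal(sk, {"sk": ssk, "sname": service})), ticket   # TGS_REP enc-part

def service_accepts(service, ticket):
    """Step 9: the service opens the ticket with its own key; the SIDs build the access token."""
    return unseal(SERVICES[service], ticket)
```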
VII. Being lazy: setting automatic logon
For the sake of security we normally have to enter an account and password when entering Windows XP, and usually we log on with the same fixed account. Faced with typing a password every time, some friends simply set a blank password or a weak one such as "123", and most of these are administrator accounts. Hackers, however, can easily scan an IP range for all the computers with weak passwords using common scanning tools.
It is therefore recommended to set as complex a password as you can. If that is too much trouble you can set up automatic logon, but automatic logon is not safe: it means anyone with direct access to the computer can get into the system, and the account and password are stored in cleartext in the registry, so anyone with permission to read the registry, including over the network, can see them. So if you do set automatic logon, it is best not to use an administrator account; use an account in the Users group instead. To set automatic logon, run "control userpasswords2" (Figure 6) and, in the "User Accounts" window, clear the "Users must enter a user name and password to use this computer" option. After confirming, a dialog box appears; enter the account and password to log on with automatically. Note: the password is not verified here, so make sure the account and password are correct.
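The three Winlogon settings this article touches on (the GinaDLL value from the GINA Trojan discussion, the Ctrl-Alt-Delete secure logon prompt, and the automatic logon values) can be audited from a registry export. The following is an added example, not code from the article: the value names are the standard Windows ones (GinaDLL, AutoAdminLogon, DefaultUserName, DefaultPassword, DisableCAD), while the sample export and the lgnhook.dll file name are constructed.

```python
import re

# Constructed sample of a .reg export (not captured from a real machine). A clean
# XP machine has no GinaDLL value at all: winlogon.exe then loads msgina.dll.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DefaultUserName"="Administrator"
"DefaultPassword"="123"
"AutoAdminLogon"="1"
"GinaDLL"="C:\\WINDOWS\\system32\\lgnhook.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableCAD"=dword:00000001
'''

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
POLICY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
DEFAULT_GINA = "msgina.dll"

def parse_reg(text):
    """Parse a .reg export into {key: {name: value}}; handles REG_SZ and REG_DWORD only."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$', line)
        if current and m:
            name, s, d = m.groups()
            # .reg files double every backslash in string values; undo that
            keys[current][name] = s.replace("\\\\", "\\") if s is not None else int(d, 16)
    return keys

def get(values, name):
    """Registry value names are case-insensitive, so look them up that way."""
    return next((v for k, v in values.items() if k.lower() == name.lower()), None)

def audit_winlogon(text):
    """Return the findings a defender would want from the Winlogon and policy keys."""
    keys = parse_reg(text)
    wl, pol, findings = keys.get(WINLOGON, {}), keys.get(POLICY, {}), []
    gina = get(wl, "GinaDLL")
    if gina and gina.split("\\")[-1].lower() != DEFAULT_GINA:
        findings.append(f"non-default GINA loaded by winlogon.exe: {gina}")
    if str(get(wl, "AutoAdminLogon")) == "1":          # REG_SZ "1" or DWORD 1
        who = get(wl, "DefaultUserName")
        stored = "cleartext DefaultPassword" if get(wl, "DefaultPassword") is not None else "no DefaultPassword"
        findings.append(f"automatic logon enabled for '{who}' with {stored}")
    if get(pol, "DisableCAD") == 1:
        findings.append("Ctrl-Alt-Delete secure logon prompt disabled (DisableCAD=1)")
    return findings
```

On a real machine, export the two keys with reg.exe (reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg) and feed the file contents to audit_winlogon; reg.exe writes UTF-16, so open the file with encoding="utf-16".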