Windows XP Logon Methods

Source: Internet
Author: User

Logging on is usually the first thing we do in Windows XP. Windows XP has a much stricter logon verification mechanism than Windows 98. Understanding the logon verification mechanism and its principles deepens our understanding of system security and helps us prevent and deal with hacker and virus intrusion.

I. Logon types in Windows XP

1. Interactive Login

Interactive logon is the most common logon type: the user logs on to the local machine with a user account and password. Some people think "interactive logon" means "local logon", which is incorrect. "Interactive logon" also includes "domain account logon", while "local logon" is limited to "local account logon".

It is worth mentioning that logging on to a host through Terminal Services or Remote Desktop can also be regarded as "interactive logon"; the verification principle is the same.

During interactive logon, the system first checks the type of user account being used (a local user account or a domain user account) and then applies the corresponding verification mechanism. Different account types are handled differently.
◇ Local User Account

When you log on with a local user account, the system verifies the credentials against the information stored in the local SAM database. That is why, on Windows 2000, the SAM file could be deleted when the Administrator password was forgotten. This does not work on Windows XP, probably for security reasons. After logging on with a local user account, you can access only the local resources you have permission for. (Figure 1)

  



◇ Domain user account

When you log on with a domain user account, the system verifies the credentials against the data stored in Active Directory on the domain controller. If the user account is valid, after logging on you can access the resources you have permission for anywhere in the domain.

TIPS: if the computer is joined to a domain, the logon dialog box displays a "Log on to:" item, from which you can choose to log on to the domain or to the local machine.

2. Network logon

If the computer is joined to a workgroup or domain, you need to "log on to the network" to access resources on other computers. (Figure 2) Enter a user name and password for the Heelen host for verification. Note that the user account entered must exist on the other party's host, not on your own host, because during network logon the validity of the user account is decided by the host being accessed.

  


3. Service logon

Service logon is a special logon method. When the system starts services and programs, they first log on with some user account and then run. These accounts can be domain user accounts, local user accounts, or the SYSTEM account. Different user accounts have different access and control permissions on the system. In addition, a service that logs on with a local user account can access only the local resources it has permission for and cannot access resources on other computers, which is similar to "interactive logon".

The Task Manager in Figure 3 shows that system processes run under different accounts. When the system starts, some basic and Win32 services log on to the system in advance so that they can access and control it. Run services.msc to configure these services. System services play an important role and generally log on with the SYSTEM account, so they have absolute control over the system. That is why many viruses and Trojans compete to run under the privileged SYSTEM account. Besides SYSTEM, some services log on with the Local Service and Network Service accounts. After system initialization, all programs run by the user are logged on with the user's own account.

From the principles above, it is easy to see why many computer articles advise ordinary users to log on day to day with an account in the Users group: even if a virus or Trojan is run, the permission restrictions of the logged-on account mean that at most the resources belonging to that user can be damaged, while the important information that maintains system security and stability is not.

4. Batch logon

Batch logon is rarely used by ordinary users; it is usually used by programs that perform batch operations. The account used for a batch logon must have the right to batch processing; otherwise the logon fails.

Interactive logon is the type we encounter most, so I explain its principle in detail below.

II. Components the system uses for interactive logon

1. Winlogon.exe

Winlogon.exe is the most important component for "Interactive login". It is a security process and is responsible for the following work:

◇ Loads the other logon components.

◇ Provides a graphical interface for security-related user operations so that users can log on or log off.

◇ Exchanges necessary information with GINA as needed.

2. GINA

GINA stands for "Graphical Identification and Authentication". During the logon process, the "Welcome screen" and the logon dialog box are displayed by GINA.

With software such as StyleXP, for example, winlogon.exe can be made to load a GINA developed by the vendor, which provides a different Windows XP logon interface. Because GINA can be replaced in this way, there are now Trojans that steal accounts and passwords.

One kind targets "Welcome screen" logon: it simulates the Windows XP welcome interface, and when the user enters the password the Trojan captures it without the user noticing. We therefore recommend not using the Welcome screen to log on and enabling "Secure Login".

The other kind is a GINA Trojan targeting the logon dialog box. It is loaded at logon to steal the user's account and password and saves them to WinEggDrop.dat under %systemroot%\system32. This Trojan disables the system's "Welcome screen" logon and "User Switching" functions, and also suppresses the "Ctrl-Alt-Delete" secure logon prompt.

Users need not worry too much about having a GINA Trojan installed. Here is a solution for reference:

◇ To check whether a GINA Trojan is installed on your computer, you can download a GINA Trojan and run InstGina -view, which shows whether a DLL has been installed in the system's GinaDLL key value. It is mainly used to check whether a GINA Trojan that hooks logon has been installed. If a GINA Trojan is unfortunately installed, run InstGina -Remove to uninstall it.

3. LSA Service

LSA stands for "Local Security Authority". It is a very important service in Windows: all processing related to security authentication must pass through it. It obtains the user's account and password from winlogon.exe, processes the password through a key mechanism, and compares the result with the key stored in the account database. If the comparison matches, LSA considers the user's identity valid and allows the user to log on to the computer. If the comparison does not match, LSA considers the user's identity invalid and the user cannot log on.

Why do these three letters look familiar? Yes, this is the service associated with the "Shock Wave" worm, which used the LSA remote buffer overflow vulnerability to obtain SYSTEM, the highest system privilege, and attack computers. There is plenty of information available on the fix, so I will not go into it here.

4. SAM Database

SAM stands for Security Account Manager. It is a protected subsystem that manages user and group information by storing security accounts in the computer's registry. We can regard SAM as an account database. For computers not joined to a domain it is stored locally; for computers joined to a domain it is stored on the domain controller.

If a user attempts to log on to the local machine, the system compares the account information stored in the SAM Database on the local machine with the information provided by the user. If the user attempts to log on to the domain, the system compares the account information in the SAM Database stored in the domain controller with the information provided by the user.

5. Net Logon Service

The Net Logon service is mainly used together with NTLM (NT LAN Manager, the default authentication protocol of Windows NT 4.0) to verify that the information in the SAM database on a Windows NT domain controller matches the information provided by the user. The NTLM protocol is kept mainly for compatibility with Windows NT.

6. KDC Service

The KDC (Kerberos Key Distribution Center) service works together with the Kerberos authentication protocol to verify user logons across the entire Active Directory. If there are no Windows NT computers in the domain, you can use the Kerberos protocol alone to ensure maximum security. This service can be enabled only after the Active Directory service is started.

7. Active Directory Service

If your computer is added to a Windows 2000 or Windows 2003 domain, you must start the service to support the Active Directory function.

III. What does Winlogon do before and after logon?

If you set "Secure Login", a SAS (Secure Attention Sequence) is registered in the system during Winlogon initialization. The SAS is a key combination; the default is Ctrl-Alt-Delete. It ensures that the information entered during interactive logon is received by the system and not captured by other programs. Using "Secure Login" therefore ensures that the user's account and password are not stolen by hackers. To enable secure logon, run the "control userpasswords2" command to open the "User Accounts" dialog box and select "Advanced". (Figure 4) Select the "Ask the user to press Ctrl-Alt-Delete" option and click OK. From then on, before each logon dialog box appears, a prompt will ask the user to press Ctrl-Alt-Delete.
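
The GinaDLL check from the GINA section and the "Secure Login" and Welcome screen settings discussed above can all be reviewed from saved `reg query` output of the Winlogon key. This is an added example, not part of the original article: only `GinaDLL` is named on the page, while the key path, the `LogonType` and `DisableCAD` value names, and the sample output (including `examplegina.dll`) are assumptions or constructed here.

```python
import re

# Value names under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
# GinaDLL is named on the page; LogonType and DisableCAD are assumptions added here.
_VALUE = re.compile(
    r"^\s*(GinaDLL|LogonType|DisableCAD)\s+REG_\w+\s+(.*?)\s*$",
    re.IGNORECASE | re.MULTILINE,
)

# Constructed sample: `reg query` output from a host whose GINA was replaced.
SAMPLE_REPLACED = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    DisableCAD    REG_DWORD    0x1
    GinaDLL    REG_SZ    C:\WINDOWS\system32\examplegina.dll
    LogonType    REG_DWORD    0x0
"""

# Constructed sample: stock GINA, classic logon dialog, Ctrl-Alt-Delete required.
SAMPLE_STOCK = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    DisableCAD    REG_DWORD    0x0
    LogonType    REG_DWORD    0x0
"""


def parse_winlogon(reg_output):
    """Map lower-cased value name -> data string from `reg query` text."""
    return {m.group(1).lower(): m.group(2) for m in _VALUE.finditer(reg_output)}


def audit_winlogon(reg_output):
    """Return findings to review; values that are absent are not judged."""
    values = parse_winlogon(reg_output)
    findings = []
    gina = values.get("ginadll")
    if gina is not None:  # no GinaDLL value means Winlogon loads msgina.dll
        name = gina.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name != "msgina.dll":
            findings.append("GinaDLL names a non-default DLL: " + gina)
        elif "\\" in gina and not gina.lower().endswith("\\system32\\msgina.dll"):
            findings.append("msgina.dll is loaded from an unusual path: " + gina)
    # reg.exe prints REG_DWORD data in hex (0x1); int(..., 0) accepts that form.
    if "logontype" in values and int(values["logontype"], 0) == 1:
        findings.append("Welcome screen logon is enabled (LogonType=1)")
    if "disablecad" in values and int(values["disablecad"], 0) == 1:
        findings.append("Ctrl-Alt-Delete is not required (DisableCAD=1)")
    return findings
```

A non-default GinaDLL is not proof of a Trojan, because legitimate third-party software also replaces the GINA; the finding marks the DLL for inspection.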
