Interactive Logon Security Settings: A Comprehensive Guide

Interactive logon explained

Interactive login refers to a login approach wherein a user engages directly with the computer system through a user interface. Typically, this involves logging in via a graphical user interface (GUI) or a command line interface (CLI). Using interactive login, users gain access to a session that enables them to engage with the system as if they were physically present at the computer.

Exploring Windows Logon Scenarios

The sign-in procedure is similar to the logon process, as it necessitates a valid account and accurate credentials. However, logon details are stored in the Security Account Manager (SAM) database on the local computer and, if applicable, in Active Directory.

Here are the 4 common logon scenarios:

Interactive logon: Users have the option to engage in an interactive logon by employing either a local user account or a domain account for accessing a computer.

Network logon: requires user, service, or computer authentication prior to use. This process does not involve credentials entry dialog boxes; instead, it utilizes pre-established credentials or an alternative method for collecting authentication data.

Smart card logon: enables logon exclusively for domain accounts, excluding local accounts. Smart card authentication necessitates the utilization of the Kerberos authentication protocol.

Biometric logon: A device captures and constructs a digital representation of an artifact, like a fingerprint. This digital version is then compared to a sample of the same artifact for successful authentication.

User authentication processes

The terms “interactive logon access” and “interactive logon authentication” are related but refer to different aspects of the user authentication process. Access is about permission, while authentication is about verifying identity for security purposes.

Interactive logon access:

Refers to a user’s permission to log in and use a system interactively, whether physically or remotely, involving direct interaction with the computer using input devices such as a keyboard and mouse. Access in this context relates to the user’s privilege to engage in interactive logon activities.

In the context of Windows operating systems, for example, interactive logon refers to the process of logging in locally at the computer itself, as opposed to remote logon through services like Remote Desktop or SSH. Controlling and managing interactive logon access is crucial for ensuring the security of a system, and it often involves the implementation of password policies, account lockout policies, and other security measures to protect against unauthorized access.

Interactive logon authentication:

Refers to the process of confirming a user’s identity during the logon, involving validation of credentials like a username and password. This security measure ensures that only authorized users can access the system through the interactive logon process.

Interactive Logon Authentication in Windows ensures that only authorized users with valid credentials can access the system, contributing to the security and integrity of the operating environment.

Windows logon types

The Windows operating system supports various logon techniques that allow users to prove their identity and gain authorized access to a system or network. To differentiate between these logon methods in system security logs, Windows assigns a numeric code to each type of logon event. By categorizing logons into multiple types and recording them differently in the event logs, the Windows security auditing system can provide more detailed insights into how users are accessing protected resources within the system or domain. Administrators can analyze the logon patterns to trace issues or detect potential security breaches.

Here are the main Windows logon types and logon codes:

Logon type 2 – Interactive logon – A user logs on from console to access system with Ctrl+Alt+Del.

Logon type 3 – Network logon – Accessing shared folders/printers on network.

Logon type 4 – Batch logon – For automated scheduled tasks and batch jobs.

Logon type 5 – Service logon – For services running under specified accounts.

Logon type 7 – Unlock logon – Unlocking desktop session when returning from locked state.

Logon type 8 – NetworkCleartext logon – Logon over the network that sends password in cleartext.

Logon type 9 – NewCredentials logon – Used when user changes password or requests credential change.

Logon type 10 – RemoteInteractive logon - RDP logons to access desktop remotely.

Logon type 11 – CachedInteractive logon – Use cached credentials for access when network unavailable.

Logon type 13 - CachedUnlock logon – The logon is an attempt to unlock a workstation.

There are also some less common logon types like logon type 6 Proxy which is used for proxy connections and logon type 12 CachedRemoteInteractive which is the same as RemoteInteractive, except used internally for auditing purposes.

What is the difference between allow logon locally and interactive logon?

Interactive Logon represents a broader permission category, encompassing various access scenarios, whereas Allow Logon Locally specifies just local interactive sessions at the physical computer. Both mechanisms regulate access to interactive Windows user sessions but operate in distinct ways.

To better understand, here is an example:

Allow Logon Locally:

Specifies whether a user can physically log into a particular computer by signing in at the computer’s keyboard/console.
It allows interactive logon access at the local computer level.

Interactive Logon:

Refers more broadly to a user signing in and accessing a Windows desktop session, whether locally or remotely.
Includes logging on via Remote Desktop, in addition to physically at the computer’s keyboard.

Governs the ability to access an interactive Windows session in general rather than just local logons.

What is the difference between interactive and non-interactive logon?

The key difference between interactive and non-interactive logon lies in user involvement using distinct authentication processes. This means whether the user signs into an interactive user session or just accesses resources without a visual desktop session.

Interactive logons involve users directly accessing the Windows shell or desktop, interacting with the system through a keyboard and mouse. On the other hand, non-interactive logons are utilized by established accounts running scheduled tasks, services, etc., without requiring user interaction.

Security settings for Interactive logon

The Center for Internet Security (CIS) benchmarks contain hundreds of recommendations to secure Windows systems, grouped into different categories and levels of priority. For interactive logon on Windows systems, CIS provides specific security recommendations within the Windows benchmarks which are listed below:

2.3.7.1 Ensure ‘Interactive logon: Do not require CTRL+ALT+DEL’ is set to ‘Disabled’ (Automated)

Security setting: This policy setting determines whether users must press CTRL+ALT+DEL before they log on. If you enable this policy setting, users can log on without this key combination. If you disable this policy setting, users must press CTRL+ALT+DEL before they log on to Windows unless they use a smart card for Windows logon. A smart card is a tamper-proof device that stores security information.

2.3.7.2 Ensure ‘Interactive logon: Don’t display last signed-in’ is set to ‘Enabled’ (Automated)

Security setting: This policy setting determines whether the account name of the last user to log on to the client computers in your organization will be displayed in each computer’s respective Windows logon screen. Enable this policy setting to prevent intruders from collecting account names visually from the screens of desktop or laptop computers in your organization.

2.3.7.3 Ensure ‘Interactive logon: Machine inactivity limit’ is set to ‘900 or fewer second(s), but not 0’ (Automated)

Security setting: Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session.

2.3.7.4 Configure ‘Interactive logon: Message text for users attempting to log on’ (Automated)

Security setting: Microsoft recommends that you use this setting, if appropriate to your environment and your organization’s business requirements, to help protect end user computers. This policy setting specifies a text message that displays to users when they log on.

2.3.7.5 Configure ‘Interactive logon: Message title for users attempting to log on’ (Automated)

Security setting: Microsoft recommends that you use this setting, if appropriate to your environment and your organization’s business requirements, to help protect end user computers. This policy setting allows text to be specified in the title bar of the window that users see when they log on to the system.

2.3.7.6 Ensure ‘Interactive logon: Number of previous logons to cache (in case domain controller is not available)’ is set to ‘4 or fewer logon(s)’ (MS only) (Automated)

Security setting: This policy setting determines whether a user can log on to a Windows domain using cached account information. Logon information for domain accounts can be cached locally to allow users to log on even if a domain controller cannot be contacted. This policy setting determines the number of unique users for whom logon information is cached locally. If this value is set to 0, the logon cache feature is disabled. An attacker who is able to access the file system of the server could locate this cached information and use a brute force attack to determine user passwords.

2.3.7.7 Ensure ‘Interactive logon: Prompt user to change password before expiration’ is set to ‘between 5 and 14 days’ (Automated)

Security setting: This policy setting determines how far in advance users are warned that their password will expire. Microsoft recommends that you configure this policy setting to 14 days to sufficiently warn users when their passwords will expire.

2.3.7.8 Ensure ‘Interactive logon: Require Domain Controller Authentication to unlock workstation’ is set to ‘Enabled’ (MS only) (Automated)

Security setting: Logon information is required to unlock a locked computer. For domain accounts, the Interactive logon: Require Domain Controller authentication to unlock workstation setting determines whether it is necessary to contact a domain controller to unlock a computer. If you enable this setting, a domain controller must authenticate the domain account that is being used to unlock the computer. If you disable this setting, logon information confirmation with a domain controller is not required for a user to unlock the computer. However, if you configure the Interactive logon: Number of previous logons to cache (in case domain controller is not available) setting to a value that is greater than zero, then the user’s cached credentials will be used to unlock the computer.

Note: This setting applies to Windows 2000 computers, but it is not available through the Security Configuration Manager tools on these computers.

2.3.7.9 Ensure ‘Interactive logon: Smart card removal behavior’ is set to ‘Lock Workstation’ or higher (Automated)

Security setting: This policy setting determines what happens when the smart card for a logged-on user is removed from the smart card reader.

Server Hardening The Complete Guide

Vulnerabilities

The interactive logon process for Windows systems faces various vulnerabilities that can compromise user credentials and enable unauthorized access. Inadequately secured settings for the user logon experience provide opportunities for attackers to obtain passwords and gain control of systems.

Some common vulnerabilities associated with interactive logon settings include:

Information disclosure: Windows include the default display of the last username used for login, potentially enabling attackers to guess or launch brute-force attacks. Additionally, custom messages, though personalized, might inadvertently expose system or user details, increasing vulnerability to social engineering attacks.

Compromised accounts: Particularly when service accounts with interactive login capabilities are misused, granting attackers significant control over the system. Additionally, weak passwords, stemming from poor practices like reuse or reliance on common dictionary words, make accounts susceptible to brute-force or spraying attacks.

Automatic logon: Skipping login altogether exposes the system if compromised.

Guest account enabled: The built-in Guest account with limited privileges can still be exploited for lateral movement within the system.

Insufficient session timeout: Leaving sessions active for extended periods without user interaction increases the time window for exploitation.

Hardening Interactive logon

Securing the interactive logon methods in a Windows environment is a fundamental activity to guard access from unauthorized users. The logon interface that validates user credentials and grants system entry privileges is a prime target for malicious actors and requires stringent controls.

CalCom Hardening Suite (CHS) automates the hardening procedures around interactive logon settings to obstruct common threats like brute force password guessing or credential stuffing attacks. By automating the hardening of interactive logon settings, you can streamline the process, making it significantly faster and less resource-intensive. It allows for continuous monitoring that enforces hardening measures, ensuring persistent protection across multiple systems.

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
_GRECAPTCHA	5 months 27 days	This cookie is set by Google. In addition to certain standard Google cookies, reCAPTCHA sets a necessary cookie (_GRECAPTCHA) when executed for the purpose of providing its risk analysis.
__cfduid	1 month	The cookie is used by cdn services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.

Cookie	Duration	Description
bcookie	2 years	This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	This cookie is set by LinkedIn and used for routing.
__stidv	1 year	This cookie is used by ShareThis. This cookie is used for sharing the content from the website to social networks.

Cookie	Duration	Description
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.
_gat	1 minute	This cookies is installed by Google Universal Analytics to throttle the request rate to limit the colllection of data on high traffic sites.

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.
__stid	1 year	The cookie is set by ShareThis. The cookie is used for site analytics to determine the pages visited, the amount of time spent, etc.

Cookie	Duration	Description
bscookie	2 years	This cookie is a browser ID cookie set by Linked share Buttons and ad tags.
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.