Interactive logon explained
Interactive login refers to a login approach wherein a user engages directly with the computer system through a user interface. Typically, this involves logging in via a graphical user interface (GUI) or a command line interface (CLI). Using interactive login, users gain access to a session that enables them to engage with the system as if they were physically present at the computer.
In this blog we will cover:
- Windows Logon Scenarios
- User authentication processes
- Windows logon types
- Difference between allow logon locally and interactive logon
- Difference between interactive and non-interactive logon
- Security settings for interactive logon (CIS benchmark items 2.3.7.1 to 2.3.7.9)
- Interactive Logon Vulnerabilities
- Hardening Interactive logon
Exploring Windows Logon Scenarios
Signing in and logging on describe the same procedure: both require a valid account and correct credentials. The account information that a logon is checked against is stored in the Security Account Manager (SAM) database on the local computer and, if applicable, in Active Directory.
Here are the 4 common logon scenarios:
Interactive logon: Users have the option to engage in an interactive logon by employing either a local user account or a domain account for accessing a computer.
Network logon: requires user, service, or computer authentication prior to use. This process does not involve credentials entry dialog boxes; instead, it utilizes pre-established credentials or an alternative method for collecting authentication data.
Smart card logon: enables logon exclusively for domain accounts, excluding local accounts. Smart card authentication necessitates the utilization of the Kerberos authentication protocol.
Biometric logon: A device captures and constructs a digital representation of an artifact, like a fingerprint. This digital version is then compared to a sample of the same artifact for successful authentication.
User authentication processes
The terms “interactive logon access” and “interactive logon authentication” are related but refer to different aspects of the user authentication process. Access is about permission, while authentication is about verifying identity for security purposes.
Interactive logon access:
Refers to a user’s permission to log in and use a system interactively, whether physically or remotely, involving direct interaction with the computer using input devices such as a keyboard and mouse. Access in this context relates to the user’s privilege to engage in interactive logon activities.
In the context of Windows operating systems, for example, interactive logon refers to the process of logging in locally at the computer itself, as opposed to remote logon through services like Remote Desktop or SSH. Controlling and managing interactive logon access is crucial for ensuring the security of a system, and it often involves the implementation of password policies, account lockout policies, and other security measures to protect against unauthorized access.
Interactive logon authentication:
Refers to the process of confirming a user’s identity during the logon, involving validation of credentials like a username and password. This security measure ensures that only authorized users can access the system through the interactive logon process.
Interactive Logon Authentication in Windows ensures that only authorized users with valid credentials can access the system, contributing to the security and integrity of the operating environment.
Windows logon types
The Windows operating system supports various logon techniques that allow users to prove their identity and gain authorized access to a system or network. To differentiate between these logon methods in system security logs, Windows assigns a numeric code to each type of logon event. By categorizing logons into multiple types and recording them differently in the event logs, the Windows security auditing system can provide more detailed insights into how users are accessing protected resources within the system or domain. Administrators can analyze the logon patterns to trace issues or detect potential security breaches.
Here are the main Windows logon types and logon codes:
- Logon type 2 – Interactive logon – A user logs on from the console to access the system with Ctrl+Alt+Del.
- Logon type 3 – Network logon – Accessing shared folders/printers on the network.
- Logon type 4 – Batch logon – For automated scheduled tasks and batch jobs.
- Logon type 5 – Service logon – For services running under specified accounts.
- Logon type 7 – Unlock logon – Unlocking a desktop session when returning from the locked state.
- Logon type 8 – NetworkCleartext logon – Logon over the network that sends the password in cleartext.
- Logon type 9 – NewCredentials logon – Used when a user changes a password or requests a credential change.
- Logon type 10 – RemoteInteractive logon – RDP logons to access a desktop remotely.
- Logon type 11 – CachedInteractive logon – Uses cached credentials for access when the network is unavailable.
- Logon type 13 – CachedUnlock logon – The logon is an attempt to unlock a workstation.
There are also some less common logon types like logon type 6 Proxy which is used for proxy connections and logon type 12 CachedRemoteInteractive which is the same as RemoteInteractive, except used internally for auditing purposes.
What is the difference between allow logon locally and interactive logon?
Interactive Logon represents a broader permission category, encompassing various access scenarios, whereas Allow Logon Locally specifies just local interactive sessions at the physical computer. Both mechanisms regulate access to interactive Windows user sessions but operate in distinct ways.
To make the distinction concrete:
Allow Logon Locally:
- Specifies whether a user can physically log into a particular computer by signing in at the computer’s keyboard/console.
- It allows interactive logon access at the local computer level.
Interactive Logon:
- Refers more broadly to a user signing in and accessing a Windows desktop session, whether locally or remotely.
- Includes logging on via Remote Desktop, in addition to physically at the computer’s keyboard.
- Governs the ability to access an interactive Windows session in general rather than just local logons.
What is the difference between interactive and non-interactive logon?
The key difference between interactive and non-interactive logon is whether a user is directly involved; the two use distinct authentication processes. In practice it comes down to whether the user signs into an interactive desktop session or merely accesses resources without a visual desktop session.
Interactive logons involve users directly accessing the Windows shell or desktop, interacting with the system through a keyboard and mouse. On the other hand, non-interactive logons are utilized by established accounts running scheduled tasks, services, etc., without requiring user interaction.
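The logon type codes listed above and the interactive/non-interactive split described here are what an analyst actually works with in the Security event log. The following PowerShell is an added example, not code from the original post or from CalCom: it reads the `LogonType` field of 4624 (successful logon) events, labels each event with the name from the list above, marks whether the type yields a desktop session, and summarises counts per type. The type-to-name table is taken from the post; the sample events are constructed (fictitious users, host and addresses) so the script runs offline, and the live `Get-WinEvent` query at the end is shown commented out.

```powershell
# Added example, not code from the original post: classify Windows logon events
# by the numeric logon type recorded in Security event 4624. The type names come
# from the list in the post; the sample events below are constructed for offline
# demonstration (fictitious users, hosts and addresses), not real log data.

$LogonTypeNames = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
    8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'
    11 = 'CachedInteractive'; 12 = 'CachedRemoteInteractive'; 13 = 'CachedUnlock'
}

# Types that hand the caller a desktop session (console, RDP, or unlocking one);
# everything else is non-interactive (shares, scheduled tasks, services, RunAs).
$InteractiveTypes = @(2, 7, 10, 11, 12, 13)

function ConvertFrom-LogonEvent {
    param([Parameter(Mandatory)][xml]$EventXml)
    # Read EventData fields by name rather than by positional index so the code
    # is not broken by fields that later Windows versions append to 4624.
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $type = [int]$data['LogonType']
    $name = if ($LogonTypeNames.ContainsKey($type)) { $LogonTypeNames[$type] } else { 'Unknown' }
    [pscustomobject]@{
        Time        = $EventXml.Event.System.TimeCreated.SystemTime
        User        = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        LogonType   = $type
        TypeName    = $name
        Interactive = $InteractiveTypes -contains $type
        Source      = $data['IpAddress']
        Workstation = $data['WorkstationName']
    }
}

function Get-LogonSummary {
    param([Parameter(Mandatory)][object[]]$Records)
    # Count logons per type and flag the two a reviewer usually wants first:
    # type 8 (the password crossed the network in the clear) and
    # type 10 (someone obtained a desktop over RDP).
    $Records | Group-Object LogonType | ForEach-Object {
        $t = [int]$_.Name
        [pscustomobject]@{
            LogonType   = $t
            TypeName    = $LogonTypeNames[$t]
            Count       = $_.Count
            Interactive = $InteractiveTypes -contains $t
            Review      = $t -in @(8, 10)
        }
    } | Sort-Object LogonType
}

# Constructed sample events: trimmed 4624 payloads with only the fields used here.
$SampleEvents = @(
    '<Event><System><EventID>4624</EventID><TimeCreated SystemTime="2024-01-01T08:00:00Z"/></System><EventData><Data Name="TargetUserName">alice</Data><Data Name="TargetDomainName">CORP</Data><Data Name="LogonType">2</Data><Data Name="WorkstationName">WS01</Data><Data Name="IpAddress">-</Data></EventData></Event>'
    '<Event><System><EventID>4624</EventID><TimeCreated SystemTime="2024-01-01T08:05:00Z"/></System><EventData><Data Name="TargetUserName">svc-backup</Data><Data Name="TargetDomainName">CORP</Data><Data Name="LogonType">5</Data><Data Name="WorkstationName">WS01</Data><Data Name="IpAddress">-</Data></EventData></Event>'
    '<Event><System><EventID>4624</EventID><TimeCreated SystemTime="2024-01-01T08:10:00Z"/></System><EventData><Data Name="TargetUserName">bob</Data><Data Name="TargetDomainName">CORP</Data><Data Name="LogonType">10</Data><Data Name="WorkstationName">WS01</Data><Data Name="IpAddress">10.0.0.25</Data></EventData></Event>'
    '<Event><System><EventID>4624</EventID><TimeCreated SystemTime="2024-01-01T08:12:00Z"/></System><EventData><Data Name="TargetUserName">carol</Data><Data Name="TargetDomainName">CORP</Data><Data Name="LogonType">8</Data><Data Name="WorkstationName">WS01</Data><Data Name="IpAddress">10.0.0.40</Data></EventData></Event>'
)

$records = $SampleEvents | ForEach-Object { ConvertFrom-LogonEvent -EventXml ([xml]$_) }
$records | Format-Table Time, User, TypeName, Interactive, Source -AutoSize
Get-LogonSummary -Records $records | Format-Table -AutoSize

# Against a live host the same functions take real events (elevated prompt needed):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 500 |
#     ForEach-Object { ConvertFrom-LogonEvent -EventXml ([xml]$_.ToXml()) }
# Get-LogonSummary -Records $live
```

On the constructed input the summary reports one interactive console logon (type 2), one non-interactive service logon (type 5), and two rows flagged for review: the RDP session (type 10) and the cleartext network logon (type 8). Reading the event's XML by field name, rather than indexing `$_.Properties[8]`, is the design choice worth keeping when you adapt this: positional indexes into 4624 have shifted between Windows versions, field names have not.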
Security settings for Interactive logon
The Center for Internet Security (CIS) benchmarks contain hundreds of recommendations to secure Windows systems, grouped into different categories and levels of priority. For interactive logon on Windows systems, CIS provides specific security recommendations within the Windows benchmarks which are listed below:
2.3.7.1 Ensure ‘Interactive logon: Do not require CTRL+ALT+DEL’ is set to ‘Disabled’ (Automated)
Security setting: This policy setting determines whether users must press CTRL+ALT+DEL before they log on. If you enable this policy setting, users can log on without this key combination. If you disable this policy setting, users must press CTRL+ALT+DEL before they log on to Windows unless they use a smart card for Windows logon. A smart card is a tamper-proof device that stores security information.
2.3.7.2 Ensure ‘Interactive logon: Don’t display last signed-in’ is set to ‘Enabled’ (Automated)
Security setting: This policy setting determines whether the account name of the last user to log on to the client computers in your organization will be displayed in each computer’s respective Windows logon screen. Enable this policy setting to prevent intruders from collecting account names visually from the screens of desktop or laptop computers in your organization.
2.3.7.3 Ensure ‘Interactive logon: Machine inactivity limit’ is set to ‘900 or fewer second(s), but not 0’ (Automated)
Security setting: Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session.
2.3.7.4 Configure ‘Interactive logon: Message text for users attempting to log on’ (Automated)
Security setting: Microsoft recommends that you use this setting, if appropriate to your environment and your organization’s business requirements, to help protect end user computers. This policy setting specifies a text message that displays to users when they log on.
2.3.7.5 Configure ‘Interactive logon: Message title for users attempting to log on’ (Automated)
Security setting: Microsoft recommends that you use this setting, if appropriate to your environment and your organization’s business requirements, to help protect end user computers. This policy setting allows text to be specified in the title bar of the window that users see when they log on to the system.
2.3.7.6 Ensure ‘Interactive logon: Number of previous logons to cache (in case domain controller is not available)’ is set to ‘4 or fewer logon(s)’ (MS only) (Automated)
Security setting: This policy setting determines whether a user can log on to a Windows domain using cached account information. Logon information for domain accounts can be cached locally to allow users to log on even if a domain controller cannot be contacted. This policy setting determines the number of unique users for whom logon information is cached locally. If this value is set to 0, the logon cache feature is disabled. An attacker who is able to access the file system of the server could locate this cached information and use a brute force attack to determine user passwords.
2.3.7.7 Ensure ‘Interactive logon: Prompt user to change password before expiration’ is set to ‘between 5 and 14 days’ (Automated)
Security setting: This policy setting determines how far in advance users are warned that their password will expire. Microsoft recommends that you configure this policy setting to 14 days to sufficiently warn users when their passwords will expire.
2.3.7.8 Ensure ‘Interactive logon: Require Domain Controller Authentication to unlock workstation’ is set to ‘Enabled’ (MS only) (Automated)
Security setting: Logon information is required to unlock a locked computer. For domain accounts, the Interactive logon: Require Domain Controller authentication to unlock workstation setting determines whether it is necessary to contact a domain controller to unlock a computer. If you enable this setting, a domain controller must authenticate the domain account that is being used to unlock the computer. If you disable this setting, logon information confirmation with a domain controller is not required for a user to unlock the computer. However, if you configure the Interactive logon: Number of previous logons to cache (in case domain controller is not available) setting to a value that is greater than zero, then the user’s cached credentials will be used to unlock the computer.
Note: This setting applies to Windows 2000 computers, but it is not available through the Security Configuration Manager tools on these computers.
2.3.7.9 Ensure ‘Interactive logon: Smart card removal behavior’ is set to ‘Lock Workstation’ or higher (Automated)
Security setting: This policy setting determines what happens when the smart card for a logged-on user is removed from the smart card reader.
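Each of the nine recommendations above is a Group Policy setting that Windows stores as a registry value, so a host can be checked for all of them in one pass. The script below is an added example, not code from the original post or from CalCom; the registry paths, value names and compliant ranges are my own mapping of the CIS items (they are the well-known locations the corresponding policies write, but the post does not state them). It only reads and reports; it changes nothing. Run it from an elevated PowerShell prompt on the machine you want to assess.

```powershell
# Added example, not code from the original post or CalCom: audit the nine CIS
# "Interactive logon" recommendations by reading the registry values that the
# corresponding Group Policy settings write. Paths, value names and expected
# ranges are my mapping of the CIS items, not taken from the post. Read-only.

$Policies = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# One entry per CIS item: where the value lives, and a scriptblock that receives
# the raw value ($null when the key or value is absent) and returns $true if the
# setting is compliant. Note that CachedLogonsCount and ScRemoveOption are
# REG_SZ strings, hence the [int] casts.
$Checks = @(
    @{ Id = '2.3.7.1'; Name = 'Do not require CTRL+ALT+DEL'; Path = $Policies; Value = 'DisableCAD'
       Test = { param($v) $v -eq 0 }; Expect = '0 (Disabled)' }
    @{ Id = '2.3.7.2'; Name = "Don't display last signed-in"; Path = $Policies; Value = 'DontDisplayLastUserName'
       Test = { param($v) $v -eq 1 }; Expect = '1 (Enabled)' }
    @{ Id = '2.3.7.3'; Name = 'Machine inactivity limit'; Path = $Policies; Value = 'InactivityTimeoutSecs'
       Test = { param($v) $null -ne $v -and $v -ge 1 -and $v -le 900 }; Expect = '1-900 seconds' }
    @{ Id = '2.3.7.4'; Name = 'Message text for users attempting to log on'; Path = $Policies; Value = 'LegalNoticeText'
       Test = { param($v) -not [string]::IsNullOrWhiteSpace($v) }; Expect = 'non-empty text' }
    @{ Id = '2.3.7.5'; Name = 'Message title for users attempting to log on'; Path = $Policies; Value = 'LegalNoticeCaption'
       Test = { param($v) -not [string]::IsNullOrWhiteSpace($v) }; Expect = 'non-empty text' }
    @{ Id = '2.3.7.6'; Name = 'Number of previous logons to cache'; Path = $Winlogon; Value = 'CachedLogonsCount'
       Test = { param($v) $null -ne $v -and [int]$v -le 4 }; Expect = '4 or fewer' }
    @{ Id = '2.3.7.7'; Name = 'Prompt user to change password before expiration'; Path = $Winlogon; Value = 'PasswordExpiryWarning'
       Test = { param($v) $null -ne $v -and $v -ge 5 -and $v -le 14 }; Expect = '5-14 days' }
    @{ Id = '2.3.7.8'; Name = 'Require Domain Controller Authentication to unlock workstation'; Path = $Winlogon; Value = 'ForceUnlockLogon'
       Test = { param($v) $v -eq 1 }; Expect = '1 (Enabled)' }
    @{ Id = '2.3.7.9'; Name = 'Smart card removal behavior'; Path = $Winlogon; Value = 'ScRemoveOption'
       Test = { param($v) $null -ne $v -and [int]$v -ge 1 }; Expect = '1 (Lock Workstation) or higher' }
)

function Test-InteractiveLogonBaseline {
    param([hashtable[]]$CheckList = $Checks)
    foreach ($c in $CheckList) {
        # A missing key or value yields $null, and every check treats $null as
        # non-compliant: the policy is simply not being enforced on this host.
        $item = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
        $actual = if ($null -ne $item) { $item.($c.Value) } else { $null }
        [pscustomobject]@{
            Id        = $c.Id
            Setting   = $c.Name
            Actual    = if ($null -eq $actual) { '<not set>' } else { $actual }
            Expected  = $c.Expect
            Compliant = & $c.Test $actual
        }
    }
}

$results = Test-InteractiveLogonBaseline
$results | Format-Table -AutoSize
# Non-zero exit code when anything fails, so the script can gate a build or a
# configuration-management run.
if ($results | Where-Object { -not $_.Compliant }) { exit 1 }
```

Treating an absent value as a failure is deliberate: for most of these items Windows' built-in default (no value present) is the insecure direction, for example the last signed-in user is shown and no inactivity limit applies. Because the values under `Policies\System` and `Winlogon` are the ones Group Policy writes, the table reflects the effective policy, which is what you want to compare against the CIS expectation.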
Interactive logon vulnerabilities
The interactive logon process for Windows systems faces various vulnerabilities that can compromise user credentials and enable unauthorized access. Inadequately secured settings for the user logon experience provide opportunities for attackers to obtain passwords and gain control of systems.
Some common vulnerabilities associated with interactive logon settings include:
Information disclosure: By default, Windows displays the username last used to log on, which hands an attacker a valid account name to guess against or brute-force. Custom logon messages, though personalized, might also inadvertently expose system or user details, increasing exposure to social engineering attacks.
Compromised accounts: Service accounts that are allowed to log on interactively are a particular risk; if misused, they grant attackers significant control over the system. Weak passwords, stemming from poor practices like reuse or reliance on common dictionary words, also leave accounts susceptible to brute-force or password-spraying attacks.
Automatic logon: Skipping login altogether exposes the system if compromised.
Guest account enabled: The built-in Guest account with limited privileges can still be exploited for lateral movement within the system.
Insufficient session timeout: Leaving sessions active for extended periods without user interaction increases the time window for exploitation.
Hardening Interactive logon
Securing the interactive logon methods in a Windows environment is a fundamental activity to guard access from unauthorized users. The logon interface that validates user credentials and grants system entry privileges is a prime target for malicious actors and requires stringent controls.
CalCom Hardening Suite (CHS) automates the hardening procedures around interactive logon settings to obstruct common threats like brute force password guessing or credential stuffing attacks. By automating the hardening of interactive logon settings, you can streamline the process, making it significantly faster and less resource-intensive. It allows for continuous monitoring that enforces hardening measures, ensuring persistent protection across multiple systems.