I whole-heartedly agree with Lukas. For any user with access to remotely
confidential data, auto-logon is ridiculous.

What I would say were I in your shoes ...

"I am so sorry, Joe, but I am not willing to make an exception to the
policy. I was an idiot for allowing automatic logon in the first place,
because it is a huge security hole. All someone has to do is press the
power key on the PC, and they are on our network. I apologize for the
inconvenience, but this is how it needs to be."

If your IT practices are audited by outsiders, I would add before the
apology ... "I certainly would not want to have this blatant a vulnerability
on the <<whatever it is called>>."

If you are overruled by your superiors, I would implement it, but make sure
that things are limited. I would automate the login as a LOCAL user, and
not automate the connection to network resources or email. If they
complain, shrug your shoulders and say that is the best you can do with the
new system. I would also make absolutely certain that the automatic logons
are included in every security and operational audit.

Note #1 -- If they are so bothered by having to enter a user and password,
perhaps you could implement fingerprint signon or use a token.

Note #2 -- A company called Rohos has a solution using a Yubikey token that
costs $32 per PC for the software and $25 for a Yubikey. I have never
implemented it, but I am confident that it is more secure than auto-login!
-->
http://www.rohos.com/support/knowledge-base/windows-logon-with-yubikey/

---------
Tom Jedrzejewicz
tomjedrz@xxxxxxxxxxxxxx

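Tom's last point, that every automatic logon has to show up in the audits, is easy to check mechanically because XP implements auto-logon through a handful of well-known registry values. The following script is an added example, not code from either post, Rohos, or Microsoft. It reads the Winlogon values (AutoAdminLogon, DefaultUserName, DefaultDomainName, DefaultPassword) and the policy value that removes the CTRL+ALT+DEL requirement (DisableCAD) from each PC in a list, and reports which machines auto-logon, whether the account is a domain or local one, and whether the password sits in plaintext in the registry. The computer names are placeholders; it assumes the Remote Registry service is running on the targets and that the caller has administrative rights on them.

```powershell
# Added example (not from the original thread). Audits automatic-logon
# settings on a list of PCs by reading the registry values that implement
# them. Assumes the Remote Registry service is running on each target and
# that the caller is a local administrator there. Names below are placeholders.

$Computers = @('PC-SALES01', 'PC-SALES02', 'PC-WHSE01')   # placeholder names

$WinlogonPath = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$PolicyPath   = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-AutoLogonStatus {
    param([string]$Computer)

    # Open HKLM on the remote machine via the Remote Registry service.
    $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $Computer)
    try {
        $winlogon = $base.OpenSubKey($WinlogonPath)
        $policy   = $base.OpenSubKey($PolicyPath)   # may not exist if no policy was ever set

        $auto      = $winlogon.GetValue('AutoAdminLogon')    # REG_SZ "1" when enabled
        $storedPwd = $winlogon.GetValue('DefaultPassword')   # plaintext if present; never echo it
        $disableCad = if ($policy) { $policy.GetValue('DisableCAD') } else { $null }  # DWORD 1 = CAD not required

        New-Object PSObject -Property @{
            Computer        = $Computer
            AutoAdminLogon  = ($auto -eq '1')
            DefaultUserName = $winlogon.GetValue('DefaultUserName')
            DefaultDomain   = $winlogon.GetValue('DefaultDomainName')
            PlaintextPwd    = (($storedPwd -ne $null) -and ($storedPwd -ne ''))
            CadNotRequired  = ($disableCad -eq 1)
        }
    } finally {
        $base.Close()
    }
}

$report = foreach ($c in $Computers) {
    try   { Get-AutoLogonStatus -Computer $c }
    catch { Write-Warning ("{0}: {1}" -f $c, $_.Exception.Message) }
}

$report | Format-Table Computer, AutoAdminLogon, DefaultDomain, DefaultUserName, PlaintextPwd, CadNotRequired -AutoSize

# One audit line per auto-logon PC, flagging the things an auditor should see:
# a domain account (Tom's advice was a LOCAL account only), a plaintext
# password in the registry, and CTRL+ALT+DEL switched off.
foreach ($r in ($report | Where-Object { $_.AutoAdminLogon })) {
    $flags = @()
    if ($r.DefaultDomain -and ($r.DefaultDomain -ne $r.Computer)) { $flags += 'domain account, not local' }
    if ($r.PlaintextPwd)   { $flags += 'plaintext DefaultPassword in registry' }
    if ($r.CadNotRequired) { $flags += 'CTRL+ALT+DEL not required' }
    "{0}: auto-logon as {1}\{2} ({3})" -f $r.Computer, $r.DefaultDomain, $r.DefaultUserName, ($flags -join '; ')
}
```

Two caveats when reading the output. A missing DefaultPassword does not mean no password is cached: netplwiz (control userpasswords2) and Sysinternals Autologon store it as the LSA secret named DefaultPassword rather than in this registry value, so AutoAdminLogon alone is the authoritative signal. And a DefaultDomainName equal to the computer name is what a local-account auto-logon looks like; anything else is a domain credential that a power button turns into a logged-on domain session.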

On Wed, Oct 14, 2009 at 10:17 AM, Jeff Crosby <jlcrosby@xxxxxxxxxxxxxxxx> wrote:

All,

We have 3 users whose PCs are started via WOL at 5am. All 3 are XP Pro and
are in locked offices. The primary reason for this 5am WOL is so that
things like AV scan, spyware scan, any backup, etc, would be done before
they got here.

Until last June, they were also set up for autologin (TweakUI), meaning the
user was logged on and they had various applications (Outlook/Thunderbird,
5250 sessions, etc) start before they got here. That always bugged me a
bit, but, as I said, they were behind locked doors. When we set up a domain
at that time, autologin went away due to requiring CAD to log in.

I get asked repeatedly to go back to allowing autologin. I know how to do
that on a PC by PC basis via gpedit.msc, but I am loath to do so. The
network consultant is as well, he says he has NEVER set up a non-server PC
to do this. He suggested I tell them 1) if they leave their garage door up,
they won't have to hit the button to open it when they get home, and 2) if
they leave their house unlocked, they won't have to use a key to get in.
<g>

I have read the MS documentation which says:

"If this policy is enabled on a computer, a user is not required to press
CTRL+ALT+DEL to log on. Not having to press CTRL+ALT+DEL leaves users
susceptible to attacks that attempt to intercept the users' passwords.
Requiring CTRL+ALT+DEL before users log on ensures that users are
communicating by means of a trusted path when entering their passwords."

The offices are cleaned 3 times a week. Without the CAD restriction, either
the cleaning person or a night warehouseman could press the POWER button and
be good to go.

What else can I give them as reasons?

Thanks.

--
Jeff Crosby
UniPro FoodService/Dilgard
P.O. Box 13369
Ft. Wayne, IN 46868-3369
260-422-7531
www.dilgardfoods.com

The opinions expressed are my own and not necessarily the opinion of my
company. Unless I say so.
--
This is the PC Technical Discussion for iSeries Users (PcTech) mailing list
To post a message email: PcTech@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/pctech
or email: PcTech-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/pctech.


This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.