I have a machine which gets locked if no interaction is done after 15 minutes and when right time comes I want to unlock it programmatically because my program does some things which needs UI. Of course I can disable the screen locking entirely but let's consider that this is not an option.
I've googled and found out that I need to implement credential provider for this but I don't understand why. I guess I don't know the internal workings of the windows. If I know the username/password of the user or even when user doesn't have a password I can use why I need to implement the credential provider? I've read this article on Windows website and it seems like windows already has "System credential providers" but I could not found how I can interact with them (Maybe you can't and that's why everybody suggest to implement third party CP) Can somebody please explain how screen locking on windows works and why is that impossible to unlock the screen without implementing CP? thanks
If your machine locks, it will require some kind of credentials to be passed back through the LSA to unlock it. It is best to prevent the machine from locking in the first place.
If you pursue a strategy using a credential provider, you will need to find a way of securely recording and replaying the user's password. The credential provider will also put up a 'sign in' button as a 'road block' (Microsoft's term) to force user interaction when logging in.
Related
I am trying to enroll about a 100 systems in Intune. I want the user to be signed in as a standard user. I searched and found the only way to do this will be using AutoPilot. Thats is just not possible, It requires a factory reset device and a hardware hash for each device.
The other way they say is to run a Powershell script. That option won't work because I want only the one microsoft account on the system. Windows needs at least one Admin account.
I simply want the normal user to be a standard account and in case he needs admin privileges I can connect and type in cloud device administrator's credentials to give him access. However, I cannot find anyway to get this done, kind of hard to believe this is so difficult to do. Any suggestions?
Is there a reliably way to determine the last user name to login to the system? I've looked at LsaEnumerateLogonSessions() and LsaGetLogonSessionData() however they require elevation on Vista and later (which I'm keen to avoid). WMI has the same problem (presumably it's just calling Lsa behind the scenes).
I've also looked at "SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\LastLoggedOnUser" in HKLM, but in testing that's unreliable and doesn't get updated.
I'm really only interested in console logons, rather than Fast User Switching or TS logons.
I've read various articles, but have yet to come up with a good solution.
You might be able to use Audit Logon events - this requires your service to have a user access right to see the Security log, but not be a full Administrator.
Eventid 528 indicates who logged on, you'd have to find the most recent instance of this.
I'm building an Cocoa application that modifies a file on the user's operating system which requires admin permission. I have a proof of concept working which uses authopen but it doesn't deliver the UX experience I am hoping to achieve. Every time the file is modified it prompts the user to enter their password. Is there a way to have permissions granted to the application for the duration of its life?
Goal:
Application asks user for password once ever, going forth application does not prompt for password.
Next Best:
Application asks user for password once at application launch, going forth application does not prompt for password until application restart.
I'm aware of Authorization Services and the possibility of creating a Daemon which deals specifically with modifying privileged files, what I'm curious about is if either of my listed goals are even possible before diving too deep into another system.
Really appreciate any suggestions, critiques or helpful links.
Cheers,
Dustin
Yes, using Authorization Services is the way forward. You get an AuthorizationRef in your application via AuthorizationCopyRights() (which shows the UI if needed), and pass this to your helper (by packaging it up into an external form) which verifies that it actually got the necessary right before performing the privileged task. Authorization Services is able to register rights in the /etc/authorization database, so if you choose a custom right you can choose the default settings for who is allowed to acquire it, what timeout or other conditions exist and so on.
To deploy your privileged helper tool, you should use the Service Management framework, in particular SMJobBless() which verifies that the code signing identities on your client and helper match before deploying the helper as a launchd job. Then your helper can be initiated on demand by the main application.
Feel free to ask if you want clarification on any step in the answer, however I already wrote about both of these aspects of privilege separation in my book Professional Cocoa Application Security so feel free to buy a copy or two ;-).
We have developed a ASP.NET 3.5 web application with Web Server 2008 and has implemented a custom authentication solution using active directory as the credentials store. Our front end application uses a normal login form to capture the user name and password and leverages the Win32 LogonUser method to authenticate the user’s credentials. When we are calling the LogonUser method, we are using the LOGON32_LOGON_NETWORK as the logon type.
The issue we have found is that user profile folders are being created under the C:\Users folder of the web server. The folder seems to be created when a new user who has never logged on before is logging in for the first time. As the number of new users logging into the application grows, disk space is shrinking due to the large number of new user folders getting created.
I need to get the token back after the authentication (authenticated \ password locked \ wrong password ) its futher use and based on logic showing different web pages
Has anyone seen this behavior with the Win32 LogonUser method?
Please answer the following issue:
Is it possible to disable this behavior to create the folder as taking 2.78 MB of space for every new user and it eating my disck space?
I have tried LOGON32_LOGON_BATCH but it was giving an error 1385 in authentication user.
For any solution related to LOGON32_LOGON_BATCH, can you please confirm if that will stop creating the folders at location C:\users.
Also for any possible solution I need either
I am able to disable the folder to be created at C:\user or
Any other option to authenticated user which will not creat folders.
Pass LOGON32_LOGON_BATCH and grant the users permission to log on as a batch job on that machine using Group Policy.
The MSDN documentation for LogonUser recommends LOGON32_LOGON_BATCH as the logon type for web services:
This logon type is intended for batch
servers, where processes may be
executing on behalf of a user without
their direct intervention. This type
is also for higher performance servers
that process many plaintext
authentication attempts at a time,
such as mail or Web servers. The
LogonUser function does not cache
credentials for this logon type.
Have you tried that?
You don't write any information about the version of products (.NET, Windows Server which you use) and the best answer on your question can depend on this. Moreover the best way for your solution depend on what you want to do with the users token after logon. Do you really want to use this token or you want only verify the user? So I try to answer most general on your question.
In general, error 1385 (ERROR_LOGON_TYPE_NOT_GRANTED) means following (see http://support.microsoft.com/kb/155012/en):
A user has requested a type of logon,
such as interactive or network, that
was not granted. An administrator has
control over who may logon
interactively and through the network.
There are SE_BATCH_LOGON_NAME and SE_DENY_BATCH_LOGON_NAME (NTSecAPI.h) privileges which can be disabled/enabled in your case (see http://msdn.microsoft.com/en-us/library/bb545671%28VS.85%29.aspx for description). Use Process Explorer started with administrator rights (see http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx) to see which privileges has a process and which from there are enabled (see "Security" tab of a process). If your account used for the application pool don't have SE_BATCH_LOGON_NAME granted or this privilege is not enabled before call of LogonUser, you should add the corresponding code in your program.
By the way sometimes you don't really want to do much with an user account and want only verify a password. To do this you can use an old way with SSPI (see http://support.microsoft.com/kb/180548/en) which are used inside of LogonUser implementation. This way is the most smart and quick way to verify an user account which I know.
You can look at "The SSPI Workaround" (see http://alt.pluralsight.com/wiki/default.aspx/Keith.GuideBook/HowToGetATokenForAUser.html) for more information of usage SSPI in .NET 2.0.
As we all know,we can use such api as "LockWorkStation()" in "user32.dll" to lock windows.
But how to unlock it?
For example, if i run an app at first, I want the app to unlock windows by itself after 30 second.
How to do it? In another word, if auto-logging in, windows will read the username and password from regedit and then use an api to login by those.
Now i need the api. It must exist, but it seems not to make public.
I can get the app the username and password of the windows.
It seems that there is some Api in WBF.But you know,the resource is too less.
I don't want to send keyboard message to solve the problem,for it is the worst method.
Promoting my comment because it needs more explanation:
You really want to write a GINA (for XP) or a Credential Provider for Windows Vista and beyond.
Fundamentally the Windows authentication model is based on the user providing evidence (identification) that they're authorized to access the computer (either by their credentials or biometric data or smartcard or other information). Once you've been authorized to log onto the computer, Windows allows you access.
When the workstation is locked (for whatever reason - screen saver, user typing in Win-L) the user needs to be re-authenticated.
Typically that's sufficient - the authorization is good for a period of time (determined by the administrator). If (for policy reasons) you need a finer grained control model, you could use your "LockWorkstation" idea to force the user to re-authenticate themselves. You need to be VERY careful about false positives (nothing pisses off users more than being told they're not allowed to use their computer simply because they removed their glasses or combed their hair differently) and how much drain on system resources your app causes.
When the workstation is locked the only way to unlock it is by the user logging in (pressing Alt+Ctrl+Del and entering correct password). This is a security feature that you cannot circumvent using an application API.