Mark Minasi's Tech Forum
nikolas.e

Senior Member
Posts: 155
#1
Good morning people.

A friend of mine asked me if it's possible to auto-logon 12 local user accounts on his Server 2012 R2.

Is it possible, and if yes, is there a risk to it?


Thank you

__________________
Just call me the 1000Questionsguy
cj_berlin

Senior Member
Posts: 273
#2
Hi,

yes, it is possible and yes, of course there is risk to storing credentials in recoverable format.

The degree of risk is determined by the degree of access the stored account would be able to obtain. If, for instance, it is a local administrator on that server and there are domain users (or, worse, domain admins) logging on to that server, the risk potential goes as high as losing your entire domain to an attacker. If the stored user doesn't have any rights except for normal user rights, there is antivirus on the machine, etc., the risk might be acceptable.

__________________
Evgenij Smirnov

My personal blog (German): http://www.it-pro-berlin.de/
My stuff on PSGallery: https://www.powershellgallery.com/profiles/it-pro-berlin.de/
pct

New Friend (or an Old Friend who Built a New Account)
Posts: 31
#3
It is possible to use autologon: https://technet.microsoft.com/en-us/sysinternals/autologon.aspx

but I have never used that on servers due to security reasons. IIRC the password is stored in the registry.

What is the exact use case? What is the server used for?

__________________
"All parts must go together without forcing...by all means do not use a hammer." - IBM maintenance manual, the very early years
donoli

Senior Member
Posts: 598
#4
AFAIK, those passwords are stored in the SAM file.  If someone can dump that file using psexec through Metasploit, they will have the encrypted file.  It can take days to decrypt it but it is possible.
nikolas.e

Senior Member
Posts: 155
#5
Thank you very much. I have sent him the link here so he can read it and also know about the risks. One thing I want to ask for myself: can Autologon from Sysinternals automatically log on multiple users? I thought it can log on only 1 user automatically.
__________________
Just call me the 1000Questionsguy
cj_berlin

Senior Member
Posts: 273
#6
Quote:
Originally Posted by nikolas.e
One thing I want to ask for myself: can Autologon from Sysinternals automatically log on multiple users? I thought it can log on only 1 user automatically.


AutoAdminLogon is a machine setting. So you can only log on one user. Which is OK because the machine only has one console session, and that's what autologon uses.

If you need multiple RDS sessions, you can do that also but by other means. What would be the use case for that?

__________________
Evgenij Smirnov

My personal blog (German): http://www.it-pro-berlin.de/
My stuff on PSGallery: https://www.powershellgallery.com/profiles/it-pro-berlin.de/
cj_berlin

Senior Member
Posts: 273
#7
Quote:
Originally Posted by donoli
AFAIK, those passwords are stored in the SAM file.  If someone can dump that file using psexec through Metasploit, they will have the encrypted file.  It can take days to decrypt it but it is possible.


The password used for AutoAdminLogon is stored in the registry. The users' passwords are indeed stored in the SAM but as long as a user is logged on interactively they are stored in memory as well, and on older systems (as in "Server 2003") even in clear text.

__________________
Evgenij Smirnov

My personal blog (German): http://www.it-pro-berlin.de/
My stuff on PSGallery: https://www.powershellgallery.com/profiles/it-pro-berlin.de/
donoli

Senior Member
Posts: 598
#8
Quote:
The password used for AutoAdminLogon is stored in the registry.


The original question was about 12 local users' logon not Admin.  Does that make a difference?  What registry key is used for either or both?
cj_berlin

Senior Member
Posts: 273
#9
Quote:
Originally Posted by donoli


The original question was about 12 local users' logon not Admin.  Does that make a difference?  What registry key is used for either or both?

https://technet.microsoft.com/en-US/library/cc939702.aspx That's all there is.

__________________
Evgenij Smirnov

My personal blog (German): http://www.it-pro-berlin.de/
My stuff on PSGallery: https://www.powershellgallery.com/profiles/it-pro-berlin.de/
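
A read-only check for the setting discussed in this thread, as an added example that is not part of any post: it reads the Winlogon registry values behind AutoAdminLogon, reports whether a DefaultPassword value is present without printing it, and whether the configured account is a direct member of the local Administrators group. The registry path and value names are the standard Winlogon ones; the output property names are made up for this example.

```powershell
# Added example: read-only audit of the machine-wide autologon setting.
# Run elevated on the server being checked. Nothing is modified and the
# stored password is never printed.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cfg      = Get-ItemProperty -Path $winlogon

$enabled   = ($cfg.AutoAdminLogon -eq '1')
$user      = $cfg.DefaultUserName
$domain    = $cfg.DefaultDomainName
# Presence check only: a non-empty DefaultPassword value is a clear-text password.
$plaintext = -not [string]::IsNullOrEmpty($cfg.DefaultPassword)

# Resolve the local Administrators group by its well-known SID so the check
# also works on non-English installations.
$sid       = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$groupName = $sid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
$group     = [ADSI]"WinNT://$env:COMPUTERNAME/$groupName,group"
$members   = @($group.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}
# Direct membership only, compared by name; nested groups are not expanded.
$isAdmin = [bool]($user -and ($members -contains $user))

$account = if ($domain) { "$domain\$user" } else { $user }
$result = [pscustomobject]@{
    AutoAdminLogonEnabled = $enabled
    Account               = $account
    ClearTextPasswordSet  = $plaintext
    DirectLocalAdmin      = $isAdmin
}
$result

if ($enabled -and $plaintext) {
    Write-Warning "Clear-text DefaultPassword stored for '$account'."
}
if ($enabled -and -not $plaintext) {
    # Typical when the password was saved as an LSA secret instead of a
    # registry value; that form is still recoverable with administrative access.
    Write-Warning "Autologon is on with no DefaultPassword value; check for an LSA-stored secret."
}
if ($enabled -and $isAdmin) {
    Write-Warning "The autologon account is a local administrator."
}
```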
nikolas.e

Senior Member
Posts: 155
#10
As he told me, he has an application with a service in each profile that needs to run and report simultaneously to a db server.


Note: I also told him to join the forum

__________________
Just call me the 1000Questionsguy
cj_berlin

Senior Member
Posts: 273
#11
Quote:
Originally Posted by nikolas.e
As he told me, he has an application with a service in each profile that needs to run and report simultaneously to a db server.


Well, maybe he could rewrite his application as a genuine Windows Service or use a wrapper like http://runasservice.com/ to just run it multiple times in the respective account's context.

__________________
Evgenij Smirnov

My personal blog (German): http://www.it-pro-berlin.de/
My stuff on PSGallery: https://www.powershellgallery.com/profiles/it-pro-berlin.de/
nikolas.e

Senior Member
Posts: 155
#12
Thank you, Evgenij, for the information. I will forward him your last reply.
__________________
Just call me the 1000Questionsguy