Windows

Lock down your Windows Vista logon tight and then even tighter

It is possible to lock down a Microsoft Windows Vista logon procedure. In fact, it is possible to lock the procedure even tighter if you are concerned about security. Greg Shultz walks you through the steps necessary for locking down Vista tight and then even tighter.

Recently in the Windows Vista Report, I showed you how to work around having to manually log on to a Windows Vista system in your home: Bypass Windows Vista's logon procedure. While this tip was intended for situations in which you're the only one who ever uses your Windows Vista system in your home, many readers disagreed with the idea of leaving a system unprotected.

In response to those concerns, I followed up that article with a technique that keeps the primary benefit of having your computer boot straight to the desktop while still requiring a password: Automatically log in to Vista and still be password protected.

In this edition of the Windows Vista Report, I've decided to go in the other direction and show you how to lock down a Windows Vista logon procedure. And, if the first technique isn't tight enough for you, then I'll show you how to lock it down even tighter.

In the first technique, you will have to press [Ctrl] + [Alt] + [Delete] before you can see the regular Welcome screen, click your icon and type in your password. That key combination is Windows' secure attention sequence: the operating system reserves it at the kernel level, so an ordinary program that draws a fake Welcome screen to harvest passwords cannot intercept it, and pressing it always brings up the genuine logon prompt. In the second technique, you will press [Ctrl] + [Alt] + [Delete] to see an alternative Welcome screen in which you'll have to type in both your username and password.

The local security policy

In order to lock down Windows Vista's logon procedure, you'll need to alter the local security policy. To make these types of alterations, you'll need to launch and work from the Security Settings Extension snap-in. To do so, click the Start button, type "local security policy" in the Start Search box as shown in Figure A, and press [Enter]. (Typing secpol.msc and pressing [Enter] opens the same console.) When you do, you'll encounter a UAC dialog box and will need to click Continue. Note that the Local Security Policy console is not shipped with the Home editions of Vista; if the search turns up nothing, that is why, and on those editions you have to set the underlying registry values directly.

Figure A

To access the Security Settings Extension snap-in, you'll type local security policy in the Start Search box
In a moment, you'll see the Security Settings Extension snap-in in a console window titled Local Security Policy, as shown in Figure B.

Figure B

The Security Settings Extension snap-in appears in a console window titled Local Security Policy

Requiring [Ctrl] + [Alt] + [Delete]

To require users to press [Ctrl] + [Alt] + [Delete] before they see the Welcome screen, locate Local Policies in the tree pane and expand that branch. Once you do, click on the Security Options branch. When you see a set of policies fill the right pane, scroll through them until you locate a policy called Interactive logon: Do not require CTRL+ALT+DEL. Double-click that policy to access the dialog box and then select the Disabled option, as shown in Figure C. (The policy is worded as a double negative: disabling "Do not require" is what turns the requirement on.)

Figure C

To require users to press [Ctrl] + [Alt] + [Delete], you'll select the Disabled option
To complete the operation, click OK, close the Local Security Policy console, and reboot your system. When your system reboots, you'll see the Welcome screen shown in Figure D. When you press [Ctrl] + [Alt] + [Delete], you'll see the regular Welcome screen and can select your user account picture and then type in your password as you normally would.

Figure D

The Welcome screen now requires that you have to press [Ctrl] + [Alt] + [Delete] to log on.

Requiring [Ctrl] + [Alt] + [Delete] and account credentials

If you wish to have an even more secure logon, you can return to the Security Options branch in the Security Settings Extension snap-in. This time, when you see the set of policies fill the right pane, scroll through them until you locate a policy called Interactive logon: Do not display last user name. Double-click that policy to access the dialog box and then select the Enabled option, as shown in Figure E. Keep the benefit in perspective: this removes a hint (the account name) from the logon screen, so someone at the keyboard has to guess both halves of the credential, but it does nothing against an attacker who can boot the machine from other media or pull the disk. A strong password and drive encryption are what protect you there.

Figure E

To require users to type both their user name and password, you'll select the Enabled option
To complete the operation, click OK, close the Local Security Policy console, and reboot your system. When your system reboots, you'll see the Welcome screen shown earlier in Figure D. When you press [Ctrl] + [Alt] + [Delete], you'll see the Welcome screen shown in Figure F. As you can see, you'll have to type both your user name and your password in order to log on.

Figure F

After pressing [Ctrl] + [Alt] + [Delete], you'll have to type both your user name and your password
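The two policies above are stored as values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, which is also how a domain Group Policy object would push them. The following script is an added example, not part of the original article: it applies the same lockdown by writing those values and then verifies them, both by reading the registry back and by asking the security configuration engine (secedit) for its view. The value names DisableCAD and DontDisplayLastUserName are the documented backing values for these policies; the function names and the temporary file path are my own. It is also the route to take on the Home editions of Vista, which do not ship the Local Security Policy console. Run it from an elevated PowerShell prompt and reboot afterwards, as with the snap-in.

```powershell
# Added example (not from the original article). Applies and verifies the two
# "Interactive logon" policies by writing the registry values that the Local
# Security Policy snap-in itself writes. Requires an elevated prompt.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Value semantics (documented, not assumptions):
#   DisableCAD              = 1 -> "Do not require CTRL+ALT+DEL" Enabled
#   DontDisplayLastUserName = 1 -> "Do not display last user name" Enabled
# The article's lockdown is therefore DisableCAD = 0, DontDisplayLastUserName = 1.
$Wanted = @{
    'DisableCAD'              = 0
    'DontDisplayLastUserName' = 1
}

function Set-LogonLockdown {
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    foreach ($name in $Wanted.Keys) {
        Set-ItemProperty -Path $PolicyKey -Name $name -Value $Wanted[$name] -Type DWord
    }
}

function Test-LogonLockdown {
    # Returns $true only if every value exists and matches. A missing value
    # (policy "Not configured") reads back as $null and is reported as a drift.
    $ok = $true
    $props = Get-ItemProperty -Path $PolicyKey
    foreach ($name in $Wanted.Keys) {
        $actual = $props.$name
        if ($actual -ne $Wanted[$name]) {
            Write-Host ('{0}: expected {1}, found {2}' -f $name, $Wanted[$name], $actual)
            $ok = $false
        }
    }
    return $ok
}

function Show-SeceditView {
    # Cross-check through the security configuration engine rather than the raw
    # registry. In the exported INF the lines look like
    #   MACHINE\Software\...\Policies\System\DisableCAD=4,0
    # where 4 is REG_DWORD and the number after the comma is the value.
    $inf = Join-Path $env:TEMP 'logon-policy-export.inf'   # hypothetical temp file name
    secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null
    Select-String -Path $inf -Pattern 'DisableCAD|DontDisplayLastUserName' |
        ForEach-Object { $_.Line }
    Remove-Item $inf -ErrorAction SilentlyContinue
}

Set-LogonLockdown
if (Test-LogonLockdown) {
    Write-Host 'Logon lockdown applied; reboot to see the new Welcome screen.'
    Show-SeceditView
}
```

On a domain-joined machine, Group Policy will reapply whatever the domain says at the next refresh, so Test-LogonLockdown is also a quick way to see whether a local change has been overridden. Because the values are plain DWORDs under an HKLM key, anyone with administrative rights can flip them back; the lockdown is only as strong as the rest of the machine's administrative hygiene, which is the point FXEF makes in the comments below about keeping day-to-day accounts non-administrative.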


About

Greg Shultz is a freelance Technical Writer. Previously, he has worked as Documentation Specialist in the software industry, a Technical Support Specialist in educational industry, and a Technical Journalist in the computer publishing industry.

22 comments
naebeth

Anyone know how to do the equivalent of this on Windows 7? Nothing shows up when I type in "local security policy", and I can't find anything similar in the Computer Management console or the Control Panel. I can't find anything about it in the GodMode folder, either.

mjksdiego

When I type local security options, it does not find them.

riptorn3

That's all fine and everything... But I lost my display picture? How do you display your logon picture?

pantankerous

I'm trying to implement this on a vista home premium machine but am unable to get the Local Security Policy snap-in to come up. When I search for it nothing is found. I've checked in the windows/system32 folder and don't see it. Is this something that needs to be installed first? FYI, I've turned off UAC and am logged in as an administrator. Any idea why I can't find the Local Security Policy snap-in?

sbw07

Is there a way to hide only one of the usernames?

FXEF

Requiring [Ctrl] + [Alt] + [Delete] and account credentials would be the most secure method. I also would suggest that all Vista machines be set with only one user account with administrative privileges. I call this account "root", all other accounts are non-administrative users. All users should always login as a non-administrative user, and only use "root" when prompted by UAC.

aspaulding

I really appreciate this. Vista is new and I am certainly trying to gain as much as possible when touble shooting Vista, and this sure will help in my armour.

hja

Does this procedure work with Vista Home Premium?

tony45

Good ole MS. Always trying to weasel as much money as possible out of its long time customers. You need to have one of the higher level versions of Vista. Business or Ultimate I guess. If you are going to go through the trouble of learning a new OS, why don't you try out Ubuntu Linux? FREE ! ! ! MS doesn't make a penny off of you.

The Listed 'G MAN'

is that it is spelled 'Trouble'. It's Arsenal, not Armour. Armour is for protection, whereas you have an arsenal of weapons to troubleshoot with. Edit: Just for info, not picking on your post.

brian.samuela

I like the idea of 2-factor authentication, Out of Band without tokens or USBs to manage.

groffg

While concealing the name of the user who last logged in is marginally more secure, it is mostly an inconvenience to the user. I.e., if I were breaking into a Windows box, I would just use a tool (like "ntpasswd") to reset the admin password, not try to guess my way in via the Windows login prompt. Aside from requiring all users of a machine to have a password that meets complexity rules, I suggest something more substantial: full disk encryption. There are plenty of tools out there that can be used to encrypt an entire volume/disk, one of which is built into two versions (but only one retail version) of Windows Vista. That feature is BitLocker Drive Encryption, or BitLocker for short. I've been using it & it works great on my machine.

bwilliams

Anakam is not just SMS, but also IVR, voice biometrics, and secure token...on a single software platform INSIDE your enterprise...

andre.j.hawkins

You should give PhoneFactor a whirl (www.phonefactor.com). Out of Band, no tokens, cheap and easy to try.

hakman420

Updating your BIOS can allow for device recognition in some cases.

Hardware requirements for BitLocker Drive Encryption

Because BitLocker stores its own encryption and decryption key in a hardware device that is separate from your hard disk, you must have one of the following:

A computer with Trusted Platform Module (TPM), which is a special microchip in some newer computers that supports advanced security features. If your computer was manufactured with TPM version 1.2 or higher, BitLocker will store its key in the TPM.

A removable USB memory device, such as a USB flash drive. If your computer doesn't have TPM version 1.2 or higher, BitLocker will store its key on the flash drive.

Note: Some BitLocker features and settings can be enabled by Group Policy settings.

To turn on BitLocker Drive Encryption, your computer's hard disk must:

Have at least two partitions. One partition must include the drive Windows is installed on. This is the drive that BitLocker will encrypt. The other partition is the active partition, which must remain unencrypted so that the computer can be started.

Be formatted with the NTFS file system.

Have a BIOS that is compatible with TPM and supports USB devices during computer startup. If this is not the case, you will need to update the BIOS before using BitLocker. For more information on updating your BIOS, see Update the BIOS for BitLocker Drive Encryption.

kumar.jeff

Yeah, but you have to pay for the PIN entry. We chose the PIN entry version in our PhoneFactor OWA setup. Had to pay, but I don't think it was that much. Worth it for a whole lot more peace of mind.

andre.j.hawkins

Good amount of flexibility as well. PIN entry vs. "#" entry, wireless or wireline.

brian.samuela

Yes the free-ness referring to your time set up and the free-ness of the application is important as well. At least 2 additional elements are important, including the free-ness of not having to buy tokens, and free-ness of managing tokens. Finally, the free-ness of phonefactor covering the costs of authentication calls out is pretty important.

andre.j.hawkins

Well, good news about phonefactor is that it is free to try and use for up to double digit users and a single application. Of course the term free is so subjective: My time fiddling with it isn't free. Good news here is that it takes about half hour to set up, so the free element in this case is actually almost true.

brian.samuela

Yep, aware of them. Got to figure out how to sell it internally. I think I need to pitch the "trial" aspect to get my management to buy in. Seems like there isn't much risk to giving it a go...