  1. #1
    When I joined the computers I use at my office to the company's domain, they were automatically set to require me to hit Ctrl+Alt+Del before going onto the login screen. For some machines, such as my laptop, it is awkward to have to do the three-finger salute each time, so I'm thinking about turning off the setting at login.

    I guess I'm still not sure exactly what the point of Ctrl+Alt+Del on the login screen is, but I know it has to do with combatting fake login screens designed to steal passwords.

    I know how to turn off the Ctrl+Alt+Del requirement on login, but I wanted to start a discussion on whether I should. Is the security risk significant enough in this day and age that it would make a difference whether or not I had the keystroke in place?

  2. #2
    Security is up to you, so you can have it auto login if you like.

    cheers, Paul

  3. #3
    What would happen to your job if you got caught making this type of change?
    In some companies you would lose your job, and would that be worth it?

    Now running HP Pavilion a6528p, with Win7 64 Bit OS.

  4. #4
    Quote, originally posted by DaveA:
        What would happen to your job if you got caught making this type of change?
        In some companies you would lose your job, and would that be worth it?

    We don't have very stringent restrictions on the computers on this network, and I do have administrator access to all the computers I use, so that isn't a concern for me (knock on wood). In fact, I've already turned it off on one of the computers.

    For that matter, when our branch was on the company's main network, Ctrl+Alt+Del was turned off at one point--and the option to turn it back on was disabled. When we moved to our own domain, that restriction was not set, so now I'm free to change it.

    I'm not thinking about turning on automatic login. I do like having password protection on my office computers as well as mine at home. I'm just wondering if eliminating the extra keystroke is really a big deal from a security standpoint.

    Of course, that gets me thinking: I wonder if there are people who would recommend using the keystroke on home computers as well.

  5. #5
    Corrine
    Hi, Pizzor2000.

    Before disabling that security feature, consider whether there is any confidential data on your company computers and whether there are ever unaccompanied visitors in the office areas. Industrial espionage is a reality. Consider also whether everyone in the company/at your branch has the same access to all areas of the network. If anyone can walk up to any computer in the office and access all files, I would consider that a security risk.


    Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!
    Remember - A day without laughter is a day wasted. ~ ~ ~ May the wind sing to you and the sun rise in your heart.

  6. #6
    Quote, originally posted by Pizzor2000:
        I guess I'm still not sure exactly what the point of Ctrl+Alt+Del on the login screen is, but I know it has to do with combatting fake login screens designed to steal passwords.

    CTA (Ctrl+Alt+Del) for historical reasons is a special keystroke combination that no other programs can expect to use. So starting from NT, Windows has hard-wired it to do only one thing: bring up the real, valid, user/login control screen. What options you get vary depending on if you're logged in or not. From any program or part of Windows, it does the same thing. Any shortcut or link (even in the start menu) has the possibility of being compromised; this (theoretically) doesn't.

    So if I were a hacker, and got access to your computer (physically or via malware) and put a fake login screen on it, and you press CTA, that should bring up the real one instead. I wouldn't, therefore, put the "please press CTA" message, hoping you won't do it. I'd then wait for your computer to be idle for a while, and put up the fake login screen then, hoping you'd try and log in again, at which point I've got your details. Requiring CTA at startup isn't going to help you then, unless you notice it's missing and figure out something is wrong. I might also try and replace the normal login screen with mine in the bootup process, but if you have the require CTA ticked, that will happen first, and pressing CTA will call the real one, not mine.

    By requiring it at startup, you're guaranteed to be using the real login process at that point. That's all. Whether this is reason enough for you to require it is up to you.

    DF

  7. #7
    Doesn't the CTRL&ALT&DEL when pressed together flush the keyboard buffer, clearing any program that has found its way there waiting to capture your login details? That is what I was taught when working for an OEM. If I'm not mistaken one of the very early NT4 whitepapers explains why this was designed in that way. It is also a key sequence that only the kernel/winlogon process can receive to guarantee access to the logon process. Depending on the OS and if the pc is a member of a domain, AD etc CTRL&ALT&DEL will result in different behaviour.

    Don't mean the below to be an in-your-face lecture I'm just trying to paint the picture from IT's point of view.

    Just because you are a "local administrator" doesn't give you the right to change your company’s security policy and disable a required part of the login process. We allow users such as developers who need to install software and test locally before going onto the next stage of target user testing etc but that doesn't give them the right to change anything to do with the system. So what if you have to bend your fingers a bit to reach the keys on your laptop. Compared to how much time and hassle you and your company are going to have if you do get a breach, that little bit of inconvenience and the extra second of your life taken to press the button combination is well worth it.

    If your security policies are set up correctly every time you logon they will be re-writing that and many more settings in your registry assuming of course you have them implemented.

    As a person who designs, implements, manages and investigates issues within our corporate financial infrastructure this type of change would be detected in a number of ways using various controls and auditing we have in place even if a user managed to find a way around the automated enforcement of our security standards. You only need a single breach on a single computer to affect your whole infrastructure so with this in mind unless you had a better reason than "it's awkward" you would be getting fired.

    It's not clear whether the computers you joined to the domain were company owned or not. If they aren't then they wouldn't even be allowed to be connected to the network let alone join the domain. If you needed a pc/pc's with a specific logon requirement then normally a bespoke protected/standalone environment would be provided. Despite what business users think most IT depts. including the dreaded security are there to help and will endeavour to provide a means to what you are wanting to do but sometimes there just have to be compromises for both sides. After all the only really secure system is one that nobody logs on to and/or isn't connected to any network.
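
Added example, not written by any poster in this thread: a read-only PowerShell check of the "require Ctrl+Alt+Del" setting that the post above says policy rewrites and auditing watches. It reads the `DisableCAD` value from the policy key and from the Winlogon key; the precedence order (policy first) and the baseline of `0` are assumptions to adjust for your environment.

```powershell
# Added example: report whether the secure attention sequence (Ctrl+Alt+Del)
# is required at logon on the local machine. Read-only; changes nothing.

# Assumed baseline: 0 = Ctrl+Alt+Del required. Change to match your standard.
$ExpectedDisableCAD = 0

# Checked in this order; the first location with a value is treated as effective
# (assumption: the policy key overrides the per-machine Winlogon setting).
$locations = [ordered]@{
    'Policy'   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    'Winlogon' = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
}

function Get-DisableCadValue {
    param([string]$Path)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name 'DisableCAD' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.DisableCAD
}

$effective = $null
$effectiveSource = '(none, OS default applies)'

$report = foreach ($name in $locations.Keys) {
    $value = Get-DisableCadValue -Path $locations[$name]
    if ($null -ne $value -and $null -eq $effective) {
        $effective = $value
        $effectiveSource = $name
    }
    [pscustomobject]@{
        Source     = $name
        DisableCAD = if ($null -eq $value) { '(not set)' } else { $value }
        Meaning    = if ($null -eq $value) { 'no explicit setting' }
                     elseif ($value -eq 0) { 'Ctrl+Alt+Del required' }
                     else                  { 'Ctrl+Alt+Del NOT required' }
    }
}

$report | Format-Table -AutoSize
Write-Output "Effective source: $effectiveSource"

# Non-zero exit code lets a scheduled task or monitoring agent flag drift.
if ($null -ne $effective -and $effective -ne $ExpectedDisableCAD) {
    Write-Warning "DisableCAD=$effective differs from baseline $ExpectedDisableCAD"
    exit 1
}
exit 0
```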

  8. #8
    Thank you, Stephen, for the explanation of how Ctrl+Alt+Delete works. And thank you, Lee, for the IT guy's perspective.

    I don't think there is a specific policy pertaining to the keystroke, at least on this branch's network. Since I installed the OS myself on my main PC, I can't go by what was set up when it was given to me. As I mentioned earlier, the keystroke was disabled when I was on my parent company's domain (I assume per a network policy restriction), so I'm sure most would argue that I should turn it off to conform to the main network's standard. Some of my co-workers on the branch network do have it on.

    I haven't turned off the Ctrl+Alt+Del prompt on any of my computers since I posted this question--in fact, I actually turned it back on on my main computer, but I still haven't decided what I'll do on the laptop. If the higher-ups ever tell me one way or another, I will immediately change it on all of my computers.

    Out of curiosity: if Ctrl+Alt+Del only allows the true login screen to show up, does that also throw off legitimate modifications to the login system? I have seen programs, such as fingerprint scanners, set up their own Windows login screens.

  9. #9
    Suppose you walk away from your desk and leave your PC logged on. I come and put a little program on your machine and start it running. It gives you something that looks, for all the world, like the Windows Login Screen, with the little cursor on "User Name". You come back, see the logon prompt, put in your user name and password (which, of course, I don't echo), and hit <Enter>. My program squirrels away the information, sends a "wrong password" message, then brings you to the real logon prompt (I'm not sure how I manage to log you out, but I'm sure this can be done). You have now given away your password to my nice "Trojan horse" and never know it.

    Of course, if you'd hit Ctrl-Alt-Del, you would have gotten the attention of the underlying OS, and either awakened Task Manager (a clue!) or gotten a "real" logon prompt. On a home PC where no one has access to the machine other than yourself, logon security is No Big Deal, and you can choose (though I don't!) to bypass it. But if you are going to have a logon procedure, you want to use Ctrl-Alt-Del to be sure that you are giving your username and password to your computer, not to someone else!

  10. #10
    I had believed/hoped that CAD would stop someone waking up my computer (e.g., if in sleep mode) and accessing the logon screen. Is this true/false? If false, I can't see huge benefit to it, as my logon screen also seems secure enough for my needs.

  11. #11
    Quote, originally posted by Jon Cook:
        I had believed/hoped that CAD would stop someone waking up my computer (e.g., if in sleep mode) and accessing the logon screen. Is this true/false? If false, I can't see huge benefit to it, as my logon screen also seems secure enough for my needs.

    If I understand your question correctly my answer to it is "False". Did you want yet another screen or process to protect the logon screen? CTRL+ALT+DEL guarantees access to the OS logon screen/process rather than a spoof logon screen designed to gather your data. After that it's down to having the correct credentials to type in. That to me is the "Huge Benefit" in any environment including the home.

    It's your security so you do what you think best just like we all use the security product/s we use. Anything that requires physical keyboard actions to access the logon process that cannot be mimicked by a piece of code is a good thing in my mind.

  12. #12
    I have a supplementary question, if that is allowed (it's off-topic, but close enough to probably interest readers of this thread): For a standalone or networked computer that is turned off, what are contemporary views of using a power-on password? (Oh-oh - I just remembered: pull a jumper and replace it. It's as easy as hot-wiring a jalopy, but it is a hardware gimmick that requires access to the innards.)

  13. #13
    My opinion is that it is not worth the trouble. If I am trying to quickly access your machine while you are away, it is no more secure than a Windows login password. The only thing it really protects you from is somebody booting a "live" CD or USB key to copy files from within the OS. If your risk level is very high, BitLocker or some other drive encryption is much safer.

    If I physically have the machine and am interested in the data, I would probably pull the drive and image it.

  14. #14
    The responses are all very good, but I just want to add a little tech info. CAD is very special because they are designed to flip a hardware switch that only they can do, then the hardware switch informs Windows that they were depressed. What it means is that a human is truly sitting at the keyboard and the command cannot be given remotely. The same hardware switch will reboot the computer too as we all know. The special hardware switch is a great little tool that can't be duplicated by anything other than actually pressing the buttons.
