Windows XP system login principles and verification mechanism: an overview

  
When we use Windows XP we normally have to log in first. The login authentication mechanism of Windows XP is much stricter and more complicated than that of Windows 98: the notorious trick of getting into the system by pressing the "Cancel" button no longer exists (on Windows 98 it could only be disabled by modifying the registry). Understanding the login authentication mechanism of Windows XP matters: it deepens one's understanding of system security and helps to prevent and deal with intrusions by hackers and viruses.
First, the types of Windows XP login
1, Interactive login
Interactive login is the type we meet most often: the user logs in at the machine with a user account (User Account) and password. Some netizens think that "interactive login" means "local login"; this is wrong. "Interactive login" also includes "domain account login", whereas "local login" is limited to "local account login", as explained below.
It should be mentioned that logging in to a host through Terminal Services or Remote Desktop also counts as "interactive login"; the verification principle is the same.
During interactive login the system first checks what kind of account is being used, a local user account (Local User Account) or a domain user account (Domain User Account), and then applies the corresponding authentication mechanism, because the two kinds of account are processed differently.
Local User Account
When logging in with a local user account, the system checks the credentials against the information stored in the local SAM database. This is why, on Windows 2000, the Administrator password could be bypassed by deleting the SAM file; the trick does not work on Windows XP, presumably for security reasons. After logging in with a local user account you can access only those local resources to which the account has access rights. (Figure 1)


Domain User Account
When logging in with a domain user account, the system checks the credentials against the data stored in the Active Directory of the domain controller. If the account is valid, after logging in you can access resources throughout the domain to which the account has access rights.
Tip: if the computer has joined a domain, the login dialog shows a "Log on to:" item, from which you can choose to log on to the domain or to this computer.
2, Network login
If the computer has joined a workgroup or a domain, "network login" is needed when you access resources on other computers. As shown in Figure 2, to reach the host named Heelen you enter a user name and password that are valid on Heelen; the account must exist on the remote host, not on your own machine, because it is the remote host that validates the account.


3, Service login
Service login is a special kind of login. When the system starts services and programs, each of them runs after logging in with a particular user account, which may be a domain user account, a local user account or the SYSTEM account. Different accounts give different access and control rights over the system. As with interactive login, a service logged in with a local user account can access only the local resources to which it has rights and cannot reach resources on other computers.
As Task Manager in Figure 3 shows, the system processes run under different accounts. When the system starts, some base services and Win32 services are logged in before any user, so that they can access and control the system. These services can be configured by running services.msc. The system services hold a pivotal position: they generally log in with the SYSTEM account and have complete control over the system, which is why many viruses and Trojans also try to install themselves as services. Besides SYSTEM, some services log in with the Local Service and Network Service accounts. After system initialization, every program the user runs is logged in with the user's own account.


From the above it is easy to see why so many computer articles advise ordinary users to work from an account in the Users group. Even if a virus or Trojan is run, the permission restrictions of the logged-in account limit the damage to the user's own resources; the information that keeps the system secure and stable stays out of its reach.
4, Batch login
Batch login is rarely used by ordinary users; it is normally used by programs that perform batch jobs. The account used must hold the "Log on as a batch job" user right, otherwise the login fails.
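The four login types above are not only an abstraction: each logon the system performs is recorded in the Security event log with a numeric Logon Type, and that is where a practitioner actually tells them apart. The following added example (my code, not part of the original article) parses a few constructed, flattened XP-era logon events (IDs 528, 540 and 529 and the logon type codes 2, 3, 4, 5, 7 and 10 are documented Windows values; the event lines, account names and host names are made up), counts successful logons per category, lists network logons that fell back to NTLM instead of Kerberos, and flags repeated failed network logons, which is what password guessing against "network login" looks like.

```python
import re
from collections import Counter

# Logon Type codes as recorded in Windows 2000/XP/2003 Security log events.
# The numeric codes and event IDs are documented Windows values added by this
# example; the article itself names only the categories.
LOGON_TYPES = {
    2: "interactive",
    3: "network",
    4: "batch",
    5: "service",
    7: "unlock",
    10: "interactive",  # RemoteInteractive (Terminal Services / Remote Desktop)
}

# Constructed sample events (not a real log), each flattened to one line in the
# shape of the XP-era descriptions: 528 successful logon, 540 successful network
# logon, 529 failed logon (unknown user name or bad password).
SAMPLE_EVENTS = """\
528 Success User Name: alice Domain: HEELEN Logon Type: 2 Authentication Package: Negotiate Workstation Name: HEELEN
540 Success User Name: bob Domain: HEELEN Logon Type: 3 Authentication Package: NTLM Workstation Name: LAPTOP01
528 Success User Name: SYSTEM Domain: NT AUTHORITY Logon Type: 5 Authentication Package: Negotiate Workstation Name: HEELEN
528 Success User Name: backupsvc Domain: HEELEN Logon Type: 4 Authentication Package: Negotiate Workstation Name: HEELEN
528 Success User Name: alice Domain: HEELEN Logon Type: 10 Authentication Package: Negotiate Workstation Name: HEELEN
529 Failure User Name: Administrator Domain: HEELEN Logon Type: 3 Authentication Package: NTLM Workstation Name: EVIL-PC
529 Failure User Name: Administrator Domain: HEELEN Logon Type: 3 Authentication Package: NTLM Workstation Name: EVIL-PC
529 Failure User Name: Administrator Domain: HEELEN Logon Type: 3 Authentication Package: NTLM Workstation Name: EVIL-PC
"""

EVENT_RE = re.compile(
    r"^(?P<event_id>\d+) (?P<outcome>Success|Failure) "
    r"User Name: (?P<user>\S+) Domain: (?P<domain>.+?) "
    r"Logon Type: (?P<ltype>\d+) Authentication Package: (?P<pkg>\S+) "
    r"Workstation Name: (?P<ws>\S+)$"
)


def parse_events(text):
    """Parse flattened event lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["event_id"] = int(e["event_id"])
        e["ltype"] = int(e["ltype"])
        events.append(e)
    return events


def successful_logons_by_category(events):
    """Count successful logons per category named in the article (interactive,
    network, service, batch); codes the table does not know keep their number."""
    counts = Counter()
    for e in events:
        if e["outcome"] == "Success":
            counts[LOGON_TYPES.get(e["ltype"], f"type {e['ltype']}")] += 1
    return counts


def ntlm_network_logons(events):
    """Successful network logons that used NTLM rather than Negotiate/Kerberos:
    the Windows NT compatibility path the article mentions later on."""
    return [(e["user"], e["ws"]) for e in events
            if e["outcome"] == "Success" and e["ltype"] == 3 and e["pkg"] == "NTLM"]


def failed_network_logons(events, threshold=3):
    """Account/workstation pairs with at least `threshold` failed network logons,
    the usual trace of password guessing against network login."""
    fails = Counter((e["user"], e["ws"]) for e in events
                    if e["outcome"] == "Failure" and e["ltype"] == 3)
    return {pair: n for pair, n in fails.items() if n >= threshold}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print(dict(successful_logons_by_category(evs)))
    print(ntlm_network_logons(evs))
    print(failed_network_logons(evs))
```

On a real machine the input would be the Security log exported from Event Viewer with auditing of logon events enabled; the two interactive entries for alice show why the article counts a Remote Desktop session (type 10) as interactive login, while the repeated 529 entries from EVIL-PC are the kind of thing the network login section should make you look for.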
Since "interactive login" is the one we use most, I will explain its principle in detail.
Second, the system components used in interactive login
1, winlogon.exe
winlogon.exe is the most important component of "interactive login". It is a secure process and is responsible for the following:
◇ Loading the other login components.
◇ Providing a graphical interface for user-related operations, so that users can log in, log out and so on.
◇ Sending the necessary information to GINA.
2, GINA
GINA stands for "Graphical Identification and Authentication". It is a dynamic link library (the stock one is msgina.dll) loaded and called by winlogon.exe; it provides the functions that identify and verify the user's identity and hands the account name and password back to winlogon.exe. During login, both the "Welcome Screen" and the classic login dialog are displayed by GINA.
Theme-setting software such as StyleXP can make winlogon.exe load a GINA developed by the vendor, thereby providing a different Windows XP login interface. Because GINA can be replaced this way, Trojans now exist that use it to steal accounts and passwords.
One is a Trojan for the "Welcome Screen" login style: it mimics the Windows XP welcome screen, and when the user types the password the Trojan captures it while the user notices nothing. It is therefore recommended not to log in through the welcome screen and to set up "secure login" instead.
The other is a GINA Trojan for the login dialog. It loads at login time, steals the user's account and password, and saves them to WinEggDrop.dat under %systemroot%\system32. This Trojan also blocks the "Welcome Screen" login and the "User Switch" (Fast User Switching) function, and suppresses the "Ctrl-Alt-Delete" secure login prompt.
Users need not worry too much about having a GINA Trojan installed. The author offers the following approach for reference:
As the saying goes, "the one who tied the bell must untie it". To see whether a GINA Trojan is installed on your computer, you can download a GINA Trojan package and run InstGina -view, which shows whether the GinaDLL value under the system's Winlogon key (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon) has been set to a DLL, i.e. whether a GINA Trojan has been installed as the login component. If you are unlucky enough to have one installed, run InstGina -Remove to uninstall it. The same check can be made without the Trojan's own tool by inspecting that registry value directly: on a stock Windows XP the GinaDLL value is absent and winlogon.exe uses msgina.dll, so any DLL named there was put there by theme software or by something less welcome.
3, LSA service
LSA stands for "Local Security Authority". It is a very important service in Windows: all processing related to security authentication goes through it. It receives the user's account and password from winlogon.exe, transforms the password with the hashing mechanism and compares the result with the hash stored in the account database. If they match, LSA considers the user's identity valid and allows the user to log in to the computer; if they do not match, LSA considers the identity invalid and the user cannot log in.
Do these three letters look familiar? Right: this is the connection with the "Sasser" worm that was raging a while ago. Sasser exploited a remote buffer overflow in the LSA service (LSASS) to obtain the highest system privilege, SYSTEM, and attack the computer. Plenty of information on fixing that problem is available online, so it is not covered here.
4, SAM database
SAM stands for "Security Account Manager". It is a protected subsystem that manages the security accounts stored in the computer's registry, together with the user and user-group information. We can think of SAM as an account database. A computer that has not joined a domain keeps all of its accounts in the local SAM; a domain-joined computer still keeps a local SAM for its local accounts, while the domain accounts are held in the account database on the domain controller (Active Directory in a Windows 2000/2003 domain, the SAM of the domain controller in a Windows NT domain).
If the user tries to log in to this machine, the system compares the credentials with the account information in the machine's own SAM database; if the user tries to log in to the domain, the comparison is made against the account information held on the domain controller.
5, Net Logon service
The Net Logon service works mainly together with NTLM (NT LAN Manager, the default authentication protocol of Windows NT 4.0): it forwards the credentials the user supplied to the Windows NT domain controller and checks whether they match the information in the domain controller's SAM database. The NTLM protocol is kept primarily for compatibility with Windows NT.
6, KDC service
The KDC (Kerberos Key Distribution Center) service works together with the Kerberos authentication protocol and verifies user logins across the whole Active Directory. If you can make sure there are no Windows NT computers in the domain, you can rely on the Kerberos protocol alone for the best security. This service does not start until the Active Directory service has started.
7, Active Directory service
If the computer joins a Windows 2000 or Windows 2003 domain, this service must be running (on the domain controller) to support the Active Directory features.
Third, what winlogon does before and after login
If the user enables "secure login", winlogon registers a SAS (Secure Attention Sequence) with the system when it initializes. The SAS is a key combination, by default Ctrl-Alt-Delete. Its role is to guarantee that what the user types at interactive login is received by the system and not by some other program, because only winlogon.exe, not an ordinary program, can intercept this key sequence; logging in with "secure login" therefore ensures that the account and password cannot be captured by a fake login screen. To enable "secure login", run "control userpasswords2", which opens the "User Accounts" dialog, select "Advanced" (Figure 4), tick "Require users to press Ctrl-Alt-Delete" and confirm. From then on, before each login dialog appears, a prompt asks the user to press Ctrl-Alt-Delete, and only after that does the Windows XP GINA login dialog come up. Note the limit of this protection: the SAS defeats a spoofed login screen running as a normal program, but it does not defend against a replaced GINA, because winlogon itself loads the GINA after the SAS has been pressed; for that you still have to check the GinaDLL value described above.
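Both the GINA Trojan check from section 2 and the "secure login" setting from this section come down to a handful of values under the Winlogon registry key, so one audit covers both. The following added example (my code, not the article's or any vendor's tool) parses the text of a `.reg` export of that key and reports the weak settings the article warns about: a GinaDLL other than msgina.dll, the welcome screen (LogonType 1), Ctrl-Alt-Delete not required (DisableCAD 1) and automatic logon with the password stored in DefaultPassword. The registry value names are real Windows XP values; the two `.reg` texts are constructed samples, one deliberately weak and one hardened. It assumes the export has already been decoded to text (reg.exe writes the file as UTF-16LE) and reads only the Winlogon key; the Group Policy copy of DisableCAD under the Policies\System key is not examined.

```python
import re

# Constructed sample (not a real export): the text you would get from
#   reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg
# after decoding the file (reg.exe writes it as UTF-16LE). Every value here is
# deliberately the weak setting so that the audit below has something to report.
WEAK_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"GinaDLL"="C:\\WINDOWS\\system32\\mylogon.dll"
"LogonType"=dword:00000001
"DisableCAD"=dword:00000001
"AutoAdminLogon"="1"
"DefaultUserName"="Administrator"
"DefaultPassword"="hunter2"
'''

# The corrected counterpart, in a form `reg import` accepts: "=-" deletes a value,
# so the replacement GINA and the stored password go away, the classic logon
# dialog replaces the welcome screen and Ctrl-Alt-Delete is required again.
HARDENED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"GinaDLL"=-
"LogonType"=dword:00000000
"DisableCAD"=dword:00000000
"AutoAdminLogon"="0"
"DefaultPassword"=-
'''

VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text):
    """Return {name: value} for the string and dword values of a .reg export.
    A value of '-' is a deletion marker, so the name is dropped; binary/hex
    values are not needed for this audit and are ignored."""
    values = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line.strip())
        if not m:
            continue
        name, raw = m.group(1), m.group(2)
        if raw == "-":
            values.pop(name, None)
        elif raw.startswith("dword:"):
            values[name] = int(raw[len("dword:"):], 16)
        elif len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            # .reg files escape backslash and double quote with a backslash
            values[name] = raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return values


def audit_winlogon(values):
    """List the logon-security weaknesses the article warns about."""
    findings = []
    gina = values.get("GinaDLL")
    if gina is not None and gina.split("\\")[-1].lower() != "msgina.dll":
        findings.append(f"GinaDLL={gina}: winlogon.exe loads a replacement GINA "
                        "(theme software or a GINA Trojan); a stock XP has no GinaDLL value")
    if values.get("LogonType") == 1:
        findings.append("LogonType=1: the Welcome Screen is used instead of the classic logon dialog")
    if values.get("DisableCAD") == 1:
        findings.append("DisableCAD=1: pressing Ctrl-Alt-Delete (the SAS) is not required before logon")
    if values.get("AutoAdminLogon") == "1":
        msg = "AutoAdminLogon=1: automatic logon is enabled"
        if "DefaultPassword" in values:
            msg += " and DefaultPassword holds the password in plaintext"
        findings.append(msg)
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_REG), ("hardened", HARDENED_REG)):
        print(label, audit_winlogon(parse_reg_export(text)) or ["no findings"])
```

On a live machine the same value can be read with `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v GinaDLL`; an export is more useful when you are looking at a hive taken from a suspect machine, or at many machines at once. The hardened text is what the "User Accounts" dialog from this section and the classic logon setting produce, written out so that the weak and corrected values sit side by side.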
Copyright © Windows knowledge All Rights Reserved