Re: Local system and user account - registry



In article <OxMueCO6GHA.4996@xxxxxxxxxxxxxxxxxxxx>, in the
microsoft.public.security news group, David H. Lipman
<DLipman~nospam~@Verizon.Net> says...

> /Think/ it accomplishes it? NO.
> It already does -- in practice, not in theory.
> It is already shown to work. I didn't create the concept. I was GIVEN it. It was provided
> to me in a Lessons Learned document passed down through the hierarchy.

Great, I know lots of fables and such that have been passed down
through the ages, that doesn't make them necessarily true.


> There are two types of Smart Card exceptions: Hardware and User. If the hardware is set
> through the System Policy "SCForceOption" set to DWord 1, then they must use a Smart
> Card. If their account is set to use a Smart Card then they are forced to use a Smart
> Card even if System Policy "SCForceOption" is set to DWord 0 (or does not exist).

These aren't smart card _exceptions_. In the "hardware" case, you're
talking about a Group Policy setting that was introduced with XP SP2
that allows you to force the use of a smart card on a per computer
basis. In the "user" case, the user is required to use a smart card for
logon and their password is randomized to a 128-character password. You
never mentioned the use of either of these in your original post.


> Either they logon as "User Name" or with a Smart Card. There is NO third way to logon.

Since you're checking this registry value in your script I'm assuming
that either certain user accounts are not being forced to use smart
cards and/or certain computers are not subject to the smart card
requirement. In the case of user accounts being forced to use smart
cards to logon there is only one way to logon. In the case of user
accounts that aren't configured to require smart cards, and if they're
using a computer that isn't subject to the smart card logon then I'm
sorry, but just because you think that there isn't a third way to
logon, there most definitely is, and that is using the UPN name form,
which your script will mistakenly report as a smart card logon.

> So either the string has "@domain.com" in it or it doesn't. Nobody logs in as user@xxxxxxxxxxx
> Nobody.

Based on your script, you can't possibly know this because as I said, a
smart card logon, or a logon with a UPN will both cause your script to
indicate that a smart card logon has occurred. A smart card logon and a
UPN logon will both place exactly the same data in that registry value
which means you can't depend on your script to tell you what you think
it is telling you. If you don't believe me, try it yourself.


> If you want to argue the point, you are arguing with the wrong person. I have only
> implemented something that was provided to me and the fact is, it does work.

Try what I suggested. Your script will produce one of the following two
results:

1. The user used the user name, password, and domain boxes in the logon
dialog box to logon.
2. The user used a smart card, or they used a UPN name to logon.

You know an awful lot more about viruses and malware than I ever will,
but conversely, I know an awful lot more about PKI and smart cards than
you currently do.

--
Paul Adare - MVP Virtual Machines
Waiting for a bus is about as thrilling as fishing,
with the similar tantalisation that something,
sometime, somehow, will turn up. George Courtauld



