Mohamed Saber
Active Directory Domain Controller

Windows Logon Process

What is logon in Windows?

Table of Contents:

  1. Intro to logon in Windows

  2. Key Components of the Logon Process

  3. Steps in the Logon Process

  4. Types of Logons

  5. Security Features of the Logon Process


Intro to logon in Windows

  • A logon (or login) in Windows is the process by which a user or system gains access to a computer or network by providing valid credentials.

  • Windows-based computers secure resources by implementing the logon process, in which users are authenticated.

  • This process is fundamental to Windows security, as it ensures that only authorized users and systems can access resources.

  • After a user is authenticated, authorization and access control technologies implement the second phase of protecting resources: determining if the authenticated user is authorized to access a resource.

  • The logon process involves several components and steps, and it varies with the type of logon (e.g., interactive, network, service). Each component plays a role in verifying user credentials, enforcing security policies, and creating a secure user session.


Key Components of the Logon Process

The logon process in Windows involves several critical components:

Winlogon (Windows Logon Process)

  • Displays the secure desktop and the login screen.

  • Collects the user's credentials through a credential provider and passes them to LSASS for authentication.

LSASS (Local Security Authority Subsystem Service)

  • Authenticates user credentials.

  • Verifies credentials against the SAM database (workgroup) or Active Directory (domain).

  • Generates access tokens for authenticated users.

SAM Database or Active Directory

  • SAM Database: Stores local user accounts (workgroup/standalone machines).

  • Active Directory: Stores domain user accounts (domain environment).

Credential Providers

  • Allow users to authenticate with different methods (password, PIN, biometrics).

  • Replace the older GINA (Graphical Identification and Authentication) model.

Access Token

  • Generated after successful authentication.

  • Contains user’s SID, group SIDs, and privileges for access control.


Steps in the Logon Process

User Initiates Logon

  • The user presses Ctrl+Alt+Del (when the system is already powered on) or powers on the machine (when the system is powered off).

Winlogon Displays the Login Screen

  • Secure Desktop prompts the user for credentials.

User Enters Credentials

  • Username and password (or PIN/biometric data) are provided.

Credentials are Passed to LSASS

  • Credentials are sent to LSASS for authentication.

Authentication

  • Workgroup: LSASS verifies credentials in the local SAM database.

  • Domain: LSASS communicates with a domain controller for verification.

Token Generation

  • The LSA generates an access token upon successful authentication.

User Shell is Launched

  • Windows loads Explorer.exe and the desktop environment.

Access Control

  • The user’s access token determines access to resources (files, registry keys, etc.).


Types of Logons

Interactive Logon

  • User logs in directly at the machine.

  • Example: Logging into a local machine or via Remote Desktop.

Network Logon

  • User/system accesses resources over a network.

  • Example: Accessing a shared folder on another computer.

Batch Logon

  • Used for scheduled tasks or batch jobs.

  • Example: Running a Task Scheduler job.

Service Logon

  • Used when a Windows service runs under a specific account.

  • Example: A web server service running as a custom user account.

Unlock Logon

  • User unlocks a locked workstation/session.

  • Example: Unlocking a machine after Ctrl+Alt+Del.

Remote Interactive Logon

  • User logs into a remote machine via RDP.

  • Example: Using Remote Desktop (RDP) to access a server.

Cached Interactive Logon

  • User logs in with cached credentials (offline mode).

  • Example: Logging into a laptop while offline.

New Credentials Logon

  • Alternate credentials are provided for resource access.

  • Example: Using RunAs to execute a program as another user.

System Logon

  • System logs in using the Local System account.

  • Example: Startup processes during boot.


Security Features of the Logon Process

Secure Desktop

  • The login screen runs in an isolated environment to prevent credential theft.

Credential Providers

  • Supports multiple authentication methods (password, PIN, biometrics).

Account Lockout

  • After a configured number of failed attempts, the account is locked out to slow down brute-force attacks.

Audit Logging

  • Logon events (success & failure) are logged in the Security Event Log.
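The logon types listed above and the audit events described here meet in two Security log events: 4624 (successful logon) and 4625 (failed logon), both of which carry a numeric Logon Type field (2 = Interactive, 3 = Network, 4 = Batch, 5 = Service, 7 = Unlock, 9 = NewCredentials, 10 = RemoteInteractive, 11 = CachedInteractive, 0 = System). The following Python script is an added example, not code from the original page: it maps those numeric codes to the names used above, summarizes successful logons by type, and flags accounts whose failures inside a time window reach the kind of threshold an account lockout policy would apply. All event records are constructed sample data, and the threshold and window are assumed values, not a real policy.

```python
"""Summarize constructed Windows Security log records (event IDs 4624/4625)
by logon type and flag accounts whose failed logons reach a lockout-style
threshold. The records below are constructed sample data, not a real host's log."""
from collections import Counter, deque
from datetime import datetime, timedelta

# Logon Type values as recorded in the 4624/4625 event data.
LOGON_TYPES = {
    0: "System",
    2: "Interactive",
    3: "Network",
    4: "Batch",
    5: "Service",
    7: "Unlock",
    8: "NetworkCleartext",
    9: "NewCredentials",
    10: "RemoteInteractive",
    11: "CachedInteractive",
}

# Constructed sample events: (timestamp, event_id, account, logon_type, source_ip).
# "bob" shows a burst of failed RDP logons from one address; "alice" has one typo.
SAMPLE_EVENTS = [
    ("2024-05-01T08:00:00", 4624, "alice", 2, "-"),
    ("2024-05-01T08:05:00", 4624, "svc_web", 5, "-"),
    ("2024-05-01T08:10:00", 4624, "alice", 3, "10.0.0.5"),
    ("2024-05-01T08:11:00", 4625, "bob", 10, "203.0.113.7"),
    ("2024-05-01T08:11:20", 4625, "bob", 10, "203.0.113.7"),
    ("2024-05-01T08:11:40", 4625, "bob", 10, "203.0.113.7"),
    ("2024-05-01T08:12:00", 4625, "bob", 10, "203.0.113.7"),
    ("2024-05-01T08:12:20", 4625, "bob", 10, "203.0.113.7"),
    ("2024-05-01T08:15:00", 4625, "alice", 2, "-"),
    ("2024-05-01T08:20:00", 4624, "carol", 10, "10.0.0.9"),
    ("2024-05-01T08:25:00", 4624, "dave", 7, "-"),
]


def parse_event(record):
    """Turn one raw tuple into a dict with a parsed timestamp and a type name."""
    ts, event_id, account, logon_type, source = record
    return {
        "time": datetime.fromisoformat(ts),
        "event_id": event_id,
        "account": account,
        "logon_type": logon_type,
        "logon_type_name": LOGON_TYPES.get(logon_type, f"Unknown({logon_type})"),
        "source": source,
    }


def summarize_successful_logons(records):
    """Count 4624 events per logon type name, e.g. {'Interactive': 1, ...}."""
    counts = Counter()
    for ev in map(parse_event, records):
        if ev["event_id"] == 4624:
            counts[ev["logon_type_name"]] += 1
    return dict(counts)


def lockout_candidates(records, threshold=5, window=timedelta(minutes=30)):
    """Return {account: failures} for accounts whose 4625 events reach
    `threshold` within a sliding `window` (assumed values, mirroring how a
    lockout policy counts failures before its reset interval expires)."""
    recent = {}   # account -> deque of failure timestamps still inside the window
    flagged = {}
    for ev in sorted(map(parse_event, records), key=lambda e: e["time"]):
        if ev["event_id"] != 4625:
            continue
        q = recent.setdefault(ev["account"], deque())
        q.append(ev["time"])
        while q and ev["time"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[ev["account"]] = max(flagged.get(ev["account"], 0), len(q))
    return flagged


if __name__ == "__main__":
    for name, count in sorted(summarize_successful_logons(SAMPLE_EVENTS).items()):
        print(f"{name:18s} {count}")
    for account, failures in lockout_candidates(SAMPLE_EVENTS).items():
        print(f"lockout candidate: {account} ({failures} failures in window)")
```

On a real host the same two functions would be fed records exported from the Security log (for example via Get-WinEvent filtered on IDs 4624 and 4625); the sliding window matters because a lockout policy only counts failures that occur before its reset interval elapses, so a single stale failure, like alice's here, is not enough to trip it.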

LSA Protection

  • The LSASS process is protected to prevent unauthorized access or credential dumping.

