Windows Logon Scenarios
Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016
This reference topic for the IT professional summarizes common Windows logon and sign-in scenarios.
The Windows operating systems require all users to log on to the computer with a valid account to access local and network resources. Windows-based computers secure resources by implementing the logon process, in which users are authenticated. After a user is authenticated, authorization and access control technologies implement the second phase of protecting resources: determining if the authenticated user is authorized to access a resource.
The contents of this topic apply to versions of Windows designated in the Applies to list at the beginning of this topic.
In addition, applications and services can require users to sign in to access those resources that are offered by the application or service. The sign-in process is similar to the logon process, in that a valid account and correct credentials are required, but logon information is stored in the Security Account Manager (SAM) database on the local computer and in Active Directory where applicable. Sign-in account and credential information is managed by the application or service, and optionally can be stored locally in Credential Locker.
To understand how authentication works, see Windows Authentication Concepts.
This topic describes the following scenarios:
Interactive logon
The logon process begins either when a user enters credentials in the credentials entry dialog box, or when the user inserts a smart card into the smart card reader, or when the user interacts with a biometric device. Users can perform an interactive logon by using a local user account or a domain account to log on to a computer.
The following diagram shows the interactive logon elements and logon process.
Windows Client Authentication Architecture
Local and domain logon
Credentials that the user presents for a domain logon contain all the elements necessary for a local logon, such as account name and password or certificate, and Active Directory domain information. The process confirms the user’s identification to the security database on the user’s local computer or to an Active Directory domain. This mandatory logon process cannot be turned off for users in a domain.
Users can perform an interactive logon to a computer in either of two ways:
Locally, when the user has direct physical access to the computer, or when the computer is part of a network of computers.
A local logon grants a user permission to access Windows resources on the local computer. A local logon requires that the user has a user account in the Security Accounts Manager (SAM) on the local computer. The SAM protects and manages user and group information in the form of security accounts stored in the local computer registry. The computer can have network access, but it is not required. Local user account and group membership information is used to manage access to local resources.
A network logon grants a user permission to access Windows resources on the local computer in addition to any resources on networked computers as defined by the credential’s access token. Both a local logon and a network logon require that the user has a user account in the Security Accounts Manager (SAM) on the local computer. Local user account and group membership information is used to manage access to local resources, and the access token for the user defines what resources can be accessed on networked computers.
A local logon and a network logon are not sufficient to grant the user and computer permission to access and to use domain resources.
Remotely, through Terminal Services or Remote Desktop Services (RDS), in which case the logon is further qualified as remote interactive.
After an interactive logon, Windows runs applications on behalf of the user, and the user can interact with those applications.
A local logon grants a user permission to access resources on the local computer or resources on networked computers. If the computer is joined to a domain, then the Winlogon functionality attempts to log on to that domain.
A domain logon grants a user permission to access local and domain resources. A domain logon requires that the user has a user account in Active Directory. The computer must have an account in the Active Directory domain and be physically connected to the network. Users must also have the user rights to log on to a local computer or a domain. Domain user account information and group membership information are used to manage access to domain and local resources.
Remote logon
In Windows, accessing another computer through remote logon relies on the Remote Desktop Protocol (RDP). Because the user must already have successfully logged on to the client computer before attempting a remote connection, interactive logon processes have successfully finished.
RDP manages the credentials that the user enters by using the Remote Desktop Client. Those credentials are intended for the target computer, and the user must have an account on that target computer. In addition, the target computer must be configured to accept a remote connection. The target computer credentials are sent to attempt to perform the authentication process. If authentication is successful, the user is connected to local and network resources that are accessible by using the supplied credentials.
Network logon
A network logon can only be used after user, service, or computer authentication has taken place. During network logon, the process does not use the credentials entry dialog boxes to collect data. Instead, previously established credentials or another method to collect credentials is used. This process confirms the user’s identity to any network service that the user is attempting to access. This process is typically invisible to the user unless alternate credentials have to be provided.
To provide this type of authentication, the security system includes these authentication mechanisms:
Kerberos version 5 protocol
Public key certificates
Secure Sockets Layer/Transport Layer Security (SSL/TLS)
NTLM, for compatibility with Microsoft Windows NT 4.0-based systems
For information about the elements and processes, see the interactive logon diagram above.
Smart card logon
Smart cards can be used to log on only to domain accounts, not local accounts. Smart card authentication requires the use of the Kerberos authentication protocol. Introduced in Windows 2000 Server, in Windows-based operating systems a public key extension to the Kerberos protocol’s initial authentication request is implemented. In contrast to shared secret key cryptography, public key cryptography is asymmetric, that is, two different keys are needed: one to encrypt, another to decrypt. Together, the keys that are required to perform both operations make up a private/public key pair.
To initiate a typical logon session, a user must prove his or her identity by providing information known only to the user and the underlying Kerberos protocol infrastructure. The secret information is a cryptographic shared key derived from the user’s password. A shared secret key is symmetric, which means that the same key is used for both encryption and decryption.
The following diagram shows the elements and processes required for smart card logon.
Smart Card credential provider architecture
When a smart card is used instead of a password, a private/public key pair stored on the user’s smart card is substituted for the shared secret key, which is derived from the user’s password. The private key is stored only on the smart card. The public key can be made available to anyone with whom the owner wants to exchange confidential information.
For more information about the smart card logon process in Windows, see How smart card sign-in works in Windows.
Biometric logon
A device is used to capture and build a digital characteristic of an artifact, such as a fingerprint. This digital representation is then compared to a sample of the same artifact, and when the two are successfully compared, authentication can occur. Computers running any of the operating systems designated in the Applies to list at the beginning of this topic can be configured to accept this form of logon. However, if biometric logon is only configured for local logon, the user needs to present domain credentials when accessing an Active Directory domain.
Additional resources
For information about how Windows manages credentials submitted during the logon process, see Credentials Management in Windows Authentication.
Средства администрирования и типы входа Administrative tools and logon types
Справочные сведения в этом разделе помогут вам выявить риск раскрытия учетных данных, связанный с использованием различных средств для удаленного администрирования. This reference information is provided to help identify the risk of credential exposure associated with different administrative tools for remote administration.
Удаленное администрирование всегда предполагает, что учетные данные указываются на исходном компьютере, поэтому для доверенных рабочих станций привилегированного доступа рекомендуется использовать конфиденциальные и хорошо защищенные учетные записи. In a remote administration scenario, credentials are always exposed on the source computer so a trustworthy privileged access workstation (PAW) is always recommended for sensitive or high impact accounts. Вероятность кражи указанных учетных данных с целевого (удаленного) компьютера зависит главным образом от типа входа в Windows, использованного при подключении. Whether credentials are exposed to potential theft on the target (remote) computer depends primarily on the windows logon type used by the connection method.
В таблице ниже содержатся рекомендации по использованию самых распространенных средств администрирования и способов подключения: This table includes guidance for the most common administrative tools and connection methods:
| Способ подключения Connection method | Тип входа в систему Logon type | Повторное использование учетных данных на целевом компьютере Reusable credentials on destination | Комментарии Comments |
|---|---|---|---|
| Вход в консоль Log on at console | Interactive (Интерактивные) Interactive | v v | Предусматривает использование карт удаленного доступа или Lights-Out и сетевых KVM. Includes hardware remote access / lights-out cards and network KVMs. |
| RUNAS RUNAS | Interactive (Интерактивные) Interactive | v v | |
| RUNAS /NETWORK RUNAS /NETWORK | NewCredentials NewCredentials | v v | Предполагает клонирование текущего сеанса LSA для локального доступа и использованные новых учетных данных при подключении к сетевым ресурсам. Clones current LSA session for local access, but uses new credentials when connecting to network resources. |
| Удаленный рабочий стол (успешный вход) Remote Desktop (success) | RemoteInteractive RemoteInteractive | v v | Если для клиента удаленного рабочего стола настроено предоставление общего доступа к локальным устройствам, их также могут скомпрометировать. If the remote desktop client is configured to share local devices and resources, those may be compromised as well. |
| Удаленный рабочий стол (ошибка: тип входа запрещен) Remote Desktop (failure — logon type was denied) | RemoteInteractive RemoteInteractive | — | По умолчанию, если произойдет ошибка входа по протоколу RDP, учетные данные будут храниться недолго. By default, if RDP logon fails credentials are only stored briefly. Если компьютер скомпрометирован, это правило не действует. This may not be the case if the computer is compromised. |
| Net use * \\SERVER Net use * \\SERVER | Network (Сеть) Network | — | |
| Net use * \\SERVER /u:user Net use * \\SERVER /u:user | Network (Сеть) Network | — | |
| Использование оснасток MMC для удаленного компьютера MMC snap-ins to remote computer | Network (Сеть) Network | — | Пример: Управление компьютерами, Просмотр событий, диспетчер устройств, службы Example: Computer Management, Event Viewer, Device Manager, Services |
| WinRM PowerShell PowerShell WinRM | Network (Сеть) Network | — | Пример: Сервер Enter-PSSession Example: Enter-PSSession server |
| PowerShell WinRM с CredSSP PowerShell WinRM with CredSSP | NetworkClearText NetworkClearText | v v | New-PSSession server New-PSSession server -Authentication Credssp -Authentication Credssp -Credential cred -Credential cred |
| PsExec без раскрытых учетных данных PsExec without explicit creds | Network (Сеть) Network | — | Пример: PsExec \\server cmd Example: PsExec \\server cmd |
| PsExec с раскрытыми учетными данными PsExec with explicit creds | Сетевой и интерактивный Network + Interactive | v v | PsExec \\server -u user -p pwd cmd PsExec \\server -u user -p pwd cmd Создает несколько сеансов входа в систему. Creates multiple logon sessions. |
| Удаленный реестр Remote Registry | Network (Сеть) Network | — | |
| Шлюз удаленных рабочих столов Remote Desktop Gateway | Network (Сеть) Network | — | Проверка подлинности на шлюзе удаленных рабочих столов. Authenticating to Remote Desktop Gateway. |
| Запланированная задача Scheduled task | Batch Batch | v v | Пароль также сохраняется в качестве секрета LSA на диске. Password will also be saved as LSA secret on disk. |
| Запуск средств в качестве службы Run tools as a service | Служба Service | v v | Пароль также сохраняется в качестве секрета LSA на диске. Password will also be saved as LSA secret on disk. |
| Сканеры уязвимостей Vulnerability scanners | Network (Сеть) Network | — | По умолчанию большинство сканеров используют сетевой вход, хотя некоторые поставщики могут реализовать вход другого типа, тем самым увеличивая риск кражи учетных данных. Most scanners default to using network logons, though some vendors may implement non-network logons and introduce more credential theft risk. |
Для проверки подлинности в сети используйте справочные данные из следующей таблицы: For web authentication, use the reference from the table below:
| Способ подключения Connection method | Тип входа в систему Logon type | Повторное использование учетных данных на целевом компьютере Reusable credentials on destination | Комментарии Comments |
|---|---|---|---|
| Обычная проверка подлинности IIS IIS «Basic Authentication» | NetworkClearText NetworkCleartext (IIS 6.0 и более поздних версий) (IIS 6.0+) Interactive (Интерактивные) Interactive | v v | |
| Встроенная проверка подлинности Windows IIS IIS «Integrated Windows Authentication» | Network (Сеть) Network | — | Поставщики NTLM и Kerberos NTLM and Kerberos Providers. |
Объяснение названий столбцов: Column Definitions:
- Тип входа в систему. Здесь указан тип входа в систему, инициируемый при подключении. Logon type — Identifies the logon type initiated by the connection.
- Повторное использование учетных данных на целевом компьютере. Типы учетных данных в этом столбце будут храниться в памяти процесса LSASS на конечном компьютере, на который выполнен локальный вход с использованием указанной учетной записи: Reusable credentials on destination — Indicates that the following credential types will be stored in LSASS process memory on the destination computer where the specified account is logged on locally:
- хэш-коды LM и NT; LM and NT hashes
- TGT Kerberos; Kerberos TGTs
- обычные текстовые пароли (если применимо). Plaintext password (if applicable).
В этой таблице используются символы: The symbols in this table defined as follows:
- «–» — указывает, что учетные данные не раскрываются. (-) denotes when credentials are not exposed.
- «v» — учетные данные раскрываются. (v) denotes when credentials are exposed.
Типы входа для приложений управления, которых нет в этой таблице, можно определить по соответствующему полю в событиях входа. For management applications that are not in this table, you can determine the logon type from the logon type field in the audit logon events. Дополнительные сведения см. в статье Аудит событий входа в систему. For more information, see Audit logon events.
На компьютерах под управлением Windows все процессы проверки подлинности обрабатываются как однотипные, независимо от протокола или средства проверки. In Windows-based computers, all authentications are processed as one of several logon types, regardless of which authentication protocol or authenticator is used. В таблице ниже указаны самые распространенные типы входа в систему и их атрибуты в контексте кражи учетных данных: This table includes most common logon types and their attributes relative to credential theft:
| Тип входа в систему Logon type | # | Утвержденные средства проверки подлинности Authenticators accepted | Учетные данные повторно используются в сеансе LSA Reusable credentials in LSA session | Примеры Examples |
|---|---|---|---|---|
| Интерактивный (также называется локальным входом) Interactive (also known as, Logon locally) | 2 2 | Пароль, смарт-карта и Password, Smartcard, др. other | Да Yes | Вход в консоль, Console logon; RUNAS, RUNAS; аппаратные решения удаленного управления (например, сетевые KVM, карты удаленного доступа или Lights-Out на сервере), Hardware remote control solutions (such as Network KVM or Remote Access / Lights-Out Card in server) обычная проверка подлинности IIS (IIS 6.0 и предыдущих версий) IIS Basic Auth (before IIS 6.0) |
| Network (Сеть) Network | 3 3 | Пароль, Password, хэш NT, NT Hash, билет Kerberos Kerberos ticket | Нет (но если включено делегирование, используются билеты Kerberos) No (except if delegation is enabled, then Kerberos tickets present) | NET USE, NET USE; RPC-вызовы, RPC calls; удаленный реестр, Remote registry; встроенная проверка подлинности Windows IIS; IIS integrated Windows auth; проверка подлинности Windows SQL SQL Windows auth; |
| Batch Batch | 4 4 | Пароль (хранится в виде секрета LSA) Password (stored as LSA secret) | Да Yes | Запланированные задачи Scheduled tasks |
| Служба Service | 5 5 | Пароль (хранится в виде секрета LSA) Password (stored as LSA secret) | Да Yes | Службы Windows Windows services |
| NetworkClearText NetworkCleartext | 8 8 | Пароль Password | Да Yes | Обычная проверка подлинности IIS (IIS 6.0 и более поздних версий), IIS Basic Auth (IIS 6.0 and newer); Windows PowerShell с CredSSP Windows PowerShell with CredSSP |
| NewCredentials NewCredentials | 9 9 | Пароль Password | Да Yes | RUNAS /NETWORK RUNAS /NETWORK |
| RemoteInteractive RemoteInteractive | 10 10 | Пароль, смарт-карта и Password, Smartcard, др. other | Да Yes | Удаленный рабочий стол (ранее называемые «службами терминалов») Remote Desktop (formerly known as «Terminal Services») |
Объяснение названий столбцов: Column definitions:
- Тип входа в систему. Запрашиваемый тип входа. Logon type — The type of logon requested.
- # — числовой идентификатор типа входа, который указывается в событиях аудита в журнале событий безопасности. # — The numeric identifier for the logon type that is reported in audit events in the Security event log.
- Утвержденные средства аутентификации. Здесь указываются типы средств аутентификации, которые могут инициировать вход соответствующего типа. Authenticators accepted — Indicates which types of authenticators are able to initiate a logon of this type.
- Учетные данные повторно используются в сеансе LSA. Здесь указывается, открывается ли в результате входа соответствующего типа сеанс LSA, учетные данные которого, например обычные текстовые пароли, хэши NT или билеты Kerberos, могут использоваться для аутентификации на других сетевых ресурсах. Reusable credentials in LSA session — Indicates whether the logon type results in the LSA session holding credentials, such as plaintext passwords, NT hashes, or Kerberos tickets that could be used to authenticate to other network resources.
- Примеры. Список распространенных сценариев использования соответствующего типа входа. Examples — List of common scenarios in which the logon type is used.
Дополнительные сведения о типах входа см. в разделе Перечисление SECURITY_LOGON_TYPE. For more information about Logon Types, see SECURITY_LOGON_TYPE enumeration.
Дальнейшие действия Next steps
