Autologon password readable

Risk Level: High risk vulnerability  High

Check or Attack Name: Autologon password
Platforms: Windows NT
Description:

The autologon password is readable by non-Administrators. If the latest Windows NT 4.0 Service Pack has not been applied, attackers can read the autologon password and freely access the system.
Remedy:

Disable autologon, protect the Winlogon registry key, and apply the latest Windows NT 4.0 Service Pack.

If autologon is not being used, disable autologon.

WARNING: Incorrectly using Registry Editor may cause severe and irreparable damage and may require you to reinstall your operating system. Internet Security Systems cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

To disable autologon, follow these steps:

  1. Open the Registry Editor. From the Windows NT Start menu, select Run.
  2. Type regedt32 and click OK.
  3. Go to the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon key.
  4. Select the AutoAdminLogon value.
  5. From the Edit menu, select Delete. Click Yes to confirm the deletion of this value.
  6. Repeat steps 4 and 5 for the DefaultUser and DefaultPassword registry values.

—OR—

If autologon is required, restrict access on the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon key to administrators and the system.

To restrict registry access, follow these steps:

  1. Open the Registry Editor. From the Windows NT Start menu, select Run.
  2. Type regedt32 and click OK.
  3. Go to the key that requires permissions.
  4. From the Security menu, select Permissions to display the Registry Key Permissions dialog box.
  5. Use these guidelines to review the listed permissions:
    • Remove or change any permissions such as Everyone - Full Control. This default permission allows all users to read, modify, and even change ownership and permissions on the items in the share.
    • Review any names with Full Control permissions and determine if the permission is appropriate. Consider using Special Access, Read, or removing permissions if these names do not need to modify items in the key.
    • Review any names with Special Access permissions and determine if the permission is appropriate. Consider using Read or removing permissions if these names do not need to modify items in the key.
    • Review any names that should not be in the list, and remove the name or change their permission as appropriate.

—AND—

To install the latest Windows NT 4.0 Service Pack, follow these steps:

  1. Open a web browser.
  2. Go to http://support.microsoft.com/support/ntserver/Content/ServicePacks/ and follow the directions to download the appropriate service pack for your computer.
  3. Find the installation program you downloaded to your computer.
  4. Double-click the program icon to start the installation.
  5. Follow the installation directions.

Windows NT 4.0 SP3 or later service packs create the winreg key.
References:

Microsoft Knowledge Base Article Q114615, Bypassing Automatic Logon in Windows NT, http://support.microsoft.com/support/kb/articles/q114/6/15.asp
X-Force Logo
Know Your Risks