Chapter 5. Managing Logons and Users

In this chapter, you’ll learn how to:

  • Customize your logon in various ways.

  • Set up an automatic logon.

  • Implement logon policies.

  • Handle the rights and privileges of built-in account types.

  • Use advanced methods for working with user accounts.

  • Create and enforce strong passwords.

  • Share your computer securely with other users.

If you have Microsoft Windows XP set up in the simplest configuration—a standalone computer with you as the sole user—you might be excused for not knowing that Windows XP even has a logon process or user accounts. That’s because, in the simplest-configuration scenario, Windows XP "hides" its logon and user features because they don’t need to be conspicuous. But what if you’re prudent (or even, let’s say it, a bit paranoid) and don’t want other people to use your computer when you’re not around? What if you’re concerned that a virus or Trojan horse program might gain control of your machine? What if you share your computer with other people and you want to keep your (and everyone else’s) files and settings secure and private? For these situations, you need to understand Windows XP’s logon and user features, and set them up to ensure peace of mind. This chapter shows you how to do that.

Useful Windows XP Logon Strategies

When you install Windows XP, the setup program asks you to enter a user name for each of the people who will be accessing the computer. How you initially log on to Windows XP depends on what you did at that point of the installation:

  • If you entered only a single user name and your computer is not part of a network domain, Windows XP logs on that user name automatically.

  • If you entered multiple user names and your computer is not part of a domain, Windows XP displays the Welcome screen, which lists the users (Figure 5-1 shows an example). Click the user name that you want to log on.

    Figure 5-1. You see the Windows XP Welcome screen if your workgroup or standalone computer is set up with multiple users.

  • If your computer is part of a domain, Windows XP first displays the Welcome To Windows dialog box, which prompts you to press Ctrl+Alt+Delete. When you do that, you see the Log On To Windows dialog box, shown in Figure 5-2. (Windows XP refers to this process as the "Classic" logon.) Change the User Name, if necessary, enter the Password, and click OK.

    Figure 5-2. You see the Log On To Windows dialog box if your computer is part of a network domain.

Customizing the Logon

The default logon is fine for most users, but there are many ways to change Windows XP’s logon behavior. The rest of this section looks at a few tips and techniques for altering your Windows XP logon method.

Switching Between the Welcome Screen and the Classic Logon

Many people prefer the Classic Windows XP logon because the initial step of pressing Ctrl+Alt+Delete adds an extra level of security. (It prevents automatic logons and thwarts any malicious programs—such as a password-stealing program—that might have been activated at startup.) If your computer uses the Welcome screen logon, you switch to the Classic logon by using any of the following techniques:

  • Launch Control Panel’s User Accounts icon, click Change The Way Users Log On Or Off, and then clear the Use Welcome Screen check box.

  • In the registry (see Chapter 2), set the following DWORD value to 0 (reset it to 1 to revert to the Welcome screen):

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LogonType

  • In the Group Policy editor, open Computer Configuration, Administrative Templates, System, Logon, and then enable the Always Use Classic Logon policy. (Note that setting this policy takes precedence over the User Accounts option or the registry setting.)

Note

If your computer is part of a domain, you can’t change the logon from the Classic method to the Welcome screen.

Toggling Fast User Switching On and Off

Windows XP’s fast user switching feature enables another user to log on to the system without logging off the current user. (Note, however, that fast user switching is available only if you use the Windows XP Welcome screen.) You use the feature by following these steps:

  1. Select Start, Log Off. The Log Off Windows dialog box appears.

  2. Click Switch User. The Welcome screen appears.

  3. Click the name of the user who wants to log on.

If your computer doesn’t have much memory, fast user switching can be a problem because the programs and windows of other users remain open, which can slow down overall computer performance. If you have this problem, you can turn off fast user switching by launching Control Panel’s User Accounts icon, clicking Change The Way Users Log On Or Off, and then clearing the Use Fast User Switching check box.

Accessing the Administrator Account

Another chore you performed during the Windows XP setup routine was to specify an Administrator password. One of the confusing aspects about Windows XP is that after the setup is complete, the Administrator account seems to disappear. The secret is that Administrator actually is a hidden account that appears only in a limited set of circumstances, such as when you boot Windows XP in Safe Mode or when no other administrative-level accounts are defined on your system. Outside of these scenarios, there are several ways to log on to Windows XP using the Administrator account:

  • If you’re using the Welcome screen, press Ctrl+Alt+Delete twice.

  • If you’re using the Classic logon, enter Administrator in the User Name text box.

  • Set up an automatic logon using the Administrator account (see the next section).

  • Tweak Windows XP to make the Administrator account visible in the Welcome screen. To do this, open the Registry Editor and navigate to the following key:

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList

    Add a new DWORD value named Administrator and set its value to 1. (To hide Administrator in the Welcome screen, set this value to 0.)

Insider Secret

The UserList registry key is also useful for hiding accounts. If you have a user account defined but you don’t want other users to see that name in the Welcome screen, add a DWORD value to the UserList key, give it the same name as the user, and set its value to 0. You can access this account using the same methods that we outlined in this section for the Administrator account.

Setting Up an Automatic Logon

If you’re using a standalone computer that no one else has access to (or that will be used by people you trust), you can save some time at startup by not having to type a user name and password. In this scenario, the easiest way to do this is to set up Windows XP with just a single user account, which means Windows XP will log on that user automatically at startup. If you have multiple user accounts (for testing purposes, for example), or if you want the Administrator account to be logged on automatically, then you need to set up Windows XP for automatic logons.

Previous versions of Windows required you to edit the registry to set up an automatic logon, but this capability is built into Windows XP. Here are the steps to follow:

  1. In the Run dialog box, enter control userpasswords2 and press Enter. Windows XP displays the User Accounts dialog box, which we’ll discuss in more detail later in this chapter (see "The User Accounts Dialog Box").

  2. On the Users tab, clear the Users Must Enter A User Name And Password To Use This Computer check box.

  3. Click OK. Windows XP prompts you to specify the account you want to log on automatically.

  4. Fill in the User Name, Password, and Confirm Password text boxes and then click OK.

If you have Tweak UI (described in Chapter 1), open the Logon, Autologon setting and select the Log On Automatically At System Startup check box. Enter the user name, the domain (your computer name), and click Set Password to enter the account password. When you click OK, Tweak UI makes some changes in the following registry key:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

The AutoAdminLogon value is set to 1; your user name appears in the DefaultUserName setting; your computer name appears in the DefaultDomainName setting. Note that previous versions of Tweak UI stored your password in the DefaultPassword setting. Your password appeared as plain text, so anyone could have read it or even changed it. Tweak UI for Windows XP is more secure because it stores your password in the Local Security Authority database, which is the Windows XP component that manages and validates local security credentials.

Tip

You can temporarily suspend the automatic logon by holding down the Shift key while Windows XP starts up.

If you want the automatic logon to occur a set number of times only, open the following registry key:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Create a new string setting named AutoLogonCount and set its value to the number of times you want the automatic logon to occur. With each logon, Windows XP decrements this setting until it reaches zero, at which point Windows XP sets AutoAdminLogon to 0 to disable the automatic logon.

Setting Logon Policies

Windows XP Professional defines a number of security policies related to the logon process. (See Chapter 1 to learn how to use Windows XP’s policy editors.) You can get to these policies in two ways:

  • In the Group Policy editor, select Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options.

  • In the Local Security Settings editor, select Security Settings, Local Policies, Security Options.

Most of the logon options are listed in the Interactive Logon group of policies. Here’s a list of the most useful options (note that all of these options apply to the Classic logon):

  • Do Not Display Last User Name. Enable this option to clear the User Name text box each time the Log On To Windows dialog box appears. Although it adds a bit of inconvenience to the logon, this is a good security feature because it denies an intruder an important piece of information: a legitimate system user name. (This is particularly true if you rename the Administrator account, as we’ll describe later in this chapter in the "Setting Account Policies" section.) This policy modifies the following registry key (0 = disable; 1 = enable):

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\dontdisplaylastusername

  • Do Not Require CTRL+ALT+DEL. Enable this policy to bypass the initial Welcome To Windows dialog box (the one that prompts you to press Ctrl+Alt+Delete) and go directly to the Log On To Windows dialog box. This can save you a startup step, but it decreases the security of the logon. The main concern here is that your system might get infected with a virus or Trojan horse program that displays a fake Log On To Windows dialog box as a ruse to capture your user name and password. If you decide to enable this policy, make sure you have a good anti-virus program and that you use it often. This policy modifies the following registry key (0 = disable; 1 = enable):

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableCAD

  • Message Text For User Attempting To Log On. Use this option to specify a text message that appears in a dialog box after any user presses Ctrl+Alt+Delete (but before the Log On To Windows dialog box appears). This policy modifies the following registry setting:

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\legalnoticetext

  • Message Title For Users Attempting To Log On. Use this option to set the title of the dialog box that contains the message to the user that you specified in the previous setting. This policy modifies the following registry setting:

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\legalnoticecaption

  • Number of Previous Logons To Cache (In Case Domain Controller Is Not Available). Use this option to set the number of previous domain logons (user name, password, and domain) that Windows XP will retain. By retaining a logon, Windows XP enables that user to log on to Windows XP even if a domain controller isn’t present (for example, on a notebook that isn’t always connected to the network at startup). This policy modifies the following registry setting:

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\cachedlogonscount

  • Prompt User To Change Password Before Expiration. Use this option to set the number of days prior to password expiration that a message forewarning the expiration will be displayed. (We’ll show you how to set an expiration date for a password later in this chapter.) This policy modifies the following registry setting:

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\passwordexpirywarning

More Logon Registry Tweaks

As you saw in the previous section, the logon security policies are stored in the registry. Windows XP has a number of other registry-related logon settings that we’ll explore in this section:

  • Controlling the Shift key override of an automatic logon. Create the following string value and use it to determine whether the user can override an automatic logon by holding down the Shift key during startup (0 = enable Shift override; 1 = disable Shift override):

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\IgnoreShiftOverride

  • Forcing an automatic logon. This is similar to overriding the Shift key at startup. That is, the following string setting (you need to add it by hand) determines whether the user can bypass an automatic logon (0 = bypass possible; 1 = bypass not possible):

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceAutoLogon

  • Disabling logon options. The Log On To Windows dialog box (Classic logon) has an Options button that toggles on and off the Log On To list, the Log On Using Dial-Up Connection check box, and the Shut Down button. Use the following DWORD value to control whether these options appear (0 = disable; 1 = enable):

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ShowLogonOptions

  • Adding text to the logon dialog box. Specify text in the following string setting (you need to create the setting by hand) to display a message in the Log On To Windows dialog box above the User Name text box:

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LogonPrompt

  • Disabling the dial-up logon. If you don’t want users to attempt to use a dial-up connection to log on, create the following string setting and use it to disable the Log On Using Dial-Up Connection check box in the Log On To Windows dialog box (0 = disable; 1 = enable):

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\RASDisable
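
The automatic-logon and logon-policy values covered in this chapter can be reviewed together. The following Python script is an added example, not part of the original chapter: it reads text captured with reg query for the two keys named above and reports the values that weaken the logon. The sample output is constructed, and the column layout it parses is an assumption.

```python
import re

# Constructed sample in the column layout printed by `reg query <key>`.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoAdminLogon    REG_SZ    1
    DefaultUserName    REG_SZ    paul
    DefaultPassword    REG_SZ    example-only
    cachedlogonscount    REG_SZ    10

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    dontdisplaylastusername    REG_DWORD    0x0
    DisableCAD    REG_DWORD    0x1
"""

# value name (lower case) -> (data that weakens the logon, why), per this chapter
RISKY = {
    "autoadminlogon": ("1", "automatic logon is enabled"),
    "forceautologon": ("1", "automatic logon cannot be bypassed"),
    "ignoreshiftoverride": ("1", "Shift key cannot suspend automatic logon"),
    "disablecad": ("1", "Ctrl+Alt+Delete is not required before logon"),
    "dontdisplaylastusername": ("0", "last user name is shown at logon"),
}
# Assumption: columns are separated by a tab or by two or more spaces.
LINE = re.compile(r"^\s+(\S.*?)(?:\t|\s{2,})(REG_\w+)(?:\t|\s{2,})?(.*)$")

def parse_reg_query(text):
    """Return [(name, type, data)] for every value line in `reg query` output."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            rows.append((m.group(1), m.group(2), m.group(3).strip()))
    return rows

def audit(text):
    """Return (value name, reason) pairs for settings that weaken the logon."""
    findings = []
    for name, rtype, data in parse_reg_query(text):
        # REG_DWORD data is printed as hex (0x1); compare as a decimal string.
        shown = str(int(data, 16)) if rtype == "REG_DWORD" else data
        key = name.lower()
        if key == "defaultpassword" and data:
            # Report the presence only; never echo the stored password.
            findings.append((name, "password stored as plain text"))
        elif key in RISKY and shown == RISKY[key][0]:
            findings.append((name, RISKY[key][1]))
    return findings

if __name__ == "__main__":
    for name, reason in audit(SAMPLE):
        print(f"{name}: {reason}")
```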