MSS: (AutoAdminLogon) Enable Automatic Logon (Not Recommended)
ID: oval:gov.nist.usgcb.windowsseven:def:122 | Date: (C)2012-04-13 (M)2023-07-04
Class: COMPLIANCE | Family: windows
Determines whether the automatic logon feature is enabled. Automatic logon uses the domain, user name, and password stored in the registry to log users on to the computer when the system starts. The Log On to Windows dialog box is not displayed.
This entry determines whether the automatic logon feature is enabled. (This entry is separate from the Welcome screen feature; if you disable that feature, this entry is not affected.) By default, this entry is not enabled. Automatic logon uses the domain, user name, and password that are stored in the registry to log users on to the computer when the computer starts. The logon dialog box is not displayed.
Vulnerability:
If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks that the computer is connected to. Also, if you enable automatic logon, the password is stored in the registry in plain text. The specific registry key that stores this setting can be read remotely by the Authenticated Users group. As a result, this entry is appropriate only if the computer is physically secured and if you ensure that untrusted users cannot view the registry remotely.
Countermeasure:
Do not configure the AutoAdminLogon entry except on highly secure computers, where it should be configured to a value of Disabled.
Potential impact:
None. By default this entry is not enabled.
Fix:
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)
(2) REG: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon!AutoAdminLogon
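An audit check for the registry value in (2), added here as an example and not part of the OVAL definition: it reports whether AutoAdminLogon is enabled and whether stored logon values are present, without printing the password. The function name `Test-AutoAdminLogon` is hypothetical; `DefaultUserName`, `DefaultDomainName` and `DefaultPassword` are the Winlogon value names Windows uses for the stored credentials and are not named on this page.

```powershell
# Added example: audit the AutoAdminLogon setting on the local computer.
# Test-AutoAdminLogon is a hypothetical helper name, not a built-in cmdlet.
function Test-AutoAdminLogon {
    param(
        # Winlogon key from the Fix section; overridable so the check can be
        # pointed at a test key.
        [string]$Path = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    )

    $props = Get-ItemProperty -Path $Path -ErrorAction Stop

    # AutoAdminLogon is not set by default; a missing value means not enabled.
    # The value is normally a string ("0" or "1"), so compare as text.
    $raw     = $props.PSObject.Properties['AutoAdminLogon']
    $enabled = ($null -ne $raw) -and ("$($raw.Value)".Trim() -eq '1')

    # Record only whether the stored credential values exist.
    # The password itself is never read into the output.
    $stored = foreach ($name in 'DefaultDomainName', 'DefaultUserName', 'DefaultPassword') {
        if ($null -ne $props.PSObject.Properties[$name]) { $name }
    }

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        AutoAdminLogon        = if ($null -eq $raw) { '(not set)' } else { "$($raw.Value)" }
        Enabled               = $enabled
        StoredLogonValues     = @($stored) -join ', '
        PlaintextPasswordLeft = @($stored) -contains 'DefaultPassword'
        # Compliance follows this page's check: automatic logon must not be enabled.
        Compliant             = -not $enabled
    }
}

Test-AutoAdminLogon | Format-List
```

`PlaintextPasswordLeft` is reported separately from `Compliant` because a password can remain in the key after automatic logon has been turned off.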
Platform: Microsoft Windows 7