Q: Are there any security objections against the use of the Welcome screen to log on to Windows?

A: The Welcome screen allows users to start a Windows logon process simply by clicking their user account on the Welcome screen. The Welcome screen is available only on standalone Windows XP machines. In enterprise environments, I recommend you disable the Welcome screen for logging on to Windows.

The main security objection against using the Welcome screen for logging on to Windows is that it lets users start a logon process without using the Secure Attention Sequence (SAS--or Ctrl+Alt+Del). The SAS guarantees that the authentic Windows logon dialog box appears. It ensures that a user is communicating with the OS by means of a trusted path when entering his or her password and not with a program that mimics a logon prompt to retrieve password information. Note that a user can always evoke the classic Windows logon dialog box--even from the Welcome Screen--by pressing Ctrl+Alt+Del twice.

Two other security disadvantages of using the Welcome screen are that it can display user account names and give password hints. But you can remedy these two problems: You can hide user accounts from the welcome screen, and you can simply not use password hints. These issues are good examples of how ease of use can result in bad security.

There are two ways to hide accounts from the XP Welcome screen:

  • Disable the account: You can do this in the account properties that are accessible from the Microsoft Management Console (MMC) Local Users and Groups snap-in.
  • Make the following registry change: Open the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList registry key, create a new REG_DWORD value, set its name to the username of the account you want to hide, and set its value to 0.

There are two ways to enforce the use of secure logon (Ctrl+Alt+Del) for logging on to Windows on standalone XP machines:

  • Use the “Change the way users log on or off” option in the XP User Accounts Control Panel applet. Clear the “Use the Welcome screen” option.
  • Create the LogonType registry key and set its value to 0. This key is located in the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System registry container.

The best solution is to join the standalone machines to a Windows domain. On domain-joined machines, users must by default always use Ctrl+Alt+Del and the classic Windows logon dialog box to log on interactively to the domain. In that case, I also recommend you don't give your users local accounts--only domain accounts.