By default, a Windows 10 computer that is not part of a domain displays the Lock screen at startup and after a user has logged off. Touching or clicking the Lock screen displays the Windows 10 logon screen, which is also displayed when a user selects the Sign Out option from the user icon menu.
The logon screen displays all enabled user accounts, allowing a user to select the appropriate account and enter the password if one has been specified.
First introduced in Windows 8.1 and enhanced with Windows 10 is the capability to use a Microsoft account to log on to the local computer. In Chapter 2, “Implementing Windows,” we covered how to create an account for a newly installed Windows 10 computer using either a Microsoft account or a local account. When you create new accounts for Windows 10, they can either use a local logon or a Microsoft account. The process is covered later in this section.
Although the default logon screen is convenient, especially in a home environment, it does pose a security risk in a corporate environment, even in a small office. In an AD DS environment, the classic logon screen is no longer enabled by default in Windows 10. Instead, an option called Other User is made available to allow the user to enter domain credentials previously unknown by the local machine.
You can change the way that a domain-joined Windows 10 computer displays the logon screen using the User Accounts applet, which you can find by typing netplwiz into the Search bar or Cortana and selecting Run Command. From the Advanced tab, click the check box in the Secure Sign-in section labeled Require Users to Press Ctrl+Alt+Delete, as shown in Figure 7-33.
Figure 7-33. Enabling Secure Sign-in Using the User Accounts Applet
You can use Group Policy to require the use of the logon screen on domain-joined as well as non-domain-joined Windows 10 computers.
For a workgroup or non-domain-joined computer, open the Local Group Policy Editor, which you can find by searching for Group Policy from the Search bar or Cortana. Navigate to the Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options node and then disable Interactive Logon: Do Not Require CTRL+ALT+DEL (see Figure 7-34).
Figure 7-34. Disabling Interactive Logon: Do Not Require CTRL+ALT+DEL Using Local Group Policy Editor
This policy also works for domain-joined Windows 10 computers, and is enabled by default.
Note
The behavior of this setting changed beginning with Windows 8. On Windows 7 and earlier editions, a domain-joined computer disabled this policy by default (disabled means users were required to press Ctrl+Alt+Del). For Windows 8, 8.1, and Windows 10 computers, the policy is enabled by default, so users are not required to press Ctrl+Alt+Del.
To remove the display of the last username, navigate to the Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options node and enable the Interactive Logon: Do Not Display Last User Name policy.
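The two policies just described write their state to the registry, which makes them easy to audit on a workstation without opening the Local Group Policy Editor. The following script is an added example, not from the book; it assumes an elevated PowerShell prompt on Windows 10 and uses the registry location and value names (DisableCAD, DontDisplayLastUserName) that these two Security Options policies set.

```powershell
# Added example: audit the secure sign-in and last-user-name policies.
# Assumption: the Policies\System key is where these two policies are stored.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-LogonScreenPolicy {
    $props = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

    # DisableCAD = 1 means "Do Not Require CTRL+ALT+DEL" is Enabled (the
    # Windows 8/8.1/10 default); 0 means the policy is Disabled, so users
    # must press Ctrl+Alt+Del. A missing value behaves like the OS default.
    $disableCad = $props.DisableCAD
    $requireCad = ($null -ne $disableCad) -and ($disableCad -eq 0)

    # DontDisplayLastUserName = 1 hides the last signed-in user name on the
    # logon screen, and as a side effect blocks picture-password sign-in.
    $hideLast = ($props.DontDisplayLastUserName -eq 1)

    [pscustomobject]@{
        RequireCtrlAltDel       = $requireCad
        HideLastUserName        = $hideLast
        PicturePasswordPossible = -not $hideLast
    }
}

# Enforce the corporate baseline: require Ctrl+Alt+Del and hide the last user.
function Set-SecureLogonBaseline {
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name DisableCAD -Value 0 -Type DWord
    Set-ItemProperty -Path $policyKey -Name DontDisplayLastUserName -Value 1 -Type DWord
}

$state = Get-LogonScreenPolicy
$state | Format-List

if (-not $state.RequireCtrlAltDel) {
    Write-Warning 'Secure sign-in is not required; run Set-SecureLogonBaseline or disable the policy in gpedit.msc.'
}
if ($state.HideLastUserName) {
    Write-Host 'Last user name is hidden; picture passwords will not work on this device.'
}
```

On a domain-joined computer the domain GPO will overwrite these values at the next refresh, so treat the local change as a check, not as the place to set the policy.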
Picture Password
You should be familiar with how users set up their picture passwords and how to manage the capability for users to use them, as covered in the previous section. Users should have an easier time managing their picture password than traditional passwords, which will typically require some complexity and frequent changes. Picture passwords can be not only more secure but also more reliable than plain text passwords. Picture passwords can have a much larger range of possible combinations, making them much harder to guess or even crack using brute force attacks.
If you want to allow your users to use picture passwords, be careful about the group policies that you implement in your domain. Enabling the Group Policy Do Not Display Last User Name (found under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options) seems like a good security practice; however, it will prevent users from using picture passwords to log in to their devices.
If a user forgets his picture password gesture, he can use the Sign-in Options link to switch to either a PIN (if he enabled one) or the text-based password.
If he is unable to recover using a PIN or password, and the device is not joined to the domain, he may need to reset the device and start over if an organizational administrator does not have an account on the device.
Managing Credentials
Users will also need access to other network resources not controlled by Windows or the local Active Directory domain. This can include websites, terminal servers, applications, and other resources that require credentials to use.
Windows 10 provides the Credential Manager for storing credentials in an electronic Windows vault, facilitating logon to these other resources. You can use Credential Manager to create stored credentials for each resource a user needs to work with.
You can start Credential Manager from the Control Panel under User Accounts, or by searching for credential using the Search bar or Cortana.
Credential Manager organizes credentials as either Web Credentials or Windows Credentials, presenting these options:
• Windows Credentials are used to store authorization accounts for other Windows servers and computers.
• Certificate-based Credentials are used to associate Internet or network addresses with user-based certificates. The certificates used for these credentials must be stored in the user’s Personal store in Certificate Manager. Managing certificates is covered in the next section.
• Generic Credentials include things like OneDrive and other cloud accounts, Microsoft accounts, and other integrated services credentials.
Adding, Editing, and Removing Credentials in Credential Manager
To add a credential, start by opening Credential Manager as previously described, and then select the desired type of credential. For a Windows or generic credential, you see a screen similar to that shown in Figure 7-35.
Enter the required server or network name, username, and password, and then click OK. You are returned to the Credential Manager, where the added credential appears under the appropriate category. You can now add additional credentials if needed.
Figure 7-35. Entering a New Windows Credential into Credential Manager
Entering a certificate-based credential is slightly different. Enter the required server or network name, and then click Select Certificate to locate a certificate that should be stored in the Personal store of Certificate Manager, or on a smart card. When done, click OK.
Credential Manager also enables you to modify or remove existing credentials. Click the arrow next to the stored credential to expand its entry. Clicking Edit takes you to the Edit Windows Credential screen, on which you can change the username and password or certificate. To delete a credential, click Remove and then click Yes to confirm your intentions.
Credential Manager can also be leveraged by Windows 10 apps, so if you have an online identity associated with a Windows app, it can place your credentials into the Credential Manager. If you use a Microsoft account for your PC, your credentials will follow you to each device you use with your Microsoft account. This type of credential roaming is enabled by default on non-domain-joined computers and disabled on domain-joined computers.
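The same add, list, and remove workflow can be scripted with cmdkey.exe, the command-line front end to the vault that Credential Manager displays. This is an added example, not from the book; it assumes an English-language Windows installation (the parser reads cmdkey's English labels), and the server name and user name are constructed sample values.

```powershell
# Added example: manage a Windows credential with cmdkey instead of the GUI.
$target = 'fileserver01.example.test'   # constructed sample server name
$user   = 'EXAMPLE\alice'               # constructed sample account
$secure = Read-Host -Prompt "Password for $user" -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password

# 1. Add a Windows credential (cmdkey /generic would add a generic one).
cmdkey /add:$target /user:$user /pass:$plain | Out-Null
$plain = $null   # do not keep the clear-text password in the session

# 2. Parse "cmdkey /list" into objects so stale or unexpected entries stand out.
function Get-StoredCredential {
    $entries = @(); $cur = $null
    foreach ($line in (cmdkey /list)) {
        if ($line -match '^\s*Target:\s*(.+)$') {
            if ($cur) { $entries += [pscustomobject]$cur }
            $cur = [ordered]@{ Target = $Matches[1]; Type = ''; User = '' }
        } elseif ($cur -and $line -match '^\s*Type:\s*(.+)$') { $cur.Type = $Matches[1] }
        elseif ($cur -and $line -match '^\s*User:\s*(.+)$') { $cur.User = $Matches[1] }
    }
    if ($cur) { $entries += [pscustomobject]$cur }
    $entries
}

# Windows credentials appear as "Domain Password", generic ones as "Generic".
Get-StoredCredential | Sort-Object Type, Target | Format-Table -AutoSize

# 3. Remove the sample credential again. /list shows Windows credentials with a
#    "Domain:target=" prefix; /delete takes the bare target name.
cmdkey /delete:$target | Out-Null
```

Running the list step on its own is a quick way to review which remote-desktop and file-share logons a user has saved before a machine is handed over or rebuilt.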
Tip
Windows automatically adds credentials to Credential Manager for you when you are working and saves a logon that you have entered. For instance, selecting the Remember My Credentials check box when logging in to a Remote Desktop Connection, or checking the box when connecting to a remote file share, will tell Windows to save the credential in Credential Manager.
Windows Credentials Backup and Restore
You can back up your Windows Credentials using Credential Manager, store them in a separate location, and restore your credentials if your computer or hard drive is replaced. Use the following procedure:
Step 1. In Credential Manager, select Windows Credentials and then click Back Up Credentials.
Step 2. Type the path to the desired location or click Browse to locate the appropriate folder. It is recommended that you use removable media or a trusted network location. Click Next.
Step 3. On the next screen, press Ctrl+Alt+Delete to continue the backup on the Secure Desktop.
Step 4. The next screen asks you to secure the backup with a password. Enter and confirm your password in the text boxes provided, and then click Next.
Be sure to use a good password that you will remember. You will need this password if you need to restore your credentials.
Step 5. The next screen indicates that the backup was successful. Click the Finish button to exit the wizard.
Restoring your credentials follows a similar process. You can use this if your computer or hard drive is replaced, or you want to transfer your credentials from one computer to another. Use the following procedure to restore credentials:
Step 1. In Credential Manager, select Windows Credentials, and then click Restore Credentials.
Step 2. On the resulting dialog box, type the path to the backup file, or click the Browse button to navigate to it. Click the Next button.
Step 3. On the next screen, press Ctrl+Alt+Delete to continue the restore on the Secure Desktop.
Step 4. Enter the password you used when backing up the credentials.
Step 5. The credentials are restored. If you used removable media for the backup location, you can remove it, and then click Finish.
Web Credentials
The Web Credentials store was a new feature in Windows 8 and is included in Windows 10. This credentials store is integrated with Internet Explorer and Edge and is used to store any saved passwords for websites, FTP sites, and other Internet services accessed through the web browser.
The alternate way to access Web Credentials is using the Internet Explorer Options:
Step 1. From the Internet Explorer settings menu, select Internet Options.
Step 2. Click the Content tab from the Internet Options dialog.
Step 3. Under the AutoComplete section, click the Settings button.
Step 4. From the resulting AutoComplete Settings dialog box, click the Manage Passwords button.
The Credential Manager will be displayed with the Web Credentials section selected. From here you can display the credential details, remove credentials, and display the password by clicking the Show link.
Note that unlike Windows Credentials, there is no interface for adding credentials, or for backing up and restoring Web Credentials. Because Web Credentials can display the original plain-text password used, backing up these credentials to another location can cause a security risk.
Managing Multifactor Authentication
When you use Credential Manager to store a certificate-based credential as discussed in the previous section, it looks for the certificate in the Personal store of Certificate Manager. When you log on using a smart card, the smart card contains a certificate with information that verifies your identity. When you use Encrypting File System (EFS), which you will learn about in Chapter 14, “Configuring File and Folder Access,” to encrypt a file, you create a certificate that is stored in the same certificate store. Windows 10 provides the Certificate Manager Microsoft Management Console (MMC) snap-in to manage stored certificates.
Certificates are managed in several stores, and Windows 10 maintains three separate sets of stores: one set for your user account, another for the computer Service accounts, and one for the Computer account itself. That means there can be a large number of separate sets, depending on the number of users on the computer and the number of service accounts for installed services. There is always only one set of stores for the local computer itself.
You can open Certificate Manager from the page in Credential Manager that enables you to add a certificate-based credential. You can also load Certificate Manager by typing certificates into the Search box or Cortana and selecting the mode of certificates to manage. You can choose from Manage File Encryption Certificates, Manage Computer Certificates, or Manage User Certificates. Certificate Manager opens and displays a series of certificate stores, as shown in Figure 7-36. Expand any of these certificate stores and click the Certificates subnode to display any available certificates. Double-click a certificate to display its details. You can see the purposes for which the certificate is intended and the validity period. The Details tab includes information such as the serial number, signature hash algorithm, issuer, public key value, and so on.
Figure 7-36. Using Certificate Manager to View and Manage Different Types of Certificates in Different Certificate Stores
You can also view additional information and configure certificate properties by selecting the Details tab and clicking the Edit Properties button. From the Certificate Properties dialog box, you can modify the certificate purposes, specify cross-certificate download URLs, specify Online Certificate Status Protocol (OCSP) download URLs, and extend validation parameters.
Using the Friendly Name field and the Description field in the General tab can help to differentiate among similar certificates. Cross-certificates are used to establish trust between separate certification authority (CA) hierarchies, such as those used on diverse networks. OCSP responders are used to verify certificate validity and check against certificate revocation lists issued by CAs.
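The same details the snap-in shows per certificate (purposes, validity period, issuer, signature algorithm, friendly name) can be pulled from the user and computer Personal stores in bulk, which is how you would find expiring smart-card, VPN, or EFS certificates across a fleet. This is an added example, not from the book; it assumes Windows 10 with PowerShell's Cert: drive and reads only the two Personal stores, not the per-service stores.

```powershell
# Added example: inventory the Personal (My) stores that Certificate Manager
# displays for the current user and the local computer, and flag problems.
function Get-PersonalCertReport {
    param([int]$ExpiryWarningDays = 30)

    $now = Get-Date
    foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue | ForEach-Object {
            # Enhanced Key Usage is the "intended purposes" list on the General tab
            # (Client Authentication, Smart Card Logon, Encrypting File System, ...).
            $eku = ($_.EnhancedKeyUsageList | ForEach-Object { $_.FriendlyName }) -join '; '
            $daysLeft = [int]($_.NotAfter - $now).TotalDays
            $status = if ($daysLeft -lt 0) { 'EXPIRED' }
                      elseif ($daysLeft -le $ExpiryWarningDays) { "Expires in $daysLeft days" }
                      else { 'Valid' }
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                FriendlyName  = $_.FriendlyName
                Issuer        = $_.Issuer
                Thumbprint    = $_.Thumbprint
                SignatureAlg  = $_.SignatureAlgorithm.FriendlyName
                Purposes      = $eku
                HasPrivateKey = $_.HasPrivateKey
                NotAfter      = $_.NotAfter
                Status        = $status
            }
        }
    }
}

# Surface what needs attention: expired or expiring certificates, and any
# certificate without a private key, which cannot be used for smart-card
# logon, certificate-based credentials, or EFS on this machine.
Get-PersonalCertReport |
    Sort-Object NotAfter |
    Where-Object { $_.Status -ne 'Valid' -or -not $_.HasPrivateKey } |
    Format-Table Store, Subject, Purposes, SignatureAlg, Status, HasPrivateKey -AutoSize
```

Reading Cert:\LocalMachine\My requires an elevated prompt; without it the computer store is silently skipped and only the user's certificates are reported.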
Requesting Certificates
There are a number of ways to request a personal or computer certificate for use in encryption and authentication. You may be provided a certificate by your company, loaded on a smart card or installed on your workstation.
Companies often implement their own Public Key Infrastructure (PKI), with an internal Certificate Authority (CA) to issue certificates.
A common way to implement certificate distribution in a large company is to provide users the ability to request certificates from the domain on any domain-joined computer using their Active Directory account. Using this technique, users only need to request a personal certificate. They can then use it for VPN, email, and other purposes. The procedure is as follows:
Step 1. Open Certificate Manager, either from Credential Manager or using the Search bar or Cortana.