Updated: Jan. 25, 2007
Summary:
GINA (Graphical Identification and Authentication) is a replaceable DLL component of Windows NT/2000/XP. GINA implements the authentication policy of the interactive logon model and is expected to perform all identification and authentication user interactions.
Rohos Logon Key replaces the Windows MSGina.dll with the Rohos GINA module, which implements standard login/password authentication as well as two-factor authentication with a USB flash drive.
The following topics cover conceptual information about the GINA DLL module developed by Tesline-Service SRL, the USB flash drive identification mechanism, PIN code entry and product related issues.
About Winlogon and GINA
Logon to Windows is performed by the interactive logon process, Winlogon. Winlogon is a trusted process that manages security-related user interaction, loads MSGina.dll and coordinates the network providers. To alter the interactive logon procedure, MSGina.dll can be replaced with a customized GINA DLL.
Rohos Logon Key modifies the following registry value to replace the standard GINA component:
Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Key: GinaDLL
Value: rohos_ui.dll
Note that a GINA DLL receives every password typed at logon and at unlock, so it is part of the trusted logon path: this value must remain writable only by administrators and the DLL it names must be protected in the same way.
- Winlogon creates three desktops: an application desktop (used by the user), a Winlogon desktop (used by Winlogon to display the logon UI), and a screensaver desktop (to run screensavers). Only the Winlogon process has access to the Winlogon desktop, so whenever the Winlogon desktop is active no other process can reach the data associated with it. This prevents other processes from capturing the password used for logon and for unlocking the desktop. The screensaver runs on a separate desktop so that, if the screensaver is marked secure, Winlogon switches to the Winlogon desktop when it terminates, thus locking the system.
- Winlogon registers CTRL+ALT+DEL as the secure attention sequence (SAS), which ensures that no other application can hook that key sequence.
- When the user enters a password, Winlogon passes the credentials to the Local Security Authority (LSA), which authenticates the user and generates the user's access token. This access token is then used to create the user's shell.
Windows Login dialog and list of user accounts
When Windows starts, the user authentication dialog appears.
The Rohos GINA provides an enhanced login dialog with a customized list of user accounts, date and time, a shutdown button and the standard login dialog.
The legal notice shown before logon is read from the standard Winlogon value:
Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Key: LegalNoticeText
Learn more about Rohos welcome screen customization: How to change text based notices in various parts of the welcome screen?
Authentication and Login
When you start your computer the Rohos welcome screen (GINA) appears and the user can choose a user account to log in with.
The Tesline-Service GINA supports various login methods:
- Users who have no password log in by clicking their icon.
- Automatic logon to Windows is supported (AutoAdminLogon=1). Keep in mind that automatic logon stores the account password in cleartext in the DefaultPassword value of the Winlogon key, so it is only appropriate on machines where anyone with read access to that key may know the password.
- User accounts that are not displayed on the welcome screen can log in through the standard login dialog box by clicking the User account link.
- Two-factor authentication with a USB flash drive and PIN code. Learn more: How to use USB flash drive for Windows login?
Supported security policies:
- Password expiration: if the user account is required to change its password periodically, the Tesline-Service GINA enforces this policy according to the system settings;
- Disabled and locked-out user accounts are supported;
- Preventing a user from changing his or her password is supported;
- Shutdown without logon: you can enter hibernate/standby mode with the shutdown computer button (if enabled by security policy).
Authentication in Windows Active Directory (Windows domain)
Active Directory is an essential and inseparable part of the Windows 2000 network architecture: an integrated set of directory services that improves the management, security and interoperability of the Windows network operating system.
On a computer that is part of a domain, a user must be a member of at least one group. The permissions and rights granted to a group are assigned to its members.
The Tesline-Service GINA satisfies the needs of both administrators and users, making access to Windows Active Directory (formerly Domain) resources easier, faster and more secure. If the computer has already been joined to the directory by the administrator, Active Directory access is just a few clicks away: after installing Rohos Logon Key and restarting the computer you will see the welcome screen.
- Rohos uses the default domain settings to display domain users on the welcome screen for easy domain login:
Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Key: AltDefaultDomainName, AltDefaultUserName
- The Tesline-Service GINA provides an additional login dialog box for logging into the domain with a domain account that is not shown on the Rohos welcome screen. To use it press Ctrl+Alt+Del; here you can enter your login, password and Active Directory domain name.
- Two-factor authentication with a USB flash drive is supported.
- Mapping the user home folder (drive) and setting environment variables are supported.
- The UPN format for domain login is supported (user-name@domain-name.com).
Windows Security Dialog Box by Ctrl+Alt+Del
The dialog box that appears when you press the secure attention sequence (SAS, i.e. Ctrl+Alt+Del) is titled Windows Security.
With its default Welcome screen, Windows XP does not display the security dialog box when the user presses Ctrl+Alt+Del (it opens Task Manager instead).
The Tesline-Service GINA supports this dialog (and Win+L to lock Windows). Security panel functions:
- the icon of the current user and the working time you have spent on the computer;
- change the Windows password;
- lock the desktop (log off the user or turn off the computer as well);
- open Task Manager;
- review network security (shared folders, open files, connections);
- view free space on hard drives and the USB flash drive.
To customize the title of this dialog box the GINA uses the following registry value:
Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Key: Welcome (e.g., Windows Security for JoelTech Domain)
To disable buttons in the Windows Security dialog box the GINA honours the following registry values:
Path: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Keys: DisableChangePassword (1 = disabled), DisableTaskMgr (1 = disabled), DisableLockWorkstation (1 = disabled)
The Tesline-Service GINA provides additional security items: network open shares and active connections.
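The registry values named on this page (GinaDLL on the Winlogon key, AutoAdminLogon with its DefaultPassword, and the DisableChangePassword/DisableTaskMgr/DisableLockWorkstation policy values) are what an administrator or incident responder checks to see whether the interactive logon path has been changed. The following Python script is an added example, not Rohos or Microsoft code: it parses a registry export in the text format written by regedit or `reg export` and reports findings. The export embedded in it is constructed for the example; the key paths and value names are the real Winlogon ones, while the severity labels and the audit rules are this example's own choices.

```python
"""Audit a Winlogon registry export for a replaced GINA and weak logon settings.

Added example, not Rohos or Microsoft code. Parses text in the format written by
    reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg
(plus the per-user Policies\System key) and flags the values discussed on this page.
"""
import re

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
DEFAULT_GINA = "msgina.dll"  # the stock GINA; anything else is a replacement
POLICY_VALUES = ("DisableChangePassword", "DisableTaskMgr", "DisableLockWorkstation")

# Constructed sample export: the account name and password are invented for this example.
# Real .reg files are usually UTF-16; open them with encoding="utf-16" before parsing.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"GinaDLL"="rohos_ui.dll"
"AutoAdminLogon"="1"
"DefaultUserName"="alice"
"DefaultPassword"="hunter2"
"Welcome"="Windows Security for EXAMPLE Domain"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableLockWorkstation"=dword:00000000
'''

# "name"=<data>; the name may contain \" and \\ escapes
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    # .reg strings escape backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for a .reg export.

    REG_SZ data becomes str, REG_DWORD (dword:xxxxxxxx) becomes int; other
    types keep their raw right-hand side so nothing is silently dropped.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name, rhs = _unescape(m.group(1)), m.group(2)
        if len(rhs) >= 2 and rhs[0] == '"' and rhs[-1] == '"':
            data = _unescape(rhs[1:-1])
        elif rhs.lower().startswith("dword:"):
            data = int(rhs[6:], 16)
        else:
            data = rhs
        keys[current][name] = data
    return keys


def _fold(values):
    # registry value names are case-insensitive ("ginadll" == "GinaDLL")
    return {name.lower(): data for name, data in values.items()}


def audit_winlogon(export_text):
    """Return a list of (severity, message) findings, highest severity first."""
    keys = parse_reg_export(export_text)
    wl = _fold(keys.get(WINLOGON_KEY, {}))
    pol = _fold(keys.get(POLICY_KEY, {}))
    findings = []

    gina = wl.get("ginadll")
    if gina and gina.lower().rsplit("\\", 1)[-1] != DEFAULT_GINA:
        findings.append(("high", f"GinaDLL is {gina!r}: a replacement GINA handles every "
                                 "password typed at logon; confirm its origin and signature"))

    if str(wl.get("autoadminlogon", "0")) == "1":
        if "defaultpassword" in wl:
            findings.append(("high", "AutoAdminLogon=1 with DefaultPassword stored in the registry "
                                     "in cleartext; any account with read access to the key can recover it"))
        else:
            findings.append(("medium", "AutoAdminLogon=1: the console logs on without a password prompt"))

    for name in POLICY_VALUES:
        if str(pol.get(name.lower(), 0)) == "1":
            findings.append(("info", f"{name}=1: the corresponding Windows Security button is disabled"))

    order = {"high": 0, "medium": 1, "info": 2}
    findings.sort(key=lambda f: order[f[0]])
    return findings


if __name__ == "__main__":
    for sev, msg in audit_winlogon(SAMPLE_EXPORT):
        print(f"[{sev}] {msg}")
```

Run it against a real export by reading the file (usually UTF-16) and passing its text to `audit_winlogon`. The GinaDLL check compares only the file name, since the value may be given as a bare name or a full path; a replaced GINA is reported as a finding rather than as malicious, because an intentionally installed product such as Rohos produces the same value as a persistence implant would, and only the DLL's origin and signature tell the two apart.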
Locked Window
When you lock your computer with the Win+L shortcut or the Lock Workstation button on the Ctrl+Alt+Del dialog, the locked desktop window appears.
Supported actions on this window:
- Unlock the workstation with the user's password;
- Unlock the workstation with the local Administrator password;
- Unlock the workstation with the USB flash drive (see Using USB flash drive for login);
- Enter hibernate/standby mode with the shutdown computer button (if enabled by security policy).
Additional features:
- An open programs counter is displayed on the locked screen;
- Date and time are displayed on the locked screen;
- Working time (how many hours the user has spent working on the PC today, excluding pauses such as screen saver, restart, hibernate and locked desktop);
- Auto shutdown/hibernate feature (see the AutoShutdownWhenLocked tweak).
Shutdown dialog
The native Windows MSGina.dll component contains the computer shutdown dialog, and the GINA specification does not allow this dialog to be replaced.
However, the Tesline-Service GINA sets up its own shutdown dialog with additional features:
- the current user's picture (also supported on Windows 2000);
- working time information (how many hours the user has spent working on the PC today, excluding pauses such as screen saver, restart, hibernate and locked desktop);
- a Hibernate button (no need to hold Shift to hibernate).
Note: the shutdown dialog is replaced by injecting code into the Explorer process, a technique that host-based protection products may flag. If this causes problems, the feature can be disabled (see Rohos tweaks).
See also:
How to increase password security with two-factor authentication.
Raising password complexity alone does not reliably improve security: in practice users write down difficult passwords, leaving the system vulnerable. Security is better increased with two-factor authentication solutions.
Here is how to configure two-factor authentication for Windows and how it affects your Windows security.
Rohos Logon Key
Gives secure access to a Windows computer with a USB key.
Turns any USB flash drive into a protection key for your computer.
Restricts access to a PC for certain users based on the USB key and a time factor.