
Interactive logon: Require Domain Controller authentication to unlock workstation

When you attempt to unlock a workstation whose password-protected screen saver has activated, the workstation does not by default verify the password against a domain controller; it simply compares the password with an in-memory copy of the credentials you entered when you logged on earlier. The result is that you can still unlock the computer even if your account has been locked out or disabled at the domain controller. It also means someone can attempt to guess your password indefinitely by trying to unlock the computer (whether the increasing "wait" periods Windows imposes after repeated failed attempts also slow an attacker at the unlock screen is unconfirmed here).

In terms of risk, I can see 2 scenarios you should think about:

  • An intruder with physical access to a computer repeatedly attempts to guess the password by trying to unlock the computer.
  • You disable an employee’s account in connection with an emergency termination but are unable to intercept the person before they reach their computer. The employee is still able to unlock their computer and access or destroy records.

This policy, if enabled, forces the workstation to check with the domain controller and verify the status of your account and that the credentials entered to unlock the computer are correct.

How does this work if you are logged on with cached credentials?

Note: Like all "Interactive logon:" policies, this policy is a workstation-level policy. It needs to be defined in a GPO that gets applied to workstations, such as the Default Domain Policy. If you only configure this policy on the domain controllers, such as with the Default Domain Controllers Policy, you will only affect users logging on at the console of the domain controller. You should also configure this policy on Terminal Servers accessible to end users.
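To verify where a machine actually stands on this policy, here is an added PowerShell audit helper (not from this page). It assumes the policy is backed by the ForceUnlockLogon REG_DWORD under the Winlogon key and that CachedLogonsCount in the same key governs cached domain logons; neither value is named on this page.

```powershell
# Added audit helper (assumed registry backing; not from the WinSecWiki page).
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-UnlockAuthPolicy {
    # Reports the effective state of "Interactive logon: Require Domain Controller
    # authentication to unlock workstation" on the local machine.
    $props = Get-ItemProperty -Path $WinlogonKey -ErrorAction Stop

    # A missing ForceUnlockLogon value casts to 0, i.e. the default (Disabled).
    $force = [int]$props.ForceUnlockLogon

    # CachedLogonsCount is stored as REG_SZ; Windows defaults to 10 when absent.
    if ($null -eq $props.CachedLogonsCount) { $cached = 10 }
    else { $cached = [int]$props.CachedLogonsCount }

    if ($force -eq 1) {
        $finding = 'Unlock is re-verified against a domain controller'
    } else {
        $finding = 'Unlock uses the in-memory copy of credentials; a disabled or locked-out account can still unlock'
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        RequireDCForUnlock = ($force -eq 1)
        CachedLogonsCount  = $cached
        Finding            = $finding
    }
}

function Set-UnlockAuthPolicy {
    # Enables or disables the policy locally. Requires elevation. If a GPO
    # defines the setting, the next policy refresh overwrites this value, so the
    # GPO applied to workstations (and Terminal Servers) is the place to set it.
    param([switch]$Enable)
    $value = if ($Enable) { 1 } else { 0 }
    Set-ItemProperty -Path $WinlogonKey -Name ForceUnlockLogon -Value $value -Type DWord
    Get-UnlockAuthPolicy
}

Get-UnlockAuthPolicy | Format-List
```

Run Get-UnlockAuthPolicy across a fleet (for example via Invoke-Command) to find workstations where RequireDCForUnlock is still false, and pair it with CachedLogonsCount when weighing the cached-credentials question above.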

Bottom line

This is probably a good policy to enable, but it will slightly increase the time it takes to unlock workstations and add a negligible load on domain controllers.
