In Windows XP, you can lock and unlock a workstation either manually (Fig. 11.6) or by means of a program (for example, by using a screen saver). For example, you can lock your workstation at the office, and then connect to it from another location and continue working with your documents. When you return to your workplace, you can unlock your workstation.
Fig. 11.6: Locking a workstation
When a user logs on to a computer, the Winlogon Service stores a hash of the user's password for unlock attempts made in the future. When the user attempts to unlock the workstation, this stored copy of the password is verified. If the password entered in the unlock dialog matches the stored hash, the workstation is unlocked. If the password entered does not match the stored hash, the workstation attempts to log on (authenticate the password). If the logon process succeeds, the local hash is updated with the new password. If the logon process is unsuccessful, the unlock process will also be unsuccessful.
Note: This only happens when you have Fast User Switching disabled. When you join a Windows XP Professional computer to a domain, the Welcome Screen logon (and Fast User Switching) is disabled.
The unlocking process described above was designed to limit network traffic generated by the workstation. However, if you need more stringent security, you can edit the ForceUnlockLogon value (REG_DWORD data type) under the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
If this value is set to 0 (the default value), the system doesn't force authentication; if it is set to 1, online authentication is required to unlock the workstation, which can force a validation at the domain controller for the user who attempts to unlock the computer.
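One way to audit and set this value from PowerShell, as an added example that is not part of the original text. The function names are hypothetical, and the script assumes an elevated session, because writing under HKEY_LOCAL_MACHINE requires administrator rights.

```powershell
# Added example: audit and optionally enforce ForceUnlockLogon.
# Function names are hypothetical; run from an elevated PowerShell session.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ValueName   = 'ForceUnlockLogon'

function Get-ForceUnlockLogon {
    # Returns the effective setting and whether it is stored as REG_DWORD.
    # A missing value means the default (0): no forced authentication.
    $key = Get-Item -Path $WinlogonKey
    if ($key.GetValueNames() -notcontains $ValueName) {
        return New-Object PSObject -Property @{ Present = $false; Kind = $null; Value = 0 }
    }
    $kind = $key.GetValueKind($ValueName)
    $raw  = $key.GetValue($ValueName)
    New-Object PSObject -Property @{ Present = $true; Kind = $kind; Value = $raw }
}

function Set-ForceUnlockLogon {
    param([ValidateRange(0, 1)][int]$Value = 1)
    # -Force overwrites an existing value, including one of the wrong type.
    New-ItemProperty -Path $WinlogonKey -Name $ValueName `
        -PropertyType DWord -Value $Value -Force | Out-Null
}

$state = Get-ForceUnlockLogon

if (-not $state.Present) {
    Write-Output "ForceUnlockLogon is not set: default 0, unlock is checked against the stored hash first."
}
elseif ($state.Kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
    Write-Output "ForceUnlockLogon exists but is $($state.Kind), not REG_DWORD: rewrite it with Set-ForceUnlockLogon."
}
elseif ($state.Value -eq 1) {
    Write-Output "ForceUnlockLogon = 1: online authentication is required to unlock."
}
else {
    Write-Output "ForceUnlockLogon = $($state.Value): unlock is checked against the stored hash first."
}

# Uncomment to require online authentication at unlock:
# Set-ForceUnlockLogon -Value 1
```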