Windows – Logging in and out again as different user unlocks previously locked PC – how does it work

windows 7

I observed a rather curious behavior of Windows 7 at some of our office PCs:

  1. User A logs into his account as usual.
  2. User A locks the PC (via Win+L or similar).
  3. User B (doesn't matter who, it just has to be someone with a different user account) then logs into the same PC with his credentials (either directly at the PC or remote).
  4. User B logs off again.
  5. Directly after being presented with the "logging off" screen, User A's session is unlocked, without requiring User A's password.

This exact pattern works as presented on all affected PCs with arbitrary combinations of user accounts. I've heard our admin mention that it even works to unlock admin accounts, should they ever happen to stay logged into the right PC. It doesn't, however, work on a batch of newer PCs we recently got for our team.

Is this "phenomenon" known? I wasn't able to find reports of similar behavior via Google, so I assume it has to be something specific to our office environment. What flaw in the configuration of Windows 7 could lead to such behavior?


Some background:

  • Our PCs run Windows 7 Professional, 64bit. SP1 is installed. Security updates seem to be applied regularly.
  • All user accounts are domain accounts.
  • I informed one of our admins about this peculiarity some months ago but since the behavior persists, I'll try to present the issue in a more pressing manner (and make sure to include the one responsible for IT security as well this time).
  • I'm aware this has some implications regarding information security. (This allows impersonation, access to restricted network drives etc…) But at least on my PC, it seriously messes with my window arrangements, so it's not likely someone exploits it without me noticing afterwards. I'm sure the only reason it hasn't already been dealt with is because there hasn't been any (known) case of abuse. Also it requires physical access to the respective PC to be exploitable.
  • I'm just a user without elevated privileges. I'll try to supply whatever information will be needed (if any) but will be likely to hit some restriction sooner or later.
  • Also I'd like to apologize if my terminology regarding system administration is off – I'm no professional. Please let me know if I can improve my wording anywhere.

Autoruns' Logon tab (Microsoft entries are hidden): [screenshot]
The blacked-out section is a script that maps network drives depending on who logs in.
Autoruns' Winlogon tab (there are only Windows entries): [screenshot]

Best Answer

This is as designed.

Refer to Interactive logon: Require Domain Controller authentication to unlock workstation

It is a security setting that, if not enabled, essentially allows the user to log in without validating against a domain controller.

In your case User A validated and was cached. User B was validated, and when User A came back, it used the cached credentials. If that setting is set, it should require re-authentication back to the domain controller, so there's the drawback: if you have, say, a laptop and lost your network connection, how do you connect back to the domain controller to unlock? Hence it can be a 'dangerous' setting.
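To check where a given machine stands on the setting named in the answer, the following PowerShell snippet reads the two Winlogon registry values involved: ForceUnlockLogon, which is the value the policy "Interactive logon: Require Domain Controller authentication to unlock workstation" writes, and CachedLogonsCount, which controls how many domain logons Windows caches locally. This is an added audit example, not code from the question, the answer, or Microsoft; the registry path and value names are the ones Windows uses for these policies, and the defaults quoted in the comments are the Windows defaults.

```powershell
# Added example: audit the Winlogon values behind the unlock-without-DC behaviour.
# Reading these values normally works as a standard user; changing them needs
# elevation, and on a domain member Group Policy will overwrite a local change.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# ForceUnlockLogon backs the policy "Interactive logon: Require Domain Controller
# authentication to unlock workstation".
#   1          = enabled: unlocking must be validated by a domain controller
#   0 / absent = disabled (default): cached credentials are accepted at unlock
$force  = (Get-ItemProperty -Path $winlogon -Name ForceUnlockLogon  -ErrorAction SilentlyContinue).ForceUnlockLogon

# CachedLogonsCount: number of domain logons cached for offline use (default 10,
# 0 disables caching entirely, which also breaks offline logon on laptops).
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount

$report = [pscustomobject]@{
    Computer          = $env:COMPUTERNAME
    ForceUnlockLogon  = if ($null -eq $force)  { 'not set (policy disabled)' } else { $force }
    CachedLogonsCount = if ($null -eq $cached) { 'not set (default 10)' }      else { $cached }
    DcRequiredToUnlock = ($force -eq 1)
}
$report | Format-List

# To enable the policy on this machine (elevated prompt; for domain members set it
# in the GPO under Computer Configuration > Windows Settings > Security Settings >
# Local Policies > Security Options instead, so it is not overwritten):
# Set-ItemProperty -Path $winlogon -Name ForceUnlockLogon -Value 1 -Type DWord
```

Run it on one of the affected PCs and on one of the newer PCs that do not show the behaviour; if the answer's explanation is right, the two will differ in ForceUnlockLogon (or the newer machines will have it enforced by a GPO that does not apply to the older batch). Enabling the policy trades the unlock-from-cache convenience for a hard dependency on reaching a domain controller, which is the laptop drawback the answer describes.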
