Tesline-Service GINA. Advanced authentication module for Windows 2000/XP/2003.

Updated: Jan. 25, 2007
Applies to: Windows XP/2000/2003, Rohos Logon Key.
Summary:
GINA is a replaceable DLL component for Windows NT/2000/XP. GINA implements the authentication policy of the interactive logon model and is expected to perform all identification and authentication user interactions.
Rohos Logon Key replaces the Windows MSGina.dll with the Rohos GINA module, which implements standard login/password authentication as well as two-factor authentication using a USB flash drive.

The following topics cover conceptual information about the GINA DLL module developed by Tesline-Service SRL, the USB flash drive identification mechanism, PIN code entry and product-related issues.


About Winlogon and GINA

Logon to Windows is performed through the interactive logon process (Winlogon). Winlogon is a trusted process that manages security-related user interaction, MSGina.dll and network providers. To alter the interactive logon procedure, MSGina.dll can be replaced with a customized GINA DLL.
Rohos Logon Key modifies the following registry value to replace the standard GINA component:

Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Key: ginadll
Value: rohos_ui.dll

  • Winlogon creates three desktops: an application desktop (used by the user), a winlogon desktop (used by Winlogon to display the login UI), and a screensaver desktop (to run screensavers). Only the Winlogon process has access to the winlogon desktop. This means that whenever the winlogon desktop is active, no other process has access to the data associated with that desktop. This prevents other processes from getting the password that is used for logging on and unlocking the desktop. The screensaver runs in a separate desktop so that, if the screensaver is marked secure, Winlogon switches to the winlogon desktop when the screensaver terminates, thus locking the system.
  • By registering CTRL+ALT+DEL, Winlogon ensures that no other application has hooked that key sequence.
  • When the user enters the password, Winlogon sends the user's credentials to the Local Security Authority Server (LSA), which authenticates the user. The user's access token is then generated and used to create the user shell.

Windows Login dialog and list of user accounts

When Windows starts, the User Authentication dialog appears. Rohos GINA provides an enhanced login dialog with a customized list of user accounts, date and time, a shutdown button and the typical login dialog.

  • The list of user accounts is displayed according to the Windows XP welcome-screen specification. Each user item has a picture and a password hint. Users with a blank password can log in with a single click.
    Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\
    Key: %USER NAME%
    Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Hints\%USER NAME%
    Key: Picture Source
    Tip: To add or remove users from the login window (welcome screen), open Rohos Center and click the Setup Users link.
  • Full Name for user accounts is supported. A user account has a system name for internal system purposes and a user-friendly name that can be displayed on the login screen. This name can be changed at any time without affecting the system.
  • Date and time are displayed on the login dialog box.
  • The shutdown computer button allows Shut Down, Restart, Hibernate and Stand-by from the Authentication Dialog Box.

    Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    Key: ShutdownWithoutLogon (0 = disabled, 1 = enabled)

  • Legal Notice Before Logon: GINA uses these fields to display a text to any user before logging on to the system. This is useful when it is required by law to warn people that it is illegal to attempt to log on without being an authorized user.

Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Key: LegalNoticeText


Learn more about Rohos welcome screen customization: How to change text based notices in various parts of the welcome screen?

Authentication and Login

When you start your computer, the Rohos welcome screen (GINA) appears and the user can choose a user account to log in. Tesline-Service GINA supports various login methods:

  • Users who do not use a password log in by clicking on their icon.
  • Automatic Logon to Windows is supported (AutoAdminLogon=1).
  • User accounts that are not displayed on the welcome screen can log in through the typical login dialog box by clicking the User account link.

Two-factor authentication with USB flash drive & PIN code is also available. Learn more: How to use USB flash drive for Windows login?

Supported security policies:

  • Password expiration: if a user account is set to change its password periodically, Tesline-Service GINA enforces this policy according to system settings;
  • Disabled/Locked user accounts are supported;
  • Preventing a user from changing his/her password is supported;
  • Shutdown without logon. You can run hibernate/Standby mode using the shutdown computer button (if enabled by security policy).

Authentication in Windows Active Directory (Windows domain)

Active Directory is an essential and inseparable part of the Windows 2000 network architecture, an integrated set of directory services that improves the management, security, and interoperability of the Windows network operating system.

On a computer that is a part of a network domain, a user must be a member of at least one group. The permissions and rights granted to a group are assigned to its members.

Tesline-Service GINA makes it easy to satisfy the needs of both administrators and users, making access to Windows Active Directory (ex-Domain) resources easier, faster and more secure. If the computer has already been configured by the administrator to work with the Directory, then access to Active Directory is just a few clicks away. After installing Rohos Logon Key and restarting the computer, you will see the welcome screen.

  • Rohos uses the default domain setting to display domain users on the welcome screen for easy login to the domain:
    Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Key: AltDefaultDomainName, AltDefaultUserName
  • Tesline-Service GINA provides an additional login dialog box for logging in to the domain under a domain user account that is not shown on the Rohos welcome screen. To use it, press Ctrl+Alt+Del. Here you can enter your login, password and Active Directory domain name.
  • Two-factor authentication with USB flash drive is supported.
  • Mapping the User Home Folder (drive) and setting environment variables are supported.
  • UPN format for domain login is supported (user-name@domain-name.com).

Windows Security Dialog Box by Ctrl+Alt+Del

The dialog box that appears when you press the secure attention sequence (SAS, i.e., Ctrl+Alt+Del) has the title Windows Security. Windows XP doesn't display the security dialog box when the user presses Ctrl+Alt+Del. Tesline-Service GINA supports this dialog (as Win+L to lock Windows). Security Panel Functions:

  • View the icon of the current user and the working hours that you have spent on the computer;
  • Change the Windows password;
  • Lock desktop (log off user and turn off computer as well);
  • Open Task Manager;
  • Review network security (shared folders, opened files, connections);
  • View free space on hard drives and USB flash drive.

To customize the title of this dialog box, GINA uses the following registry key:

Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Key: Welcome (e.g., Windows Security for JoelTech Domain)

To disable buttons in the Windows Security Dialog Box, GINA uses the following registry key:

Path: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\
Keys: DisableChangePassword (1 = disabled), DisableTaskMgr (1 = disabled), DisableLockWorkstation (1 = disabled)

Tesline-Service GINA provides additional security items: Network Opened Shares, Active connections.
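
The registry values named in the sections above (GinaDLL, AutoAdminLogon, ShutdownWithoutLogon and the Disable* policy values) can be reviewed offline from a `reg export` file. The following is an added example, not code from the original page or from Rohos: the sample export is constructed, the `allowed_gina` allowlist is an assumption, and DefaultPassword is the standard Winlogon value that accompanies AutoAdminLogon rather than one the page names.

```python
import re
# Constructed sample in .reg export syntax (not taken from a real machine).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"GinaDLL"="rohos_ui.dll"
"AutoAdminLogon"="1"
"DefaultPassword"="constructed-example"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"ShutdownWithoutLogon"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
'''
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
HKLM_POLICY = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system"
HKCU_POLICY = r"hkey_current_user\software\microsoft\windows\currentversion\policies\system"

def parse_reg(text):
    """Return {lowercased key path: {lowercased value name: str or int}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].rstrip("\\").lower(), {})
        elif current is not None:
            m = re.match(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{1,8})|"(.*)")$', line)
            if m and m.group(2) is not None:
                current[m.group(1).lower()] = int(m.group(2), 16)
            elif m:  # REG_SZ: undo the \\ and \" escaping used by .reg files
                current[m.group(1).lower()] = re.sub(r"\\(.)", r"\1", m.group(3))
    return keys

def audit(keys, allowed_gina=("msgina.dll",)):
    """Return [(value name, finding)] for the registry values named on the page."""
    on = lambda v: str(v) == "1"
    wl, found = keys.get(WINLOGON, {}), []
    gina = wl.get("ginadll")  # absent means Winlogon loads the default MSGina.dll
    if gina is not None and gina.lower() not in allowed_gina:
        found.append(("GinaDLL", f"non-default GINA loaded by Winlogon: {gina}"))
    if on(wl.get("autoadminlogon")):
        extra = "; DefaultPassword present in registry" if "defaultpassword" in wl else ""
        found.append(("AutoAdminLogon", "automatic logon enabled" + extra))
    if on(keys.get(HKLM_POLICY, {}).get("shutdownwithoutlogon")):
        found.append(("ShutdownWithoutLogon", "shutdown allowed before logon"))
    for name in ("DisableChangePassword", "DisableTaskMgr", "DisableLockWorkstation"):
        if on(keys.get(HKCU_POLICY, {}).get(name.lower())):
            found.append((name, "button disabled in the Windows Security dialog"))
    return found
```

On a machine where Rohos Logon Key is an approved install, pass `allowed_gina=("msgina.dll", "rohos_ui.dll")` so that only unexpected GINA replacements are reported.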

Locked Window

When you lock your computer with the Win+L shortcut or the Lock Workstation button on the Ctrl+Alt+Del dialog, the locked desktop window appears. Supported actions on this window:

  • Unlock workstation by User password;
  • Unlock workstation by Local Administrator password;
  • Unlock workstation by using USB flash drive (Using USB flash drive for login);
  • Run hibernate/Standby mode using the shutdown computer button (if enabled by security policy).

Additional features:

  • Opened Programs counter is displayed on the locked screen;
  • Date and Time are displayed on the locked screen;
  • Working time (how many hours the user has spent working on the PC today, excluding pauses like: screen saver, restarting, hibernate, locked desktop);
  • Auto shutdown/hibernate feature (see tweaks AutoShutdownWhenLocked).

Shutdown dialog

The native Windows MSGina.dll component contains the computer shutdown dialog, and the GINA specification rules do not allow this dialog to be replaced. However, Tesline-Service GINA sets up its own shutdown dialog with additional features:

  • Current User picture (also supported for Windows 2000);
  • Working time information (how many hours the user has spent working on the PC today, excluding pauses like: screen saver, restarting, hibernate, locked desktop);
  • Hibernate button (no need to press the Shift button to use hibernate).

Note: The shutdown dialog is replaced by injecting special code into the Explorer process. If this causes trouble, this ability can be disabled (see Rohos tweaks).




© 2004-2008, Tesline-Service SRL