18.8.28.1 (L1) Ensure 'Always use classic logon' is set to 'Enabled'

Information

This policy setting forces the user to log on to the computer using the classic logon screen. By default, a workgroup is set to use the simple logon screen. This setting only works when the computer is not on a domain.

The recommended state for this setting is: Enabled

Explicitly requiring a user to enter their username and password is ideal and a requirement when utilizing the classic logon method. This setting is primarily important because it does not permit the use of a simple logon screen with user accounts presented.

Note: Systems joined to a domain typically are not impacted by this recommendation as username, password, and domain are required for system access. However, this setting is important for standalone systems.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled :

Computer Configuration\Administrative Templates\System\Logon\Always use classic logon

Note: This Group Policy path is provided by the Group Policy template Logon.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.

Impact:

The classic logon screen is always presented to the user at logon, rather than the simple logon screen.

See Also

https://workbench.cisecurity.org/benchmarks/14289

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b.

Plugin: Windows

Control ID: 6e1bbe9bb8e0dbf88648d915ff55a1fb60ff6e58aeff060b3e67340809933f6d