3.5.1 (L1) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'

Information

This setting is separate from the Welcome screen feature in Windows XP and Windows Vista; if that feature is disabled, this setting is not disabled. If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks to which the computer is connected. Also, if you enable automatic logon, the password is stored in the registry in plaintext, and the specific registry key that stores this value is remotely readable by the Authenticated Users group.

For additional information, see Microsoft Knowledge Base article 324737:

How to turn on automatic logon in Windows

.

The recommended state for this setting is: Disabled

If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks that the computer is connected to. Also, if you enable automatic logon, the password is stored in the registry in plaintext. The specific registry key that stores this setting is remotely readable by the Authenticated Users group. As a result, this entry is appropriate only if the computer is physically secured and if you ensure that untrusted users cannot remotely see the registry.

Solution

To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to `Disabled.

Administrative Templates\MSS (Legacy)\MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)

Impact:

None - this is the default behavior.

Warning:

Windows Autopilot - Policy Conflicts

: Windows Autopilot pre-provisioning doesn't work when this GPO policy settings is enabled. An exception to this recommendation will be needed if Windows AutoPilot is used.

See Also

https://workbench.cisecurity.org/benchmarks/16853

Item Details

Category: IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|IA-5(1), 800-53|SC-28, 800-53|SC-28(1), CSCv7|16.4

Plugin: Windows

Control ID: 711e2e09d65b29c7b5b382d78ac74d790a694ed71177d1fc3e3565f54b370519