Tuesday, January 17, 2012

How to Enable Auto-Logon for your Server

WARNING: This Post reduces the physical security of your server, leaving the server open for anyone for a brief period of time after reboot.

So, you are still reading after the warning above.  Excellent.  Unless you are physically controlling access to your server, and aren’t worried in the least about theft or any other loss of server, or access to server, then please continue reading.

Last year, I wrote a post about using my Home Server for more than just storage, backup and remote access.  This is not condoned by Microsoft or supported for Windows Home Server, as Windows Home Server licensing doesn’t enable you to run Line of Business Applications on your server, just security type applications.  This also depends on your EULA you’ve entered with your hardware OEM as well as Microsoft, so be careful you’re not voiding a warranty or locking yourself out of support here.  That might be more important to you than this little hack.  You should also see if your application can be run as a service, either by contacting the app provider, or by testing with the SRVANY.EXE command you can find from here. This wouldn’t reduce the security of your server, but still get you the end result.

Now that we’re through all the warnings, let’s get started.

I have some end-user applications that I want to run (as the different, non-admin user), that aren’t services.  This means that if the box reboots for patches, or a power-outage, the apps don’t start until I connect into the server and kick them off.  Naturally I put all the apps that need to start in the start-up group, this includes my iOS printing app, among others.  So ultimately I just need to log-in, and then I’m good to go. 

But… I can automate the logon with the System Internals (sysinternals). 

STEP 1: I simply download the AutoLogon tool.  When I launch it, I elevate it to the administrator account (ie UAC), and then accept the EULA.  I’m then presented with the simple UI:

Autologon - Sysinternals

I simply enter the username, domain and password I want to auto-login as, and hit enable. To disable this in the future, run the tool again and hit disable.image

STEP 2: This is the most important step, to secure things again.  It’s super simple, you simply enable the screensaver (I chose the “Blank” screen saver), and On resume, display logon screen is checked, and the screen saver will come on after 1 minute.

This of course will get irritating if you’re working on the server.  So in those cases I change the wait time up to 15 minutes, and then back down to 1 minute when I’m finished working.  I never turn off the screensaver, because if I forget to turn it back on, then the server will be indefinitely unlocked, which is bad of course. 

That’s all there is to it.  Use this wisely and only if needed.  You’d also be wise to see if your application can be turned into a service.  Microsoft has a tool for that too, it’s called SRVANY.EXE.


8 comments:

Taho said...

if you don't want to keep your password in plain text in registry look at LogonExpert tool. It keeps your credentials AES 256bit encrypted.

Anonymous said...

Um why not use control userpasswords2?

Anonymous said...

Check MiscSoft's Login Helper. This tool configures the windows autologon and has in addition autolock and few basic energy saving features.

Sean Daniel said...

I try to stay away from 3rd party installers. SysInternals is owned by Microsoft and thus will have gone through the Microsoft rigor. But yes, these other two apps appear to advertise similar things, I just use what i trust on my server.

Unknown said...

to increase security i dont use screensaver as it is too annoying.
Simply create shortcut in startup folder "rundll32.exe user32.dll, LockWorkStation"

Neil said...

Just trying to setup my WHS 2011. Any idea what I should be putting in the domain box. Leaving it blank doesn't work. I'm new to WHS after migrating from UnRAID. Thanks for any help.

Sean Daniel said...

Sorry for the delay, the domain box can be blank, or is the server name in WHS. on SBS it would be the domain

scharf said...

This program has pretty much destroyed a server as it will not disable in anyway or how. After 4 hours trying to get it to work, I had to delete the server and rebuild.