Thursday, December 17, 2015

Windows 8 Surprise: Domain Membership Disables PIN Login

If you join a Windows 8 machine to a domain, you'll notice that you lose the ability to sign in with a four-digit PIN. If you want to re-enable PIN login, you'll need to enable a Group Policy setting:

Computer Configuration\Administrative Templates\System\Logon\Turn on PIN sign-in

There is a good reason, however, for not allowing PINs. Even if you log in with a PIN, the domain controller needs your full password to let you touch domain services. So, the machine on which you configured the PIN has to store your password and give it to the domain controller when you log in with a PIN.

Since the local system needs access to the password (because you don't enter it), it has to keep it unhashed, using reversible encryption. An attacker with physical access to the machine could find the encrypted password and decrypt it with the machine's key, which also has to be stored somewhere. There are only ten thousand possible PINs, so offline cracking of the password would not be hard. It is generally considered A Bad Thing for access to a single workstation to grant access to a domain secret.

You might not want to allow PIN sign-in for your domain.
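If you want to find domain-joined machines where someone has already turned the policy on, the following audit script is an added example (not from the original post). It assumes the "Turn on PIN sign-in" policy is backed by the registry value AllowDomainPINLogon under HKLM\SOFTWARE\Policies\Microsoft\Windows\System, with 1 meaning enabled.

```powershell
# Added example: report whether this machine is domain-joined and whether
# the "Turn on PIN sign-in" policy is enabled, so the risky combination
# (domain member + PIN sign-in) can be flagged.
# Assumption: the policy writes DWORD AllowDomainPINLogon (1 = enabled) under
# HKLM\SOFTWARE\Policies\Microsoft\Windows\System.
function Get-PinSignInRisk {
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $valueName  = 'AllowDomainPINLogon'

    # Absent value means the policy is "Not configured" (the default).
    $item = Get-ItemProperty -Path $policyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $policyState = 'Not configured'
    } elseif ($item.$valueName -eq 1) {
        $policyState = 'Enabled'
    } else {
        $policyState = 'Disabled'
    }
    $pinEnabled = ($policyState -eq 'Enabled')

    # Domain membership comes from WMI/CIM rather than the policy itself.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $domainJoined = [bool]$cs.PartOfDomain

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        Domain          = $cs.Domain
        DomainJoined    = $domainJoined
        PinSignInPolicy = $policyState
        # True means the domain password is being kept locally in reversible
        # form so that the PIN can unlock it, which is the risk described above.
        DomainPasswordCachedForPin = ($domainJoined -and $pinEnabled)
    }
}

Get-PinSignInRisk | Format-List
```

Run it with Invoke-Command against a list of hosts to collect the same object from each machine; any result with DomainPasswordCachedForPin set to True is a workstation worth a second look.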
