Does anyone know of a simple and secure method of logging into a Windows 10 domain PC without having to type ANYTHING?

I have remote workstations that I'd like to access using NVIDIA's Gamestream protocol. The problem is the GeForce streaming service doesn't start until after login and I can't find the service in order to make it run before login.

My solution was to securely pass through a USB port on a thin client (over the network) to the remote workstation, using a program that runs as a daemon on both machines. In this way I'm able to scan a smart card at a thin client and the remote workstation recognizes that the card has been swiped. The only problem is that this doesn't perform a full login of the user as a PIN is still needed. I'd like to avoid the PIN if possible while maintaining the security of my single factor authentication.

TheFunk
  • You mean if someone steals one of your smartcards he can log in anywhere without any PIN? You see the error; be ready to simply educate the users to type their PIN, please. A typed PIN can be passed to a remote session, but it depends on the technology you use (RDP, Citrix, etc.) – yagmoth555 Sep 27 '17 at 01:41
  • @yagmoth555 Please reread the question, thank you. – TheFunk Sep 27 '17 at 02:22
  • Well, the title asks for smartcard auth without a PIN, and the text talks about a loginless PC. It's unclear, please edit. As yes, you can pass a smartcard to a remote host without a PIN, and that will be used inside the session, not at the login, but inside the session a PIN will be asked for – yagmoth555 Sep 27 '17 at 02:40
  • So the PIN can be disabled if I'm using something like Hello for Business and a PIV smartcard? – TheFunk Sep 27 '17 at 03:25
  • Are you sure you're really interested in smart cards and such, and not actually looking for ways to turn Windows 10 into a kiosk? There's some info on how to do that over at https://docs.microsoft.com/en-us/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions – bobmagoo Sep 29 '17 at 03:09
  • @bobmagoo Yes I'm sure. I guess I should go into more detail about what I'm doing. I have a KVM hypervisor with multiple VMs. Some of those VMs have passed through GPUs. In order to get the best performance out of this setup I needed hardware assisted video encoding server side and decoding client side. My users have thin clients for connecting to these performance VMs and they use an application built around the NVIDIA protocol. In order for the clients to connect to their assigned VMs, the VM must be signed in. I'd rather not have to remote over with RDP or whatever and then reconnect. – TheFunk Sep 29 '17 at 12:44
  • @bobmagoo So I'm trying to find a not too hacky way of signing in remotely without typing. I came up with the idea of YubiKeys and that worked for local accounts on the VMs as I could implement that with Windows Hello. Now I want to use this same functionality with domain accounts. So can I disable the login PIN somehow? – TheFunk Sep 29 '17 at 12:46

1 Answer

There is the Rohos Logon Key app, which allows auto-login based on a connected USB stick, PKCS#11 token, RFID card, or YubiKey on AD or standalone computers; RDP login with a key is also supported. You can set it to 1FA mode (password replacement). There is also a free version that supports only a USB drive as a key device.

AleSil
  • PERFECT!!! This is exactly what I needed. I needed a "what you have" or "what you are" style authentication for a domain based machine that I'm not sitting in front of, so that there is at least some security to establish the logon with the remote machine. By pairing my clients with my servers and using USB redirection I can establish this with the tool you have suggested. I guess I could have been clearer in my wording but kudos to you sir! – TheFunk Feb 08 '19 at 02:10