Telling your Firewall to Trust Novell Login Scripts with WinLogon
Novell Cool Solutions: Tip
By Holly Newman
Posted: 13 Jul 2007
Looking for an executable to add to a firewall's trusted applications so Novell login scripts are trusted? Try WINLOGON.EXE.
During the system boot process the subsystem calls Winlogon. Winlogon is responsible for all security aspects involving user interaction, namely logon, logoff, and locking the workstation. Winlogon in turn calls other processes that assist in these functions, particularly NWGINA.DLL and LSASS, as well as the network providers. The modularization of these processes allows for third-party value-adds such as biometrics, or Novell's NDS capabilities such as Workstation Manager and ZENworks policy management.
When Winlogon starts it is responsible for security in the desktop environment. The three types of desktop security environments are the Winlogon (secure) desktop, the application desktop, and the screen saver desktop. When you start the machine it creates the secure desktop, where the only resources anyone can access are the screen, the keyboard, and the mouse. These three items comprise what is called a window station, a virtualized machine, to which Winlogon attaches a unique security identifier to prevent other processes from accessing it without Winlogon's permission. Applications such as Terminal Server can allow multiple concurrent instances of window stations. Under this condition any user or process is strictly isolated from the desktop: everything must go through Winlogon. As Winlogon initializes and prepares this environment it calls the APIs WlxNegotiate() and WlxInitialize(). This is where the GINA comes into play, because it is responsible for implementing these functions. In the case of NWGINA, all it does is check the version of Winlogon, initialize some environment tables, and load the welcome screen.
For more information about NWGINA and WINLOGON, see TID 10059511.
Some of the Novell functions that may be affected by this configuration are Novell Client login, ZFDagent login, ZENworks Middle Tier login, and subcomponents of those. This is not an exhaustive list, so if there is any question, test by adding WINLOGON.EXE.
One firewall/filter application that has been tested successfully is the ZoneAlarm / Checkpoint Integrity client.
Steps to add the .exe:
If the ZoneAlarm or Checkpoint Integrity client is running, add an exception for the WinLogon process.
- Open the Integrity client
- Access Program Control -> Programs
- Click Add and enter (or browse for) c:\<windir>\system32\winlogon.exe and click Open.
- Scroll down the list, find Windows NT Logon Application, and change the first two columns to Allow.
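Before adding winlogon.exe to any firewall's trusted-program list, it is worth confirming that the file at that path is the genuine Microsoft-signed System32 binary rather than a look-alike. The following PowerShell check is an added example, not part of the original tip or of the ZoneAlarm/Checkpoint product; it assumes PowerShell 3.0 or later on Windows and uses $env:windir to resolve the <windir> placeholder from the steps above.

```powershell
# Added example (not from the original tip): verify that the winlogon.exe you are
# about to trust in a firewall is the real System32 copy, signed by Microsoft.
# Assumes PowerShell 3.0+ on Windows; $env:windir stands in for <windir>.

function Test-WinlogonBinary {
    param(
        [string]$Path = (Join-Path $env:windir 'system32\winlogon.exe')
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = 'File not found' }
    }

    # Authenticode check: status must be Valid and the signer must be Microsoft.
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $sigOk  = ($sig.Status -eq 'Valid') -and ($signer -match 'O=Microsoft Corporation')

    # Path check: the resolved file must be the System32 copy, not one placed elsewhere.
    $expected = Join-Path $env:windir 'system32\winlogon.exe'
    $samePath = ((Resolve-Path -LiteralPath $Path).Path -ieq $expected)

    [pscustomobject]@{
        Path    = $Path
        Trusted = ($sigOk -and $samePath)
        Status  = $sig.Status
        Signer  = $signer
        Reason  = if ($sigOk -and $samePath) { 'Microsoft-signed System32 binary' }
                  elseif (-not $samePath)   { 'Not the System32 copy' }
                  else                      { "Signature check failed ($($sig.Status))" }
    }
}

# Run the check and show the result before touching the firewall's program list.
Test-WinlogonBinary | Format-List
```

On older Windows versions winlogon.exe may be signed only through a security catalog rather than an embedded signature, in which case Status shows NotSigned; compare the file against the catalog (for example with Sysinternals sigcheck) before treating that result as a failure.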
OPEN CALL: Have you tried this on other firewall/filter applications? Let us know how you did it and we'll add it to the list and give you Novell Rewards points for your trouble. Fire when ready!
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com