First the behind-the-scenes story: We have a high number of shared workstations that do not rely on Windows Authentication for security but instead opt for application-specific authentication. These are kiosk stations where person after person needs to walk up, log into the application, read or post medical information and walk away. Medical standards require us to use application-specific authentication for tracking access to patient records. Most of these devices are just Citrix windows into the medical applications.
We are currently using a comma-delimited text file containing the username, the password, and the computer name. We then have a login script that parses that text file and populates the correct registry keys for AutoLogin and ForceLogin.
Here is what I brainstormed as a possible application that we could build in-house or outsource. I couldn't find any comparable application on the market. If anyone wants to run with this idea, just let me know so that our hospital can buy it :)
- Switch to using Microsoft's AD Lightweight database (LDAP) or some other SQL application
- encrypt and salt the password field with sha256 hash
- No person ever needs to know the password so the passwords should be randomly generated
- the passwords should change every 30 days
- The username can be randomly generated but needs to have some pattern (i.e. auto-FF342D)
- The table would be basic computername, username, and hashed password
- This application should have the AD rights to create usernames and modify passwords
- If a password gets lost in transit, just recreate a new password
Right now the client uses the login script to read from the text file and create the correct registry changes so an equivalent program or script would need to be run on the workstations.
- Read content from the database and query based on the computername
- Modify the local registry if it finds a match
- AutoLogon = 1
- ForceLogon = 1 or 0
- My understanding from the SysInternals Autologon application is that there is a better way to store passwords in the registry
- When no match is found in the database, the local app should reset AutoLogon = 0
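The workstation-side piece described in the list above, as an added PowerShell example (not code from the original post): look up this computer's record, set or clear the Winlogon auto-logon values, and hand the password to Sysinternals Autologon so it lands in an LSA secret instead of a plaintext REG_SZ. Assumptions: the lookup function stands in for the LDAP/SQL query and holds constructed sample data, the workstation must receive the actual password (a one-way hash cannot be used to log on, so the store is assumed to keep it reversibly protected and deliver it over an authenticated channel), and the autologon.exe path and its `user domain password` command-line form are assumed.

```powershell
# Added example, not from the original post. The real Winlogon value names are
# AutoAdminLogon and ForceAutoLogon (the post calls them AutoLogon / ForceLogon).
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-KioskRecord([string]$ComputerName) {
    # Stand-in for the database/LDAP query keyed on computer name.
    # Constructed sample data; the record shape is an assumption.
    $records = @{
        'KIOSK-ER-01' = @{ UserName = 'auto-FF342D'; Domain = 'HOSPITAL'
                           Password = 'example-only-value'; Force = $true }
    }
    return $records[$ComputerName.ToUpper()]
}

function Set-KioskAutoLogon([string]$AutologonExe = 'C:\Tools\autologon.exe') {
    $record = Get-KioskRecord $env:COMPUTERNAME
    if ($null -eq $record) {
        # No match: disable auto-logon and remove any stale plaintext secret
        # left behind by the old text-file script.
        Set-ItemProperty -Path $Winlogon -Name 'AutoAdminLogon' -Value '0' -Type String
        Remove-ItemProperty -Path $Winlogon -Name 'DefaultPassword' -ErrorAction SilentlyContinue
        Remove-ItemProperty -Path $Winlogon -Name 'ForceAutoLogon'  -ErrorAction SilentlyContinue
        return $false
    }
    Set-ItemProperty -Path $Winlogon -Name 'DefaultUserName'   -Value $record.UserName -Type String
    Set-ItemProperty -Path $Winlogon -Name 'DefaultDomainName' -Value $record.Domain   -Type String
    Set-ItemProperty -Path $Winlogon -Name 'AutoAdminLogon'    -Value '1' -Type String
    $force = if ($record.Force) { '1' } else { '0' }
    Set-ItemProperty -Path $Winlogon -Name 'ForceAutoLogon'    -Value $force -Type String
    # Do not write DefaultPassword as a plaintext REG_SZ. Sysinternals Autologon
    # stores it as the LSA secret Winlogon reads (assumed path and CLI form).
    & $AutologonExe /accepteula $record.UserName $record.Domain $record.Password
    if ($LASTEXITCODE -ne 0) { throw "autologon.exe failed with exit code $LASTEXITCODE" }
    return $true
}

Set-KioskAutoLogon
```

Run it as the local administrator from the existing login script in place of the text-file parser; a re-run after a record is deleted from the store is what turns auto-logon back off on that kiosk.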