
I recently saw the following security tip on my company's intranet:

When you are done using a computer, always Log Off, Restart, or Shut Down. If you only lock your computer, your account becomes an easy target to be hijacked.

This is in an environment where we all use Windows, primarily Windows 10.

While it seems plausible that it might be slightly harder to hijack my account if I'm not logged in, my research seems to show that anyone with physical access can do almost whatever they want anyway.

Does logging off provide significant security improvements compared to locking the machine? Why/Why not?

Adam Shostack
Daniel
  • Define `safe` ... if someone has physical access to your computer they might as well have root on the local machine ... though logging out might prevent someone from using your access to the network. – CaffeineAddiction Jun 08 '16 at 17:02
  • @CaffeineAddiction I really don't care what safe means... I guess I'm wondering if there is any real concrete significant benefit to being logged out vs locked. – Daniel Jun 08 '16 at 17:03
  • The main difference is that logging out shuts down processes being run by your user and locking allows them to keep running. I also suspect that lock also maintains your domain credentials but I can not find a reputable reference specifying that (circumstantial evidence you can still receive email while locked which means you have domain creds still). – CaffeineAddiction Jun 08 '16 at 17:10
  • Can you provide a citation for that quote? – Mike Ounsworth Jun 08 '16 at 17:14
  • I'm with @MikeOunsworth on this one. The question you asked is fine, but that quote is throwing me off by making much stronger statements than what you are asking. Where did the quote come from? – TTT Jun 08 '16 at 17:25
  • @MikeOunsworth I cannot. This quote came from my company intranet. I haven't been able to find it anywhere else. I am asking because it seems like nonsense, but I want to be certain. – Daniel Jun 08 '16 at 17:26
  • @Daniel Ah, that's useful. I'll edit that into your question. – Mike Ounsworth Jun 08 '16 at 17:30

1 Answer


[The question "what could go wrong" is rather broad, so this is not a definitive answer. I am also not a Windows certified security professional, I'm just spitballing.]

@CaffeineAddiction points out that when you leave a computer locked, all your user-level processes are still running. Imagine that an attacker is able to plant a backdoor, like running an FTP server; this would remain running while you're locked, but the process would get killed when you log out. (That said, this only really stops script kiddies, since hacker groups with enough money to buy black market exploits will probably be able to do privilege escalation and run that FTP server as admin.)

RAM, cache files and network access: I don't claim to be an expert here, but I would assume that when you log out, Windows clears RAM and tmp files of any processes and data owned by your user. This would thwart a cold boot attack, or any other attack that allows the user to take a dump of your RAM. Windows domains also typically load your Documents folder - and often a user-specific network drive - from a network share. Logging out will close down the connections to these network shares, preventing an attacker both from reading your data from the server and from planting viruses on the server.

I do agree with your skepticism though: if an attacker has physical access, why not plant something that will do all of the above the next time you log in? The old trick of crawling under your desk and sticking a malicious USB device in the back, for example.

Mike Ounsworth
  • My Windows knowledge is pretty limited, so I would be happy to accept suggestions or edits - or to upvote another answer if what I've said is wrong / incomplete. – Mike Ounsworth Jun 08 '16 at 17:33
  • +1. I was almost done with my answer about cold boot attacks, but you beat me to it. Since backdoors don't require the user to be *currently* logged in, the cold boot is the only example I can think of which works when a user is logged in and possibly doesn't work when they aren't. And certainly a cold boot attack is a far cry from "an easy target to be hijacked." – TTT Jun 08 '16 at 17:38
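The answer's two concrete points are that a locked session keeps the user's processes running and keeps the user's network share connections open, and that only logoff ends them. The following PowerShell script is an added example (it is not part of the question, the answer or any comment) for an administrator who wants to see what a locked-but-not-logged-off workstation actually leaves behind, and how long sessions are being left locked rather than logged off. It assumes Security auditing for "Other Logon/Logoff Events" (event IDs 4800 workstation locked, 4801 workstation unlocked) and "Logoff" (4634, 4647) is enabled on the workstation, and that it is run in an elevated PowerShell; `$LockThresholdMinutes` and `$LookbackDays` are constructed parameter names with arbitrary defaults.

```powershell
# Added example, not code from the Stack Exchange post: audit what a merely locked
# Windows session leaves behind and how long sessions sit locked instead of logged off.
# Assumptions: run elevated on the workstation; Security log audits 4800/4801/4634/4647.
param(
    [int]$LockThresholdMinutes = 60,   # constructed default: report locks longer than this
    [int]$LookbackDays = 7             # constructed default: how far back to read the log
)

# 1. Processes that survive a lock and end only at logoff.
#    Session 0 holds services; every other session ID is an interactive (console or RDP)
#    user session, which is exactly what stays alive while the screen is locked.
Write-Host "== Processes in interactive user sessions (survive lock, die at logoff) =="
Get-Process -IncludeUserName -ErrorAction SilentlyContinue |
    Where-Object { $_.SessionId -ne 0 } |
    Group-Object UserName |
    ForEach-Object {
        $sample = ($_.Group | Select-Object -First 3 -ExpandProperty ProcessName) -join ', '
        "{0,-30} {1,4} processes, e.g. {2}" -f $_.Name, $_.Count, $sample
    }

# 2. SMB share connections held open by this session (the network drives the answer mentions).
#    Get-SmbMapping is per-user, so it lists the mappings of the account running the script.
Write-Host "`n== SMB mappings held open by this session =="
Get-SmbMapping -ErrorAction SilentlyContinue |
    Select-Object LocalPath, RemotePath, Status |
    Format-Table -AutoSize

# 3. Lock intervals: pair each 4800 (locked) with the next 4801 (unlocked) or 4634/4647 (logoff)
#    for the same logon session. Keying on TargetLogonId rather than user name avoids
#    closing a lock with an unrelated network logoff (4634) of the same account.
Write-Host "`n== Lock intervals of $LockThresholdMinutes+ minutes in the last $LookbackDays days =="
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4800, 4801, 4634, 4647
    StartTime = (Get-Date).AddDays(-$LookbackDays)
} -ErrorAction SilentlyContinue | Sort-Object TimeCreated

$openLocks = @{}   # TargetLogonId -> @{ User; Since }
foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $logonId = $data['TargetLogonId']
    $user    = "{0}\{1}" -f $data['TargetDomainName'], $data['TargetUserName']

    if ($e.Id -eq 4800) {
        $openLocks[$logonId] = @{ User = $user; Since = $e.TimeCreated }
        continue
    }
    if (-not $openLocks.ContainsKey($logonId)) { continue }

    $minutes = [int]($e.TimeCreated - $openLocks[$logonId].Since).TotalMinutes
    $how     = if ($e.Id -eq 4801) { 'unlocked' } else { 'logged off' }
    if ($minutes -ge $LockThresholdMinutes) {
        "{0,-30} locked {1,5} min, ended by {2} at {3}" -f $user, $minutes, $how, $e.TimeCreated
    }
    $openLocks.Remove($logonId)
}

# Sessions that are locked right now (no unlock or logoff event yet).
foreach ($kv in $openLocks.GetEnumerator()) {
    "{0,-30} still locked since {1}" -f $kv.Value.User, $kv.Value.Since
}
```

Section 1 shows the practical difference the answer describes: everything listed there would be gone after a logoff but is still running behind the lock screen. Section 3 is the number a policy owner actually needs before deciding whether "log off, don't lock" is worth enforcing: if sessions routinely stay locked overnight, the exposure window the answer talks about is hours, not minutes.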