Would changing Windows Ctrl+Alt+Del provide any security benefits?

Question

Ctrl+Alt+Del is the path to the Secure attention key on Windows computers.

Some of the answers on related questions imply it is possible to modify the this.

My thinking is that a password does not do you any good, if you can't get to the screen to enter it. If you changed the key combination required to access Winlogon and don't publish the change, would there be a measurable change in your system security?

Presumably it would be possible to send users of Ctrl+Alt+Del to a sandbox, and begin security containment activities. While users with the correct different combination go to the production system.

Security implications aside, you can't change the key combination. It's hard-coded in winlogon. — Steve, Oct 26 '16 at 19:51
other combos would be less protected, maybe possible to spoof — dandavis, Oct 26 '16 at 19:54
What do you want to accomplish with all this? What threats do you want to mitigate? What benefits do you not have by not doing this? You don't explain the purpose of this proposal. — schroeder, Oct 26 '16 at 21:24
@schroeder I was thinking hands on machine, your answer about all the other ways to gain access, points out why the idea has little merit. — James Jenkins, Oct 26 '16 at 22:37
@Steve the top answer here says you can "patch the kernel and override this behaviour for other purposes" which I read to mean you can change the key combination. — James Jenkins, Oct 26 '16 at 22:45
@JamesJenkins that's not quite accurate. You still can't tell winlogon to listen to something else. Best you can do is raise CAD when you do another combo, and try and block real CADs from getting raised. With all that said, patching the kernel to introduce this sort of behavior is guaranteed to introduce god-knows-what security problems, and to cause more problems than its worth. You're trading reliability for obfuscation. — Steve, Oct 27 '16 at 13:32

score 3 · Accepted Answer · answered Oct 26 '16 at 20:28

3

To my knowledge, you cannot change the SAS (Secure Attention Sequence) keystroke combination (Ctrl + Alt + Del). But even if you can, only the valid SAS key combination would invoke the login procedure (LogonUI). An invalid key combination cannot direct user to some kind of sandbox, it'll do nothing.

So overall, this idea of changing SAS key combination might only be good for preventing unaware users from getting to LogonUI.

answered Oct 26 '16 at 20:28

PrashantKumar96

68
3

1

Most critically, Ctrl+Alt+Del has a special meaning to the IBM PC architecture, and triggers a specific interrupt which operating systems can handle. – Polynomial Oct 26 '16 at 21:08
@Polynomial: I thought so as well, but could not find evidence to support it. Do you have a "normative" reference? It's quite impossible to trigger a hardware interrupt. How shall a USB keyboard trigger a special hardware interrupt? Therefore I'd say it must be a software interrupt. And then again, the OS could trigger a software interrupt for any key combination. – Thomas Weller Oct 27 '16 at 19:26
I disagree with "An invalid key combination cannot direct user to some kind of sandbox": if the key combination would not have special OS handling (after changing it, that would be the case), you could write a hotkey handler for it and implement anything you want - i.e. a sandbox – Thomas Weller Oct 27 '16 at 19:29

score 2 · Answer 2 · answered Oct 26 '16 at 21:23

It sounds like you want to invoke security by obscurity. Yes, you might eke out some measure of confusion, but all benefits evaporate if your users discover the 'real' sequence.

It's also of note that this only affects local users who have physical access to the machine. Playing games at the UI level is not worth the effort when you consider the potential access your target users already have.

Would changing Windows Ctrl+Alt+Del provide any security benefits?

2 Answers2