Network vs. interactive logon

Windows recognizes different types of logon with subtly different security implications. Bitvise SSH Server can be configured, on a per-account or per-group basis, to use either of the following two logon types:

  • Interactive logon. By default, this logon type is configured in SSH Server Advanced settings for all Windows group entries. This logon type is therefore used, by default, for all Windows accounts - except those logging in with GSSAPI (Kerberos or NTLM) authentication.

    Use of the 'interactive' logon type requires a Windows account to be granted the right to 'Log on locally' in the Windows Security Policy at the server. This is not usually a problem, since by default all users are granted this right - except on domain controllers. On domain controllers, the right to 'log on locally' is granted by default only to administrators. To enable regular Windows accounts to log in with this logon type on a domain controller, the right to 'log on locally' must be granted to the relevant groups or accounts in Domain Controller Security Policy, found in Administrative Tools.

  • Network logon. By default, this logon type is configured in SSH Server Advanced settings for all virtual group entries. This logon type is therefore used, by default, for all virtual accounts. This logon type is also used when a Windows user authenticates with GSSAPI (Kerberos or NTLM) - a limitation imposed by Windows.

    Use of the 'network' logon type allows the user to log in via SSH even if the underlying Windows account is not granted the right to 'Log on locally' in the Windows Security Policy at the server. However, on Windows 2003 servers, the default filesystem permissions normally block access to cmd.exe and other command line tools when a logon session does not have the 'interactive' logon type. On such servers, the terminal shell can only be accessed with this logon type if the default filesystem permissions for cmd.exe and other command line tools are modified.
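To check in advance whether an account or group can use the 'interactive' logon type on a given server, the script below (an added example, not part of Bitvise's documentation) exports the effective user-rights assignment with secedit and lists who holds 'Log on locally' (SeInteractiveLogonRight). It assumes an elevated PowerShell session and that the names to check are passed via the hypothetical -Principals parameter; it reports direct holders only, so a user covered through membership in a listed group will show as a group entry, not by name.

```powershell
# Added example: list holders of 'Log on locally' (SeInteractiveLogonRight),
# the right the 'interactive' logon type needs. Save as Check-LogOnLocally.ps1
# and run elevated. -Principals is an assumed parameter for the names to check.
param(
    [string[]]$Principals = @('Users', 'Administrators')
)

$inf = Join-Path $env:TEMP 'user-rights.inf'
# Export only the user-rights area of the effective local security policy.
& secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
if (-not (Test-Path $inf)) { throw 'secedit export failed; run as Administrator.' }

# The export contains a line such as:
#   SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
# Entries prefixed with '*' are SIDs; the rest are already account names.
$line = Get-Content $inf | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
Remove-Item $inf -ErrorAction SilentlyContinue
if (-not $line) {
    Write-Output "Nobody holds 'Log on locally'; no account can use the interactive logon type."
    return
}

$holders = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
    $entry = $_.Trim()
    if ($entry.StartsWith('*')) {
        try {
            # Resolve the SID to DOMAIN\Name (or BUILTIN\Name for local groups).
            (New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { $entry }   # unresolvable SID (e.g. deleted account): keep it raw
    } else { $entry }
}

Write-Output "Direct holders of 'Log on locally':"
$holders | ForEach-Object { Write-Output "  $_" }

# Report the requested principals; match bare names against DOMAIN\Name entries.
foreach ($p in $Principals) {
    $has = $holders | Where-Object { $_ -eq $p -or $_ -like "*\$p" }
    if ($has) { Write-Output "OK: '$p' may use the interactive logon type." }
    else      { Write-Output "MISSING: '$p' lacks 'Log on locally'; grant it, or use the network logon type for this entry." }
}
```

On a domain controller the default output typically shows only administrative groups, which is exactly the case where regular users will fail interactive logon until the right is granted in Domain Controller Security Policy.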

Selecting the right logon type

We recommend that users who require terminal shell access use the 'interactive' logon type. It will usually also make sense for them to log in via SSH as Windows users, not as virtual accounts.

On the other hand, we recommend that users who will use only file transfer and/or tunneling use the 'network' logon type. If this use is outside a domain environment, it may also make sense (less overhead) to create virtual accounts for these users, which are internal to Bitvise SSH Server, instead of creating a separate Windows account for each user.