Why is Ctrl+Alt+Del required at login on certain Windows systems (I have not seen it elsewhere, but contradict me if I'm wrong) before the password can be typed in? From a usability point of view, it's a bad idea as it's adding an extra step in getting access.
Does it improve security in any way, and if so, how?
This combination is called a Secure attention key. The Windows kernel is "wired" to notify Winlogon and nobody else about this combination. In this way, when you press Ctrl+Alt+Del, you can be sure† that you're typing your password in the real login form and not some other fake process trying to steal your password. For example, an application which looks exactly like the windows login.
In Linux, there's a loosely-defined equivalent which is Ctrl+Alt+Pause. However, it doesn't exactly do the same thing. It kills everything except where you're trying to input your password. So far, there's no actual equivalent that would work when running X.
† This implies a trust in the integrity of the system itself, it's still possible to patch the kernel and override this behaviour for other purposes (malicious or completely legitimate)
Ctrl-Alt-Del is the Secure Attention Key on Windows. The operating system enforces a strong non-interception policy for this key combination.
You could make an application which goes full-screen, grabs the keyboard, and displays something which looks like the normal login screen, down to the last pixel. You then log on the machine, launch the application, and go away until some unsuspecting victim finds the machine, tries to log on, and gives his username and password to your application. Your application then just has to simulate a blue screen of death, or maybe to actually log the user on, to complete the illusion.
This attack is defeated by the SAK. Your application can grab the keyboard and redirect all keypresses to itself, without needing administrative rights, except the Ctrl-Alt-Del, which the OS never allows to be redirected. Pressing Ctrl-Alt-Del ensures that you get the genuine logon screen, not an imitation.
The answer to this can actually be found on our sister site, ServerFault. How does CTRL-ALT-DEL to log in make Windows more secure?
To quote the accepted answer by Oskar Duveborn,
The Windows (NT) kernel is designed to reserve the notification of this key combination to a single process: Winlogon. So, as long as the Windows installation itself is working as it should - no third party application can respond to this key combination (if it could, it could present a fake logon window and keylog your password ;)
Some additional questions have been raised regarding Windows 8 SAS support, and a later deleted by owner separate question was posted about it, too. Since I've already started writing my answer to that question, and Windows 8 has also been mentioned in this thread, I'm thus posting it here. If that deleted question reappears, I'll move my answer there. Hopefully, it will help those that were wondering where SAS went on Windows 8 phones and tablets.
According to Windows 8 Hardware Certification Requirements as mandated by Microsoft:
For Windows 8, the SAS signal is sent when the combination of the Windows Key button and the Power Button is pressed.
So this is not a case of Secure Attention Key disappearing altogether (on keyboardless devices, others can still use SAS as before), and a combination of two standard hardware buttons Win+Pwr was merely added to the still exisiting Ctrl+Alt+Del combination to better support devices without a hardware keyboard, which is what Windows 8 was also designed for.
Of course, since it's not merely an operating system for portable devices without a physical keyboard, but also desktop computers that wouldn't have these Win+Pwr physical buttons (but they do have a keyboard), the old SAS method was still kept. If, for whatever reasons, you'd like to disable/re-enable this support, this blog (or this) explains how you could achieve that in a few simple steps.
Another related question (or more of a request really) was raised by @Iszi in the Requests for Question of The Week blog posts discussion on IT Security Meta: "I find it especially interesting to discover that Windows & Linux don't necessarily use the same Secure Attention Key. It would be nice if someone could expand a little upon that.". Since I'm already a late-to-the-party bottom feeder on this question here, and nobody can really accuse me of hijacking the rep train [1][2] it turned up to be - well, here it goes:
Main difference between the two implementations that I could find is, that the Linux SAK (yes, this is the acronym used in Linux in contrast to the SAS (Secure Attention Sequence) used in Windows) is that the Linux SAK never earned the National Computer Security Center's (NCSC) C2 security rating. Windows NT has:
When NT earned its C2 security rating, NCSC also recognized NT as meeting two requirements of B-level security: Trusted Path functionality and Trusted Facility Management functionality. Trusted Path functionality prevents Trojan horse programs from intercepting a user's name and password as the user logs on. NT's Trusted Path functionality exists in the form of its Ctrl+Alt+Del logon-attention sequence. This sequence of keystrokes, the Secure Attention Sequence (SAS), causes an NT logon dialog box to pop up, which initializes a process that helps NT recognize would-be Trojan horses. NT bypasses any Trojan horse that presents a fake logon dialog when a user enters the attention sequence.
NT meets the Trusted Facility Management requirement by supporting separate account roles for administrative functions. For instance, NT provides separate accounts for administration (Administrators), user accounts charged with backing up the computer (Backup Operators), and standard users (Users). Microsoft is reportedly working on a B-level version of NT, but the company has not made a public statement about when it might release this version.
But this still doesn't really explain why SAK!=SAS. OK, lets dig a little deeper. From Linux 2.4.2 Secure Attention Key (SAK) handling by Andrew Morton we get the following:
From the PC keyboard, Linux has two similar but different ways of providing SAK. One is the Alt+SysRq+K sequence. You shouldn't use this sequence. It is only available if the kernel was compiled with
sysrqsupport.The proper way of generating a SAK is to define the key sequence using
loadkeys. This will work whether or notsysrqsupport is compiled into the kernel.SAK works correctly when the keyboard is in raw mode. This means that once defined, SAK will kill a running
X server. If the system is in run level 5, theX serverwill restart. This is what you want to happen.What key sequence should you use? Well, Ctrl+Alt+Del is used to reboot the machine. Ctrl+Alt+Backspace is magical to the
X server.
It goes on explaining how to create a custom SAK handler, but the main takeaway is that the implementation differs greatly from what can be found in Windows as SAS, and that they might not be implemented at the kernel level, depending on what whether sysrq support was enabled for the build.
Does this explain the differences in Windows and Linux handling of SAS/SAK? I would say that it does. User tialaramex from LWN.net explains it neatly:
Linux has some rudimentary low-level support for this capability but it never seems to have ascended into an end user feature of any consequence. No application can trap the SAK combination because long before any code runs that lets userspace applications fiddle with the key presses, the kernel has noticed that the SAK has been pressed and short-circuited to a path that just handles this special case.
Whereas:
In Windows when you press the SAK it forcibly summons a separate desktop, which you can think of as being kind of like a separate X server process. This desktop is "owned" by the System user, roughly equivalent to Unix root, so anyone with permission to tamper with it could just have replaced the entire OS kernel or whatever they wanted.
Does it explain why different keyboard sequences were chosen? I'm not sure. It shows why there is more than a single such keyboard sequence in Linux and what the differences between them are (see Andrew Morton's explanation), but I couldn't find a clear answer on why was one chosen over the other and why different kernel builds might use different SAK combinations. I can only suspect that it boils down to personal preference of their respected authors.
The idea is that a trusted Windows process called Winlogon, and only Winlogon, can read the Ctrl+Alt+Del key sequence. This key sequence is called the secure attention sequence (SAS). By entering this key sequence, you are basically "proving" to yourself that it is Windows that is accepting your input. This guards against a malicious program intercepting your login credentials by creating a fake username and password form. Of course, this assumes that Winlogon is not compromised, and it may so happen that Winlogon has been tampered with so that this measure can be bypassed.
If you're presented with a login prompt without being required to press Ctrl+Alt+Del on a system configured to do so, do not enter your login credentials, because this means that a program has hijacked the login prompt. If you own the computer, reboot it into safe mode and clean up any malware on it. If your company owns the computer, contact your system administrator.
The same applies with Windows 8, only that there is an additional SAS, Win+Power, for tablets which do not have a physical keyboard (Surface comes to mind).
Ctrl+Alt+Del was around way before Windows Logon, originally it simply did a soft reset on the system. The same combination is on other systems/OSs too (Atari ST springs to mind).
If the question is "why these three keys" then I would say because they are hard to push and a mistake is therefore hard (as people have said).
If the question is "why does Windows (now) use it" then I do not know, maybe because user where familiar with it it was chosen. You will need to ask the person(s) that made that decision, I am fairly sure the actual keys pressed are arbitrary (but now I am thinking it may be a low level hardware interrupt).
Another part of the reason - AFAIK - is to be found when considering the choice of key combination: It is very difficult to press all of Ctrl, Alt and Del at the same time with a single hand; and it is also very unlikely that all 3 keys will be pressed at the same time by something hitting the keyboard, or by you sort of banging on it etc. As David Bradley choose this combination to trigger a soft reboot (Wikipedia), it was important for it not to be triggered by mistake. This caught on for things like bringing up a user login prompt; the idea is to make you demonstrate your intention by explicitly deciding to press an "difficult" key combination (e.g. before logging in).
Of course, that's not about Windows but all PC software and firmware which utilizes Ctrl+Alt+Del.
