Is "Do not display last user name" in AD group policy a good idea?

My colleagues and I are having a debate with our security officer regarding the "Do not display last user name" setting in group policy.  Windows hardening guides that I have read usually suggest it as a best practice.  Additionally, it's built into Microsoft's "secure workstation" GPO template.  Most sites I found via Google suggested it as best practice.

On the other hand, our security officer argues that it doesn't provide additional security, as company usernames are easily found and researched via the Internet, business cards, etc.  Having to type the username also wastes productivity time.
Finally, he stated:
"In all the standards, best practices, and IT control frameworks I have read, this item has never been mentioned.  This includes publications from the National Institute of Standards and Technology, International Standards Organization (Information Security Management System) 27001, Control Objectives for Information Technology (COBIT) and security publications from the National Security Agency."

I humbly request the opinions of the experts on this topic.
capitaljpn asked:
BillCarlin commented:
I am just like everyone else scratching their head on this one from a security manager.  They are in the position to provide a delicate balance between ease of use and system security.  However, the bean counting that was offered as justification not to disrupt the complacency of the end users against the simple security measure is inaccurate. Please see the referenced guides below, as one is pulled from NSA and the other is DISA, which typically have great input into the standard practices we all try to baseline from.  This practice has been in place at the Department of Defense for many years now and during the initial implementation phase required very little user training.  It is what is called low-hanging fruit: easy enough to implement and very little end user impact.
From NSA's own site...see page 82.
http://www.nsa.gov/ia/_files/os/win2003/MSCG-001R-2003.pdf
Defense Information Systems Agency (DISA) Field Security Operations Guide,
Windows 2003 Security checklist page 3-51 from the http://iase.disa.mil/stigs/checklist/index.html

Cheers
 
zaedi_ahmed commented:
Well there are two strong points that I want to make:
01. As you know, the username is half of your credential and you are giving that away freely, which is not a good idea; moreover, the names that are used on business cards and in other places are not the same as your account in the domain.

02. It will be more secure against brute force attack, because then the attacker must know both ends or has to guess the username.

So, on the above points, why not increase security a little bit by not providing the username freely? And typing username and password is not that time consuming, I guess, that it could hurt productivity.
 
mlscott commented:
Best practice is to not display it, never read a good hardening article/guide or policy that doesn't state it implicitly.

Therefore I would recommend you mask the name as you suggest and then chat to your security officer.

My other question to him would be "What's the benefit of leaving the username there?"

As the only one I can think of is it is easier to log in for the user.

Mike

 
capitaljpn (author) commented:
Below is our security officer's argument regarding the benefits of leaving the username there:

"Let's assume it takes an average employee three seconds to type their username.  Multiply this by 20 logons a month, and then by 11 months (we will allow one month for vacation).
(3 seconds X 20) X 11 = 11 Minutes.
So 11 minutes of time is wasted per employee per year in typing a username.  For 100 employees that is a total of around 18 hours a year.  Let's work smarter, not harder.
The risks of remembering the username at login are so minute that the benefit of remembering outweighs it."
 
mlscott commented:
Ok if it takes 18 hours a year then if the average salary is say £10 an hour then that is £180 in staff time.

Now compare £180 to someone breaking into the system and stealing critical company information or damaging systems.

The argument is very strange! Especially from a security officer.

If he wants to take the argument on from that then in theory why bother with any passwords as that slows it down...in fact why not have auto logon into every system you have.

Crazy! :-)
 
Americom commented:
Normally, for a stranger or non-employee to attack your network with a username and password (by which I refer to the AD domain credential used to log on to Windows), they would have to attack from outside of your corporate network. As a security officer, it is his job to block them from breaking through into the internal network. But you could have a stranger or non-employee, such as a consultant or visitor, also plug into your internal network physically, and they could be the attacker. If you are talking about non-employees, not displaying the last logon username helps better secure your network, especially against strangers who have a physical connection to your internal network and are able to walk up to a machine to see the last logon username; you are giving away almost half of the info needed to make an attack.

I understand that sometimes, for users who log on multiple times a day, inputting the username multiple times could be painful; I guess it's just a matter of security vs. the number of user complaints and who the users will be.  A good thing is that this setting can be applied via GPO to specific machines if needed.

As far as security best practice goes, people who have worked in this field know that it's best practice not to display the last logged-on username. It's been known for a long time in all security best practice guidelines. If it's not mentioned, then that guideline could be junk and a waste of time to read.
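Since the thread turns on whether the setting is actually in force on each machine (and the point above that it can be scoped per machine via GPO), here is an added example, not from any of the posters, of a small PowerShell audit and remediation script. It assumes the policy is stored as the DWORD `DontDisplayLastUserName` under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System` (1 = enabled, value absent or 0 = last user name shown), that the Remote Registry service is reachable on the audited hosts, and that the computer names `WS01` and `WS02` are constructed placeholders.

```powershell
# Added example (not from the thread): audit and optionally set the
# "Interactive logon: Do not display last user name" policy.
# Assumption: the policy lives as DWORD DontDisplayLastUserName under
# Policies\System; 1 = enabled (name hidden), missing/0 = name shown.

$PolicyKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName = 'DontDisplayLastUserName'

function Get-LastUserNameDisplayPolicy {
    [CmdletBinding()]
    param(
        # Computers to audit; defaults to the local machine. Remote reads go
        # through the Remote Registry service, which must be reachable.
        [string[]]$ComputerName = $env:COMPUTERNAME
    )
    foreach ($computer in $ComputerName) {
        $value = $null
        $err   = $null
        try {
            $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $computer)
            $key  = $hive.OpenSubKey($PolicyKey)
            if ($key) {
                $value = $key.GetValue($ValueName, $null)
                $key.Close()
            }
            $hive.Close()
        } catch {
            $err = $_.Exception.Message
        }
        [pscustomobject]@{
            ComputerName = $computer
            RawValue     = $value
            # A missing value means "Not Configured", which behaves like
            # Disabled: the last logged-on user name is shown at logon.
            State        = if ($err) { 'Unreachable' }
                           elseif ($value -eq 1) { 'Enabled' }
                           else { 'Disabled' }
            Error        = $err
        }
    }
}

function Set-LastUserNameDisplayPolicy {
    # Local-only remediation for machines outside the GPO scope. Domain
    # members should receive the setting from the GPO instead, otherwise
    # the next policy refresh may overwrite whatever is set here.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [switch]$Disable   # -Disable re-enables display of the last user name
    )
    $desired = if ($Disable) { 0 } else { 1 }
    $path    = "HKLM:\$PolicyKey"
    if ($PSCmdlet.ShouldProcess($path, "Set $ValueName to $desired")) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        New-ItemProperty -Path $path -Name $ValueName -Value $desired `
            -PropertyType DWord -Force | Out-Null
    }
    Get-LastUserNameDisplayPolicy
}

# Usage: list machines still showing the last user name so they can be
# brought into the GPO scope. WS01/WS02 are constructed placeholder names.
Get-LastUserNameDisplayPolicy -ComputerName 'WS01', 'WS02', $env:COMPUTERNAME |
    Where-Object State -ne 'Enabled' |
    Format-Table -AutoSize

# Dry run of the local remediation; drop -WhatIf to apply it.
Set-LastUserNameDisplayPolicy -WhatIf
```

The audit distinguishes "Unreachable" from "Disabled" so that a host you simply could not query is not silently counted as compliant, and the remediation function supports `-WhatIf` so it can be reviewed before it touches any registry.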
 
capitaljpn (author) commented:
Thank you all very much for your input and advice!