Solved

Is "Do not display last user name" in AD group policy a good idea?

Posted on 2009-04-13
1,552 Views
Last Modified: 2013-12-04
My colleagues and I are having a debate with our security officer regarding the "Do not display last user name" setting in group policy.  Windows hardening guides that I have read usually suggest it as a best practice.  Additionally, it's built into Microsoft's "secure workstation" GPO template.  Most sites I found via Google suggested it as best practice.

On the other hand, our security officer argues that it doesn't provide additional security, as company usernames are easily found and researched via the Internet, business cards, etc.  Having to type the username also wastes productivity time.
Finally, he stated:
"In all the standards, best practices, and IT control frameworks I have read, this item has never been mentioned.  This includes publications from the National Institute of Standards and Technology, International Standards Organization (Information Security Management System) 27001, Control Objectives for Information Technology (COBIT) and security publications from the National Security Agency."

I humbly request the opinions of the experts on this topic.
Question by:capitaljpn
7 Comments
Assisted Solution

by:zaedi_ahmed
zaedi_ahmed earned 50 total points
ID: 24128458
Well there are two strong points that I want to make:
01. As you know, the username is half of your credential, and you are giving that away freely, which is not a good idea; moreover, the names used on business cards and elsewhere are not the same as your account name in the domain.

02. It will be more secure against brute-force attacks, because then the attacker must know both ends or has to guess the username.

So, on the above points, why not increase security a little bit by not providing the username freely? And typing a username and password is not so time-consuming, I guess, that it could hurt productivity.

Assisted Solution

by:mlscott
mlscott earned 150 total points
ID: 24128508
Best practice is to not display it; I have never read a good hardening article/guide or policy that doesn't state it implicitly.

Therefore I would recommend you mask the name as you suggest and then chat to your security officer.

My other question to him would be "What's the benefit of leaving the username there?"

As the only one I can think of is it is easier to log in for the user.

Mike

Author Comment

by:capitaljpn
ID: 24128537
Below is our security officer's argument regarding the benefits of leaving the username there:

"Let's assume it takes an average employee three seconds to type their username.  Multiply this by 20 logons a month, and then by 11 months (we will allow one month for vacation).
(3 seconds X 20) X 11 = 11 minutes.
So 11 minutes of time is wasted per employee per year in typing a username.  For 100 employees that is a total of around 18 hours a year.  Let's work smarter, not harder.
The risks of remembering the username at login are so minute that the benefit of remembering outweighs it."

Assisted Solution

by:mlscott
mlscott earned 150 total points
ID: 24128541
OK, if it takes 18 hours a year, then if the average salary is, say, £10 an hour, that is £180 in staff time.

Now compare £180 to someone breaking into the system and stealing critical company information or damaging systems.

The argument is very strange! Especially from a security officer.

If he wants to take the argument on from there, then in theory why bother with any passwords, as that slows it down... in fact, why not have auto-logon into every system you have?

Crazy! :-)

Assisted Solution

by:Americom
Americom earned 100 total points
ID: 24129670
Normally, for a stranger or non-employee to attack your network with a username and password (by which I mean the AD domain credential used to log on to Windows), they would have to attack from outside your corporate network. As a security officer, it is his job to block them from breaking through into the internal network. But you could have strangers or non-employees, such as consultants or visitors, also plug into your internal network physically, and they could be the attacker. If you are talking about non-employees, not displaying the last logon username helps better secure your network, especially against a stranger who has a physical connection to your internal network and is able to walk up to a machine to see the last logon username; you are giving away almost half of the info needed to make an attack.

I understand that sometimes, for users who log on multiple times a day, inputting the username multiple times could be painful; I guess it's just a matter of security vs. the number of user complaints and who the users will be.  The good thing is that this setting can be applied via GPO to specific machines if needed.

As far as security best practice goes, people who have worked in this field know that it's best practice not to display the last logged-on username. It's been known for a long time in all security best-practice guidelines. If it's not mentioned, then that guideline could be junk and a waste of time to read.
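Since the thread turns on whether the setting is actually in effect on the machines it is meant to cover, here is an added PowerShell audit (not code from any of the posters): it reads the registry value that the "Do not display last user name" policy writes, locally and, over WinRM, on remote hosts, and lists the hosts where the last user name is still shown. The host names in the usage line are placeholders.

```powershell
# Added example, not from the thread: audit whether "Do not display last user name"
# is in effect by reading the registry value the policy writes. 1 = hidden, 0/missing = shown.
function Get-LastUserNamePolicy {
    $regPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $regName = 'DontDisplayLastUserName'
    $item  = Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { [int]$item.$regName } else { $null }
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Value        = $value
        Compliant    = ($value -eq 1)
        Error        = $null
    }
}

function Test-LastUserNamePolicy {
    # Runs the check on each host; remote hosts need WinRM enabled and admin rights on the target.
    param([Parameter(Mandatory)] [string[]] $ComputerName)
    foreach ($computer in $ComputerName) {
        try {
            if ($computer -in @('localhost', '.', $env:COMPUTERNAME)) {
                Get-LastUserNamePolicy
            } else {
                # Ship the function body as the remote script block so the same logic runs there.
                Invoke-Command -ComputerName $computer -ScriptBlock ${function:Get-LastUserNamePolicy} -ErrorAction Stop |
                    Select-Object ComputerName, Value, Compliant, Error
            }
        } catch {
            # Unreachable hosts are reported as non-compliant with the error text, not silently skipped.
            [pscustomobject]@{ ComputerName = $computer; Value = $null; Compliant = $false; Error = $_.Exception.Message }
        }
    }
}

# Usage: 'WS-EXAMPLE-01' is a placeholder host name; only hosts still showing the name (or unreachable) are listed.
Test-LastUserNamePolicy -ComputerName 'localhost', 'WS-EXAMPLE-01' |
    Where-Object { -not $_.Compliant } |
    Format-Table ComputerName, Value, Compliant, Error -AutoSize
```

This reads the effective registry value, so it also catches machines the GPO never reached; to see which GPO set it on a given host, use `gpresult /h report.html` there.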

Accepted Solution

by:BillCarlin
BillCarlin earned 200 total points
ID: 24132927
I am, just like everyone else, scratching my head on this one from a security manager.  They are in the position to provide a delicate balance between ease of use and system security.  However, the bean counting that was offered as justification not to disrupt the complacency of the end users, against a simple security measure, is inaccurate. Please see the referenced guides below, as one is pulled from NSA and the other from DISA, which typically have great input into the standard practices we all try to baseline from.  This practice has been in place at the Department of Defense for many years now, and during the initial implementation phase it required very little user training.  It is what is called low-hanging fruit: easy enough to implement, with very little end-user impact.
From NSA's own site, see page 82:
http://www.nsa.gov/ia/_files/os/win2003/MSCG-001R-2003.pdf
Defense Information Systems Agency (DISA) Field Security Operations Guide,
Windows 2003 Security Checklist, page 3-51, from http://iase.disa.mil/stigs/checklist/index.html

Cheers

Author Closing Comment

by:capitaljpn
ID: 31569424
Thank you all very much for your input and advice!