Solved

Is "Do not display last user name" in AD group policy a good idea?

Posted on 2009-04-13
Last Modified: 2013-12-04
My colleagues and I are having a debate with our security officer regarding the "Do not display last user name" setting in group policy.  Windows hardening guides that I have read usually suggest it as a best practice.  Additionally, it's built into Microsoft's "secure workstation" GPO template.  Most sites I found via Google suggested it as best practice.

On the other hand, our security officer argues that it doesn't provide additional security, as company usernames are easily found and researched via the Internet, business cards, etc.  Having to type the username also wastes productivity time.
Finally, he stated:
"In all the standards, best practices, and IT control frameworks I have read, this item has never been mentioned.  This includes publications from the National Institute of Standard & Technologies, International Standards Organization (Information Security Management System) 27001, Control Objectives for Information Technology (COBIT) and security publications from the National Security Agency."

I humbly request the opinions of the experts on this topic.
Question by:capitaljpn
7 Comments
 

Assisted Solution

by:zaedi_ahmed
zaedi_ahmed earned 50 total points
ID: 24128458
Well there are two strong points that I want to make:
01. As you know, the username is half of your credential and you are giving that away freely, which is not a good idea; moreover, the names that are used on business cards and in other places are not the same as your account in the domain.

02. It will be more secure against brute force attack, because then the attacker must know both ends or has to guess the username.

So, on the above points, why not increase security a little bit by not providing the username freely? And typing username and password is not that time consuming, I guess, which could hurt productivity.
 
LVL 2

Assisted Solution

by:mlscott
mlscott earned 150 total points
ID: 24128508
Best practice is to not display it; I've never read a good hardening article/guide or policy that doesn't state it implicitly.

Therefore I would recommend you mask the name as you suggest and then chat to your security officer.

My other question to him would be "What's the benefit of leaving the username there?"

As the only one I can think of is it is easier to log in for the user.

Mike
 

Author Comment

by:capitaljpn
ID: 24128537
Below is our security officer's argument regarding the benefits of leaving the username there:

"Let's assume it takes an average employee three seconds to type their username.  Multiply this by 20 logons a month, and then by 11 months (we will allow one month for vacation).
(3 seconds X 20) X 11 = 11 Minutes.
So 11 minutes of time is wasted per employee per year in typing a username.  For 100 employees that is a total of around 18 hours a year.  Let's work smarter, not harder.
The risks of remembering the username at login are so minute that the benefit of remembering outweighs it."
 
LVL 2

Assisted Solution

by:mlscott
mlscott earned 150 total points
ID: 24128541
Ok, if it takes 18 hours a year then, if the average salary is say £10 an hour, that is £180 in staff time.

Now compare £180 to someone breaking into the system and stealing critical company information or damaging systems.

The argument is very strange! Especially from a security officer.

If he wants to take the argument on from that then in theory why bother with any passwords as that slows it down...in fact why not have auto logon into every system you have.

Crazy! :-)
 
LVL 18

Assisted Solution

by:Americom
Americom earned 100 total points
ID: 24129670
Normally, for a stranger or non-employee to attack your network with a username and password (by which I refer to the AD domain credential used to log on to Windows), they would have to attack from outside of your corporate network. As a security officer, it is his job to block them from breaking through into the internal network. But you could have a stranger or non-employee, such as a consultant or visitor, also plug into your internal network physically, and they could be the attacker. If you are talking about a non-employee, not displaying the last logon username helps better secure your network, especially against a stranger who has a physical connection to your internal network and is able to walk up to a machine to see the last logon username; you are giving away almost half of the info needed to make an attack.

I understand that sometimes, for users who log on multiple times a day, inputting the username multiple times could be painful; I guess it's just a matter of security vs. the number of user complaints and who the users will be.  The good thing is that this setting can be applied via GPO to specific machines if needed.

As far as security best practice goes, people who have worked in this field know that it's best practice not to display the last logged-on username. It's been known for a long time in all security best practice guidelines. If it's not mentioned, then that guideline could be junk and a waste of time to read.
 
LVL 4

Accepted Solution

by:BillCarlin
BillCarlin earned 200 total points
ID: 24132927
I am just like everyone else, scratching my head on this one from a security manager.  They are in the position to provide a delicate balance between ease of use and system security.  However, the bean counting that was offered as justification not to disrupt the complacency of the end users against this simple security measure is inaccurate. Please see the referenced guides below: one is pulled from NSA and the other from DISA, which typically have great input into the standard practices we all try to baseline from.  This practice has been in place at the Department of Defense for many years now and during the initial implementation phase required very little user training.  It is what is called low-hanging fruit: easy enough to implement and very little end user impact.
From NSA's own site...see page 82.
http://www.nsa.gov/ia/_files/os/win2003/MSCG-001R-2003.pdf
Defense Information Systems Agency (DISA) Field Security Operations Guide,
Windows 2003 Security checklist page 3-51 from the http://iase.disa.mil/stigs/checklist/index.html

Cheers
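As an added illustration (not code from this thread, from Microsoft, or from the guides cited above), the PowerShell below audits whether the setting discussed here is in effect on the local machine and, where it is missing, enforces it. The registry key and the DontDisplayLastUserName value are the ones the "Interactive logon: Do not display last user name" policy writes; the function names are my own.

```powershell
# Added example: audit/enforce "Do not display last user name" on the local host.
# The policy stores REG_DWORD DontDisplayLastUserName=1 under the Policies\System
# key; a value of 0 or an absent value means the last user name is shown.
# Assumes an elevated PowerShell session on Windows Vista / Server 2008 or later.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName = 'DontDisplayLastUserName'

function Get-LastUserNameDisplayState {
    # Returns an object describing whether the hardening setting is in effect.
    $item  = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { [int]$item.$ValueName } else { $null }
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        RegistryValue      = $value
        LastUserNameHidden = ($value -eq 1)
    }
}

function Set-LastUserNameDisplay {
    # Writes the value locally. On a domain-joined host this only survives until the
    # next Group Policy refresh unless the same setting is enabled in the GPO under
    # Computer Configuration > Windows Settings > Security Settings > Local Policies >
    # Security Options, which is where it should be enforced for a fleet.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([switch]$Show)   # default hides the last user name; -Show reverts
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    $desired = if ($Show) { 0 } else { 1 }
    if ($PSCmdlet.ShouldProcess("$PolicyKey\$ValueName", "set to $desired")) {
        Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value $desired -Type DWord
    }
    Get-LastUserNameDisplayState
}

# Audit first; only change the machine when the setting is not already enforced.
$before = Get-LastUserNameDisplayState
if (-not $before.LastUserNameHidden) {
    Write-Warning "$($before.ComputerName): last logged-on user name is shown at logon"
    Set-LastUserNameDisplay | Format-List
} else {
    "$($before.ComputerName): setting already enforced"
}
```

To audit many machines at once, run Get-LastUserNameDisplayState through Invoke-Command against a list of computer names and collect the returned objects; the GPO path named in the comment is where the setting should actually be enabled for domain members.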
 

Author Closing Comment

by:capitaljpn
ID: 31569424
Thank you all very much for your input and advice!