Solved

Is "Do not display last user name" in AD group policy a good idea?

Posted on 2009-04-13
1,578 Views
Last Modified: 2013-12-04
My colleagues and I are having a debate with our security officer regarding the "Do not display last user name" setting in group policy.  Windows hardening guides that I have read usually suggest it as a best practice.  Additionally, it's built into Microsoft's "secure workstation" GPO template.  Most sites I found via Google suggested it as best practice.

On the other hand, our security officer argues that it doesn't provide additional security, as company usernames are easily found and researched via the Internet, business cards, etc.  Having to type the username also wastes productivity time.
Finally, he stated:
"In all the standards, best practices, and IT control frameworks I have read, this item has never been mentioned.  This includes publications from the National Institute of Standards & Technology, International Standards Organization (Information Security Management System) 27001, Control Objectives for Information Technology (COBIT) and security publications from the National Security Agency."

I humbly request the opinions of the experts on this topic.
Question by:capitaljpn
7 Comments
 

Assisted Solution

by:zaedi_ahmed
zaedi_ahmed earned 200 total points
ID: 24128458
Well there are two strong points that I want to make:
01. As you know, the username is half of your credential, and you are giving that away freely, which is not a good idea; moreover, the names used on business cards and in other places are not the same as your account name in the domain.

02. It will be more secure against brute-force attacks, because then the attacker must know both ends or has to guess the username.

So, on the above points, why don't we increase security a little bit by not providing the username freely? And typing a username and password is not that time-consuming, I guess, that it could hurt productivity.
 
LVL 2

Assisted Solution

by:mlscott
mlscott earned 600 total points
ID: 24128508
Best practice is to not display it; I've never read a good hardening article/guide or policy that doesn't state it implicitly.

Therefore I would recommend you mask the name as you suggest and then chat to your security officer.

My other question to him would be "What's the benefit of leaving the username there?"

As the only one I can think of is it is easier to log in for the user.

Mike
 

Author Comment

by:capitaljpn
ID: 24128537
Below is our security officer's argument regarding the benefits of leaving the username there:

"Let's assume it takes an average employee three seconds to type their username.  Multiply this by 20 logons a month, and then by 11 months (we will allow one month for vacation).
(3 seconds X 20) X 11 = 11 Minutes.
So 11 minutes of time is wasted per employee per year in typing a username.  For 100 employees that is a total of around 18 hours a year.  Let's work smarter, not harder.
The risks of remembering the username at login are so minute that the benefit of remembering outweighs it."
 
LVL 2

Assisted Solution

by:mlscott
mlscott earned 600 total points
ID: 24128541
Ok if it takes 18 hours a year then if the average salary is say £10 an hour then that is £180 in staff time.

Now compare £180 to someone breaking into the system and stealing critical company information or damaging systems.

The argument is very strange! Especially from a security officer.

If he wants to take the argument on from that then in theory why bother with any passwords as that slows it down...in fact why not have auto logon into every system you have.

Crazy! :-)
 
LVL 18

Assisted Solution

by:Americom
Americom earned 400 total points
ID: 24129670
Normally, for a stranger or non-employee to attack your network with a username and password (by which I mean the AD domain credential used to log on to Windows), they would have to attack from outside of your corporate network. As a security officer, it is his job to block them from breaking through into the internal network. But you could have strangers or non-employees such as consultants or visitors also plug into your internal network physically, and they could be the attacker. If you are talking about non-employees, not displaying the last logon username helps better secure your network, especially against a stranger who has a physical connection to your internal network and is able to walk up to a machine to see the last logon username; you are giving away almost half of the info needed to make an attack.

I understand that for users who log on multiple times a day, having to input the username multiple times could be painful; I guess it is just a matter of security vs. the number of user complaints and who the users will be.  The good thing is that this setting can be applied via GPO to specific machines if needed.

As far as security best practice goes, people who have worked in this field know that it's best practice not to display the last logged-on username. It's been known for a long time in all security best-practice guidelines. If it's not mentioned, then that guideline could be junk and a waste of time to read.
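An added audit example, not part of any answer in this thread: the "Do not display last user name" policy discussed here is written to the DontDisplayLastUserName registry value, and the PowerShell below reads that value from a list of hosts over WinRM so you can spot machines where the GPO has not taken effect. The host names are constructed samples, and Get-LastUserNamePolicyState is a function name chosen for this example.

```powershell
# Added example (not from the thread). "Interactive logon: Do not display last user name"
# is stored as the DontDisplayLastUserName DWORD under
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (1 = hide, 0 or absent = show).
# Hosts are reached with WinRM (Invoke-Command), so PowerShell remoting must be enabled.
function Get-LastUserNamePolicyState {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$ComputerName
    )

    $keyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $valueName = 'DontDisplayLastUserName'

    Invoke-Command -ComputerName $ComputerName -ErrorAction Continue -ScriptBlock {
        param($Path, $Name)

        # Missing key or value is treated the same as 0: the logon screen shows the last account.
        $item  = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        $value = if ($null -ne $item) { [int]$item.$Name } else { $null }

        if ($value -eq 1) {
            $finding = 'Compliant: last user name hidden'
        } else {
            $finding = 'Finding: last user name is displayed at logon'
        }

        [pscustomobject]@{
            ComputerName   = $env:COMPUTERNAME
            Value          = $value
            LastUserHidden = ($value -eq 1)
            Finding        = $finding
        }
    } -ArgumentList $keyPath, $valueName
}

# Constructed sample scope; replace with the machines the GPO is linked to.
$computers = 'WS-FINANCE-01', 'WS-FINANCE-02', 'KIOSK-LOBBY-01'

Get-LastUserNamePolicyState -ComputerName $computers |
    Select-Object ComputerName, Value, LastUserHidden, Finding |
    Format-Table -AutoSize
```

On domain-joined machines, fix any non-compliant host through the GPO (Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > Interactive logon: Do not display last user name) rather than writing the registry directly, so that the next policy refresh does not undo the change.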
 
LVL 4

Accepted Solution

by:BillCarlin
BillCarlin earned 800 total points
ID: 24132927
I am just like everyone else scratching their head on this one from a security manager.  They are in the position to provide a delicate balance between ease of use and system security.  However, the bean counting that was offered as justification not to disrupt the complacency of the end users against the simple security measure is inaccurate. Please see the referenced guides below as one is pulled from NSA and the other is DISA which typically have great input into the standard practices we all try to baseline from.  This practice has been in place at the Department of Defense for many years now and during the initial implementation phase required very little user training.  It is what is called a low hanging fruit, easy enough to implement and very little end user impact.  
From NSA's own site...see page 82.
http://www.nsa.gov/ia/_files/os/win2003/MSCG-001R-2003.pdf
Defense Information Systems Agency (DISA) Field Security Operations Guide,
Windows 2003 Security checklist page 3-51 from the http://iase.disa.mil/stigs/checklist/index.html

Cheers
 

Author Closing Comment

by:capitaljpn
ID: 31569424
Thank you all very much for your input and advice!
