Solved

Is "Do not display last user name" in AD group policy a good idea?

Posted on 2009-04-13
1,579 Views
Last Modified: 2013-12-04
My colleagues and I are having a debate with our security officer regarding the "Do not display last user name" setting in group policy. Windows hardening guides that I have read usually suggest it as a best practice. Additionally, it's built into Microsoft's "secure workstation" GPO template. Most sites I found via Google suggested it as best practice.

On the other hand, our security officer argues that it doesn't provide additional security, as company usernames are easily found and researched via the Internet, business cards, etc. Having to type the username also wastes productive time.
Finally, he stated:
"In all the standards, best practices, and IT control frameworks I have read, this item has never been mentioned.  This includes publications from the National Institute of Standard & Technologies, International Standards Organization (Information Security Management System) 27001, Control Objectives for Information Technology (COBIT) and security publications from the National Security Agency."

I humbly request the opinions of the experts on this topic.
Question by: capitaljpn
7 Comments

Assisted Solution

by:zaedi_ahmed
zaedi_ahmed earned 200 total points
ID: 24128458
Well, there are two strong points that I want to make:
01. As you know, the username is half of your credential, and you are giving that away freely, which is not a good idea; moreover, the names used on business cards and in other places are not the same as your account name in the domain.

02. It will be more secure against brute-force attacks, because then the attacker must know both ends or has to guess the username.

So, on the above points, why not increase security a little bit by not providing the username freely? And typing the username and password is not that time-consuming, I guess, that it could hurt productivity.
LVL 2

Assisted Solution

by:mlscott
mlscott earned 600 total points
ID: 24128508
Best practice is to not display it; I have never read a good hardening article/guide or policy that doesn't state it implicitly.

Therefore I would recommend you mask the name as you suggest and then chat to your security officer.

My other question to him would be "What's the benefit of leaving the username there?"

As the only one I can think of is it is easier to log in for the user.

Mike

Author Comment

by:capitaljpn
ID: 24128537
Below is our security officer's argument regarding the benefits of leaving the username there:

"Let's assume it takes an average employee three seconds to type their username. Multiply this by 20 logons a month, and then by 11 months (we will allow one month for vacation).
(3 seconds x 20) x 11 = 11 minutes.
So 11 minutes of time is wasted per employee per year in typing a username. For 100 employees that is a total of around 18 hours a year. Let's work smarter, not harder.
The risks of remembering the username at login are so minute that the benefit of remembering outweighs it."
LVL 2

Assisted Solution

by:mlscott
mlscott earned 600 total points
ID: 24128541
OK, if it takes 18 hours a year, then if the average salary is, say, £10 an hour, that is £180 in staff time.

Now compare £180 to someone breaking into the system and stealing critical company information or damaging systems.

The argument is very strange! Especially from a security officer.

If he wants to take the argument on from there, then in theory why bother with any passwords, as they slow things down... in fact, why not have auto-logon on every system you have?

Crazy! :-)
LVL 18

Assisted Solution

by:Americom
Americom earned 400 total points
ID: 24129670
Normally, for a stranger or non-employee to attack your network with a username and password (by which I mean an AD domain credential used to log on to Windows), they would have to attack from outside your corporate network. As a security officer, it is his job to block them from breaking through to the internal network. But you could also have a stranger or non-employee, such as a consultant or visitor, plug into your internal network physically, and they could be the attacker. If you are talking about non-employees, not displaying the last logon username helps better secure your network, especially against a stranger who has a physical connection to your internal network and is able to walk up to a machine and see the last logon username; you are giving away almost half of the info needed to make the attack.

I understand that sometimes, for users who log on multiple times a day, inputting the username multiple times can be painful. I guess it is just a matter of security vs. the number of user complaints, and of who the users will be. The good thing is that this setting can be applied via GPO to specific machines if needed.

As far as security best practice goes, people who have worked in this field know that it's best practice not to display the last logged-on username. It has been known for a long time in all security best-practice guidelines. If it's not mentioned, then that guideline could be junk and a waste of time to read.
LVL 4

Accepted Solution

by: BillCarlin
BillCarlin earned 800 total points
ID: 24132927
I am, just like everyone else, scratching my head on this one coming from a security manager. They are in the position to provide a delicate balance between ease of use and system security. However, the bean counting that was offered as justification not to disrupt the complacency of the end users, set against this simple security measure, is inaccurate. Please see the referenced guides below: one is pulled from the NSA and the other from DISA, which typically have great input into the standard practices we all try to baseline from. This practice has been in place at the Department of Defense for many years now, and during the initial implementation phase it required very little user training. It is what is called low-hanging fruit: easy enough to implement, with very little end-user impact.
From the NSA's own site... see page 82.
http://www.nsa.gov/ia/_files/os/win2003/MSCG-001R-2003.pdf
Defense Information Systems Agency (DISA) Field Security Operations Guide,
Windows 2003 Security Checklist, page 3-51, from http://iase.disa.mil/stigs/checklist/index.html

Cheers
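For anyone who wants to check what the setting actually does on the wire rather than argue about it, here is an added example (not from any poster in this thread): a PowerShell audit/remediation script for the policy under discussion. "Interactive logon: Do not display last user name" (Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options) is stored in the registry as the DWORD value DontDisplayLastUserName under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, where 1 means enabled and 0 or absent means the last user name is shown. The function names, the remoting assumption (WinRM enabled on the targets, caller is a local administrator there) and the sample computer list are my own choices, not anything the thread or Microsoft prescribes.

```powershell
# Added example: audit and optionally set "Interactive logon: Do not display
# last user name" on one or more Windows machines.
# Registry location of the policy (this mapping is the documented one):
#   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
#   DontDisplayLastUserName (REG_DWORD): 1 = enabled, 0/absent = disabled
# Assumptions (mine): PowerShell remoting is enabled on remote targets and the
# caller has local administrator rights on them.

$script:PolicyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$script:PolicyName = 'DontDisplayLastUserName'

# Run a script block locally when the target is this machine, otherwise over WinRM.
function Invoke-OnTarget {
    param(
        [string] $Computer,
        [scriptblock] $Script,
        [object[]] $Arguments = @()
    )
    if ($Computer -in @($env:COMPUTERNAME, 'localhost', '.')) {
        & $Script @Arguments
    } else {
        Invoke-Command -ComputerName $Computer -ScriptBlock $Script `
                       -ArgumentList $Arguments -ErrorAction Stop
    }
}

# Report the effective registry value per machine. Enabled is $true only when
# the value is present and equal to 1; a missing value is reported as $null.
function Get-LastUserNameDisplayPolicy {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline)]
        [string[]] $ComputerName = $env:COMPUTERNAME
    )
    process {
        foreach ($computer in $ComputerName) {
            try {
                $raw = Invoke-OnTarget -Computer $computer -Arguments @($script:PolicyKey, $script:PolicyName) -Script {
                    param($key, $name)
                    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
                    if ($null -eq $item) { $null } else { [int]$item.$name }
                }
                [pscustomobject]@{
                    ComputerName = $computer
                    RawValue     = $raw
                    Enabled      = ($raw -eq 1)
                    Error        = $null
                }
            } catch {
                [pscustomobject]@{ ComputerName = $computer; RawValue = $null; Enabled = $null; Error = $_.Exception.Message }
            }
        }
    }
}

# Set the value directly. Supports -WhatIf so the change can be previewed first.
# Pass -Disable to show the last user name again (value 0).
function Set-LastUserNameDisplayPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string[]] $ComputerName = $env:COMPUTERNAME,
        [switch] $Disable
    )
    $value = if ($Disable) { 0 } else { 1 }
    foreach ($computer in $ComputerName) {
        if ($PSCmdlet.ShouldProcess($computer, "Set $($script:PolicyName)=$value")) {
            Invoke-OnTarget -Computer $computer -Arguments @($script:PolicyKey, $script:PolicyName, $value) -Script {
                param($key, $name, $v)
                if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
                New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $v -Force | Out-Null
            }
        }
    }
}

# Usage: audit a constructed sample list of hosts, then show which ones still
# display the last user name. The host names below are placeholders.
$sampleHosts = @($env:COMPUTERNAME, 'WKS-RECEPTION01', 'WKS-LOBBY02')
$report = Get-LastUserNameDisplayPolicy -ComputerName $sampleHosts
$report | Format-Table -AutoSize
$report | Where-Object { $_.Enabled -eq $false } |
    ForEach-Object { Write-Warning "$($_.ComputerName) still displays the last logged-on user name" }

# Preview remediation on the non-compliant hosts; drop -WhatIf to apply it.
$report | Where-Object { $_.Enabled -eq $false } |
    ForEach-Object { Set-LastUserNameDisplayPolicy -ComputerName $_.ComputerName -WhatIf }
```

Two caveats worth keeping in mind. First, the Set function writes the registry directly, which is fine for a one-off lab check or a workgroup machine, but on a domain-joined machine a Security Options setting delivered by GPO is reapplied at the next policy refresh, so the durable fix is to enable the setting in the GPO that covers the machines you care about (Americom's point about scoping it to specific machines, such as kiosks or shared reception PCs, applies here). Second, the audit only tells you what the logon screen will do; it says nothing about the other places the same user name leaks (lock screen, cached credential tiles, Outlook signatures), so treat a clean report as one control among several rather than proof that usernames are secret.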

Author Closing Comment

by:capitaljpn
ID: 31569424
Thank you all very much for your input and advice!