Is "Do not display last user name" in AD group policy a good idea?
Posted on 2009-04-13
My colleagues and I are having a debate with our security officer regarding the "Do not display last user name" setting in group policy. Windows hardening guides that I have read usually suggest it as a best practice. Additionally, it's built into Microsoft's "secure workstation" GPO template. Most sites I found via Google suggested it as best practice.
On the other hand, our security officer argues that it doesn't provide additional security, as company usernames are easily found and researched via the Internet, business cards, etc. Having to type the username also wastes productivity time.
Finally, he stated:
"In all the standards, best practices, and IT control frameworks I have read, this item has never been mentioned. This includes publications from the National Institute of Standard & Technologies, International Standards Organization (Information Security Management System) 27001, Control Objectives for Information Technology (COBIT) and security publications from the National Security Agency."
I humbly request the opinions of the experts on this topic.