Solved

Windows Logon Response Change

Posted on 2014-12-08
236 Views
Last Modified: 2014-12-29
Hello,

Is it possible to change the behavior of the Windows 7 logon screen to respond generically when a user enters the wrong username or password?  Instead of telling the user specifically that their password is wrong or the username is not recognized, just tell them "username and/or password incorrect."

Or something like that.

We're a Windows 08 domain with AD.

Thanks,
Mike
0
Question by:cheesebugah
14 Comments
 
LVL 54

Expert Comment

by:McKnife
ID: 40487359
I get "username or password is incorrect" - what do you get?
0
 

Author Comment

by:cheesebugah
ID: 40487379
I get "The password is incorrect. Please retype your password. Letters in passwords must be typed in using the correct case."
0
 
LVL 1

Expert Comment

by:THAFUSE
ID: 40487387
0
 

Author Comment

by:cheesebugah
ID: 40487465
Hmmm...looks interesting.  Now if I only knew how to use this?
0
 
LVL 54

Expert Comment

by:McKnife
ID: 40487489
Well, it rather confirms again that the default is what you want already...
What you see has a reason. Please read http://windowsitpro.com/windows/jsi-tip-6238-you-cannot-unlock-your-workstation which shows when this very message that you quoted appears.
0
 

Author Comment

by:cheesebugah
ID: 40500794
That is all well and good, but can it be changed?

Thanks,
Mike
0
 
LVL 54

Expert Comment

by:McKnife
ID: 40501539
Look, if your machine is locked, then anyone can see who is logged on anyway. There's no reason to hide the username if we mistype the password. If, however, no one is logged on and you enter either the wrong password or a non-existent username, you get "username or password is incorrect", which is perfectly alright.

If, in that last scenario, Windows would give a hint "hey, your name is correct, but the password is wrong", that would be bad security-wise - but it doesn't do that.
What do I miss? It behaves just as it should, in my opinion.
0
 

Author Comment

by:cheesebugah
ID: 40501592
If you are at the logon screen and you type in an unknown username and password, you are given "The specified account does not exist."

If you are at the logon screen and you type in a known username with a bad password, you are given "The system could not log you on.  Make sure your user name and domain are correct, then type your password again.  Letters in passwords must be typed using the correct case."

In the financial institution world, this is considered user enumeration, as the system is responding differently to a legitimate user name, giving the supposed hacker the knowledge that he has stumbled upon a valid username.

I apologize if I am upsetting you as this is not my intention at all.  I have been given a task to remediate these responses, if possible, to be more generic.  Your opinion is respected and not taken lightly I assure you.  Your help is greatly appreciated.

Thanks,
Mike
0
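The distinction the thread argues about is visible on the defender's side whatever the logon screen says: Security event 4625 on the workstation or domain controller records a Sub Status that separates "user name does not exist" (0xC0000064) from "wrong password for an existing user" (0xC000006A). The following added example (not code from the thread or from any participant) parses a constructed, flattened key=value rendering of such events and flags a source address that tries many distinct nonexistent user names in a short window, which is the footprint of an enumeration attempt. The line format, the sample addresses and names, and the window/threshold values are assumptions chosen for the example.

```python
"""Detect username-enumeration patterns in Windows failed-logon events.

Event ID 4625 carries a Sub Status field that distinguishes "user name does
not exist" (0xC0000064) from "wrong password" (0xC000006A) regardless of
what the logon screen tells the user. A burst of distinct nonexistent user
names from one source address is the footprint of an enumeration attempt.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Sub Status codes Windows records in Security event 4625.
SUBSTATUS_NO_SUCH_USER = "0xC0000064"
SUBSTATUS_BAD_PASSWORD = "0xC000006A"

# Constructed sample: a flattened key=value rendering of 4625 events,
# not real log output. Addresses and user names are made up.
SAMPLE_LOG = """\
2014-12-08T09:00:01 EventID=4625 TargetUserName=jsmith SubStatus=0xC000006A IpAddress=10.0.0.5
2014-12-08T09:00:40 EventID=4625 TargetUserName=jsmith SubStatus=0xC000006A IpAddress=10.0.0.5
2014-12-08T09:01:02 EventID=4625 TargetUserName=mkie SubStatus=0xC0000064 IpAddress=10.0.0.7
2014-12-08T09:05:10 EventID=4625 TargetUserName=admin SubStatus=0xC0000064 IpAddress=10.0.0.9
2014-12-08T09:05:11 EventID=4625 TargetUserName=administrator SubStatus=0xC000006A IpAddress=10.0.0.9
2014-12-08T09:05:12 EventID=4625 TargetUserName=root SubStatus=0xC0000064 IpAddress=10.0.0.9
2014-12-08T09:05:13 EventID=4625 TargetUserName=guest SubStatus=0xC0000064 IpAddress=10.0.0.9
2014-12-08T09:05:14 EventID=4625 TargetUserName=test SubStatus=0xC0000064 IpAddress=10.0.0.9
2014-12-08T09:05:15 EventID=4625 TargetUserName=backup SubStatus=0xC0000064 IpAddress=10.0.0.9
2014-12-08T09:05:16 EventID=4625 TargetUserName=oracle SubStatus=0xC0000064 IpAddress=10.0.0.9
2014-12-08T09:05:17 EventID=4625 TargetUserName=admin SubStatus=0xC0000064 IpAddress=10.0.0.9
2014-12-08T10:30:00 EventID=4625 TargetUserName=mike SubStatus=0xC0000064 IpAddress=10.0.0.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=4625 TargetUserName=(?P<user>\S+) "
    r"SubStatus=(?P<sub>0x[0-9A-Fa-f]+) IpAddress=(?P<ip>\S+)$"
)


@dataclass(frozen=True)
class LogonFailure:
    ts: datetime
    user: str
    substatus: str
    ip: str


def parse_failures(text: str) -> list[LogonFailure]:
    """Parse the constructed key=value lines; lines that do not match are skipped."""
    failures = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        # Normalise case so "0xc0000064" and "0xC0000064" compare equal.
        substatus = "0x" + m["sub"][2:].upper()
        failures.append(LogonFailure(datetime.fromisoformat(m["ts"]), m["user"].lower(), substatus, m["ip"]))
    return failures


def summarize_by_source(failures: list[LogonFailure]) -> dict[str, dict[str, int]]:
    """Count failures per source address, split by the reason the DC recorded."""
    summary: dict[str, dict[str, int]] = defaultdict(lambda: {"no_such_user": 0, "bad_password": 0, "other": 0})
    for f in failures:
        if f.substatus == SUBSTATUS_NO_SUCH_USER:
            key = "no_such_user"
        elif f.substatus == SUBSTATUS_BAD_PASSWORD:
            key = "bad_password"
        else:
            key = "other"
        summary[f.ip][key] += 1
    return dict(summary)


def find_enumeration(failures: list[LogonFailure], window: timedelta = timedelta(minutes=5),
                     threshold: int = 5) -> dict[str, list[str]]:
    """Flag sources that try at least `threshold` distinct nonexistent names within `window`.

    A single user mistyping their own name produces one or two such events far
    apart; a guessing tool produces many distinct names in seconds.
    """
    by_ip: dict[str, list[LogonFailure]] = defaultdict(list)
    for f in failures:
        if f.substatus == SUBSTATUS_NO_SUCH_USER:
            by_ip[f.ip].append(f)
    flagged: dict[str, set[str]] = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e.ts)
        for i in range(len(events)):
            names = set()
            j = i
            while j < len(events) and events[j].ts - events[i].ts <= window:
                names.add(events[j].user)
                j += 1
            if len(names) >= threshold:
                flagged.setdefault(ip, set()).update(names)
    return {ip: sorted(names) for ip, names in flagged.items()}


if __name__ == "__main__":
    fails = parse_failures(SAMPLE_LOG)
    for ip, counts in summarize_by_source(fails).items():
        print(f"{ip}: {counts}")
    for ip, names in find_enumeration(fails).items():
        print(f"possible username enumeration from {ip}: {names}")
```

With the constructed sample, 10.0.0.5 shows a legitimate user mistyping a password twice and 10.0.0.7 shows two typos of one name an hour and a half apart, neither of which is flagged; 10.0.0.9 tries six distinct nonexistent names within seven seconds and is reported. The same grouping can feed an account-lockout review, since the 0xC000006A events from one source are the ones that count toward lockout.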
 
LVL 54

Expert Comment

by:McKnife
ID: 40501667
You give two examples. Both don't benefit an attacker; both don't provide additional info. You see a difference where there is none - if we know UserA exists, then neither message A nor message B provides additional info. If we assume that UserA exists, we cannot be sure with method one nor with method two. It does not provide additional info to an attacker; no enumeration is taking place.
0
 

Author Comment

by:cheesebugah
ID: 40501692
Well, obviously the assessment company we hired to do a penetration test on our network disagrees with you.  I am not going to argue with you, I will simply try to find my answer some place else.  Once again, I apologize for wasting your time and your help is greatly appreciated.  Have a great day.

Thanks,
Mike
0
 
LVL 33

Accepted Solution

by:it_saige (earned 500 total points)
ID: 40521853
Good morning Mike,

What you are wanting is not impossible as Microsoft has provided a way based upon the operating system of the client computers.

These are the supported ways:

For Windows Vista/Windows Server 2008 and above you would build a Custom Credential Provider.

For Windows 2000, Windows XP and Windows Server 2003, you would build a GINA (Graphical Identification and Authentication) wrapper.

In either case it does require knowledge of programming.

There are also unsupported methods such as:

http://www.makeuseof.com/tag/how-to-change-the-windows-logon-screen-message-and-font/

Finally, there is the commercial route:

http://www.safenet-inc.com/

-saige-
0
 

Author Closing Comment

by:cheesebugah
ID: 40522829
Just what I was looking for.  Thank you Saige.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 40522844
cheesebugah, I would be delighted if you gave feedback on what you could achieve with this in the future.
Still, I fail to see any issue, but I am interested in what you were able to change.
0