Windows Logon Response Change

Hello,

Is it possible to change the behavior of the Windows 7 logon screen to respond generically when a user enters the wrong username or password?  Instead of telling the user specifically that their password is wrong or the username is not recognized, just tell them "username and/or password incorrect."

Or something like that.

We're a Windows 08 domain with AD.

Thanks,
Mike
cheesebugahAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

McKnifeCommented:
I get "username or password is incorrect" - what do you get?
0
cheesebugahAuthor Commented:
I get "The password is incorrect. Please retype your password. Letters in passwords must be typed in using the correct case."
0
THAFUSECommented:
0
Webinar: Miercom Evaluates Wi-Fi Security

It's not just about Wi-Fi connectivity anymore. A wireless security breach can cost your business large amounts of time, trouble, and expense. Plus, hear first-hand from Miercom how WatchGuard's Wi-Fi security stacks up against the competition in our upcoming webinar!

cheesebugahAuthor Commented:
Hmmm...looks interesting.  Now if I only knew how to use this?
0
McKnifeCommented:
Well, it rather confirms again that the default is what you want already...
What you see has a reason. Please read http://windowsitpro.com/windows/jsi-tip-6238-you-cannot-unlock-your-workstation which shows when this very message that you quoted appears.
0
cheesebugahAuthor Commented:
That is all well and good, but can it be changed?

Thanks,
Mike
0
McKnifeCommented:
Look, if your machine is locked, then anyone can see who is logged on anyway. There's no reason to hide the username if we mistype the password. if however no one is logged on and you enter either the wrong password or a non-existent username, you get "username or password is incorrect" which is perfectly alright.

If, in that last scenario, windows would give a hint "hey, your name is correct, but the password is wrong", that would be bad security-wise - but it doesn't do that.
What do i miss, it behaves just as it should in my opinion.
0
cheesebugahAuthor Commented:
If you are at the logon screen and you type in an unknown username and password, you are given "The specified account does not exist."

If you are at the logon screen and you type in a known username with a bad password, you are given "The system could not log you on.  Make sure your user name and domain are correct, then type your password again.  Letters in passwords must be typed using the correct case."

In the financial institution world, this is considered user enumeration as the system is responding differently to a legitimate user name, giving the supposed hacker he has stumbled upon a valid username.

I apologize if I am upsetting you as this is not my intention at all.  I have been given a task to remediate these responses, if possible, to be more generic.  Your opinion is respected and not taken lightly I assure you.  Your help is greatly appreciated.

Thanks,
Mike
0
McKnifeCommented:
You give two examples. Both don't benefit an attacker, both don't provide additional info.    You see a difference where there is none - if we know UserA exists, then neither message A nor B does provide additional info. If we assume that UserA exists, we cannot be sure with method one nor with method 2. It does not provide additional info to an attacker, no enumeration is taking place.
0
cheesebugahAuthor Commented:
Well, obviously the assessment company we hired to do a penetration test on our network disagrees with you.  I am not going to argue with you, I will simply try to find my answer some place else.  Once again, I apologize for wasting your time and your help is greatly appreciated.  Have a great day.

Thanks,
Mike
0
it_saigeDeveloperCommented:
Good morning Mike,

What you are wanting is not impossible as Microsoft has provided a way based upon the operating system of the client computers.

These are the supported ways:

For Windows Vista/Windows Server 2008 and above you would build a Custom Credential Provider.

For Windows 2000, Windows XP and Windows Server 2003; you would build a GINA (Graphical Identification and Authentication) Wrapper.

In either case it does require knowledge of programming.

There are also unsupported methods such as:

http://www.makeuseof.com/tag/how-to-change-the-windows-logon-screen-message-and-font/

Finally, there is the commercial route:

http://www.safenet-inc.com/

-saige-
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
cheesebugahAuthor Commented:
Just what I was looking for.  Thank you Saige.
0
McKnifeCommented:
cheesebugah, I would be delighted if you gave feedback on what you could achieve with this in the future.
Still I miss to see any issue, but I am interested in what you were able to change.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
OS Security

From novice to tech pro — start learning today.