Hiding last logon, all MS platforms, why or why not to do

Discussion in 'Security Software' started by NewSecTech, Oct 24, 2006.

  1. NewSecTech


    I'd like to know the cons of hiding the last user name in the logon dialog. The
    pros are obvious...why give away half the key to the castle? I'll be darned
    if I can think of one GOOD reason to leave it displayed. My company has received
    a policy change recommendation, to blank it out, and they want the P's and
    C's of it. Hit me with both arguments if you wish...

    Thanks much.
     
    NewSecTech, Oct 24, 2006
    #1
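    For reference, the setting under discussion is the security policy "Interactive logon: Do not display last user name", which Windows stores as the REG_DWORD value DontDisplayLastUserName under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (1 = hide, 0 or absent = show). The PowerShell below is an added example, not code from this thread or from any of its posters: it reports the current state of that value and, when asked, sets it, with -WhatIf support so the change can be staged and recorded before it goes into policy. The function names and the -Hide parameter are this example's own choices.

```powershell
# Added example (not from the thread): audit and set the
# "Interactive logon: Do not display last user name" policy on one machine.
# Backing registry value (Microsoft-documented):
#   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
#   DontDisplayLastUserName (REG_DWORD): 1 = hide, 0 or absent = show
# Function and parameter names below are this example's own.

$script:PolicyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$script:PolicyName = 'DontDisplayLastUserName'

function Get-LastUserNameDisplayState {
    # Returns an object describing whether the last logged-on name is hidden.
    $name = $script:PolicyName
    $item = Get-ItemProperty -Path $script:PolicyKey -Name $name -ErrorAction SilentlyContinue
    $raw  = if ($null -ne $item) { [int]$item.$name } else { $null }
    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        RawValue     = $raw                  # $null means the value is not present
        HideLastUser = ($raw -eq 1)
        Source       = if ($null -eq $raw) { 'default (not configured)' } else { 'registry' }
    }
}

function Set-LastUserNameDisplayState {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [bool] $Hide
    )
    $desired = if ($Hide) { 1 } else { 0 }
    $before  = Get-LastUserNameDisplayState
    if ($before.RawValue -eq $desired) {
        Write-Verbose "$($script:PolicyName) is already $desired; nothing to do."
        return $before
    }
    $target = "$($script:PolicyKey)\$($script:PolicyName)"
    if ($PSCmdlet.ShouldProcess($target, "set to $desired")) {
        if (-not (Test-Path $script:PolicyKey)) {
            New-Item -Path $script:PolicyKey -Force | Out-Null
        }
        # Writing under HKLM needs an elevated session.
        Set-ItemProperty -Path $script:PolicyKey -Name $script:PolicyName -Value $desired -Type DWord
    }
    Get-LastUserNameDisplayState
}

# Usage: report the current state, then stage the change with -WhatIf before applying it.
Get-LastUserNameDisplayState | Format-List
Set-LastUserNameDisplayState -Hide $true -WhatIf
# Set-LastUserNameDisplayState -Hide $true -Verbose   # apply, from an elevated prompt
```

    In a domain this value is normally delivered by Group Policy (Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options), which will overwrite a local edit at the next refresh; the local write above is for a single test machine, while the read function is the useful part for auditing what a fleet actually has.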

  2. The cons of this are more intellectual than technical - and you are
    exhibiting the cons already.

    You have a tendency to think of the username as "half the key". It is not.
    It is a claim of identity. The password is a proof of that claim. The
    username is a label on the key, to identify who it belongs to, if you must
    use that analogy.

    The operating system is designed with the requirement that the password is
    secret, and with the assumption that the username is public.

    Do not make any changes that make the assumption that your username is
    secret, because you will give the impression that usernames are sufficient
    as claim _and_ proof of identity - not for the Windows logon, obviously,
    because that will require the password - but what about a user-designed
    application or web service? Someone educated in a culture that assumes the
    username to be secret may be tempted to act as if the username is secret,
    and is therefore sufficient as an identifier and an authenticator.

    Don't pretend that usernames are secret. They are public. Display them
    every so often to remind people of this fact.

    Alun.
    ~~~~
     
    Alun Jones [MS-MVP - Windows Security], Oct 24, 2006
    #2

  3. The largest con I have previously come up with is user
    inconvenience and the time needed to re-enter the username, often
    at a workstation to which no one else, save rarely, would
    log on.

    Alun has clarified that the often-used analogy of keys to
    the kingdom is in ways incorrect. If your machines are
    exposed to those without accounts in the
    forest (or its trusted realms), then exposing user names
    would provide them with information that they would
    otherwise not obtain, at least not without significant
    hurdles (social engineering, etc.). However, if they do
    have an account, then they can already list out all of the
    usernames in the forest, including whether those are
    members of sensitive groups.

    So, if exposing the usernames does provide information
    otherwise unobtainable, as Alun correctly terms it the
    claim of identity, then you would have a real "pro" rather
    than just an inconvenience for the sake of a perceived "pro".
     
    Roger Abell [MVP], Oct 25, 2006
    #3
  4. Believe it or not, but when we had the last username displayed in the
    logon box, some users paid so little attention that they didn't know their
    own username when they had to log on to a different workstation.

    And you wondered where the BOFH got their material from?
     
    Michael Bednarek, Oct 25, 2006
    #4
  5. NewSecTech


    Thanks Alun,

    I should apologize for playing the fool, as I'm a former consultant,
    have held an MCSE cert for over 10 years, and work for a State IT division in
    security.

    Among the 3 replies, I have gotten the 3 acceptable answers, from 3
    perspectives, but I needed other credentialed and similar opinions to pass on
    to higher ups.

    Much appreciated!!
     
    NewSecTech, Oct 26, 2006
    #5
  6. NewSecTech


    Thanks Roger

     
    NewSecTech, Oct 26, 2006
    #6
  7. NewSecTech


    Michael,

    Exactly my findings!!! That, and repeated tries till lockout thresholds are
    reached, which of course generates helpdesk tickets...

    Thanks for the confirmation!!
     
    NewSecTech, Oct 26, 2006
    #7
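    The helpdesk cost mentioned in the posts above can be measured rather than guessed. The PowerShell below is an added example, not code from the thread or its posters: it pulls account-lockout events (Security event ID 4740, which domain controllers log when they process a lockout) for a window on either side of the policy change, counts them per phase and per day, and lists the accounts locked most often afterwards, so the before/after difference can be put in front of the "higher ups". The $ChangeDate value and the $DaysEachSide window are constructed inputs for the example; the event ID and its EventData field names are Microsoft's.

```powershell
# Added example (not from the thread): count account lockouts (Security event
# ID 4740) before and after a "hide last user name" policy change.
# Run on a domain controller, or point -ComputerName at one, with rights to read
# the Security log and with "Audit User Account Management" enabled so that
# 4740 is logged at all. $ChangeDate below is a constructed placeholder.

param(
    [datetime] $ChangeDate   = (Get-Date '2006-10-30'),   # constructed; use the real rollout date
    [int]      $DaysEachSide = 14,
    [string]   $ComputerName = $env:COMPUTERNAME
)

function Get-LockoutEvents {
    param([datetime] $Start, [datetime] $End, [string] $Computer)
    # FilterHashtable is the indexed (fast) way to query the Security log.
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = $Start; EndTime = $End }
    $events = Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Read the named EventData fields from the event XML rather than relying
        # on positional Properties, which differ between OS versions.
        $data = ([xml]$e.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Account = ($data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
            Caller  = ($data | Where-Object { $_.Name -eq 'TargetDomainName' }).'#text'  # caller computer in 4740
            Phase   = if ($e.TimeCreated -lt $ChangeDate) { 'before' } else { 'after' }
        }
    }
}

function Measure-LockoutImpact {
    param([object[]] $Lockouts, [int] $Days)
    # Lockouts per day in each phase, and the accounts driving the 'after' phase.
    $byPhase = $Lockouts | Group-Object Phase | ForEach-Object {
        [pscustomobject]@{
            Phase    = $_.Name
            Lockouts = $_.Count
            PerDay   = [math]::Round($_.Count / [math]::Max($Days, 1), 2)
            Accounts = @($_.Group.Account | Sort-Object -Unique).Count
        }
    }
    $topAfter = $Lockouts | Where-Object { $_.Phase -eq 'after' } |
        Group-Object Account | Sort-Object Count -Descending |
        Select-Object -First 10 Name, Count
    [pscustomobject]@{ Summary = $byPhase; RepeatOffendersAfter = $topAfter }
}

$window = Get-LockoutEvents -Start $ChangeDate.AddDays(-$DaysEachSide) `
                            -End   $ChangeDate.AddDays($DaysEachSide) `
                            -Computer $ComputerName
$impact = Measure-LockoutImpact -Lockouts @($window) -Days $DaysEachSide
$impact.Summary              | Format-Table -AutoSize
$impact.RepeatOffendersAfter | Format-Table -AutoSize
```

    A handful of accounts locked repeatedly after the change usually means those users never knew their own username, as the post above describes; a broad rise across many accounts points at the policy itself and is the number to weigh against the "pro" the earlier replies discuss.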
  8. As Alun mentions, identity is public. This is a fundamental concept of computer science. To attempt to treat it as private will create problems for you.

    My article "It's me, and here's my proof: Why identity and authentication must remain distinct" covers this concept in some detail. There's also a bit of discussion on my blog.

    Article: http://www.microsoft.com/technet/community/columns/secmgmt/sm0206.mspx

    Blog post: http://blogs.technet.com/steriley/archive/2006/02/16/It_2700_s-me_2C00_-and-here_2700_s-my-proof_3A00_-why-identity-and-authentication-must-remain-distinct.aspx

    ______________________________________________________
    Steve Riley

    http://blogs.technet.com/steriley
    http://www.protectyourwindowsnetwork.com

     
    Steve Riley [MSFT], Nov 4, 2006
    #8