Re: Show user's last login time
From: *Vanguard* (no-email_at_no-spam.invalid)
Date: 02/06/04
- In reply to: Mark: "Re: Show user's last login time"
Date: Fri, 6 Feb 2004 17:55:46 -0600
"Mark" said in news:a87201c3ec33$0506e110$a101280a@phx.gbl:
> Thanks, but apparently what is required is some sort of
> screen upon login stating the user's last login date and
> time and not some searching for it.
>
> For some reason these darn auditors think that's a good
> step to take for further security, though I don't really
> agree with it, but I don't have much of a choice.
>
>> -----Original Message-----
>> "Mark" said in news:b34a01c3ec25$de32eb90$a501280a@phx.gbl:
>>> I took a quick look through Group Policy today trying to
>>> find some way to force a user's last login time/date
>>> information to appear when they login each time but
>>> couldn't find a setting.
>>>
>>> Does anyone know if there's a way to do this in Windows or
>>> if a 3rd party software product is needed?
>>>
>>> Any information would be appreciated.
>>>
>>> Thanks!
>>
>> Enable auditing. Check the Security log in Event Viewer.
>>
>> --
>> __________________________________________________________ __
>> *** Post replies to newsgroup. E-mail is not accepted. ***
>> __________________________________________________________ __
>>
>>
>> .
Your auditors obviously do NOT understand security. Displaying the last
logged on user is NOT secure. It provides half of the login information so
only the password has to be guessed. Duh! You need to have those auditors
prove their credentials and probably also need to talk to their superiors
along with yours.
In fact, to improve security, you set a security option to NOT show the last
user that was logged on:
- Run secpol.msc.
- Browse to the Security Settings -> Local Policies -> Security Options.
- Enable the "Do not display last user name" option.
You can also find this option using Group Policy Editor (gpedit.msc).
Presumably there would be a domain security option equivalent to prevent
seeing the last logged on user.
This is one of the first tweaks I do after installing an NT-based version of
Windows. I don't need to be providing non-admin users with half of my login
information. (I also rename the Administrator account to something else so
they don't have half of that admin login already known.)
If your auditors have legal control over how you implement security (or they
are just very good at bullshitting your superiors) then make damn sure you
lengthen the passwords and make them very strong. If the username for a
login is going to be easily revealed then the password field has to do
double duty. It will have to perform the same level of protection that the
username and password field did together. If your username was 8 characters
long and your password was 10 characters long then you'll have to change
your password to be 18 characters long since obviously the login username
will no longer be secure.
This only matters for logging on. If the user is using a screen saver or
locks out their session (define a shortcut to
"%windir%\system32\rundll32.exe user32.dll,LockWorkStation"), the screen
presented when you wake the system will show the currently logged on
username. Pretty stupid of Microsoft to have an option to not show the last
logged on username but then show the currently logged on username when
waking from a screen saver or to unlock a locked session. Another reason
you should have long and strong passwords, anyway.
However, if someone is trying to boot my system to use it without my
permission, I would still like to NOT display the last logged on username.
If these oh-so-wise auditors so learned in security want to see the last
logged on username on the login screen then why don't they already know how
this is achieved?
Obviously I have already told you how to display the last logged on user.
Above I told you how to prevent seeing it. So ... just do the opposite and
disable the "Do not display last user name" option. This works for the
login screen seen in Windows 2000. For Windows XP, you have to configure it
to stop using the Welcome screen and switch to the classic login screen (but
that's only needed if the host is in a workgroup since that is only when the
Welcome screen is used; in a domain, the classic login screen is supposed to
get used, as I've read).
--
____________________________________________________________
*** Post replies to newsgroup. E-mail is not accepted. ***
____________________________________________________________
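An added example, not part of the original post: a small offline check of a security template exported with `secedit /export /cfg`, reporting on the three settings the post discusses (the "Do not display last user name" option, the renamed Administrator account, and the minimum password length). The sample template is constructed, and the threshold of 18 is taken from the post's illustration only.

```python
# Constructed sample of a `secedit /export /cfg` template (not from a real host).
SAMPLE_INF = r'''
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
NewAdministratorName = "Administrator"
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,0
[Version]
signature="$CHICAGO$"
'''

LAST_USER_KEY = (r"machine\software\microsoft\windows\currentversion"
                 r"\policies\system\dontdisplaylastusername")

def parse_template(text):
    """Parse the INF-style export into {section: {key: value}}, names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip().strip('"')
    return sections

def audit(text, min_password_length):
    """Return findings for the three settings the post discusses."""
    sections = parse_template(text)
    access = sections.get("system access", {})
    findings = []
    # Registry values are exported as "<type>,<data>"; 4 is REG_DWORD, data 1 = enabled.
    raw = sections.get("registry values", {}).get(LAST_USER_KEY, "")
    if raw.partition(",")[2].strip() != "1":   # absent counts as not enabled
        findings.append("'Do not display last user name' is not enabled")
    if access.get("newadministratorname", "Administrator").lower() == "administrator":
        findings.append("Administrator account has not been renamed")
    length = int(access.get("minimumpasswordlength", 0))
    if length < min_password_length:
        findings.append(f"minimum password length is {length}, below {min_password_length}")
    return findings

if __name__ == "__main__":
    # 18 is the password length used in the post's illustration, not a recommendation.
    for finding in audit(SAMPLE_INF, 18):
        print("FINDING:", finding)
```

Real exports are usually UTF-16 encoded, so open them with `encoding="utf-16"` before passing the text to `audit`.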