One should note that this is from the client's perspective, not the
server's. In other words, if you log on to Server1 as User1, and then to
Server2 as User2, and go back and log on to Server1 again, User2 will be
displayed, not User1, because that is the last user that the client logged
on as. The server itself won't display who last logged into it, so it is
not really a security concern (unless they are sitting at your box, in which
case the game is over anyway.)

AD

----- Original Message -----
From: "Rich Wilson" <wk633yahoo.com>
To: <focus-mssecurityfocus.com>
Sent: Tuesday, July 03, 2001 12:05 PM
Subject: DontDisplayLastUserName

> I just ran accross a 'gotcha' that I thought I'd share. There are
actually two
> registry keys which can disable the display of the last user name logged
on.
> My testing is on Win2K Server.
>
> Checking 'Do not display last user name in logon screen' in the MMC
Security
> Snap-in sets:
>
machine\software\microsoft\windows\currentversion\policies\system\dontdispla
ylastusername=4,1
> (that is, a DWORD=1)
>
> But that doesn't affect logins via terminal services! To do that, you
have to
> set:
> machine\software\microsoft\windows
> nt\currentversion\winlogon\DontDisplayLastUserName=1,1 (That is, a
string=1)
>
> Note that early versions of Stefan Norberg's 'Securing Windows NT/2000
Servers'
> had a typo for the 2nd entry (listed it as a DWORD, which doesn't work),
and
> didn't list the 1st entry. According to the book's web site, both issues
have
> been addressed.
>
> My recommendation, for whatever it's worth :-) if you're using Win2K, and
> Terminal Services, set both and sleep better.
>
> =====
> : __o
> : -\<,
> : 0/ 0
>
> __________________________________________________
> Do You Yahoo!?
> Get personalized email addresses from Yahoo! Mail
> http://personal.mail.yahoo.com/

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]