Projects:
Practical Guide to System Security

The following section provides real-life examples and step-by-step instructions on how to administer Windows NT security. As previously stated, the Windows NT security system cannot be separated from the total operating system, so examples on using and configuring security can be found in most chapters. Some of these examples use the Registry Editor REGEDT32 to directly change the Registry. Be careful when using REGEDT32; incorrect changes to the Registry can prevent Windows NT from functioning.

Removing The Last Logged On Username

You have a lot of general-user Windows NT workstations—in other words, systems not allocated to any particular user but available for anyone to use. You often find that users are trying to log on using the wrong username, and at the moment, the last logged on username is displayed. This isn’t a particular security issue for you, but it does mean that user accounts are getting locked by mistake. You decide to remove the last logged on username from the logon screen.

The last username is removed by changing the Registry. This can be done in one of three ways:

a.  Using the System Policy Editor in a domain to create a domain policy.
b.  Using the System Policy Editor to change the local Registry.
c.  Using the Registry Editor REGEDT32 to change the Registry.

Method A—Creating A Domain Policy

1.  Choose Start|Programs|Administrative Tools|System Policy Editor. The System Policy Editor window appears.
2.  Choose File|New Policy. The Policy window shows the Default Computer and Default User icons. Double click the Default Computer icon to display the Default Computer Properties window.
3.  Double click the Windows NT System icon, then the Logon Book icon.
4.  Select the Do not display last logged on user name option, as shown in Figure 2.2. Click OK. You are returned to the System Policy Editor window.
5.  Choose File|Save As, and save the policy file to the NetLogon folder of the Primary Domain Controller with a file name of NTCONFIG.POL.


Figure 2.2  Logon policy settings in the Default Computer Properties window.

Method B—Changing The Local Registry

1.  Choose Start|Programs|Administrative Tools|System Policy Editor. The System Policy Editor window appears.
2.  Choose File|Open Registry. The local Registry is opened.
3.  Double click the Local Computer icon. The Local Computer Properties window appears.
4.  Double click the Windows NT System icon, then double click the Logon Book icon. Check the Do not display last logged on user name option. Click OK. You are returned to the System Policy Editor window. Click File|Save to save the changes to the local Registry.

Method C—Changing The Registry Directly

1.  Choose Start|Run. The Run dialog box appears.
2.  Use the Browse button to select the Registry Editor REGEDT32, which is located in the SYSTEM32 subfolder, as shown in Figure 2.3. Click OK. The Registry Editor window appears.
3.  Select the HKEY_LOCAL_MACHINE hive. Select the SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon subkey.
4.  If the DontDisplayLastUserName value entry doesn’t exist, you need to create it. Choose Edit|Add Value. The Add Value dialog box appears. Enter “DontDisplayLastUserName” into the Value Name field, and select REG_SZ in the Data Type field. Click OK. The String Editor dialog box appears. Enter “1” into the dialog box, and click OK. The Registry value entry will be created.
5.  If the DontDisplayLastUserName value entry does exist, double click the entry. The String Editor dialog box appears. Enter “1” into the dialog box, and click OK. The Registry value entry is updated.


Figure 2.3  The Run dialog box.

When the users now log on, the Username field in the Windows NT logon screen will be blank.


Note:  To change back to having the last username displayed, either change the DontDisplayLastUserName entry to 0 or delete the value completely.

Displaying A Logon Message

As a gentle reminder to all users, it has been decided that a logon message should be displayed informing users that they must not disclose their passwords to anyone and should only use their own accounts. The message can be set in two ways: the first uses the System Policy Editor and the second uses the Registry Editor.

Method A—Using The System Policy Editor

1.  Choose Start|Programs|Administrative Tools|System Policy Editor. The System Policy Editor window appears.
2.  Choose File|Open Registry. The Local Registry window appears.
3.  Double click the Local Computer icon to access the Local Computer Properties window. Double click the Windows NT System icon, and then double click the Logon Book icon. Select the Logon banner option box.
4.  The logon banner may now be set in the lower pane, as shown in Figure 2.4. Enter the title for the message into the Caption box and the actual message into the Text box. Click OK. You are returned to the System Policy Editor window.
5.  Choose File|Save to save the changes to the Registry.


Figure 2.4  Setting the logon banner.

Method B—Using The Registry Editor

1.  Choose Start|Run. The Run dialog box appears.
2.  Use the Browse button to select the Registry Editor REGEDT32, which is located in the SYSTEM32 subfolder. The Registry Editor window appears.
3.  Select the HKEY_LOCAL_MACHINE hive. Select the SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon subkey.
4.  If the LegalNoticeCaption value entry doesn’t exist, choose Edit|Add Value to access the Add Value dialog box. Enter “LegalNoticeCaption” into the Value Name field, and select REG_SZ in the Data Type field. Click OK. The String Editor dialog box appears. Enter the title message for the logon message. Click OK.
5.  If the LegalNoticeCaption value entry does exist, double click the entry. The String Editor dialog box appears. Enter the title message for the logon message. Click OK.
6.  If the LegalNoticeText value entry doesn’t exist, choose Edit|Add Value. The Add Value dialog box appears. Enter “LegalNoticeText” into the Value Name field, and select REG_SZ in the Data Type field. Click OK. The String Editor dialog box appears. Enter the text you want displayed. Click OK.
7.  If the LegalNoticeText value entry does exist, double click the entry. The String Editor dialog box appears. Enter the text you want to be displayed. Click OK.

The logon message will now be displayed to all users upon logon. The message must be acknowledged for the logon process to continue.
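To confirm that both projects above (hiding the last logged on username and setting the logon message) have taken effect on a workstation, the Winlogon values can be checked from a text export of the key. The following script is an added example, not part of the original book; it assumes the key has been exported as REGEDIT4-style text, and the sample export, function names and finding messages are constructed for illustration.

```python
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample export (not from a real machine): the banner text is empty
# and the last username is still displayed.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DefaultUserName"="jsmith"
"DontDisplayLastUserName"="0"
"LegalNoticeCaption"="Authorised use only"
"LegalNoticeText"=""
'''

# Matches a quoted string value line: "Name"="Data" (REG_SZ only).
_STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def _unescape(s):
    """Undo the backslash escaping used inside quoted .reg strings."""
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Return {key path: {value name: string data}}, names lower-cased
    because Registry key and value names are case-insensitive."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = _STRING_VALUE.match(line)
        if m and current is not None:
            current[_unescape(m.group(1)).lower()] = _unescape(m.group(2))
    return keys

def audit_winlogon(text):
    """List findings for the two settings configured in this section."""
    values = parse_reg(text).get(WINLOGON.lower())
    if values is None:
        return ["Winlogon key not present in export"]
    findings = []
    if values.get("dontdisplaylastusername") != "1":
        findings.append("DontDisplayLastUserName is not 1: last username is shown")
    for name in ("LegalNoticeCaption", "LegalNoticeText"):
        if not values.get(name.lower(), "").strip():
            findings.append(f"{name} is missing or empty")
    return findings

if __name__ == "__main__":
    for finding in audit_winlogon(SAMPLE_EXPORT):
        print(finding)
```

An empty list from audit_winlogon means the export matches the settings described in this section; a deleted DontDisplayLastUserName value is reported the same way as a value of 0, since both leave the last username displayed.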


ITKnowledge.com Copyright (c) 1996-1999 EarthWeb Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of EarthWeb is prohibited. Read EarthWeb's privacy statement.