Friday, January 07, 2005

Knowledge Transfer or Lack of Transfer

I think I actually taught a tech something today. I am not sure that she really took it in or cared about it though.

I got a note from her yesterday asking if I knew where a machine named ABC123XX was, as it showed that I was the last one that had logged on to it.

I definitely knew where it was. It is the name of my test machine. As I am not on the Support side of things anymore I don't have any say in what they do. I told her how she could easily tell where it was and what the naming convention had been. She stated that she disagreed with the new naming conventions that they came up with for machines, but that she did not win out. We are actually two removed from the way it used to be done.

Simply by looking at the old naming convention name I could tell where the machine was located. I did not have to cross reference anything as I would have to do now.

She said that she had to remove my machine from the domain and re-add it to get it to show up in the browse list. I told her that was not the case. As an additional security measure we used to hide PCs from the browse list on the network. Well, it appears that some products like McAfee's e-Policy Orchestrator won't do their thing (or so I am told) unless your machine is in the browse list.

My machine was set up the old way. Hey, I set it up.

Here are the registry changes that we used to make.

The following two changes keep the machine from participating as a browser and from participating in a browser election.
--------------------------
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser

Start

Change from 2 to 4.
--------------------------
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters

MaintainServerList

Change from Auto to No.
--------------------------

The following change keeps the machine from displaying in the browse list.

--------------------------
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lanmanserver\Parameters

Add Value

Value Name: Hidden
Data Type: REG_DWORD

Data: 1

It is my understanding that this is the equivalent of doing NET CONFIG SERVER /HIDDEN:YES from the command prompt.
--------------------------


I simply set the registry entries back and rebooted and there it was (after waiting for the browse list to update). No removing from the Domain and adding it back in. Like I said, I don't think she really cared. Oh well.

There were a few additional changes that we used to make. Not sure how many if any are still in use. Of course many items are simply set up as policies.

Changed the default password reminder down to 3 from 15.
Changed a policy so the login script had the rights to set the time on the PC.

We would also blank out the last userid.

A hacker (generally speaking) needs two things to gain access to resources on your system: a username and a password. In case you haven't noticed, Windows NT/2000, by default, offers one of those for free. In order to prevent your system from displaying the last username to log in, you can make the following change (or create the following entry) to the registry:

For NT
Hive: HKEY_LOCAL_MACHINE

Key: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Name: DontDisplayLastUserName
Data Type: REG_SZ
Value: 1

Now when a user presses Ctrl-Alt-Del to log on, the username and password fields are both blank. As always, use caution and frequent backups when editing the registry.


For 2000

In Windows 2000, there is another place in the Registry where this can also be controlled:
Hive: HKEY_LOCAL_MACHINE

Key: Software\Microsoft\Windows\CurrentVersion\Policies\System

Name: DontDisplayLastUserName
Data Type: REG_DWORD
Value: 1

A value of 1 will clear the last username; a value of 0 leaves the last username in the login box.


I have not looked at the entry in XP, but would not be surprised if it is the same as it was in 2000.
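
To see at a glance which of the settings above are in effect on a machine (for example, before concluding it has to be removed from the domain and re-added), here is a read-only PowerShell audit. It is an added example, not part of the original post; it assumes PowerShell 3.0 or later, and the "Expected" column is simply the hidden/hardened value this post describes for each entry.

```powershell
# Added example: read-only audit of the registry values named in this post.
# Nothing is written; "Expected" is the hidden/hardened value from the post.
$checks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Browser'
       Name = 'Start'; Expected = 4 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Browser\Parameters'
       Name = 'MaintainServerList'; Expected = 'No' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Lanmanserver\Parameters'
       Name = 'Hidden'; Expected = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name = 'DontDisplayLastUserName'; Expected = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'DontDisplayLastUserName'; Expected = 1 }
)

$results = foreach ($c in $checks) {
    # A missing key or value is reported as "(not set)" instead of an error.
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { $item.($c.Name) } else { '(not set)' }

    [pscustomobject]@{
        Key      = $c.Path
        Value    = $c.Name
        Actual   = $actual
        Expected = $c.Expected
        # Compare as strings so REG_SZ "1" and REG_DWORD 1 are treated alike.
        Matches  = ("$actual" -eq "$($c.Expected)")
    }
}

$results | Format-Table -AutoSize -Wrap
```

A machine that is missing from the browse list and shows `Matches = True` on the first three rows was hidden on purpose by these settings.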
