June 19, 1999 1:00 GMT
Revised: June 23, 1999 1:00 GMT
Revised: June 23, 1999 20:00 GMT
Revised: June 25, 1999 20:00 GMT
PROBLEM: A requirement for successfully prosecuting unauthorized users who improperly use a government computer is that the computer display a warning banner at all access points. That banner must warn authorized and unauthorized users 1) what is considered proper use of the system, 2) that the system is monitored to detect improper use and other illicit activity, and 3) that there is no expectation of privacy while using the system. The technical details of implementing banners depend on the particular operating system and access point.

PLATFORM: Macintosh, Windows NT, Windows 95, 98, Windows 3.11, DOS, and UNIX systems.

DAMAGE: Failure to have notification might be used as a defense in the prosecution of a user or intruder for improper use of the system.

SOLUTION: Make the modifications described here to add banners to all access points on your system. Where it is not possible to implement automatic electronic banners, attach a printed banner where the user of the system can read it.
Windows NT and Windows 95, 98 Login Banners
===========================================

The Windows NT and Windows 95, 98 operating systems present a login with a username and password before the system can be used. The following method causes a dialog box containing the warning banner and an OK button to be displayed before the login dialog box on Windows 95 or 98, and after pressing Ctrl-Alt-Del on Windows NT, so the user sees the notice before entering any credentials.

To create a login banner on Windows 95, 98, or Windows NT you must add two values to the Windows registry. There are two ways to edit the registry: edit it directly, or create a .reg file containing the required changes and execute the file with regedit.

Perform these steps to create a login banner on Windows 95, 98, or Windows NT (for Windows 95 or 98 substitute "Windows" for "Windows NT" in the registry paths below; note that the NT key name contains a space):

1. Use regedit (or, on Windows NT, regedt32) to edit the Windows registry.

2. To set the login banner caption, create the following value:

   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption

   2.1 Using regedit, scroll down to the Winlogon key.
   2.2 With the Winlogon key selected, choose the Edit, New, String Value command.
   2.3 Type the name of the new string value as LegalNoticeCaption and press Enter.
   2.4 With the new string value selected, choose the Edit, Modify command.
   2.5 In the dialog box that is displayed, type NOTICE TO USERS and press Enter.

3. To set the banner text, create the following value:

   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText

   3.1 With the Winlogon key selected, choose the Edit, New, String Value command.
   3.2 Type the name of the new string value as LegalNoticeText and press Enter.
   3.3 With the new string value selected, choose the Edit, Modify command.
   3.4 In the dialog box that is displayed, type the body of the legal notice and press Enter.

4. Log off (or reboot) and confirm that the dialog box appears before the login prompt; a banner that only appears after login does not meet the requirement stated above.
Note that the notice appears as a single paragraph because you cannot type returns in the regedit value editor. This banner appears as a dialog box just before the system displays the login dialog box.

After editing the values with RegEdit, you can save the entries as a .reg file. <...snip...> To create the file, select the Winlogon key containing the two values you just created and choose the Registry, Export Registry File command, give the file a name and click Save. Edit this .reg file with a text editor and remove all the values except "LegalNoticeCaption" and "LegalNoticeText". You can copy this .reg file to other machines; double-clicking it makes the same edits to those machines' registries.
If you have created a Windows NT .reg file, you can convert it to a Windows 95, 98 .reg file by editing it with a text editor, changing "Windows NT" to "Windows" in the key path, and saving the file under a different name.

You can edit these values with RegEdit, RegEdt32 or the system policy editor (poledit.exe). A difficulty is that you cannot type a return in these editors, so the body of the warning is a single paragraph. If you are so inclined, you can edit the value with RegEdt32 in binary mode and insert a 0D (carriage return) wherever you want a line break. The easiest way to do this is to edit the value in text mode and insert a ~ (7E hex) wherever you want a new paragraph to start (use ~~ to start a new paragraph and leave a blank line). Open the value again in binary mode and replace each 7E with 0D. A value created this way cannot be saved in a .reg file and copied from machine to machine; you must edit each machine's registry separately with RegEdt32.
Also available for Windows NT is the regini.exe program in the Windows NT Resource Kit. This program edits registry entries from a file and allows the insertion of returns both in the file and in the resulting value.

Note: Don't forget to keep a separate .reg file for Windows 95, 98 versus Windows NT. This is related to the substitution of "Windows" for "Windows NT" in the editing instructions above.
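As an added example (not part of the CIAC bulletin), the following Python script writes the .reg files described above for Windows NT and Windows 95, 98, handling the escaping regedit requires for backslashes and double quotes. It goes beyond the bulletin in one respect: for the "Version 5.00" file format of Windows 2000 and later, where REG_SZ data is stored as UTF-16LE, it can emit LegalNoticeText as a hex(1) value carrying CR LF line breaks, which is how regedit itself exports a multi-line string and which lets such a banner be copied between machines. That "nt5" target, the sample notice wording and the output file names are assumptions made for the example.

```python
"""Write .reg files that set the Winlogon legal-notice banner.

Added example, not CIAC code.  It produces the LegalNoticeCaption and
LegalNoticeText values described in the bulletin for Windows NT (REGEDIT4
format) and Windows 95/98 (same format, different key path).  The "nt5"
target is an assumption beyond the bulletin: the Version 5.00 file format of
Windows 2000 and later, where REG_SZ data is UTF-16LE and a hex(1) value can
carry CR LF line breaks that a quoted string cannot.
"""
import sys

NT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
WIN9X_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon"

# Constructed sample wording; substitute your organisation's approved notice.
SAMPLE_CAPTION = "NOTICE TO USERS"
SAMPLE_TEXT = (
    "This is a U.S. Government computer system for authorized use only.\n"
    "Use of this system is monitored and recorded; users have no expectation of privacy.\n"
    "Unauthorized use may be subject to prosecution."
)


def reg_quote(s: str) -> str:
    """Quote a REG_SZ literal: regedit requires backslash and double quote escaped."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def one_paragraph(text: str) -> str:
    """Fold line breaks into spaces: a REGEDIT4 quoted string cannot hold them
    (the single-paragraph limitation the bulletin describes)."""
    return " ".join(line.strip() for line in text.splitlines() if line.strip())


def reg_hex1(s: str, per_line: int = 25) -> str:
    """Encode s as hex(1) REG_SZ data (UTF-16LE, NUL terminated), wrapped the
    way regedit exports long values: each line but the last ends in ',\\' and
    continuation lines are indented two spaces."""
    data = s.encode("utf-16-le") + b"\x00\x00"
    pairs = [f"{b:02x}" for b in data]
    lines = [",".join(pairs[i:i + per_line]) for i in range(0, len(pairs), per_line)]
    return "hex(1):" + ",\\\n  ".join(lines)


def decode_hex1(value: str) -> str:
    """Inverse of reg_hex1; use it to verify a generated file before shipping it."""
    body = value[len("hex(1):"):].replace("\\\n", "").replace(" ", "")
    raw = bytes(int(pair, 16) for pair in body.split(",") if pair)
    return raw.decode("utf-16-le").rstrip("\x00")


def banner_reg(caption: str, text: str, platform: str = "nt") -> str:
    """Return the text of a .reg file for platform "nt", "win9x" or "nt5"."""
    if platform == "nt":
        header, key, value = "REGEDIT4", NT_KEY, reg_quote(one_paragraph(text))
    elif platform == "win9x":
        header, key, value = "REGEDIT4", WIN9X_KEY, reg_quote(one_paragraph(text))
    elif platform == "nt5":
        header, key = "Windows Registry Editor Version 5.00", NT_KEY
        crlf = text.replace("\r\n", "\n").replace("\n", "\r\n")
        value = reg_hex1(crlf)
    else:
        raise ValueError(f"unknown platform {platform!r}")
    return (f"{header}\n\n[{key}]\n"
            f'"LegalNoticeCaption"={reg_quote(caption)}\n'
            f'"LegalNoticeText"={value}\n')


def write_reg(path: str, contents: str) -> None:
    """Save with the encoding regedit expects: ANSI for REGEDIT4 files,
    UTF-16LE with a byte-order mark for Version 5.00 files."""
    if contents.startswith("REGEDIT4"):
        with open(path, "w", encoding="cp1252", newline="\r\n") as f:
            f.write(contents)
    else:
        with open(path, "wb") as f:
            f.write(b"\xff\xfe" + contents.replace("\n", "\r\n").encode("utf-16-le"))


if __name__ == "__main__":
    # Usage: python make_banner_reg.py [nt|win9x|nt5] [output.reg]
    target = sys.argv[1] if len(sys.argv) > 1 else "nt"
    out = sys.argv[2] if len(sys.argv) > 2 else f"banner-{target}.reg"
    write_reg(out, banner_reg(SAMPLE_CAPTION, SAMPLE_TEXT, target))
    print(f"wrote {out}")
```

Run `decode_hex1` over the LegalNoticeText line of a generated nt5 file and compare it with the intended wording before distributing the file; a stray character in a legal notice is exactly the kind of defect that is hard to spot in hex.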
UNIX Login Banners
==================

The banners for UNIX machines depend on the particular vendor and service. On many recent systems (Sun, Linux), creating the file /etc/issue containing the banner text causes the text to be displayed before the console login prompt, and on many of those systems also before network logins that go through the login program, such as telnet and rlogin. Check each service rather than assuming: Linux telnetd, for example, reads /etc/issue.net for network connections rather than /etc/issue, and rsh executes a command without any login and displays no banner at all.

For other systems, and for services that do not honor /etc/issue, put the banner text in the file /etc/motd. The contents of this file are displayed by the global /etc/.login or /etc/profile file, depending on which shell you start (csh or sh), immediately after a successful login. Note that this is a post-login notice: it does not warn a user before access is granted, so use it in addition to, not instead of, a pre-login banner wherever one is available. Displaying /etc/motd immediately after login is also an option for the Secure Shell daemon (sshd) and is set in its configuration file (/usr/local/etc/sshd_config for a locally built installation; current OpenSSH packages use /etc/ssh/sshd_config). Current OpenSSH versions also provide a Banner keyword, which sends the contents of a named file to the client before authentication; that is the sshd option that satisfies the pre-login requirement.

Some versions of the FTP service have been modified to display, after login, the contents of the file .login_message found in the root directory of the FTP tree or in the user's home directory. You will have to try this to see if it works. If it does not work, put a file named NOTICE_TO_USERS containing the warning text into the root directory of the anonymous FTP tree, and put the file or a link to it into each user's home directory.

For machines that do not use these methods for displaying banners, consult the man pages for each service to see if a banner mechanism is available.

NOTE: If you remove a service from a UNIX machine, the machine is more secure and you no longer have to worry about placing a banner on that service. If you have open services that you do not need, simply remove them.
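The bulletin's advice to "try this to see if it works" can be automated for cleartext services. The following is an added example, not CIAC code: it connects to a telnet-style port, answers the server's option negotiation with refusals so that a telnetd waiting for negotiation goes on to print its banner, and reports whether the warning phrase arrives before the login prompt. The captures at the bottom are constructed to stand in for real telnetd output, and the host, port and phrase are assumptions. It cannot check sshd's Banner, which travels inside the encrypted protocol; verify that one with an ssh client.

```python
"""Probe a cleartext login service and check that the warning banner is sent
before the login prompt.  Added example, not CIAC code.  Covers telnet-style
services (telnet, rlogin, the FTP greeting); sshd's Banner is sent inside the
SSH protocol after key exchange, so check it with an ssh client instead."""
import socket
import time

IAC, SE, SB, WILL, WONT, DO, DONT = 255, 240, 250, 251, 252, 253, 254


def strip_telnet_iac(data: bytes) -> bytes:
    """Remove telnet option negotiation (RFC 854) so only the text remains."""
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
        elif i + 1 >= n:                     # truncated command at end of capture
            break
        elif data[i + 1] == IAC:             # escaped 0xff data byte
            out.append(IAC)
            i += 2
        elif WILL <= data[i + 1] <= DONT:    # IAC <WILL|WONT|DO|DONT> <option>
            i += 3
        elif data[i + 1] == SB:              # subnegotiation ... IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = n if end < 0 else end + 2
        else:                                # two-byte command (NOP, GA, ...)
            i += 2
    return bytes(out)


def refuse_options(data: bytes) -> bytes:
    """Answer every DO with WONT and every WILL with DONT.  Some telnetds wait
    for negotiation to settle before printing /etc/issue and the prompt."""
    reply = bytearray()
    i = 0
    while i + 2 < len(data):
        if data[i] == IAC and data[i + 1] == IAC:
            i += 2
        elif data[i] == IAC and data[i + 1] in (DO, WILL):
            reply += bytes([IAC, WONT if data[i + 1] == DO else DONT, data[i + 2]])
            i += 3
        else:
            i += 1
    return bytes(reply)


def banner_before_prompt(capture: bytes, phrase: bytes, prompt: bytes = b"login:") -> bool:
    """True when phrase appears in the cleaned capture ahead of the prompt,
    or with no prompt at all (an FTP 220 greeting, for instance)."""
    text = strip_telnet_iac(capture)
    where = text.find(phrase)
    if where < 0:
        return False
    at_prompt = text.find(prompt)
    return at_prompt < 0 or where < at_prompt


def probe(host: str, port: int, phrase: bytes, timeout: float = 5.0) -> bool:
    """Connect, collect what the service sends before any credentials go over
    the wire, and check the banner ordering.  No username is ever typed."""
    deadline = time.monotonic() + timeout
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(1.0)
        while time.monotonic() < deadline:
            try:
                chunk = s.recv(4096)
            except socket.timeout:
                continue
            if not chunk:
                break
            chunks.append(chunk)
            s.sendall(refuse_options(chunk))   # chunk-local; a command split
            if b"login:" in strip_telnet_iac(b"".join(chunks)):  # across reads is ignored
                break
    return banner_before_prompt(b"".join(chunks), phrase)


# Constructed captures standing in for real telnetd output (not real hosts).
GOOD_CAPTURE = (b"\xff\xfd\x18\xff\xfd\x20\xff\xfd\x23\xff\xfd\x27"
                b"\r\nNOTICE TO USERS\r\nThis is a government computer system. "
                b"Use is monitored; there is no expectation of privacy.\r\n\r\n"
                b"host login: ")
BAD_CAPTURE = b"\xff\xfd\x18\xff\xfd\x20\r\n\r\nhost login: "

if __name__ == "__main__":
    import sys
    if len(sys.argv) < 2:
        print("sample captures:",
              banner_before_prompt(GOOD_CAPTURE, b"NOTICE TO USERS"),
              banner_before_prompt(BAD_CAPTURE, b"NOTICE TO USERS"))
    else:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 23
        print(probe(sys.argv[1], port, b"NOTICE TO USERS"))
```

Run it against each host and port that offers an interactive login (`python probe.py host 23`, `python probe.py host 21`) after changing /etc/issue or /etc/issue.net, and treat any False as a service that still needs its own banner mechanism or should be removed.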
CIAC wishes to acknowledge the contributions of Connie Soto and John Dias of Lawrence Livermore National Laboratory for the TCPwrappers information contained in this bulletin.
For additional information or assistance, please contact CIAC:
Voice: +1 925-422-8193 (8:00 - 18:00 PST, 16:00 - 2:00 GMT)
Emergency (DOE, DOE Contractors, and NIH ONLY): 1-800-759-7243, 8550070 (primary), 8550074 (secondary)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: firstname.lastname@example.org
World Wide Web: http://www.ciac.org/
                http://ciac.llnl.gov/ (same machine -- either one will work)
Anonymous FTP: ftp://ftp.ciac.org/
               ciac.llnl.gov (same machine -- either one will work)
Modem access: +1 (925) 423-4753 (28.8K baud)
              +1 (925) 423-3331 (28.8K baud)
This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.