CIAC INFORMATION BULLETIN

J-043c: Creating Login Banners

June 19, 1999 1:00 GMT
Revised: June 23, 1999 1:00 GMT
Revised: June 23, 1999 20:00 GMT
Revised: June 25, 1999 20:00 GMT


PROBLEM:       A requirement for successfully prosecuting those unauthorized
               users who improperly use a government computer is that the
               computer must have a warning banner displayed at all access
               points. That banner must warn authorized and unauthorized users 
                   1) about what is considered the proper use of the system,
                   2) that the system is being monitored to detect improper 
                      use and other illicit activity,
                   3) that there is no expectation of privacy while using 
                      this system. 
               The technical details for implementing banners is dependent on
               the particular operating system and access point.
PLATFORM:      Macintosh, Windows NT, Windows 95, 98, Windows 3.11, DOS, and 
               UNIX systems. 
DAMAGE:        Failure to have notification might be used as a defense in the 
               prosecution of a user or intruder for improper use of the 
               system. 
SOLUTION:      Make the modifications described here to add banners to all 
               access points on your system. Where it is not possible to
               implement automatic electronic banners, a printed banner should
               be attached where it can be read by the user of the system.

<...snip...>
Windows NT and Windows 95, 98 Login Banners
===========================================

Windows NT requires a login with a username and password before the system can 
be used; Windows 95 and 98 present a similar login dialog, although on those 
systems the dialog can be escaped and the registry has no access controls, so 
the banner there gives legal notice but does not by itself restrict access. 
The following method causes a dialog box with the warning banner and an OK 
button to be displayed before the login dialog box on Windows 95 or 98 and, on 
Windows NT, after the user presses Ctrl-Alt-Del and before the logon dialog 
box. The banner is read at logon, so log off and back on to confirm it appears.

To create a login banner on Windows 95, 98, or Windows NT you must add two 
string values under the Winlogon key in the Windows registry. There are two 
ways to do this. One is to edit the registry directly; the second is to create 
a .reg file containing the required changes and to import it with regedit.

Perform these steps to create a login banner on Windows 95, 98, or Windows NT 
(for Windows 95 or 98 substitute "Windows" for "Windows NT" in the registry 
keys below; note that the Windows NT key name contains a space):

1.  Use regedit, or on Windows NT regedt32, to edit the Windows registry.
2.  To set the login banner caption, create the following string value: 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
        CurrentVersion\Winlogon\LegalNoticeCaption

    2.1 Using regedit, scroll down to the Winlogon key.
    2.2 With the Winlogon key selected choose the Edit, New, String Value 
        command.
    2.3 Type the name of the new string value as: LegalNoticeCaption and press 
        Enter.
    2.4 With the new string value selected, choose the Edit, Modify command.
    2.5 In the dialog box that is displayed, type: NOTICE TO USERS and press 
        Enter.

3.  To set the banner text, create the following string value:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
        CurrentVersion\Winlogon\LegalNoticeText

    3.1 With the Winlogon key selected choose the Edit, New, String Value 
        command.
    3.2 Type the name of the new string value as: LegalNoticeText and press 
        Enter.
    3.3 With the new string value selected, choose the Edit, Modify command.
    3.4 In the dialog box that is displayed, type the body of the legal notice 
        and press Enter. Note that the notice appears as a single paragraph 
        because you cannot type returns in the regedit value editor.

This banner appears as a dialog box just before the system displays the login 
dialog box.

After editing the values with RegEdit, you can save the entries as a .reg file.
<...snip...> To create the file, select the Winlogon key that holds the two 
values you just created and choose the Registry, Export Registry File command, 
give the file a name and click Save. Edit this .reg file with a text editor and 
remove all the entries but "LegalNoticeCaption" and "LegalNoticeText"; the 
export contains every value under Winlogon, including DefaultUserName and, on 
a machine configured for automatic logon, the plaintext DefaultPassword, which 
you do not want to copy anywhere. You can copy the trimmed .reg file to other 
machines, and double-clicking it makes the same edits to their registries. 
If you have created a Windows NT .reg file, you can convert it to a Windows 95-98
.reg file by editing it with a text editor and changing "Windows NT" in the key
path to "Windows" and saving the file with a different name.
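As an added example, not taken from the bulletin, the following is a complete 
REGEDIT4 file of the kind the export produces after trimming, ready to be 
imported with regedit on Windows NT. The banner wording is a constructed sample 
that carries the three elements listed under PROBLEM; substitute your 
organization's approved notice. For Windows 95 or 98 change the bracketed key 
line to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon. 
As with regedit itself, the text is one paragraph: the quoted-string form used 
here cannot carry line breaks.

```reg
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"LegalNoticeCaption"="NOTICE TO USERS"
"LegalNoticeText"="This is a government computer system for authorized use only. All activity on this system is monitored to detect improper use and other illicit activity. Users have no expectation of privacy while using this system."
```

Keep the blank line after REGEDIT4 and save the file with a .reg extension; 
the import replaces any existing caption and text, so it can also be re-run 
to update the wording on every machine.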

You can edit these values with RegEdit, regedt32 or the system policy editor
(poledit.exe). A difficulty is your inability to type a return in these editors, 
which causes the body of the warning to be a single paragraph. If you are so 
inclined, you can edit the value with regedt32 in binary mode and insert a 
0D wherever you want a return to appear. The easiest way to do this is to edit
the value in text mode and insert a ~ (7E hex) wherever you want a new paragraph 
to start (use ~~ to create a new paragraph and space it down one line). Open the 
value again in binary mode and replace each 7E with 0D (Return). A difficulty
with a value created in this way is that it cannot be saved in a .reg file and
copied from machine to machine. You must edit each machine's registry separately
with regedt32. 
 <...snip...>
Also available for Windows NT is the regini.exe program in the Windows NT 
Resource Kit. This program edits registry entries from a script file and allows 
returns to be placed in the file and in the value, so a multi-line banner can be 
deployed to many machines without editing each one in regedt32. 

Note: Don't forget to have a different .reg file for Windows 95, 98 versus 
Windows NT. This is related to the substitution of "Windows" for "Windows NT" 
in the editing instructions above.   
 <...snip...>
UNIX Login Banners
==================

The banners for UNIX machines depend on the particular vendor and service. For 
many recent systems (Sun, Linux), creating the file /etc/issue containing the 
banner text causes the banner text to be displayed before the console login 
prompt and before the login prompt of interactive services that go through 
login, such as telnet and rlogin. Note that rsh executes a command without 
presenting a login prompt, so it displays nothing from /etc/issue; such a 
service needs another mechanism, or should be removed. 

For other systems and for services that do not respond to the /etc/issue file, 
put the banner text in the file /etc/motd. The contents of this file are 
displayed immediately after a successful login, either by login itself or by 
the global /etc/.login (csh) or /etc/profile (sh) startup files, depending on 
the system and which shell you start. Displaying the /etc/motd file 
immediately after login is also an option for the Secure Shell daemon (sshd); 
it is controlled by the PrintMotd keyword (default yes) in the 
/usr/local/etc/sshd_config file (/etc/ssh/sshd_config on packaged 
installations). Because /etc/motd is shown only after a successful login, it 
supplements rather than replaces a pre-login banner wherever one is available. 

Some versions of the FTP service have been modified to display, after login, 
the contents of the file .login_message found in the root directory of the FTP 
tree or in the user's home directory. You will have to try this to see if it 
works. If it does not work, you must put a file named NOTICE_TO_USERS 
containing the warning text into the root directory of the anonymous ftp tree 
and the file or a link to the file into each user's home directory.

For machines that do not use these methods for displaying banners, consult the 
man pages for each service to see if there is a banner mechanism available.
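The following shell script is an added example and is not part of the bulletin. 
It installs one banner text into the two files described above (/etc/issue for 
display before login, /etc/motd for display after it), audits each copy for the 
three elements listed under PROBLEM, and checks an sshd_config for a PrintMotd 
setting that would suppress /etc/motd. The ROOT staging prefix, the function 
names, the sample wording and the audit phrases are assumptions made for 
illustration; only the file names, the PrintMotd keyword and the default 
sshd_config path come from the bulletin or from sshd's own configuration syntax.

```shell
#!/bin/sh
# Added example, not part of the CIAC bulletin. ROOT is an assumed staging
# prefix so the script can be rehearsed without root (ROOT=/tmp/stage);
# use / or omit it for the real installation.

# Constructed sample wording covering the three elements from the PROBLEM
# section. Substitute your organization's approved notice.
BANNER_TEXT='NOTICE TO USERS

This is a government computer system for authorized use only.
All activity on this system is monitored to detect improper use and
other illicit activity. Users have no expectation of privacy while
using this system.'

# One phrase per required element, matched case-insensitively (assumptions;
# adjust them to your own wording).
REQUIRED_PHRASES='authorized use only
monitored
no expectation of privacy'

# install_banner [ROOT]: write BANNER_TEXT to ROOT/etc/issue and ROOT/etc/motd,
# world-readable so getty, login and the startup files can display them.
install_banner() {
    root=${1:-}; root=${root%/}
    mkdir -p "$root/etc" || return 1
    for f in issue motd; do
        printf '%s\n' "$BANNER_TEXT" > "$root/etc/$f" || return 1
        chmod 644 "$root/etc/$f" || return 1
    done
}

# check_banner FILE: succeed only if FILE is readable and contains every
# required phrase; report each missing element on stdout.
check_banner() {
    file=$1
    [ -r "$file" ] || { echo "$file: missing or unreadable"; return 1; }
    check_rc=0
    old_ifs=$IFS; IFS='
'
    for phrase in $REQUIRED_PHRASES; do
        grep -qiF -- "$phrase" "$file" ||
            { echo "$file: does not mention '$phrase'"; check_rc=1; }
    done
    IFS=$old_ifs
    return $check_rc
}

# audit_banner [ROOT]: check both banner files; fail if either is incomplete.
audit_banner() {
    root=${1:-}; root=${root%/}
    audit_rc=0
    for banner in "$root/etc/issue" "$root/etc/motd"; do
        check_banner "$banner" || audit_rc=1
    done
    return $audit_rc
}

# sshd_prints_motd CONFIG: succeed unless CONFIG turns PrintMotd off, in which
# case sshd will not show /etc/motd after login.
sshd_prints_motd() {
    config=$1
    [ -r "$config" ] || { echo "$config: missing or unreadable"; return 1; }
    if grep -Eiq '^[[:space:]]*PrintMotd[[:space:]]+no' "$config"; then
        echo "$config: PrintMotd is off; sshd will not display /etc/motd"
        return 1
    fi
    return 0
}

# Usage: sh banner.sh install [ROOT]
#        sh banner.sh check [ROOT] [SSHD_CONFIG]
case "${1:-}" in
    install) install_banner "${2:-/}" && audit_banner "${2:-/}" ;;
    check)   audit_banner "${2:-/}" &&
             sshd_prints_motd "${3:-/usr/local/etc/sshd_config}" ;;
esac
```

Run it once with a staging prefix to confirm the wording passes the audit, then 
as root with no prefix. The audit only proves the files say what you intended; 
that each service actually displays them still has to be confirmed by logging 
in through every access point, as the bulletin advises.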

NOTE: An important thing to note here is that if you remove a service from a 
UNIX machine, your machine will be more secure and you will not have to worry 
about placing a banner on that service. If you have open services that you do 
not need simply remove them.
 <...snip...>

CIAC wishes to acknowledge the contributions of Connie Soto and John Dias of Lawrence Livermore National Laboratory for the TCPwrappers information contained in this bulletin.


For additional information or assistance, please contact CIAC:

    Voice:          +1 925-422-8193 (8:00 - 18:00 PST, 16:00 - 2:00 GMT)

    Emergency (DOE, DOE Contractors, and NIH ONLY):
                     1-800-759-7243, 8550070 (primary),
                                     8550074 (secondary)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          ciac@llnl.gov
    World Wide Web:  http://www.ciac.org/
                     http://ciac.llnl.gov/
                     (same machine -- either one will work)
    Anonymous FTP:   ftp://ftp.ciac.org/
                     ciac.llnl.gov
                     (same machine -- either one will work)
    Modem access:   +1 (925) 423-4753 (28.8K baud)
                    +1 (925) 423-3331 (28.8K baud)

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.


UCRL-MI-119788