From: Mark O. Kaletka [kaletka@fnal.gov]
Sent: Tuesday, August 24, 1999 4:31 PM
To: CPPM Registered Managers
Cc: Computer Security
Subject: System Banner FAQ

There have been some questions on what is and is not required as far as system banners. It is not necessary to do more than required! Here are some guidelines based on recent questions:

* The wording of the banner must be used . No other wording may be used. Formatting should be preserved if technically reasonably feasible, otherwise variance in formatting and line breaks is permitted to accommodate OS peculiarities;

* Macintosh and Windows 95/98 systems to display an electronic banner, nor is one recommended. These systems are covered by the exemption and will use a banner sticker on the monitor frame, when they are available;

* Similarly, other "self-managed" systems (regardless of the OS) to display an electronic banner. "Self-managed" means managed by individual users who are not required to register as system managers under the "Policy on Computing" (i.e. do not have "root" access to three or more systems or a major cluster). These systems are also covered by the exemption and will use a banner sticker on the monitor frame, when they are available;

* UNIX systems (those "self-managed") required to display an electronic banner, just before or after login. In most cases placing the banner in the message-of-the-day file (/etc/motd or wherever required by the OS version) will be sufficient and easiest. TCPwrappers can also be configured to display the banner message for specific ports. This is . If TCPwrappers is used, should be taken in configuring which ports will display banners and the format of the banner, since the banner may interfere with handshaking on the port. There have been specific problems with SMTP, ssh and rsh ports, for e.g.;

* WindowsNT systems (those "self-managed", in most cases this means they belong to an NT domain) required to display an electronic banner. Modifying the system registry will allow WindowsNT to display the banner before login (specifically the keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText);

Refer to the guidance at http://www-dcd.fnal.gov/computersecurity/banners/ and if there are technical questions, mailto:kaletka@fnal.gov.

-- Mark K.
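
The first guideline above (no other wording, but formatting and line breaks may vary) applied to the /etc/motd placement, as an added example that is not part of the original message: a check that the approved wording appears in a file once whitespace is normalized. The function names, the file holding the approved wording and the sample banner text are assumptions; the e-mail does not reproduce the banner itself.

```shell
#!/bin/sh
# Added example: audit a banner file (e.g. /etc/motd) for the approved wording.
# The approved text must be supplied in a file; it is not quoted in the e-mail.

# Collapse every run of spaces, tabs and newlines to one space and trim the
# ends, so that differences in formatting and line breaks are ignored.
normalize() {
    tr -s '[:space:]' '[ *]' < "$1" | sed -e 's/^ //' -e 's/ $//'
}

# banner_present APPROVED_FILE TARGET_FILE
#   0 = approved wording found in target (other text around it is allowed)
#   1 = wording missing or altered
#   2 = a file is unreadable or the approved text is empty
banner_present() {
    [ -r "$1" ] && [ -r "$2" ] || return 2
    approved=$(normalize "$1")
    target=$(normalize "$2")
    [ -n "$approved" ] || return 2
    case "$target" in
        *"$approved"*) return 0 ;;   # quoted, so the wording is matched literally
        *)             return 1 ;;
    esac
}

# Constructed sample data: placeholder wording, a motd that reflows it, and a
# motd that rewords it. Prints the two result codes.
demo() {
    d=$(mktemp -d) || return 2
    printf 'NOTICE: placeholder banner wording.\nUse is monitored.\n' > "$d/approved"
    printf 'Welcome to node1\n\n  NOTICE: placeholder   banner\n  wording. Use is\tmonitored.\n' > "$d/motd_ok"
    printf 'NOTICE: usage may be monitored.\n' > "$d/motd_bad"
    ok=0;  banner_present "$d/approved" "$d/motd_ok"  || ok=$?
    bad=0; banner_present "$d/approved" "$d/motd_bad" || bad=$?
    rm -rf "$d"
    echo "reflowed=$ok reworded=$bad"
}
```

On a real host the call would be `banner_present approved_banner.txt /etc/motd`, where `approved_banner.txt` is a hypothetical local copy of the official text.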