
Windows Forum / Windows Vista / Administration / March 2006

Traditional Three Finger Salute Logon

Al Christoph - 19 Feb 2006 23:55 GMT
One of the things I've done to protect my client systems in my SBS Network
is to set the Policy that forces the standard three finger salute dialog box
for log on (not Fast User Switching) AND to set the policy that hides the
previously logged on user.

ASIDE: If MS is lurking I hope that released Vista will also make it
possible to hide the logged on user when prompting for the screen saver
password. It should be possible to force the user to always offer up two
pieces of information to get into the system when either there is no one
logged on or it is locked.

REQUEST: Please, what are the exact directions to get this type of behavior
in Vista? For those of us who are new to this please start with something
like Start | Administrative Tools ... or what have you. (I was appalled to
see the SBS style GPO dialog come up when I tried to do client stuff. I
still haven't figured that all out for the server. I sure didn't want to see
it on the client:-((

ASIDE: Lurkers from MS, you might ask your grandpa what it was like dealing
with IBM main frame OS's back in the 60's. You will then learn why PC's
caught on. You could get your work done while thumbing your nose at the
priesthood in MIS that tended the altar of the corporate mainframe and its
3270 terminals. Let's put the personal back in PC while keeping in mind
KISS.

Again I want to get rid of Fast User Switching style logon. (I don't care
whether FUS goes away, just that style of logon.) AND I want to make sure
that the last user ID is NOT displayed when logging in. In detail, how do I
do this?

Regards,
Al Christoph
Three Bears Software, LLC
just right software @ just right prices @ 3bears.biz
Zack Whittaker (R2 Mentor) - 20 Feb 2006 00:47 GMT
OK, the screenshot you are referring to is the blue background with the
different coloured vertical streaks - this is the logon window. That's it,
that's how it's staying for the time being :o(

I don't prefer it at all to be honest - but I think that they'll bring it
back in... eventually. I should hope anyway :o)

Signature

Zack Whittaker
Microsoft Beta (Windows Server R2 Beta Mentor)
» ZackNET Enterprises: www.zacknet.co.uk
» MSBlog on ResDev: http://msblog.resdev.net
» ZackNET Forum: www.zacknet.co.uk/forum
» VistaBase: www.zacknet.co.uk/vistabase
» This mailing is provided "as is" with no warranties, and confers no
rights. All opinions expressed are those of myself unless stated so, and not
of my employer, best friend, mother or cat. Let's be clear on that one!

Al Christoph - 20 Feb 2006 01:44 GMT
Thanks for the prompt reply.  Here's what I've learned since I wrote:

Thanks to the nice person in some other thread in the group who put me on to
SecPol.msc as the way to do local policy on the PC.  Once SecPol.msc brought
up the appropriate window I was able to navigate to Security Settings |
Local Policies | Security Options and modify the properties of the policies
beginning with "Interactive logon:" that I had traditionally used.

Fixing those policies gave me everything I asked for in the Vista Way. It
got rid of the Fast User Switching screen and gave me user id and password
fields to type in. (I'll have to get used to having the label in the
field:-( This was also true of unlocking after the screen saver had at it.
(I really didn't want the exact visual look just the functionality.)

My only remaining gripes are two fold:
1. The domain drop down box is lost. This may save a lot of confusion and
improve security but I will have to get used to typing domainname\userid.
2. MS LURKERS TAKE NOTE: The message displayed when the screen is locked
gives away the user id! This is a big security no-no!!! It gives the
information needed to unlock the screen. I strongly suspect that such
information is provided so that folk can track down who is hogging the only
computer in the office and has walked away from it for a coffee break
leaving it locked. (Yeah, right. But years ago that might have mattered.) At
any rate the Display Name of the user rather than the user ID is what should
be in that message. And if Domain Admins build their user list appropriately
then THAT would allow you to track down the right person.

This issue is resolved. What I want to do is doable as documented above. The
improvement I wanted is there if slightly flawed. Good Show MS Development
team.

Regards,
Al

> OK, the screenshot you are referring to is the blue background with the
> different coloured vertical streaks - this is the logon window. That's it,
> that's how it's staying for the time being :o(
>
> I don't prefer it at all to be honest - but I think that they'll bring it
> back in... eventually. I should hope anyway :o)
Zack Whittaker (R2 Mentor) - 20 Feb 2006 12:13 GMT
But when the user locks the screen in XP, their username is displayed on
screen as well. You may think this is a security-no-no, but there's no other
feasible way round it I don't think :o)


Al Christoph - 20 Feb 2006 14:33 GMT
Just because XP and previous systems do it that way doesn't make it right,
especially not in an OS that is going to be sold partially based on enhanced
security.

1. The time has passed when PC's were scarce resources in a group
environment. As I pointed out the only reason for displaying anything about
who has the PC locked is for some other user to track down the rude culprit.
Advertising who has the PC locked should at best be an option to be turned
on.  MS LURKERS TAKE NOTE of that last sentence.

2. In group environments, it's quite likely that there is a source of
displayable names i.e. the Active Directory. That display name should be
what is in the message if display of user info in the message is turned on.

3. It should not be a great effort on MS's part to add a displayable name to
the user attributes for use in a non-active directory environment i.e. in
peer-to-peer networks. (Sure they have to be able to translate Display Name
to a gazillion leagues and write help explaining what's going on, but the
rest of it is or should be an hour or two's work for someone.)

4. If you review the literature - I came across a good paper on the subject
last week - you will see that two piece entry schemes are the best. You
should have to be able to identify yourself uniquely (user id) and provide
proof that it is you (your password, not necessarily unique.) IMHO both
should be secrets.

Incidentally, thumb print scanners are the rage now as an alternative to
passwords. BAD IDEA. There is a wonderful paper from Japan I came across
describing how to make gummy fingers (as in gummy bears) that fooled then
current technology (2003) a remarkably high percentage of the time. You
could even lift fingerprints and make a successful fake finger! And all with
readily available and inexpensive technology. Give me a memorable but strong
password any day!

Regards,
Al

> But when the user locks the screen in XP, their username is displayed on
> screen as well. You may think this is a security-no-no, but there's no
> other feasible way round it I don't think :o)
Al Christoph - 21 Feb 2006 21:57 GMT
Will wonders never cease. I stumbled across exactly the setting I want:

Interactive Logon: Display user information when session is locked. It has a
variety of options from saying nothing to spilling the beans.

Unfortunately this is only in ES 2003 and Windows SBS 2003.

Hey LURKERS on the Vista development team: If it's important in the server
world where the boxes tend to be under tight security, how much more
important this is in the client world where things are hanging out in the
open. Let's get this in some future set of bits before final release to
manufacturing.

Incidentally, I consider this important enough that I almost wrote a screen
saver to be able to do it in Windows XP.

Regards,
Al

> But when the user locks the screen in XP, their username is displayed on
> screen as well. You may think this is a security-no-no, but there's no
> other feasible way round it I don't think :o)
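
Added example, not part of any post in this thread: a read-only PowerShell check of the registry values behind the "Interactive logon:" policies discussed above (the SecPol.msc settings from the 20 Feb post and the locked-session setting from this one). The value names are the standard Windows ones and do not appear in the thread; accepting "display name only" as well as "nothing" for the locked-session policy is an assumption based on the preference stated in the posts.

```powershell
# Added example: audit the registry values behind the "Interactive logon:"
# policies discussed in this thread. Read-only; run on the client being checked.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Policy as shown in secpol.msc, its backing DWORD, and the data that meets
# the thread's goal (classic Ctrl+Alt+Del logon, no user ID disclosed).
$checks = @(
    [pscustomobject]@{ Policy = 'Interactive logon: Do not require CTRL+ALT+DEL'
                       Name = 'DisableCAD'; Good = @(0) }                # 0 = CAD required
    [pscustomobject]@{ Policy = 'Interactive logon: Do not display last user name'
                       Name = 'DontDisplayLastUserName'; Good = @(1) }   # 1 = hidden
    [pscustomobject]@{ Policy = 'Interactive logon: Display user information when the session is locked'
                       Name = 'DontDisplayLockedUserId'; Good = @(2, 3) } # 2 = display name only, 3 = nothing
)

function Test-LogonPolicy {
    param([hashtable]$Values)   # value name -> DWORD data, as read from $key
    foreach ($c in $checks) {
        $data = $Values[$c.Name]
        # A missing value means the policy was never set and the OS default
        # applies, so report it separately instead of guessing the default.
        $state = if ($null -eq $data) { 'NOT CONFIGURED' }
                 elseif ($c.Good -contains $data) { 'OK' }
                 else { 'WEAK' }
        [pscustomobject]@{ Policy = $c.Policy; Name = $c.Name; Data = $data; State = $state }
    }
}

# Collect only the values that actually exist under the key.
$live  = @{}
$props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
foreach ($c in $checks) {
    if ($props -and $props.PSObject.Properties[$c.Name]) {
        $live[$c.Name] = $props.($c.Name)
    }
}

Test-LogonPolicy -Values $live | Format-Table -AutoSize -Wrap
```

On a domain-joined client a GPO can overwrite these values at the next policy refresh, so a WEAK or NOT CONFIGURED row is best fixed in the policy that owns the setting rather than in the registry directly.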
Zack Whittaker (R2 Mentor) - 21 Feb 2006 23:59 GMT
Look, I promise you that they will *not* remove the current logged on user
from the locked workstation screen. OK it might well be secure, but what if
it was locked and nobody knows who's using it? What if someone went home
early and left their machine on? It's not going to change - I bet my left
kidney on it.


--- Original message follows ---

> Will wonders never cease. I stumbled across exactly the setting I want:
>
[quoted text clipped - 18 lines]
>> screen as well. You may think this is a security-no-no, but there's no
>> other feasible way round it I don't think :o)
muxster - 21 Mar 2006 11:46 GMT
Word brother! One hand on the Budweiser and the other on the F12 hotkey =
Reboot.exe
Office 12 str8 sucks!!! Crashes left and right...! Beta Release 2007
XPS is hurtin me!

= )

> One of the things I've done to protect my client systems in my SBS Network
> is to set the Policy that forces the standard three finger salute dialog
[quoted text clipped - 30 lines]
> Three Bears Software, LLC
> just right software @ just right prices @ 3bears.biz
Zack Whittaker (R2 Mentor) - 21 Mar 2006 16:51 GMT
Oookay... thanks Muxster...

Signature

Zack Whittaker
» ZackNET Enterprises: www.zacknet.co.uk
» MSBlog on ResDev: www.msblog.org
» Vista Knowledge Base: www.vistabase.co.uk
» This mailing is provided "as is" with no warranties, and confers no
rights. All opinions expressed are those of myself unless stated so, and not
of my employer, best friend, Gandhi, my mother or my cat. Glad we cleared
that up!

--- Original message follows ---

> Word brother! One hand on the Budweiser and the other on the F12 hotkey =
> Reboot.exe
[quoted text clipped - 37 lines]
>> Three Bears Software, LLC
>> just right software @ just right prices @ 3bears.biz
 