deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-28 21:27:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity
windows-itpro-docs/windows/keep-secure/interactive-logon-do-not-display-last-user-name.md
Brian Lich e9d723e3c5 adding ms.pagetype back
2016-05-10 12:12:23 -07:00

4.7 KiB
Raw Blame History

title, description, ms.assetid, ms.pagetype, ms.prod, ms.mktglfcycl, ms.sitesec, author
title description ms.assetid ms.pagetype ms.prod ms.mktglfcycl ms.sitesec author
Interactive logon Do not display last user name (Windows 10) Describes the best practices, location, values, and security considerations for the Interactive logon Do not display last user name security policy setting. 98b24b03-95fe-4edc-8e97-cbdaa8e314fd security W10 deploy library brianlic-msft

Interactive logon: Do not display last user name

Applies to

  • Windows 10 Describes the best practices, location, values, and security considerations for the Interactive logon: Do not display last user name security policy setting.

Reference

This security policy setting determines whether the name of the last user to log on to the device is displayed on the Secure Desktop. If this policy is enabled, the full name of the last user to successfully log on is not displayed on the Secure Desktop, nor is the users logon tile displayed. Additionally, if the Switch user feature is used, the full name and logon tile are not displayed. The logon screen requests a qualified domain account name (or local user name) and password. If this policy is disabled, the full name of the last user to log on is displayed, and the users logon tile is displayed. This behavior is the same when the Switch user feature is used.

Possible values

  • Enabled
  • Disabled
  • Not defined

Best practices

Your implementation of this policy depends on your security requirements for displayed logon information. If you have devices that store sensitive data, with monitors displayed in unsecured locations, or if you have devices with sensitive data that are remotely accessed, revealing logged on users full names or domain account names might contradict your overall security policy. Depending on your security policy, you might also want to enable the Interactive logon: Display user information when the session is locked policy, which will prevent the Windows operating system from displaying the logon name when the session is locked or started.

Location

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Default values

Server type or Group Policy object (GPO) Default value

Default domain policy

Disabled

Default domain controller policy

Disabled

Stand-alone server default settings

Disabled

Domain controller effective default settings

Disabled

Member server effective default settings

Disabled

Effective GPO default settings on client computers

Disabled
  ## Policy management This section describes features and tools that are available to help you manage this policy. ### Restart requirement None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. ### Policy conflict considerations None. ### Group Policy This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. ## Security considerations This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. ### Vulnerability An attacker with access to the console (for example, someone with physical access or someone who can connect to the device through Remote Desktop Session Host) could view the name of the last user who logged on. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try to log on. ### Countermeasure Enable the **Interactive logon: Do not display last user name** setting. ### Potential impact Users must always type their user names and passwords when they log on locally or to the domain. The logon tiles of all logged on users are not displayed. ## Related topics [Security Options](security-options.md)