| VID |
28046 |
| Severity |
20 |
| Port |
139,445 |
| Protocol |
TCP |
| Class |
SMB |
| Detailed Description |
The Windows system is configured not to display a legal notice at log on. This feature can be useful for any legal warnings you want to give regarding the use of the computer. If you want to add a warning to be displayed when a user attempts to log on to a Windows NT/2000/2003/XP system, you must use this feature.
* Note: This check requires an account with Guest or higher privileges that can access the registry of the remote host being scanned. If these conditions are not met, the check is not performed, which results in a false negative for all vulnerable hosts.
* References: http://www.cert.org/advisories/CA-1992-19.html http://www.ciac.org/ciac/bulletins/a-22.shtml http://www.ciac.org/ciac/bulletins/j-043.shtml
* Platforms Affected: Windows NT (any version), Windows 2000 (any version) |
| Recommendation |
Configure the system to display a legal notice at logon. In Windows NT, this can be set using System Policy Editor or by editing the registry. In Windows 2000, set the "Message title for user attempting to log on" and the "Message text for user attempting to log on" options. Follow the steps below appropriate for your platform.
For Windows NT: If you have access to System Policy Editor, use it to set a notice banner on your system. Otherwise, add your banner in the registry.
1. Open Registry Editor. (From the Windows NT Start menu, select Run, type regedt32, and click OK.)
2. Go to the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon registry key.
3. Add text to both the LegalNoticeCaption and LegalNoticeText values (the LegalNoticeText value is limited to 255 characters).
4. Reboot the computer for the changes to take effect.
For a Windows 2000 domain:
1. Start Microsoft Management Console (MMC).
2. Add the Group Policy snap-in.
3. Browse Group Policy Objects.
4. Select the Domain Policy of interest.
5. Traverse the following path: Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options.
6. Set the "Message title for user attempting to log on" and the "Message text for user attempting to log on" options to the desired text.
For a stand-alone Windows 2000 computer:
1. On the computer of interest, start gpedit.msc. The focus is local computer by default.
2. Traverse the following path: Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options.
3. Set the "Message title for user attempting to log on" and the "Message text for user attempting to log on" options to the desired text.
For Windows XP, 2003, Vista, 7, 2008, 8, 2012, 10, 2016, 2019:
1. Go to Start menu -> Run and type 'gpedit.msc'.
2. Traverse the following path: Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options.
3. Set the "Message title for user attempting to log on" and the "Message text for user attempting to log on" options to the desired text. |
| Related URL |
(CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
1320 (ISS) |
|
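An added example, not part of the original check description: a PowerShell script that audits the LegalNoticeCaption and LegalNoticeText values named in the recommendation and, when given `-Caption` and `-Text`, writes them to the Winlogon key. It assumes an elevated session and that the Security Options policy settings are stored under `Policies\System`; the function name, parameters and pass/fail rule are this example's own.

```powershell
# Added example: audit (and optionally set) the logon legal notice.
# The Winlogon key and value names come from the recommendation above.
# Assumption: the Security Options settings are stored under Policies\System.
[CmdletBinding()]
param(
    [string]$Caption,   # banner title to write (optional)
    [string]$Text       # banner body to write (optional)
)

$Locations = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

function Get-LegalNotice {
    param([string]$Path)
    # A missing key or value yields $null, which becomes an empty string below.
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    $cap   = [string]$props.LegalNoticeCaption
    # The text may be a single string or a string array; join it either way.
    $body  = @($props.LegalNoticeText) -join "`n"
    [pscustomobject]@{
        Path      = $Path
        Caption   = $cap
        Text      = $body
        Compliant = (-not [string]::IsNullOrWhiteSpace($cap)) -and
                    (-not [string]::IsNullOrWhiteSpace($body))
    }
}

if ($Caption -and $Text) {
    if ($Text.Length -gt 255) {
        Write-Warning 'LegalNoticeText exceeds the 255-character limit noted above.'
    }
    # Writing under HKLM requires an elevated (administrator) session.
    $winlogon = $Locations[1]
    Set-ItemProperty -Path $winlogon -Name LegalNoticeCaption -Value $Caption
    Set-ItemProperty -Path $winlogon -Name LegalNoticeText    -Value $Text
}

$results = $Locations | ForEach-Object { Get-LegalNotice -Path $_ }
$results | Format-Table Path, Caption, Compliant -AutoSize

# This example's rule: pass if either location has both a title and a text.
if ($results.Compliant -contains $true) {
    'PASS: legal notice configured'
} else {
    'FAIL: no legal notice displayed at logon'
    exit 1
}
```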