Setting Logon Policies
Windows XP Professional defines a number of security policies related to the logon process. You can get to these policies in two ways:
- In the Group Policy editor, select Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options.
- In the Local Security Settings editor, select Security Settings, Local Policies, Security Options.
Most of the logon options are listed in the Interactive Logon group of policies. Here's a list of the most useful options (note that all of these options apply to the Classic logon):
- Do Not Display Last User Name: Enable this option to clear the User Name text box each time the Log On To Windows dialog box appears. Although it adds a bit of inconvenience to the logon, this is a good security feature because it denies an intruder an important piece of information: a legitimate system user name. (This is particularly true if you rename the Administrator account, as we'll describe later in this tutorial in the "Setting Account Policies" section.) This policy modifies the following registry setting (0 = disable; 1 = enable):
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\dontdisplaylastusername
- Do Not Require CTRL+ALT+DEL: Enable this policy to bypass the initial Welcome To Windows dialog box (the one that prompts you to press Ctrl+Alt+Delete) and go directly to the Log On To Windows dialog box. This can save you a startup step, but it decreases the security of the logon. The main concern here is that your system might get infected with a virus or Trojan horse program that displays a fake Log On To Windows dialog box as a ruse to capture your user name and password. If you decide to enable this policy, make sure you have a good anti-virus program and that you use it often. This policy modifies the following registry setting (0 = disable; 1 = enable):
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableCAD
- Message Text For User Attempting To Log On: Use this option to specify a text message that appears in a dialog box after any user presses Ctrl+Alt+Delete (but before the Log On To Windows dialog box appears). This policy modifies the following registry setting:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\legalnoticetext
- Message Title For Users Attempting To Log On: Use this option to set the title of the dialog box that contains the message to the user that you specified in the previous setting. This policy modifies the following registry setting:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\legalnoticecaption
- Number of Previous Logons To Cache (In Case Domain Controller Is Not Available): Use this option to set the number of previous domain logons (user name, password, and domain) that Windows XP will retain. By retaining a logon, Windows XP enables that user to log on to Windows XP even if a domain controller isn't present (for example, on a notebook that isn't always connected to the network at startup). This policy modifies the following registry setting:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\cachedlogonscount
- Prompt User To Change Password Before Expiration: Use this option to set the number of days prior to password expiration that a message forewarning the expiration will be displayed. (We'll show you how to set an expiration date for a password later in this tutorial.) This policy modifies the following registry setting:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\passwordexpirywarning
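A read-only audit of the registry settings listed above, as an added example that is not part of the original tutorial. It assumes PowerShell 2.0 or later is installed (it is not part of a default Windows XP installation); the function name Get-LogonPolicyReport and the Expected column are illustrative, and an expected value is given only for the two settings where the text states a security preference.

```powershell
# Added example: read-only audit of the logon policy values listed in this section.
$policies = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system'
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Expected is filled in only where the text states a security preference
# (assumption of this example); $null means "report the value, no judgement".
$checks = @(
    @{ Path = $policies; Name = 'dontdisplaylastusername'; Expected = 1 },  # hide last user name
    @{ Path = $policies; Name = 'DisableCAD';              Expected = 0 },  # keep Ctrl+Alt+Delete
    @{ Path = $policies; Name = 'legalnoticecaption';      Expected = $null },
    @{ Path = $policies; Name = 'legalnoticetext';         Expected = $null },
    @{ Path = $winlogon; Name = 'cachedlogonscount';       Expected = $null },
    @{ Path = $winlogon; Name = 'passwordexpirywarning';   Expected = $null }
)

function Get-LogonPolicyReport {
    param([hashtable[]]$Checks)
    foreach ($c in $Checks) {
        $name = $c.Name
        # A missing key or value is not an error here: the policy was never set.
        $item = Get-ItemProperty -Path $c.Path -Name $name -ErrorAction SilentlyContinue
        if ($item) { $value = $item.$name } else { $value = $null }

        # Compare as strings so REG_SZ and REG_DWORD data are handled alike.
        if ($null -eq $value) { $status = 'NotSet' }
        elseif ($null -eq $c.Expected) { $status = 'Info' }
        elseif ("$value" -eq "$($c.Expected)") { $status = 'OK' }
        else { $status = 'Review' }

        New-Object PSObject -Property @{
            Setting = $name; Value = $value; Expected = $c.Expected; Status = $status
        } | Select-Object Setting, Value, Expected, Status
    }
}

Get-LogonPolicyReport -Checks $checks | Format-Table -AutoSize
```

A status of NotSet means the value is absent and Windows is applying its default; Review marks a value that differs from the setting the text favours.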