TrenchTales (Part 5) - Logon Banners

by [Published on 9 Aug. 2012 / Last Updated on 9 Aug. 2012]

The fifth article in this series of real-world stories deals implementing logon banners in Windows environments.

If you would like to read the other parts in this article series please go to:

Introduction

This series of articles leverages the expertise of IT pros from around the world who have shared their stories me through my role as editor of WServerNews, the world's largest newsletter focused on system admin and security issues for Microsoft Windows Servers, and also through several other channels such as my connections with IT pros through my activities as a Microsoft Most Valuable Professional (MVP). These stories have been edited for length and clarity where needed.

Tip:
If you haven't subscribed yet to WServerNews you should do so today!

Using KiXtart to display rotating logon banners

KiXtart is a free-format scripting language for Windows platforms. It has rich built-in functionality that makes for easy scripting, and it supports Windows scripting interfaces like ADSI and WMI. KiXstart.org is the official home where you can download KiXstart and get free online support through the community bulletin board.

A reader named Colin who is the Computer System Coordinator for a university in Canada shared a solution he created that uses KiXstart to display different informational messages whenever users log on to their computers:

We do use Kixtart to run a series of rotating informational messages, immediately after logon. The messages only pop-up every few days and are always different. Topics include internet safety, policy, computer tips etc. I know from conversations with clients that they do read them…at least if they’re not in a real hurry.

My scripting is pretty crude but I’m happy to share. The following is in our main logon script and just gives the appearance of the popup messages a random appearance:

 

;--------------------

;ONE IN TEN TRIGGER

;--------------------

;runs approximately 1 in 10 logons

? " "

? "--- 1in10 selector ---"

$dayLDgt = SUBSTR("@MDAYNO", LEN("@MDAYNO"),1)       ;last digit of date

$wksno = SUBSTR(@WKSTA,7,1)                               ;digit from the sequential part of our host names

IF (($dayLDgt = $wksno) and ($SysType="Wks"))

        ? " Call 1 in 10 kixtart batch"

        IF INGROUP("TS")

                $1in10 = MessageBox("Run 1in10.kix", "1 in 10", 292, 15)

                IF $1in10 = 6

                        ? " 1 in 10 called as Technical Support"

                        CALL "1in10\1in10.kix"

                ENDIF

        ELSE

                CALL "1in10\1in10.kix"

                ? " 1 in 10 called as regular user"

        ENDIF

ENDIF

 

The script above, calls the following child script (just a sample of the most recent), which I simply update every two weeks. I simply remark-out the last message, then re-use old messages or create a new one:

 

;2011.09.20 - 2011.10.04

;$man=MESSAGEBOX('In Windows 7, Microsoft added a variety of features that make use of your computer more efficient, than with previous versions of Windows. They include Jump Lists, Libraries and some new Keyboard Shortcuts. Would you like to be taken to a web page of these features, now?@CRLF @CRLFhelp.desk@@company.ca 604-123-4567', '7 ways to work faster in Windows 7', 292, 60)

;IF $man=6

;  CD "C:\program files\internet explorer"

;  RUN "iexplore.exe http://www.computerworld.com/s/article/9216902/7_ways_to_work_faster_in_Windows_7?taxonomyId=125&pageNumber=1"

;ENDIF

;2011.10.04 - 2011.10.18

;MESSAGEBOX("Fake antivirus software is now actively targeting both Macintosh and PC users.@CRLFHere’s how it works. A fake antivirus message warns users that their system has a virus, usually via a pop-up notification. These notifications appear authentic, right down to logos and certifications that the scammers stole from legitimate antivirus vendors.@CRLFThe scam succeeds by convincing users that their computer has been infected by a virus. A pop-up urges users to get rid of the virus by purchasing antivirus software to remove the threat. Of course, paying for this software doesn’t protect you — it only pays the bad guys and in many cases, the cybercriminals are installing additional malware on your machine and taking your credit card information Recently (early 2011), the FBI busted a cybergang that tricked nearly a million people into buying its fraudulent software. With a price point ranging from $50 to $130. The scam netted more than $72 million.@CRLF@CRLFhelp.desk@@company.ca 604-123-4567.", "Fake Antivirus Software", 64, 120)

;2011.10.18 - 2011.11.01

;MESSAGEBOX("Once you hit the send button, your email is 'live'. Take a moment to read your message and make any adjustments for clarity, brevity, grammar, and spelling. With email, less is usually more—efficient and effective.@CRLF@CRLFTechnical Support help.desk@@company.ca 604-123-4567.", "Proof your e-mail", 64, 120)

;2011.11.01 - 2011.11.15

;MESSAGEBOX("With over 600 devices, being supported by two IT staff, it is very important that we stay organized. To speed up our response, please let us know the asset number of your computing equipment (front of desktop tower or bottom of laptop), at the outset of your request.@CRLF@CRLFPlease help us by submitting all requests directly to our Help Desk system by e-mailing help.desk@@company.ca. If you are unable send e-mail, telephone us and we'll enter your request manually. If you do not receive an e-mail with 'Ticket #' in it's subject line, we did not receive your request.@CRLF @CRLF Technical Support help.desk @@company.ca 604-827-5695", "Requesting computer help", 64, 120)

;2011.11.15 - 2011.11.29

;MESSAGEBOX("The search engine is our gateway to the web. That’s why cybercriminals manipulate search results from sites such as Google, Bing and Yahoo to lure victims to their malicious pages. Search engine optimization, or SEO, is a standard Internet marketing technique used by most companies to draw people to their sites, but it can also be abused When the bad guys exploit SEO, it’s known as SEO poisoning, or Black Hat SEO.@CRLF@CRLFTechnical Support help.desk@@company.ca 604-123-4567.", "Search Engine Poisoning", 64, 120)

;2011.11.29 - 2011.12.13

;MESSAGEBOX("Some messages are easier to deal with than others. But the best way to keep your inbox under control is to deal with messages as you read them. Whether you reply, delegate, or delete, try to deal with each one. You probably can’t avoid deferring a few emails, but if you always try for closure your inbox will stay much more manageable.@CRLF@CRLFTechnical Support help.desk@@company.ca 604-123-4567.", "Do it now", 64, 120)

;2011.12.13 - 2012.01.03

;MESSAGEBOX("Here are some tried and true security lessons that work online too:@CRLF- If it sounds too good to be true, it is.@CRLF- Don’t take candy from strangers. (99.999% of the people on the Internet are strangers.)@CRLF- Your inbox is just like your mailbox, anyone can put anything in there. Just because they know your address doesn’t mean you should trust them.@CRLF- There is no such thing as a free lunch. Somebody somewhere is paying and whoever pays the piper calls the tune, such is the case with Facebook or Google advertisers.@CRLF@CRLFTechnical Support help.desk@@company.ca 604-123-4567.", "Security", 64, 120)

;2012.01.03 - 2012.01.10

;MESSAGEBOX("Instead of retyping repetitive information in emails, automate it with templates. You can create multiple signatures and templates in Microsoft Outlook. If you need instructions, search the online Help to learn how to create, edit, and use these productive tools.@CRLF@CRLFTechnical Support help.desk@@company.ca 604-123-4567.", "Create messages faster with templates", 64, 120)

;2012.01.10 - 2012.01.24

;MESSAGEBOX('We use Vector Asset Management software to distribute, upgrade and apply security patches to your computer. All computers must be connected to our wired LAN and logged on with your CompanyDomain account, at least monthly, to receive these security patches. If you fail to do so, the status of your computer will become "SelfSupported" and you will no-longer have access to P: or U: drives or our other networked services. We will not support your computer again, until it has undergone a rigorous security check, which we may charge you for.@CRLF@CRLFTechnical Support help.desk@@company.ca 604-123-4567.', 'Regular connection to CompanyDomain', 64, 120)

;2012.01.24 - 2012.02.06

;MESSAGEBOX("In Outlook, a great method to keep track of emails is to flag them. Right-click on the flag icon of an email to mark it with a coloured flag. Use a different coloured flag for Action Items, Projects, or other categories. Then you can sort your emails by flag colours to quickly find the one(s) you need.@CRLF@CRLFTechnical Support help.desk@@company.ca 604-123-4567.", "Use flags to categorize emails", 64, 120)

;2012.02.06 - 2012.02.23

;$man=MESSAGEBOX("Microsoft offers free online self-paced training on Office products at http://office.microsoft.com/en-us/training/default.aspx  Would you like to see them now?@CRLF@CRLFhelp.desk@@company.ca 604-123-4567", "Online training", 292, 60)

;IF $man=6

;  CD "C:\program files\internet explorer"

;  RUN "iexplore.exe http://office.microsoft.com/en-us/training/default.aspx"

;ENDIF

;2012.02.23 - 2012.03.07

;MESSAGEBOX("If you frequently send messages to the same group of people, you’ll save time and effort if you set them up in a distribution list. If you need instructions, search the online Help of your email application to learn how to create, edit, and use distribution lists.@CRLF@CRLFTechnical Support help.desk@@company.ca 604-123-4567.", "Create e-mail distribution lists", 64, 120)

And so on. Readers should feel free to take the script that Colin has shared and adapt it for use in their own environments, especially if they are already familiar with KiXstart.

Legal basis for requirement of logon banners

A reader named Tom from Portland, Oregon provided some good background on why US government agencies are required to display logon banners on users' computers:

In the Government area, the laws for banners are / were written such that people have to be warned / informed before they access the system - or else the Government cannot charge the person with a crime if they are accessing a computer either knowingly / unknowingly when they are not supposed to.

This came about, if I remember correctly, in the late 1990s when someone accessed over the network a government computer and copied items from it, then was charged with breaking and entering a government computer. His defense was that there was NO way for him to "know" that it was a government computer based on the signon screen (standard Windows server system if I remember correctly) since nothing showed up before get got into it. The government lost its case since the law specifically stated that people knowingly breaking into Government computer could be charged - since this person had no way of knowingly knowing that it was a government owned computer, he was acquitted.

Then they imposed the rule that all government computers must have a legal pre-logon notice that it is a Government computer so they can charge people who access it without a proper paper / electronic trail authorization.

When I asked him what were the exact laws that required such banners, he replied:

Trying to figure out the which exact law that states to do this is impossible since they are buried all over! It is in all policies now that all government computer systems must have that message on them.

  • Public Law 99-474 (from 1986, as amended in 2005 and others) requires that a warning message be displayed, notifying unauthorized users that they have accessed a U.S. Government computer system
  • Jun 1, 2006 ... A Mandatory Reference for ADS Chapter 545
  • NIST publication 800-16

most seem to reference 99-474.

Since I've seen at least one company simply tape a warning message on users' monitors, I asked him what he thought of this approach:

As for just taping a message no way. Most server systems are virtual, and desktops are also and if not often are connectable via applications / services and thus also remotely connectable, and never physically seen - so the electronic method is thereby mandated.

Another reader (anonymous) compared logon banners with EULAs:

Their purpose is not necessarily to deter bad guys (although some may be deterred), but to provide a legal basis for prosecution or disciplinary action if users access systems without authorization or exceed authorized access. They also provide consent to monitoring. Whether users read the notifications or not, they have been notified, and have no basis for challenging any disciplinary or legal action on the basis they were not told.

It is no different than users clicking through EULAs terms of service when installing software or creating accounts on various Internet services; even if they did not read the EULA or terms of service, they are still considered bound by them.

He also mentioned that logon banners should deal not only with the issue of unauthorized access to the computers but also notify users that their use of the computers may be monitored:

Remember that monitoring is a big area of focus, and been a source of litigation in the past, and I think that the right to monitor comes not so much from specific statutes, as much as case law that has developed over the years, and has generally focused on the following principles:

1)      User have, with few exceptions, little expectations of privacy on government and employer networks.

2)      Monitoring is allowable as long as users are notified in advanced that monitoring may be employed on systems they access.

The usual disclaimers “I am not a lawyer” and “your mileage may vary” apply here!

Another reader named Steve who is involved in corporate IT infrastructure design in California added one more reason for displaying logon banners, namely to safeguard the company against malicious actions by disgruntled employees:

One use of logon banners, although not directly related to security, would be a legal statement regarding company policy about computer use. Thus, in the event of a split between employee and employer over IT resource misuse or abuse, the employee cannot claim ignorance about company IT use policy. It’s been presented, at least in some summary, at every login. Sometimes the Velociraptors live in your “house”.

A reader named Mike who works in the financial industry had an interesting response to an auditor that insisted on having logon banners implemented:

I’m in a banking environment and we had an outside company perform an IT audit a couple of years ago. The auditor indicated that we needed warning banners presented at logon, indicating that these were bank machines, that you could only logon with proper authorization, and that you would be subject to all manner of penalties if you violated the logon policy. Needless to say, I could not see the logic behind this performance in our environment. We have access to lots of confidential information, but we have far better controls on that access than a banner promising some vague punishments. The arguments “for” included some blather about “legal requirements”, ie, if we did not have the warning we would have a difficult time prosecuting the miscreants who violated the logon policy. My response to that logic was that perhaps we should have a banner sign on the front door warning would-be robbers that they would be subject to prosecution if they “logged-in” to our vault and made an illegal withdrawal. I didn’t see how that warning was going to deter the less thoughtful criminal, who may not read anyway. The intelligent criminals might consider the banner for a moment, and then plan accordingly to thwart the banner. Banners are a waste of resource and time, they will not enhance your security, and stealing or accessing information that you have not been given rights to is already either a crime or a breach of your employers infosec policy, and prosecution can or will follow regardless of the banner.

A reader named Kevin who has some background in the military suggested one more possible reason for implementing logon banners:

Probably applicable is if an employee uses the computer to commit a crime, the organization can claim immunity from lawsuits demonstrating the use was unlawful and NOT an authorized use of the equipment.

Finally, Kevin also suggested a few helpful links where more information and recommendations concerning logon banners can be found:

What are the lessons learned from these readers? Perhaps that a legally effective logon banner should include at least the following types of warnings:

  • This computer is owned and operated by...and all data or email that is created, stored or transmitted on the computer is the property of...
  • Unauthorized access or use of this computer is prohibited and violators are subject to criminal and civil penalties...
  • By using this computer you hereby automatically relinquish all expectation of privacy for any data or email that is created, stored or transmitted on the computer, and you automatically grant permission to monitor all actions you perform on the computer...
  • By clicking OK you acknowledge that you have read this warning message and cannot claim ignorance about company policy for computer use...

And maybe you should also tape a sign on the front door of your building that says something similar!

Conclusion

Send me an email if you'd like to contribute your own troubleshooting "trench tale" for an upcoming issue of WServerNews or for a future article here in my column on WindowsNetworking.com.

Cheers, Mitch Tulloch
Senior Editor, WServerNews

If you would like to read the other parts in this article series please go to:

The Author — Mitch Tulloch

Mitch Tulloch avatar

Mitch Tulloch is a widely recognized expert on Windows administration, networking, and security. He has been repeatedly awarded Most Valuable Professional (MVP) status by Microsoft for his outstanding contributions in supporting users who deploy and use Microsoft platforms, products and solutions.

Latest Contributions

Featured Links