Locking down a server

  • Thread starter: Christopher McCulloch

Christopher McCulloch

I have a question for you all. I'm running Windows 2000
Advanced Server as my domain controller. Whenever I leave
this machine I always lock it, and I have the screensaver set to
lock the computer.

My problem is that I have group policy on the DC set to
not show the last user who logged onto a machine, so idle
glances can't pick up a user name. But when I lock my
computer it says in plain text

"This computer has been locked by /MyDomain/MyUsername"

I'd really love a way to remove this feature. I don't need
people who don't belong on my DC to know my administrator
username and make them try and crack the password.

Thank you,

Chris
 
If you don't find a way to remove the username,
I would suggest you make the password contain upper and lower case letters,
numbers, and special characters.
At least you can make it hard enough to where it will take them a long time
to hack it if they get it at all.


hth
DDS W 2k MVP MCSE
 
Thanks Danny,

I already use both upper and lower case and numbers within
my password, but was hoping for some extra security in
hiding my username.

-Christopher
 
Never seen a way to do this. I think your only option is to not lock the
machine or turn off the monitor or cover the monitor on/off switch with a
lock or something. Realistically this really should not be too big of a
concern for you from internal users. They can easily search through your
network and find your name other ways. Especially if you have email they
will probably see this username right in the global address lists.

--
Scott Harding
MCSE, MCSA, A+, Network+
Microsoft MVP - Windows NT Server

scrockel@***No_SPAM***hotmail.com
 
My first comment would be "Why can such a person access the machine?".....
In fact, "Why can *ANYONE* except admins access the machine?"

A DC (or any production server) on a network ***MUST*** be behind a locked
door with restricted access. I'd be more concerned about someone walking in
and just turning off the DC. Not good.

My second comment would be that if your concern is a real one, you have
major security issues in your company.

Simplest policy is to have secure passwords. It's not hard to generate easy
to remember passwords that are, for all intents, impossible to crack. For
example, a common technique is to use a word and replace the "oh" with
"zero" and the "eye" with "one". There are plenty of others.

I think you have other issues to deal with that are more important than this
one...
 
Agreed wholeheartedly, but to answer your question, no, there isn't a way.
At least not a way that I can think of. I would just log off since you
already have that policy set. It's not like there is a huge difference in the
amount of keystrokes to get back to the desktop. Some other good practices
are to rename the administrator account to something else, the more
non-administrative sounding the better. Never logon to DCs with your
personal account, only workstations. Keep your workstation secure by logging
out or locking out. You can also set the local policy on your workstation to
only allow you for interactive logon. But first off get that DC in a secure
room.....then do the other stuff....and if you really want to go nuts
locking down your servers, the NSA has a ton of docs/how-tos to really
tighten things up in Win2k and AD.

Jason
 