Microsoft Windows legal notice display not enabled (Legal Notice)

Vuln ID: 1320
Risk Level: Medium
Platforms: Microsoft Windows NT: 4.0, Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows 2003 Server, Microsoft Windows 7, Microsoft Windows Server 2008, Microsoft Windows Server 2008: R2, Microsoft Windows: Vista, Microsoft Windows Server 2012, Microsoft Windows 8
Description:

The legal notice is not enabled at logon. Your security policy may require a warning notice that details site security policy.

Remedy:

Configure the system to display a legal notice at logon. Suggestions about text for notice banners can be found in CERT Advisory CA-92.19. See References. In Windows NT, this can be set using System Policy Editor or by editing the registry. In Windows 2000, set the "Message title for user attempting to log on" and the "Message text for user attempting to log on" options. Follow the steps below appropriate for your platform.

Note: If the computer is a member of a domain, the domain policy has to be changed on the Domain Controller; otherwise, the policy at the Domain Controller takes precedence over the changes made on the computer.

For Windows NT:

If you have access to System Policy Editor, use it to set a notice banner on your system. Otherwise, add your banner in the registry.

CAUTION: Use Registry Editor at your own risk. Any change using Registry Editor may cause severe and irreparable damage and may require you to reinstall your operating system. Internet Security Systems cannot guarantee that problems caused by the use of Registry Editor can be solved.

  1. Open Registry Editor. (From the Windows NT Start menu, select Run, type regedt32, and click OK.)
  2. Go to the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon registry key.
  3. Add text to both the LegalNoticeCaption and LegalNoticeText values.
    Note: The LegalNoticeText value is limited to 255 characters. Both values must be set, or the notice will not be displayed.
  4. Reboot the computer for the changes to take effect.
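
To verify the result of the registry steps above, the following check reads both values and reports whether the notice will be displayed. It is an added example, not part of the original advisory; the function name Test-LegalNotice is hypothetical, and the key path, value names and 255-character limit are taken from the steps above.

```powershell
# Added example: audit the Winlogon legal notice values named in the steps above.
function Test-LegalNotice {
    param(
        [string]$Path = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    )

    # Returns $null if the key cannot be read; handled below as "not set".
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    $problems = @()

    foreach ($name in 'LegalNoticeCaption', 'LegalNoticeText') {
        # A missing value and an empty or whitespace-only string are treated alike.
        $text = ''
        if ($props -and $null -ne $props.$name) {
            $text = "$($props.$name)".Trim()
        }

        if ($text.Length -eq 0) {
            # Both values must be set, or the notice is not displayed.
            $problems += "$name is missing or empty"
        }
        elseif ($name -eq 'LegalNoticeText' -and $text.Length -gt 255) {
            # Limit as stated in the note under step 3.
            $problems += "LegalNoticeText is $($text.Length) characters (limit noted above: 255)"
        }
    }

    New-Object PSObject -Property @{
        Path      = $Path
        Compliant = ($problems.Count -eq 0)
        Problems  = $problems
    }
}

$result = Test-LegalNotice
if ($result.Compliant) {
    Write-Output "Legal notice is configured under $($result.Path)"
}
else {
    Write-Output "Legal notice is NOT fully configured under $($result.Path):"
    $result.Problems | ForEach-Object { Write-Output "  - $_" }
}
```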

For a Windows 2000 domain:

  1. Start Microsoft Management Console (MMC).
  2. Add Group Policy Snap-in.
  3. Browse Group Policy Objects.
  4. Select the Domain Policy of interest.
  5. Traverse the following path:
    Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options,
    "Message title for user attempting to log on" and "Message text for user attempting to log on" options
  6. Set the "Message title for user attempting to log on" and the "Message text for user attempting to log on" options to the desired text, according to your administration policy.

Note: If you set both the message title and text at the same time, there have been reported cases where one of them was not retained (saved). You may want to repeat this procedure, verifying that both changes were applied.

For a stand-alone Windows 2000 computer:

  1. On the computer of interest, start gpedit.msc. The focus is local computer by default.
  2. Traverse the following path:
    Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options,
    "Message title for user attempting to log on" and "Message text for user attempting to log on" options
  3. Set the "Message title for user attempting to log on" and the "Message text for user attempting to log on" options to the desired text, according to your administration policy.

Required Permission: Windows login

References:

CERT Advisory CA-1992-19
Keystroke Logging Banner
http://www.cert.org/advisories/CA-1992-19.html

CIAC Information Bulletin A-22
Logon Messages and Hacker/Cracker Attacks
http://www.ciac.org/ciac/bulletins/a-22.shtml

CIAC Information Bulletin J-043g
Creating Login Banners
http://www.ciac.org/ciac/bulletins/j-043.shtml

ISS X-Force
Microsoft Windows legal notice display not enabled
http://www.iss.net/security_center/static/1320.php