June 19, 1999 1:00 GMT
Revised: June 23, 1999 1:00 GMT
Revised: June 23, 1999 20:00 GMT
Revised: June 25, 1999 20:00 GMT
Revised: July 23, 1999 20:00 GMT
Revised: July 26, 1999 20:00 GMT
Revised: August 4, 1999 20:00 GMT
Revised: September 29, 1999 20:00 GMT
Revised: May 9, 2000 20:00 GMT
Revised: February 11, 2004 20:00 GMT
PROBLEM: A requirement for successfully prosecuting those unauthorized users who improperly use a government computer is that the computer must have a warning banner displayed at all access points. That banner must warn authorized and unauthorized users 1) about what is considered the proper use of the system, 2) that the system is being monitored to detect improper use and other illicit activity, and 3) that there is no expectation of privacy while using the system. The technical details for implementing banners depend on the particular operating system and access point.
PLATFORM: Macintosh, Windows NT/2K/XP, Windows 95/98/ME, Windows 3.11, DOS, and UNIX systems.
DAMAGE: Failure to have notification might be used as a defense in the prosecution of a user or intruder for improper use of the system.
SOLUTION: Make the modifications described here to add banners to all access points on your system. Where it is not possible to implement automatic electronic banners, a printed banner should be attached where it can be read by the user of the system.
VULNERABILITY ASSESSMENT: A new requirement from the Department of Energy is that every computer system owned by the Department must have a warning banner on all access points. Every computer will require changes to its system files to ensure that a banner is displayed whenever the system is turned on or a user logs on.
[Revised 6/23/99 Update Windows NT, 95, 98, and Web sections]
[Revised 6/25/99 Add more information about TCP Wrappers]
[Revised 7/23/99 Add NT 3.51 banner]
[Revised 7/26/99 Add Mac startup banner]
[Revised 8/4/99 Change WindowsNT to Windows NT in reg key.]
[Revised 9/29/99 Revise TCP Wrappers and UNIX sections]
[Revised 5/9/2000 Add Windows NT FTP Server Section]
[Revised 2/11/2004 Add Windows 2K and XP notes]
Creating/Installing Warning Banners
===================================

The Department of Energy is requiring warning banners on all interactive access points (for example, console login, telnet, ftp, http) and on all non-interactive access points that provide a human-readable response (for example, finger). The Department prefers that banners be displayed prior to access to system resources and that the user acknowledge compliance before the user can access those resources. In the event that the system does not support this pre-login capability, the system should display a warning at or immediately after login. In the event that electronic banners and warnings are not supported by a system, printed banners should be used that are clearly visible to the user as they use the system.

NOTE: This document will change as CIAC determines new methods to add banners to other access points; check the online version of this bulletin for additions at http://www.ciac.org.

Warning Banner
==============

The Department of Energy's Office of the General Counsel has approved the following banner for Federal Government computer systems.

***************************************************************************
                              NOTICE TO USERS

This is a Federal computer system and is the property of the United States
Government. It is for authorized use only. Users (authorized or unauthorized)
have no explicit or implicit expectation of privacy.

Any or all uses of this system and all files on this system may be
intercepted, monitored, recorded, copied, audited, inspected, and disclosed to
authorized site, Department of Energy, and law enforcement personnel, as well
as authorized officials of other agencies, both domestic and foreign. By using
this system, the user consents to such interception, monitoring, recording,
copying, auditing, inspection, and disclosure at the discretion of authorized
site or Department of Energy personnel.

Unauthorized or improper use of this system may result in administrative
disciplinary action and civil and criminal penalties. By continuing to use
this system you indicate your awareness of and consent to these terms and
conditions of use. LOG OFF IMMEDIATELY if you do not agree to the conditions
stated in this warning.
***************************************************************************

Warning Banner Modification for Public Servers
==============================================

Public servers such as public web servers and anonymous ftp servers that are available to the general public must also have a banner. Public servers are those that allow access by anyone who can connect to the server over a network through a normal access point without requiring any authentication. The banner must indicate to the user that they have no expectation of privacy while using the server and that all access to the server is logged. The banner below is an example of such a public banner for a public web server. This public banner is only for the public access points to a server. Nonpublic access points to a server must still display the Federal Government warning banner above.

***************************************************************************
                              NOTICE TO USERS

Use of this system constitutes consent to security monitoring and testing.
All activity is logged with your host name and IP address.
***************************************************************************

Macintosh Startup Banners
=========================

On Macintosh computers, you have two options: replace the normal startup screen with a banner, or install the doesecwar startup banner dialog box. The doesecwar program was provided by Dave Moore of NAWCWD, China Lake. The program is installed as a system extension and displays a dialog box at startup showing the DOE warning and two buttons. If you press I Accept, startup continues normally. If you press I Decline, the system shuts down.
To install doesecwar, download it here, uncompress the file, and drag the doesecwar program to the System folder. A dialog box informs you that this program belongs in the Extensions folder. Click OK; when you reboot your computer, the banner will be displayed at system startup.

Alternately, you can replace the normal Macintosh startup banner with a different banner. The banner takes the form of a bitmap image named StartupScreen placed in the System folder. To create and install a startup warning banner on Macintosh systems, perform these steps:

1. Create the banner as a picture with a drawing program or download the sample from the CIAC web site.
2. Save the banner with the name StartupScreen and with the type StartupScreen. Note that the SuperPaint program, among others, can create startup screens and that the GraphicConverter shareware utility can convert images created in other picture formats into startup screens.
3. Place a copy in the System folder of each Macintosh computer.

Whenever the computer is booted, the banner is displayed, replacing the Macintosh OS or Welcome to Macintosh banners. This works on all versions of the Macintosh operating system through version 8.5.

Windows NT/2K/XP and Windows 95/98/ME Login Banners
===================================================

The Windows 95/98/ME/NT/2K/XP operating systems allow a login with a username and password before the system can be used. The following method causes a dialog box with the warning banner and an OK button to be displayed before the system displays the login dialog box on Windows 95/98/ME, and after pressing Ctrl-Alt-Del on Windows NT/2K/XP. To create a login banner on these Windows systems you must add two keys to the Windows registry. There are two ways to edit the registry. One is to edit it directly; the second is to create a .reg file containing the required changes and to execute the file with regedit. The following registry key and values set the local login banner.
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
Values:
  LegalNoticeCaption = "The caption text."
  LegalNoticeText = "The body of the banner."

Starting with Windows 2000, there is a second registry key and set of values associated with login banners. These keys are set with Active Directory. If these Active Directory local policy values are defined, they take precedence over the local settings in the WinLogon key above.

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system
Values:
  LegalNoticeCaption = "The local policy caption text."
  LegalNoticeText = "The local policy body of the banner."

Perform these steps to create a login banner on Windows systems. For Windows 95/98/ME, substitute Windows for Windows NT in the registry keys below. For Windows NT 3.51, shorten the original banner slightly by changing the words "United States" in the first line of the banner to "U. S." If you are using Active Directory, set the banner values there instead of setting them locally.

1. Use regedit or regedit32 to edit the Windows registry.
2. To set the login banner caption, create the following key:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption
   2.1 Using regedit, scroll down to the Winlogon key.
   2.2 With the Winlogon key selected, choose the Edit, New, String Value command.
   2.3 Type the name of the new string value as LegalNoticeCaption and press Enter.
   2.4 With the new string value selected, choose the Edit, Modify command.
   2.5 In the dialog box that is displayed, type NOTICE TO USERS and press Enter.
3. To set the banner text, create the following key:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText
   3.1 With the Winlogon key selected, choose the Edit, New, String Value command.
   3.2 Type the name of the new string value as LegalNoticeText and press Enter.
   3.3 With the new string value selected, choose the Edit, Modify command.
   3.4 In the dialog box that is displayed, type the body of the legal notice and press Enter. Note that the notice appears as a single paragraph because you cannot type returns in the regedit key editor.

This banner appears as a dialog box just before the system displays the login dialog box.

After editing the key with RegEdit, you can save the entries as a .reg file (copies are available from the CIAC web site for 95/98/ME, NT/2K/XP, and NT 3.51). To create the file, select the two keys you just created and choose the Registry, Export Registry File command, give the file a name, and click Save. Edit this .reg file with a text editor and remove all the keys but "LegalNoticeCaption" and "LegalNoticeText". You can copy this .reg file to other machines; simply double-clicking it makes the same edits to the registries of the other machines. If you have created a Windows NT/2K/XP .reg file, you can convert it to a Windows 95/98/ME .reg file by editing it with a text editor, changing "Windows NT" in the two keys to "Windows", and saving the file with a different name. You can also convert the Windows NT banner to a Windows NT 3.51 banner by shortening the banner text slightly: replace the words "United States" in the first line of the banner text with "U. S." and save the .reg file with a different name.

You can edit these keys with RegEdit, RegEdit32, or the system policy editor (poledit.exe). A difficulty is your inability to type a return in these editors, which causes the body of the warning to be a single paragraph. If you are so inclined, you can edit the key with RegEdit32 in binary mode and insert a 0D wherever you want a return to appear. The easiest way to do this is to edit the key in text mode and insert a ~ (hex 7E) wherever you want a new paragraph to start (use ~~ to create a new paragraph and space it down one line). Open the key again in binary mode and replace each 7E with 0D (Return).
A difficulty with a key created in this way is that it cannot be saved in a .reg file and copied from machine to machine. You must edit each machine's registry separately with RegEdit32.
The hex version of the "LegalNoticeText" key is available on the CIAC server. This hex mode key contains two Returns at the end of each paragraph and can be copied and pasted into the RegEdit32 binary editor window.
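As an added example (not part of the CIAC bulletin or its downloadable .reg files), the following Python script builds the two-value .reg file described above for each Windows family the bulletin covers, applying the "Windows NT" to "Windows" key substitution for 95/98/ME and the "U. S." shortening for NT 3.51. It also filters an exported .reg file down to just the LegalNoticeCaption and LegalNoticeText values, the step the bulletin asks you to do by hand in a text editor. The platform labels ("nt", "9x", "nt351") and the function names are this example's own; the REGEDIT4 header is used because it is the export format of the Windows 95/NT 4 era and later versions of regedit still import it. The generated value is a single paragraph, matching the bulletin's note that a string typed into regedit cannot hold returns; the RegEdit32 binary-mode 0D trick is not reproduced because the bulletin says such a key cannot be carried in a .reg file.

```python
# Added example (not part of the CIAC bulletin): build the two-value .reg
# file the bulletin describes, for each Windows family it covers, and filter
# an exported .reg file down to the two LegalNotice values. Platform names
# ("nt", "nt351", "9x") and the function names are this example's own.
import re

# Banner text as published in the bulletin; the blank lines are collapsed
# below because a quoted .reg string cannot carry a return character.
BANNER_CAPTION = "NOTICE TO USERS"
BANNER_TEXT = """
This is a Federal computer system and is the property of the United States
Government. It is for authorized use only. Users (authorized or unauthorized)
have no explicit or implicit expectation of privacy.

Any or all uses of this system and all files on this system may be
intercepted, monitored, recorded, copied, audited, inspected, and disclosed to
authorized site, Department of Energy, and law enforcement personnel, as well
as authorized officials of other agencies, both domestic and foreign. By using
this system, the user consents to such interception, monitoring, recording,
copying, auditing, inspection, and disclosure at the discretion of authorized
site or Department of Energy personnel.

Unauthorized or improper use of this system may result in administrative
disciplinary action and civil and criminal penalties. By continuing to use
this system you indicate your awareness of and consent to these terms and
conditions of use. LOG OFF IMMEDIATELY if you do not agree to the conditions
stated in this warning.
"""

# Winlogon key per family, exactly as the bulletin gives them.
WINLOGON_KEYS = {
    "nt": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
    "nt351": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
    "9x": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon",
}
# Local-policy key that takes precedence from Windows 2000 on.
POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system"
WANTED_VALUES = {"LegalNoticeCaption", "LegalNoticeText"}


def single_paragraph(text):
    """Collapse all whitespace: the logon dialog shows one paragraph anyway."""
    return " ".join(text.split())


def reg_escape(value):
    """Escape backslash and double quote, the two characters special in a .reg string."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def banner_text(platform):
    """Banner body for a family; NT 3.51 gets the shortened 'U. S.' wording."""
    text = single_paragraph(BANNER_TEXT)
    if platform == "nt351":
        text = text.replace("United States", "U. S.", 1)
    return text


def build_reg(platform, use_policy_key=False):
    """Return the text of a REGEDIT4-format .reg file setting the two banner values."""
    if use_policy_key and platform != "nt":
        raise ValueError("the Policies key applies to Windows 2000 and later only")
    key = POLICY_KEY if use_policy_key else WINLOGON_KEYS[platform]
    lines = [
        "REGEDIT4",
        "",
        "[%s]" % key,
        '"LegalNoticeCaption"="%s"' % reg_escape(BANNER_CAPTION),
        '"LegalNoticeText"="%s"' % reg_escape(banner_text(platform)),
        "",
    ]
    return "\r\n".join(lines)


_VALUE_LINE = re.compile(r'^"([^"]+)"=')


def keep_legal_notice_only(exported):
    """Drop every value except the two LegalNotice values from an exported .reg file.

    Keys left with no retained values are dropped too, so importing the result
    touches nothing but the banner.
    """
    lines = exported.splitlines()
    out = [lines[0], ""]  # first line is the format header (REGEDIT4 or Version 5.00)
    header, kept = None, []
    for line in lines[1:] + ["["]:  # the sentinel flushes the last key
        if line.startswith("["):
            if header is not None and kept:
                out.extend([header] + kept + [""])
            header, kept = line, []
        else:
            match = _VALUE_LINE.match(line)
            if match and match.group(1) in WANTED_VALUES:
                kept.append(line)
    return "\r\n".join(out)


if __name__ == "__main__":
    for family in ("nt", "9x", "nt351"):
        print(build_reg(family))
```

Write the output of build_reg() to a file with a .reg extension and double-click it, as the bulletin describes; keep_legal_notice_only() takes the text of a file produced by the Registry, Export Registry File command and returns a copy safe to distribute to other machines.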
If this is a public web page, you may put the public banner at the top of the home page instead of putting it on a separate page, and add a button to the top or bottom of each page that also displays the public banner.

HTML Banner
-----------

The following web page implements the DOE banner in a box with the title centered at the top. Below the banner is a link to the site's normal home page.
<HTML>
<HEAD>
<META NAME="GENERATOR" Content="Microsoft Visual Studio 6.0">
<TITLE>Notice To Users</TITLE>
</HEAD>
<BODY>
<CENTER>
<TABLE BORDER=1 CELLSPACING="1" WIDTH=80%>
<TR><TD VALIGN="center">
<CENTER>
<H2>NOTICE TO USERS</H2>
</CENTER>
<FONT size=2>
<P>This is a Federal computer system and is the property of the United States Government. It is for authorized use only. <B>Users (authorized or unauthorized) have no explicit or implicit expectation of privacy.</B>
<P>Any or all uses of this system and all files on this system may be intercepted, monitored, recorded, copied, audited, inspected, and disclosed to authorized site, Department of Energy, and law enforcement personnel, as well as authorized officials of other agencies, both domestic and foreign. <B>By using this system, the user consents to such interception, monitoring, recording, copying, auditing, inspection, and disclosure at the discretion of authorized site or Department of Energy personnel.</B>
<P><B>Unauthorized or improper use of this system may result in administrative disciplinary action and civil and criminal penalties. <U>By continuing to use this system you indicate your awareness of and consent to these terms and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this warning.</U></B>
</FONT>
</TD>
</TR>
</TABLE>
<A HREF="myhomepage.html">To Home Page</A>
</CENTER>
</BODY>
</HTML>
Voice: +1 866-941-2472 (7 x 24) E-mail: email@example.com World Wide Web: http://www.doecirc.energy.gov/