
CIAC INFORMATION BULLETIN

J-043h: Creating Login Banners

June 19, 1999 1:00 GMT
Revised: June 23, 1999 1:00 GMT
Revised: June 23, 1999 20:00 GMT
Revised: June 25, 1999 20:00 GMT
Revised: July 23, 1999 20:00 GMT
Revised: July 26, 1999 20:00 GMT
Revised: August 4, 1999 20:00 GMT
Revised: September 29, 1999 20:00 GMT
Revised: May 9, 2000 20:00 GMT
Revised: February 11, 2004 20:00 GMT


PROBLEM:       A requirement for successfully prosecuting those unauthorized
               users who improperly use a government computer is that the
               computer must have a warning banner displayed at all access
               points. That banner must warn authorized and unauthorized users 
                   1) about what is considered the proper use of the system,
                   2) that the system is being monitored to detect improper 
                      use and other illicit activity,
                   3) that there is no expectation of privacy while using 
                      this system. 
               The technical details for implementing banners depend on
               the particular operating system and access point.
PLATFORM:      Macintosh, Windows NT/2K/XP, Windows 95/98/ME, Windows 3.11, DOS, and 
               UNIX systems. 
DAMAGE:        Failure to have notification might be used as a defense in the 
               prosecution of a user or intruder for improper use of the 
               system. 
SOLUTION:      Make the modifications described here to add banners to all 
               access points on your system. Where it is not possible to
               implement automatic electronic banners, a printed banner should
               be attached where it can be read by the user of the system.


VULNERABILITY  A new requirement from the Department Of Energy is that every
ASSESSMENT:    computer system owned by the Department must have a warning  
               banner on all access points. Every computer will require 
               changes to its system files to ensure that a banner is 
               displayed whenever the system is turned on or a user logs on.

[Revised 6/22/99 Change one word in banner text. Change JavaScript banner]
[Revised 6/23/99 Update Windows NT, 95, 98, and Web sections]
[Revised 6/25/99 Add more information about TCP Wrappers]
[Revised 7/23/99 Add NT 3.51 banner]
[Revised 7/26/99 Add Mac startup banner]
[Revised 8/4/99 Change WindowsNT to Windows NT in reg key.]
[Revised 9/29/99 Revise TCP Wrappers and UNIX sections]
[Revised 5/9/2000 Add Windows NT FTP Server Section]
[Revised 2/11/2004 Add Windows 2K and XP notes]

Creating/Installing Warning Banners

The Department of Energy is requiring warning banners on all interactive 
access points (for example, console login, telnet, ftp, http) and on all 
non-interactive access points that provide a human readable response (for 
example, finger). The Department prefers that banners are displayed prior to 
access to system resources and that the user must acknowledge that compliance 
before the user can access those resources. In the event that the system does 
not support this pre-login capability, the system should display a warning at 
or immediately after login. In the event that electronic banners and warnings 
are not supported by a system, printed banners should be used that are clearly 
visible to the user as they use the system. 

NOTE: This document will change as CIAC determines new methods to add banners 
to other access points; check the online version of this bulletin for 
additions at http://www.ciac.org.

Warning Banner
==============

The Department of Energy's Office of the General Council has approved the 
following banner for Federal Government computer systems.


***************************************************************************
                            NOTICE TO USERS


This is a Federal computer system and is the property of the United 
States Government. It is for authorized use only. Users (authorized or 
unauthorized) have no explicit or implicit expectation of privacy.

Any or all uses of this system and all files on this system may be 
intercepted, monitored, recorded, copied, audited, inspected, and disclosed to 
authorized site, Department of Energy, and law enforcement personnel, 
as well as authorized officials of other agencies, both domestic and foreign.
By using this system, the user consents to such interception, monitoring, 
recording, copying, auditing, inspection, and disclosure at the discretion of 
authorized site or Department of Energy personnel.

Unauthorized or improper use of this system may result in administrative 
disciplinary action and civil and criminal penalties. By continuing to use
this system you indicate your awareness of and consent to these terms and 
conditions of use. LOG OFF IMMEDIATELY if you do not agree to the conditions
stated in this warning.


*****************************************************************************

Warning Banner Modification for Public Servers
==============================================

Public servers such as public web servers and anonymous ftp servers that are
available to the general public must also have a banner. Public servers are 
those that allow access by anyone who can connect to the server over a network 
through a normal access point without requiring any authentication. The banner 
must indicate to the user that they have no expectation of privacy while using 
the server and that all access to the server is logged. The banner below is an 
example of such a public banner for a public web server. This public banner is 
only for the public access points to a server. Nonpublic access points to a 
server must still display the Federal Government warning banner above.


***************************************************************************
                            NOTICE TO USERS

Use of this system constitutes consent to security monitoring and testing. 
All activity is logged with your host name and IP address.


*****************************************************************************
Macintosh Startup Banners
=========================

On Macintosh computers you have two options: replace the normal startup 
screen with a banner, or install the doesecwar startup banner dialog box.
The doesecwar program was provided by Dave Moore of NAWCWD, China Lake. The
program is installed as a system extension and displays a dialog box at startup
showing the DOE warning and two buttons. If you press I Accept, startup continues
normally. If you press I Decline, the system shuts down.

To install doesecwar, download it here, uncompress the file and drag the doesecwar
program to the system folder. A dialog box informs you that this program belongs
in the extensions folder. Click OK and when you reboot your computer the banner
will be displayed at system startup. 

Alternately, you can change the normal Macintosh startup banner with a different
banner. The banner is in the form of a bitmap image named StartupScreen and 
placed in the System folder.

To create and install a startup warning banner on Macintosh systems, perform 
these steps:

1.  Create the banner as a picture with a drawing program or download the 
    sample from the ciac web site. 
2.  Save the banner with the name StartupScreen and with the type 
    StartupScreen.  Note that the SuperPaint program, among others, can create 
    startup screens and that the GraphicConverter shareware utility can 
    convert images created in other picture formats into startup screens.
3.  Place a copy in the System folder of each Macintosh computer. 

Whenever the computer is booted, the banner is displayed, replacing the 
Macintosh OS or Welcome to Macintosh banners. This works on all versions of 
the Macintosh operating system through version 8.5.


Windows NT/2K/XP and Windows 95/98/ME Login Banners
===================================================

The Windows 95/98/ME/NT/2K/XP operating systems allow a login with a username 
and password before the system can be used. The following method causes a 
dialog box with the warning banner and an OK button to be displayed before the 
system displays the login dialog box on Windows 95/98/ME and after pressing 
Ctrl-Alt-Del on Windows NT/2K/XP.

To create a login banner on these Windows systems you must add two 
keys to the Windows registry. There are two ways to edit the registry. One is 
to edit it directly; the second is to create a .reg file containing the 
required changes and to execute the file with regedit.

The following registry key and values set the local login banner.

Key:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon

Values:
  LegalNoticeCaption = "The caption text."
  LegalNoticeText = "The body of the banner."

Starting with Windows 2000, there is a second registry key and values associated
with Login banners. These keys are set with active directory. If these active
directory local policy values are defined, they take precedence over the local 
settings in the WinLogon key above.

Key:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system

Values:
  LegalNoticeCaption = "The local policy caption text."
  LegalNoticeText = "The local policy body of the banner."

Perform these steps to create a login banner on Windows systems.
For Windows 95/98/ME substitute Windows for Windows NT in the registry keys 
below. For Windows NT 3.51, shorten the original banner slightly by changing the
words "United States" in the first line of the banner to "U. S." If you are
using Active Directory, set the banner values there instead of setting them
locally.

1.  Use regedit or regedit32 to edit the Windows registry.
2.  To set the login banner caption, create the following key: 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
        CurrentVersion\Winlogon\LegalNoticeCaption

    2.1 Using regedit, scroll down to the Winlogon key.
    2.2 With the Winlogon key selected choose the Edit, New, String Value 
        command.
    2.3 Type the name of the new string value as: LegalNoticeCaption and press 
        Enter.
    2.4 With the new string value selected, choose the Edit, Modify command.
    2.5 In the dialog box that is displayed, type: NOTICE TO USERS and press 
        Enter.

3.  To set the banner text, create the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
        CurrentVersion\Winlogon\LegalNoticeText

    3.1 With the Winlogon key selected choose the Edit, New, String Value 
        command.
    3.2 Type the name of the new string value as: LegalNoticeText and press 
        Enter.
    3.3 With the new string value selected, choose the Edit, Modify command.
    3.4 In the dialog box that is displayed, type the body of the legal notice 
        and press Enter. Note that the notice appears as a single paragraph 
        because you can not type returns in the regedit key editor.

This banner appears as a dialog box just before the system displays the login 
dialog box.

After editing the key with RegEdit, you can save the entries as a .reg file (a 
copy is available from the CIAC web site for 95/98/ME, NT/2K/XP, and NT 3.51). To create the 
file, select the two keys you just created and choose the Registry, Export 
Registry File command, give the file a name and click Save. Edit this .reg file 
with a text editor and remove all the keys but "LegalNoticeCaption" and 
"LegalNoticeText". You can copy this .reg file to other machines and simply 
double clicking it makes the same edits to the registries of the other machines. 

If you have created a Windows NT/2K/XP .reg file, you can convert it to a Windows 
95/98/ME .reg file by editing it with a text editor and changing "Windows NT" in the 
two keys to "Windows" and saving the file with a different name. You can also
convert the Windows NT banner to a Windows NT 3.51 banner by shortening the banner
text slightly. Replace the words "United States" in the first line of the banner text
to "U. S." and save the .reg file with a different name.

You can edit these keys with RegEdit, RegEdit32 or the system policy editor
(poledit.exe). A difficulty is your inability to type a return in these editors, 
which causes the body of the warning to be a single paragraph. If you are so 
inclined, you can edit the key with RegEdit32 in binary mode and insert a 
0D wherever you want a return to appear. The easiest way to do this is to edit
the key in text mode and insert a ~ (7E Hex.) wherever you want a new paragraph 
to start (use ~~ to create a new paragraph and space it down one line). Open the 
key again in binary mode and replace each 7E with 0D (Return). A difficulty
with a key created in this way is that it cannot be saved in a .reg file and
copied from machine to machine. You must edit each machine's registry separately
with RegEdit32. 
The hex version of the "LegalNoticeText" key is available on the CIAC server. 
This hex mode key contains two Returns at the end of each paragraph and can be 
copied and pasted into the RegEdit32 binary editor window.
Also available for Windows NT is the regini.exe program in the Windows NT 
Resource Kit. This program edits registry entries from a file and allows the 
insertion of Returns in the file and in the key. 

Note: Don't forget to have different .reg files for Windows 95/98/ME, Windows NT 3.51,
and Windows NT/2K/XP. This is related to the substitution of Windows for Windows NT in
the editing instructions above and for a slightly shortened banner for Windows NT 3.51.   

DOS and Windows 3.11 Startup Banners
====================================

In DOS and versions of Windows up to Windows 3.11 you can create a startup 
banner by editing the Autoexec.bat file. The text is available on the CIAC
web site.

To create the DOS/Windows startup banner, perform these steps:

1.  Open the autoexec.bat file in a text editor.
2.  At the end of the file, just before the win command if it exists, type the 
    text of the banner with each line of banner text preceded with an echo 
    command. Use "echo." (with the trailing period) for blank lines; a bare 
    "echo" prints the current ECHO state instead of an empty line.

    @echo off
    cls
    echo.
    echo                       NOTICE TO USERS
    echo.
    echo This is a Federal computer system and is the property of the
    echo United States Government. It is for authorized use only. Users
    echo (authorized or unauthorized) have no explicit or implicit expectation
    echo of privacy.
    echo.
    echo Any or all uses of this system and all files on this system may be
    echo intercepted, monitored, recorded, copied, audited, inspected, and
    echo disclosed to authorized site, Department of Energy, and law
    echo enforcement personnel, as well as authorized officials of other
    echo agencies, both domestic and foreign. By using this system, the user
    echo consents to such interception, monitoring, recording, copying,
    echo auditing, inspection, and disclosure at the discretion of authorized
    echo site or Department of Energy personnel.
    echo.
    echo Unauthorized or improper use of this system may result in
    echo administrative disciplinary action and civil and criminal penalties.
    echo By continuing to use this system you indicate your awareness of and
    echo consent to these terms and conditions of use. LOG OFF IMMEDIATELY if
    echo you do not agree to the conditions stated in this warning.
    pause

This message is displayed until you press any key.

You can get fancier by using line draw characters and colors (assuming
ansi.sys is loaded in the config.sys file). 

UNIX Login Banners
==================

The banners for UNIX machines depend on the particular vendor and service. For 
many recent systems (Sun, Linux), creating the file /etc/issue containing the 
banner text causes the banner text to be displayed before the console login 
and before all interactive logins such as telnet, rsh, and rlogin. Linux 
systems use two such files, /etc/issue for console logins and /etc/issue.net
for telnet logins so be sure to place the banner text in both. 

For other systems and for services that do not respond to the /etc/issue file, 
put the banner text in the file /etc/motd. The contents of this file are 
displayed by the global /etc/.login and the /etc/profile files, depending on 
which shell you start (sh or csh), immediately after a successful login. 
Displaying the /etc/motd file immediately after login is also an option for 
the Secure Shell daemon (sshd) and is set in the /usr/local/etc/sshd_config 
file. 

Some versions of the FTP service have been modified to display, after login, 
the contents of the file .login_message found in the root directory of the FTP 
tree or in the user's home directory. You will have to try this to see if it 
works. If it does not work, you must put a file named NOTICE_TO_USERS 
containing the warning text into the root directory of the anonymous ftp tree 
and the file or a link to the file into each user's home directory.

For machines that do not use these methods for displaying banners, consult the 
man pages for each service to see if there is a banner mechanism available.

NOTE: An important thing to note here is that if you remove a service from a 
UNIX machine, your machine will be more secure and you will not have to worry 
about placing a banner on that service. If you have open services that you do 
not need simply remove them.
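Because the console, telnet and the login scripts each read a different file, the quickest way to confirm a host is compliant is to audit /etc/issue, /etc/issue.net and /etc/motd directly. The script below is an added example, not a CIAC tool: it checks that each file exists and carries the three points the banner must make (proper use, monitoring, no expectation of privacy), and can write the approved text into all of them. The phrase list, the root argument (so a staging tree can be checked instead of the live system) and the constructed scenario in demo_audit() are assumptions of this example.

```python
"""Audit and install the UNIX banner files (added example, not a CIAC tool)."""
import os
import re
import tempfile

# Files named in the bulletin, relative to the filesystem root.
BANNER_FILES = ("etc/issue", "etc/issue.net", "etc/motd")

# One phrase per point in the bulletin's PROBLEM box; a banner lacking any of
# them is reported as incomplete. (Assumed list for this example.)
REQUIRED_PHRASES = ("authorized use only", "monitored", "expectation of privacy")


def normalize(text):
    """Collapse whitespace and case so line wrapping does not affect matching."""
    return re.sub(r"\s+", " ", text).strip().lower()


def check_banner_file(path):
    """Return ('ok' | 'incomplete' | 'missing', [phrases not found])."""
    if not os.path.isfile(path):
        return ("missing", list(REQUIRED_PHRASES))
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = normalize(fh.read())
    absent = [p for p in REQUIRED_PHRASES if p not in text]
    return ("ok" if not absent else "incomplete", absent)


def audit(root="/"):
    """Check every banner file under root; returns {relative path: (status, absent)}."""
    return {rel: check_banner_file(os.path.join(root, rel)) for rel in BANNER_FILES}


def install_banner(root, banner, files=BANNER_FILES):
    """Write the banner into each file, mode 0644: getty, telnetd and the login
    scripts can read it, only root can change it."""
    for rel in files:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(banner)
        os.chmod(path, 0o644)


def demo_audit():
    """Constructed scenario in a temporary tree: a complete banner in etc/issue,
    the stock getty greeting in etc/issue.net, and no etc/motd at all."""
    banner = ("NOTICE TO USERS\n\n"
              "This is a Federal computer system. It is for authorized use only.\n"
              "Users (authorized or unauthorized) have no explicit or implicit\n"
              "expectation of privacy. All use may be intercepted, monitored and\n"
              "recorded.\n")
    root = tempfile.mkdtemp()
    install_banner(root, banner, files=("etc/issue",))
    install_banner(root, "Welcome to \\n (\\l)\n", files=("etc/issue.net",))
    return audit(root)


if __name__ == "__main__":
    for rel, (status, absent) in sorted(demo_audit().items()):
        print("%-14s %-10s %s" % (rel, status, ", ".join(absent)))
```

Run against the live system with audit("/") as root; anything other than "ok" for all three files means a login path exists on which a user never sees the warning.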

Windows NT FTP Servers
======================

The following method adds a login banner to a Windows NT FTP server. The banner
appears immediately after login.

  1. Open the Microsoft Management Console and select the Default FTP site.
  2. Click properties and select the Messages tab.
  3. Type or paste the banner text into the Welcome window.
  4. Click OK.

Web Pages
=========

For web pages you have two options. One is to replace your default home page 
with a page that contains only the warning notice and a button to take you to 
your real home page. The second is to add a JavaScript program to your home 
page that is executed whenever the page is loaded. No matter which initial 
banner you use, each page should contain a button in the header or footer 
labeled "Notice To Users" that takes the user to a page that displays the 
banner or that runs the JavaScript banner.  
If this is a public web page, you may put the public banner at the top of the 
home page instead of putting it on a separate page and add a button to the top 
or bottom of each page that also displays the public banner.

HTML Banner
-----------

The following web page implements the DOE banner in a box with the title 
centered at the top. Below the banner is a link to the site's normal home page.
<HTML>
<HEAD>
<META NAME="GENERATOR" Content="Microsoft Visual Studio 6.0">
<TITLE>Notice To Users</TITLE>
</HEAD>
<BODY>
<CENTER>
<TABLE BORDER=1 CELLSPACING="1" WIDTH=80%>
<TR><TD VALIGN="center">
<CENTER>
<H2>NOTICE TO USERS</H2>
</CENTER>
<FONT size=2>
<P>This is a Federal computer system and is the property of the United 
States Government. It is for authorized use only. <B>Users (authorized or 
unauthorized) have no explicit or implicit expectation of privacy.</B>

<P>Any or all uses of this system and all files on this system may be 
intercepted, monitored, recorded, copied, audited, inspected, and disclosed to 
authorized site, Department of Energy, and law enforcement personnel, 
as well as authorized officials of other agencies, both domestic and foreign.
<B>By using this system, the user consents to such interception, monitoring, 
recording, copying, auditing, inspection, and disclosure at the discretion of 
authorized site or Department of Energy personnel.</B>

<P><B>Unauthorized or improper use of this system may result in administrative 
disciplinary action and civil and criminal penalties. <U>By continuing to use
this system you indicate your awareness of and consent to these terms and 
conditions of use. LOG OFF IMMEDIATELY if you do not agree to the conditions
stated in this warning.</U></B>

</FONT> 
</TD>
</TR>
</TABLE>
<A HREF="myhomepage.html">To Home Page</A>
</CENTER>
</BODY>
</HTML>
The following link should be added to the header or footer of each web page to 
display the banner above. This link has the title "Notice To Users" and opens 
the banner in a new window named "Notice To Users". If you want it to open in 
the same window, remove the TARGET attribute. Here we assume that the banner 
web page above is in a file named banner.htm in the root directory of the web. 

<A HREF="/banner.htm" TARGET="Notice To Users">Notice To Users</A><br>

JavaScript Banner
-----------------

The following JavaScript program is run whenever the page containing it is 
loaded and displays the banner in a dialog box with an OK button. To add it to 
a web page, copy everything between the two SCRIPT tags, including the tags, 
into the HEAD of the web page. To make it run whenever the page is loaded, add 
the onLoad="do_banner()" attribute to the BODY tag. Note that if the users 
have JavaScript turned off for their browser, this JavaScript banner will not 
be displayed. 

<HTML>
<HEAD>
<TITLE>Home Page</TITLE>
<SCRIPT LANGUAGE="JavaScript">
function do_banner() {
var msg = "<HTML><HEAD><TITLE>NOTICE TO USERS</TITLE></HEAD>\n"+
"<BODY BGCOLOR=white><FONT FACE='Times' SIZE=2>\n"+
"<CENTER>NOTICE TO USERS</CENTER>\n"+
"<P>This is a Federal computer system and is the property of the\n "+
"United States Government. It is for authorized use only. <B>Users\n "+ 
"(authorized or unauthorized) have no explicit or implicit expectation\n "+ 
"of privacy. </B>\n "+
"<P>Any or all uses of this system and all files on this system may be\n "+ 
"intercepted, monitored, recorded, copied, audited, inspected, and\n "+ 
"disclosed to authorized site, Department of Energy, and law enforcement\n "+
"personnel, as well as authorized officials of other agencies, both\n "+
"domestic and foreign. <B>By using this system, the user consents to such\n "+ 
"interception, monitoring, recording, copying, auditing, inspection, \n "+ 
"and disclosure at the discretion of authorized site or Department\n "+ 
"of Energy personnel.</B>\n "+
"<P><B>Unauthorized or improper use of this system may result in\n "+ 
"administrative disciplinary action and civil and criminal penalties.\n "+ 
"<U>By continuing to use this system you indicate your awareness of and\n "+ 
"consent to these terms and conditions of use. LOG OFF IMMEDIATELY\n "+ 
"if you do not agree to the conditions stated in this warning.</U></B>\n "+
"<CENTER>\n"+
"<FORM>\n"+
"<INPUT TYPE=button VALUE='OK' onClick=window.close()>\n"+
"</FORM>\n"+
"</CENTER>"+
"</FONT></BODY></HTML>"; 
var win1 = window.open("", "messageWindow", "toolbar=no,scrollbars=yes,width=600,height=500");
win1.document.write(msg);
win1.document.close();
} 
</SCRIPT> 
</HEAD> 
<BR> 
<!--The following line starts the body of the web page and runs the JavaScript 
banner program whenever the page is loaded. -->
<BODY onLoad="do_banner()"> 
 . 
 . <!---body of the home page--->
 .
</BODY>
</HTML>

The following two lines show two ways to add a link to a JavaScript banner 
program from within a web page. The first adds a button to the page with the 
text "Notice To Users" on it and runs the JavaScript banner program whenever 
the button is clicked. The second creates a link with the text "Notice To 
Users" that runs the JavaScript banner program whenever the link is clicked. 
In both cases, the JavaScript banner program must also be present on the web 
page.

<INPUT type=Button VALUE="Notice To Users" onClick="do_banner()">
<A HREF="#" onClick="do_banner(); return false;">Notice To Users</A>


Adding Warning Banners With TCP Wrappers
========================================

Unix users can apply banners to services such as ftp, telnet, etc. using the 
TCPwrappers program. TCP Wrappers is a program for controlling who can connect
to the different services on your computer. In addition to controlling access to
your computer, the TCP Wrappers program has the capability to send a
banner to the connecting client whenever a connection to a service is 
requested. Care must be taken as to which services banners are added to, as 
many protocols are not meant to be read by humans and do not support text 
banners. Note also that this works only for those services that are controlled 
by TCPWrappers. 

The TCP Wrappers program must first be downloaded and installed on your system.
The source code for tcp wrappers is available from: 

ftp://ftp.cert.org/pub/tools/tcp_wrappers/

To add banners to your TCPwrappers program you have to recompile it with 
the -DPROCESS_OPTIONS flag. The flag, which is a language extension, is NOT on 
by default. In the hosts.allow file, add the text, ": banners /banner/path"
after the list of clients that you want the banner to be displayed to.
The string, /banner/path is the path to a directory that contains the banner
files. The banner files have the same names as the daemons they will apply to.
That is, the banner for the in.ftpd daemon is in a file named in.ftpd. 
It is possible to have a different banner for each rule in hosts.allow should 
you so desire. 

The make file below is available with the TCPWrappers distribution to make the
banner files for each of the services from a prototype banner. Simply place the
banner text in a file named prototype and run the make file to produce banner files
appropriate for each service. 

See the Banners.Makefile file, shown below and in the TCPWrappers directory for 
complete instructions on how to setup and use banners with TCPWrappers.
There is also a Linux Gazette article available that describes how to install
TCP Wrappers and add banners.

http://www.linuxgazette.com/issue15/tcpd.html


# @(#) Banners.Makefile 1.2 94/12/30 21:35:44
#
# Install this file as the Makefile in your directory with banner files.
# It will convert a prototype banner text to a form that is suitable for
# the ftp, telnet, rlogin, and other services. 
# 
# You'll have to comment out the IN definition below if your daemon
# names don't start with `in.'.
#
# The prototype text should live in the banners directory, as a file with
# the name "prototype". In the prototype text you can use %<character>
# sequences as described in the hosts_access.5 manual page (`nroff -man'
# format).  The sequences will be expanded while the banner message is
# sent to the client. For example:
#
#       Hello %u@%h, what brings you here?
#
# Expands to: Hello username@hostname, what brings you here? Note: the
# use of %u forces a client username lookup.
#
# In order to use banners, build the tcp wrapper with -DPROCESS_OPTIONS
# and use hosts.allow rules like this:
#
#       daemons ... : clients ... : banners /some/directory ...
#
# Of course, nothing prevents you from using multiple banner directories.
# For example, one banner directory for clients that are granted service,
# one banner directory for rejected clients, and one banner directory for
# clients with a hostname problem.
#
SHELL   = /bin/sh
IN      = in.
BANNERS = $(IN)telnetd $(IN)ftpd $(IN)rlogind # $(IN)fingerd $(IN)rshd
 
all:    $(BANNERS)
 
$(IN)telnetd: prototype
        cp prototype $@
        chmod 644 $@
 
$(IN)ftpd: prototype
        sed 's/^/220-/' prototype > $@
        chmod 644 $@
 
$(IN)rlogind: prototype nul
        ( ./nul ; cat prototype ) > $@
        chmod 644 $@
 
# Other services: banners may interfere with normal operation
# so they should probably be used only when refusing service.
 
$(IN)fingerd: prototype
        cp prototype $@
        chmod 644 $@
 
$(IN)rshd: prototype nul
        ( ./nul ; cat prototype ) > $@
        chmod 644 $@
 
# In case no /dev/zero available, let's hope they have at least
# a C compiler of some sort.
 
nul:
        echo 'main() { write(1,"",1); return(0); }' >nul.c
        $(CC) $(CFLAGS) -s -o nul nul.c
        rm -f nul.c
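The same conversions Banners.Makefile performs with cp, sed and the nul helper, written out in Python as an added example (it is not part of the TCP Wrappers distribution). Seeing the three transformations side by side shows why a banner cannot simply be copied into every daemon's file: telnet takes the text as-is, the FTP greeting must be framed as "220-" continuation lines, and rlogin/rsh clients expect a single NUL byte before any data. The prototype text, the client pattern in the hosts.allow rule and the output directory are constructed for this example; %u/%h sequences are left in place because tcpd expands them when the banner is sent.

```python
"""Build per-service banner files from a prototype (added example; mirrors Banners.Makefile)."""
import os

# Daemon name prefix, the Makefile's IN variable.
IN = "in."


def telnet_banner(prototype):
    """telnet: the text is sent unchanged before the login prompt (cp prototype $@)."""
    return prototype.encode()


def ftp_banner(prototype):
    """ftp: each line becomes a 220- continuation line of the greeting reply; the
    daemon itself sends the final '220 ' line (sed 's/^/220-/' in the Makefile)."""
    return "".join("220-%s\n" % line for line in prototype.splitlines()).encode()


def rlogin_banner(prototype):
    """rlogin/rsh: the client reads one NUL byte meaning 'connection accepted'
    before any data, which is what the Makefile's nul program writes."""
    return b"\0" + prototype.encode()


BUILDERS = {
    IN + "telnetd": telnet_banner,
    IN + "ftpd": ftp_banner,
    IN + "rlogind": rlogin_banner,
    # Commented out as in the Makefile: banners interfere with normal operation
    # of finger and rsh, so use them only from a directory that a refusing rule names.
    # IN + "fingerd": telnet_banner,
    # IN + "rshd": rlogin_banner,
}


def build_banners(prototype):
    """Return {daemon name: banner bytes} for every enabled service."""
    return {name: build(prototype) for name, build in BUILDERS.items()}


def write_banners(prototype, banner_dir):
    """Write the files tcpd looks up by daemon name, mode 0644; returns the paths."""
    os.makedirs(banner_dir, exist_ok=True)
    written = []
    for name, data in build_banners(prototype).items():
        path = os.path.join(banner_dir, name)
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, 0o644)
        written.append(path)
    return written


def hosts_allow_rule(daemons, clients, banner_dir):
    """The hosts.allow line the bulletin describes; tcpd must be built with
    -DPROCESS_OPTIONS for the 'banners' option to be recognised."""
    return "%s : %s : banners %s" % (" ".join(daemons), " ".join(clients), banner_dir)


if __name__ == "__main__":
    # Constructed prototype text; %h is expanded to the client host name by tcpd.
    proto = "NOTICE TO USERS\nThis is a Federal computer system. Connection from %h is logged.\n"
    for path in write_banners(proto, "banners"):
        print("wrote", path)
    # Constructed rule: banner for telnet and ftp clients in an example network.
    print(hosts_allow_rule(["in.telnetd", "in.ftpd"], ["192.168.1."], "/usr/local/etc/banners"))
```

Write the generated directory somewhere only root can modify, then name it in the banners option of the hosts.allow rule; a banner directory that an unprivileged user can write to would let that user change what every connecting client is told.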

CIAC wishes to acknowledge the contributions of Connie Soto and John Dias of Lawrence Livermore National Laboratory for the TCPwrappers information contained in this bulletin.
DOE-CIRC can be contacted at:
    Voice:          +1 866-941-2472 (7 x 24)
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov/