While reading about some of the new enhancements in Windows Vista, this struck me as a potentially useful feature.
Essentially, it provides a way to display certain logon statistics to the logged on user after a successful interactive logon to the workstation.
These statistics include:
- Date and time of the last successful logon by that user
- Date and time of the last unsuccessful logon attempt with the same user name
- The number of failed logon attempts since the last successful logon with the same user name
I believe the purpose is to make the end user aware that someone/something is attempting to use their credentials with the user’s knowledge if it doesn’t match their known personal usage history. This could alert the user to someone who might be using their account without their knowledge, and make them aware of such activity. This information has always existed in Active Directory in various attributes, but it’s not easily visible to an end user for them to compare to their own usage.
Unfortunately, this feature is only available when using a Vista machine, which is authenticating to a Windows 2008 Functional Level Domain. If this setting is on, and the domain is not in Windows 2008 mode, it will block the user from being able to logon since this information is not available in the domain to be retrieved by Vista. The message given to the user will be "Security policies on this computer are set to display information about the last interactive logon. Windows could not retrieve this information. Please contact your network administrator for assistance". An example of this can be found here.
When the forest is prepped for the Windows 2008 schema extensions, the previous logon information will be stored in the following new attributes to be used by Vista:
In order to allow this information to be recorded, a specify GPO must be set on the domain controllers to preserve this information.
Computer ConfigurationAdministrative TemplatesWindows ComponentsWindows Logon OptionsDisplay information about previous logons during user logon = ENABLED
Information can be collected for administrative use, and not have the Vista client enabled to display it as well, but having the Vista GPO not configured or disabled.
This feature also has the potential to cause fear and confusion to your end users, as they may not remember the last time they miss-typed their password, and may interpret the statistics as a security issue. I also can see how this would be seen as a user hindrance, and users would just clicking through it while ignoring the information. I am also not sure what kind of training, as suggested by the MS link, would be adequate at quelling false alarms, but still add value at identifying potential attacks. I suppose if you could also provide some help text to convey to the user who is logging in instructions, it might be more useful.
You can see a screen shot of what the post logon dialog box that displays the information here
You will notice, that it is specific about "interactive Logon", which differentiates from the logon types available. I am going to take this as a replicated version of the lastLogon attribute based upon the attributes reference to a "C-A-D logon" which is a Ctrl-Alt-Delete logon process.
So since this is may not not record application logons which may use LDAP simple binds, more like lastLogonTimestamp, it might give limited visibility to the accounts actual usage.
I also wonder what the replication impact of this attribute will have in large environments since it doesn’t appear to have the update damper that lastLogonTimestamp has. I suppose a common user has less CAD logons in a day than application/network logons, which may not mean the attribute is updated as frequently to be replicated compared to lastLogonTimestamp. But if so, why not have just replicated the original lastLogon in windows 2000?
I guess I will see more once I play with this in the lab, but overall adding the ability to better track account usage is definitely a good thing.