Friday, January 28, 2011

Hide users when connecting to Windows Server 2008

If I RDP to a Windows Server 2008 box without providing any username or password information I get to see a list of the users on the computer. In Windows Server 2003 this list was not broadcast. How can I make WS2008 not advertise what users are on the system? Thanks.

UPDATE: More specifically, this is Windows Server 2008 Web Edition 64 bit.

  • I think this reghack still works in 2008.

    I'm curious as to how to reproduce this. I cannot get the RDP client in Vista to connect to a Server 2008 at all without first providing the login credentials manually... the servers I've tried are all in a domain though. Perhaps the old RDP client does that though?

    pbz : I don't have that registry key in WS2008 (specifically SpecialAccounts\UserList). A simple way is to connect without providing the password or provide the wrong password. After you click cancel you'll see a list of possible users much like in the Vista screen shot in that article. I can't believe they even have this for a server OS.
    Oskar Duveborn : You can just create the key. I do not get such a list, the RDP dialog just rethrows the credentials box if I pass it the wrong ones - I never get to actually init an RDP Window without a correct username and password. If it's a domain thing or if it's just that I use the latest RDP client (think that's it) I dunno ^^
    pbz : I know the article claims it works for WS2008, but for me it doesn't. I followed the instructions and triple checked, but they don't have an effect. Not sure why it behaves differently for you. I use Windows Server 2003 to connect with RDP v6. Are you using NLA by any chance?
    Oskar Duveborn : Hmm, NLA could be it, yes. I'm afraid I don't have any more ideas on the original problem though - at least not until I've had time to try it from a 2003 server outside of this environment :/
    Zoredache : @"I'm curious as to how to reproduce this" -- log in via rdesktop from a Linux box.
    pbz : For now, as a workaround, I decided to rename the Administrator account (I was planning on doing that anyway). If I rename the Administrator account to let's say XXX on the login screen I can still see the "Administrator" user, but you can't login if you just provide the password. You don't get to see XXX though. Looks to me like they hardcoded in the UI expecting to always have an account called Administrator. If I switch to "Other User" and type XXX and the password it works. Pretty stupid IMO.
    pbz : Well, it turns out this doesn't really work. After a reboot I see XXX as an option.
    pbz : And that, seeing XXX as an option should've clued me in... I feel so stupid, I'm gonna go and sit in the corner now. Thanks for your help.
  • This was written for Vista, but it works fine on my Server 2008 development server:

    "This is possible via the Windows Local Security Policy Editor, or "secpol" tool. To launch the Local Security Policy Editor click Start, Control Panel, System Maintenance, Administrative Tools, Local Security Policy. Click "Continue" at the prompt presented by User Account Control. If you are not presented with one, that's fine, just move on.

    In the Local Security Policy editor you will see two panes, one on the left with tree-view navigation and one on the right which will have the actual definitions and items to edit. On the left hand side, expand (either by clicking on the arrow or double clicking) the "Local Policies" section, and then click on "Security Options". On the right hand side, scroll down until you see "Interactive logon: Do not display last user name". Double click on this entry and you will be presented with a dialog box that has two options - "Enabled" and "Disabled", with Disabled being selected as default. Change this setting to "Enabled", and then click on the OK button.

    After double clicking "Interactive logon: Do not require CTRL+ALT+DEL" select the Disabled option and hit OK. Next, close the Local Security Policy editor, as you are done. Log off. When you are prompted to press CTRL-ALT-DEL, do so, and you will get the classic style logon screen you have labored so hard to achieve."

    There also seems to be another way. I have not tested that one.

    Oskar Duveborn : +1 I look forward to a report by pbz on whether this works... it's interesting if this option has somehow become enabled ^^
    pbz : I actually came across this setting while searching the net. Unfortunately it doesn't have any effect :( I have "Do not display last user name" set to Enabled and "Do not require CTRL+ALT+DEL" set to Disabled. Thanks.
    pbz : The second link seems to deny the ability to login, which would lock me out of the box :) I'll make a new account and try that as well; I'll keep you posted.
    David Collantes : I will keep looking as well 'til I find a proper solution.
    pbz : OK guys, sorry about the storm in a teacup. Please read the updated comment at the top of the page. It actually occurred to me what was going on when I tried to log in with a random non-existing account and noticed it was displayed in the list. My guess is that their intention was to save me time retyping the last username, but in my case it was a huge time waster until I figured out what was going on. Thanks for your help!
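The secpol steps in the answer above map onto two registry values under the Policies\System key, and the first answer's reghack lives under Winlogon\SpecialAccounts\UserList. The following is an added PowerShell example (not code from the original post or from any answerer) that audits what a logon screen will disclose and, with `-Apply`, sets the two policies exactly as the answer describes. The value names DontDisplayLastUserName and DisableCAD are the real registry names behind those two policies; the function names are my own. Note that, as the thread concludes, the "list" pbz saw was simply the last username typed, which "Do not display last user name" is the setting for.

```powershell
param([switch]$Apply)   # run elevated; pass -Apply to change settings, omit it to only audit

$policyKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$userListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'

function Get-LogonDisclosureState {
    # Read the values as a defender would audit them; a missing value means the policy is not set (0).
    $props = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $hidden = @()
    if (Test-Path $userListKey) {
        # Accounts listed here with value 0 are hidden from the welcome screen (the first answer's reghack).
        $hidden = (Get-ItemProperty -Path $userListKey).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and $_.Value -eq 0 } |
            ForEach-Object { $_.Name }
    }
    New-Object PSObject -Property @{
        DontDisplayLastUserName = [int]$props.DontDisplayLastUserName   # 1 = "Do not display last user name" Enabled
        DisableCAD              = [int]$props.DisableCAD                # 1 = "Do not require CTRL+ALT+DEL" Enabled
        HiddenAccounts          = $hidden
    }
}

function Set-LogonDisclosurePolicy {
    # Mirrors the secpol procedure: Enable "Do not display last user name", Disable "Do not require CTRL+ALT+DEL".
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name DontDisplayLastUserName -Type DWord -Value 1
    Set-ItemProperty -Path $policyKey -Name DisableCAD -Type DWord -Value 0
}

'Current state:'
Get-LogonDisclosureState | Format-List DontDisplayLastUserName, DisableCAD, HiddenAccounts
if ($Apply) {
    Set-LogonDisclosurePolicy
    'After applying policy (takes effect at next logoff):'
    Get-LogonDisclosureState | Format-List DontDisplayLastUserName, DisableCAD, HiddenAccounts
}
```

Running it without `-Apply` first is a cheap way to confirm whether the policy is actually set before assuming, as in this thread, that the logon screen is enumerating real accounts.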
  • I misunderstood how the logon process works. Please read the question comments for details.

    From pbz
