Home / server / Questions / 24376
Accepted
JayC
Asked: 2009-06-12 13:03:30 +0800 CST

Should I use a login banner and if so, what should it say?

  • 772

Are interactive login banners worth having?
The general consensus is that they are, but what should the banner say?

Some things that are being considered (no particular order):

  • ownership of the equipment
  • no expectation of privacy
  • Monitoring may be done
  • authorized use only
  • don't use words like "Welcome"
  • in the local language if possible
  • length of the banner: short and terse, long and wordy
  • don't identify the use of the equipment
  • vague or specific
windows unix security login

7 Answers

  1. Best Answer

    From Prosecuting Computer Crimes, a publication of the United States Department of Justice:

    Best Practices for Victim Response and Reporting

    A. Steps Before Confronting an Intrusion

    Consider Using Banners - Real-time monitoring of attacks is usually lawful, if prior notice of this monitoring is given to all users. For this reason, organizations should consider deploying written warnings, or "banners," on the ports through which an intruder is likely to access the organization's system and on which the organization may attempt to monitor an intruder's communications and traffic. If a banner is already in place, it should be reviewed periodically to ensure that it is appropriate for the type of potential monitoring that could be used in response to a cyberattack. More information on this topic can be found on CCIPS' website at http://www.cybercrime.gov.

    Also, here are some sample NETWORK BANNER language as recommended by USDOJ and explanation for their functions, from Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations, also by the U.S. Department of Justice:

    APPENDIX A: Sample Network Banner Language

    Network banners are electronic messages that provide Notice of legal rights to users of computer networks. From a legal standpoint, banners have four primary functions. First, banners may be used to generate consent to real-time monitoring under Title III. Second, banners may be used to generate consent to the retrieval of stored files and records pursuant to ECPA. Third, in the case of government networks, banners may eliminate any Fourth Amendment "reasonable expectation of privacy" that government employees or other users might otherwise retain in their use of the government's network under O'Connor v. Ortega, 480 U.S. 709 (1987). Fourth, in the case of a non-government network, banners may establish a system administrator's "common authority" to consent to a law enforcement search pursuant to United States v. Matlock, 415 U.S. 164 (1974).

    This is definitely a legal matter that shouldn't be so easily overlooked. More than likely, you SHOULD consult with your legal department (if you have one), or corresponding decision makers. Also, whatever is implemented in the banners, that being said for internal and external should probably not be redundant with already agreed Network Use Policies (probably don't want to constantly alert people about something they have already agreed on)

    • 6

  2. Speak to your legal people, it's not up to the techies to decide what goes into it, this is a policy matter, not a technical one. Depending which country you're in there will be government recommendations that will relate to local computer misuse laws.

    • 5

  3. It really depend on who is logging in, and why. If you are running a server to provide shell accounts, you probably want a pretty strong interactive login banner to remind people not to run spambots. On the other hand, if your servers are only accessed by fellow members of your Operations team, of which there are only 8, you probably don't need a banner. Really this boils down to a matter of policy, because the banner will not make a noticeable difference in behavior, and has no effect in many legal venues.

    • 2

  4. Here is what we use:

    -----------------------------------------------------------------
Warning: This system is restricted to ABC Company
authorized users for business purposes only. Unauthorized access
or use is a violation of company policy and the law. This system
may be monitored for administrative and security reasons. By
proceeding, you acknowledge that (1) you have read and understand
this notice and (2) you consent to the system monitoring.
-----------------------------------------------------------------
    • 1

  5. Just something like "usage of this resource is subject to the terms of our AUP" should be all you need; no need to write an essay on it. The legal and HR folks can then put their stuff into the AUP.

    You'll want to ensure that everyone has a paper copy of the AUP before logging in though. IANAL but I would smell a rat if you were asking users to agree to something they hadn't even read yet.

    • 1

  6. My login banners simple say. "Everything is logged, so don't break shit" but im pretty much the only tech who ssh's into our servers.

    • 0

  7. In my mind it's another CYA item which you seem to not be able to get enough of these days.... Don't make a pre-login banner that includes any kind of "Welcome to..." statement.

    • 0