
Email address should not contain Windows user name

Author
22 Apr 2009 10:26 PM
RIMikeG
Hi,
I've been told that as a general security best practice the Windows
user ID should NEVER be included in the user's email address

e.g.
if the Windows User ID is
jbloggs
the email address should NOT be :
jblo***@mydomain.com.au

Rather the better solution is to have
Windows User ID: jbloggs
Email Address :    joe.blo***@mydomain.com.au


What I need is some reference to this actually being best practice or some
sort of standard to improve security / hide information.

Does anyone know of anything ?

Author
22 Apr 2009 10:41 PM
Mark Arnold [MVP]
On Wed, 22 Apr 2009 15:26:02 -0700, RIMikeG
<RIMi***@discussions.microsoft.com> wrote:

>Hi,
>I've been told that as a general security best practice the Windows
>user ID should NEVER be included in the user's email address
>
>e.g.
>if the Windows User ID is
>jbloggs
>the email address should NOT be :
>jblo***@mydomain.com.au
>
>Rather the better solution is to have
>Windows User ID: jbloggs
>Email Address :    joe.blo***@mydomain.com.au
>
>
>What I need is some reference to this actually being best practice or some
>sort of standard to improve security / hide information.
>
>Does anyone know of anything ?

First I've heard of it. Well, ok, it's not the first and all it does
is tell someone who knows your email address what your logon ID might
be. The attacker still has to get your pass phrase/word.

Who told you and where did they point you at to tell you what they
told you? The burden of proof is on the other person, not you.
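Mark's point is that the only thing the naming convention leaks is a likely logon name. As an added example (not code from this thread or from any of its posters), here is a small audit an administrator could run over a directory export to measure how much of the organisation is affected: each account is classified by how directly its primary SMTP address reveals the sAMAccountName, including the first.last mail address paired with a first-initial+surname logon name that the question proposes, which anyone who knows the convention can still derive. The `Account` records are constructed sample data standing in for an Active Directory export of the `sAMAccountName` and `mail` attributes; `Account`, `classify`, `audit` and `exposed_count` are names chosen for this example.

```python
# Added example: audit how directly mailbox addresses reveal Windows logon
# names. Not code from the thread. The SAMPLE records below are constructed
# data modelled on an Active Directory export (sAMAccountName, mail).
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    sam_account_name: str  # pre-Windows 2000 logon name, e.g. jbloggs
    mail: str              # primary SMTP address, may be empty


def local_part(address: str) -> str:
    """Lower-cased part before '@'; empty string if there is no '@'."""
    addr = address.strip().lower()
    return addr.split("@", 1)[0] if "@" in addr else ""


def classify(acct: Account) -> str:
    """How directly the mail address reveals the logon name.

    'exact'     - local part equals sAMAccountName   (jbloggs@ / jbloggs)
    'contains'  - local part contains sAMAccountName (jbloggs2@, jbloggs.au@)
    'derivable' - local part is first.last and the logon name follows the
                  first-initial+surname convention  (joe.bloggs@ / jbloggs);
                  this is the scheme the question proposes, and it only hides
                  the logon name from someone who does not know the convention
    'none'      - no obvious relationship (includes accounts without mail)
    """
    sam = acct.sam_account_name.strip().lower()
    lp = local_part(acct.mail)
    if not sam or not lp:
        return "none"
    if lp == sam:
        return "exact"
    # Very short logon names would match almost anything, so require 4+ chars.
    if len(sam) >= 4 and sam in lp:
        return "contains"
    if "." in lp:
        first, last = lp.split(".", 1)
        # "joe.van.dam" -> initial "j" + "vandam"
        if first and last and sam == first[0] + last.replace(".", ""):
            return "derivable"
    return "none"


def audit(accounts: list[Account]) -> dict[str, list[str]]:
    """Group sAMAccountNames by classification, preserving input order."""
    groups: dict[str, list[str]] = {
        "exact": [], "contains": [], "derivable": [], "none": []
    }
    for acct in accounts:
        groups[classify(acct)].append(acct.sam_account_name)
    return groups


def exposed_count(accounts: list[Account]) -> tuple[int, int]:
    """(accounts whose mail reveals or lets one derive the logon name, total)."""
    exposed = sum(1 for a in accounts if classify(a) != "none")
    return exposed, len(accounts)


# Constructed sample directory export (not real accounts).
SAMPLE = [
    Account("jbloggs", "jbloggs@example.com.au"),        # exact
    Account("mgreen", "michael.green@example.com.au"),   # derivable
    Account("asmith", "asmith2@example.com.au"),         # contains
    Account("svc-backup", "backups@example.com.au"),     # none
    Account("pwong", ""),                                # none (no mailbox)
    Account("jdoe", "jane.doe@example.com.au"),          # derivable
]

if __name__ == "__main__":
    for kind, names in audit(SAMPLE).items():
        print(f"{kind:>9}: {', '.join(names) or '-'}")
    exposed, total = exposed_count(SAMPLE)
    print(f"{exposed} of {total} accounts expose or allow deriving the logon name")
```

Feeding this a real export (for instance the output of an LDAP or PowerShell query for `sAMAccountName` and `mail`) gives a number rather than an opinion, which is usually what is needed when someone asks for justification of a naming policy. Note that the "derivable" class is the interesting one: it shows that separating the two names buys obscurity, not secrecy, exactly as the replies in this thread suggest.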
Author
22 Apr 2009 10:52 PM
RIMikeG
Mark,
That's right - whilst it does make perfect sense from a security / obscurity
point of view I've yet to find any actual concrete justification for it.

I was told this in my last job by the IT security manager and Windows
manager as justification for why the Windows User ID was different to the
email address standard. 

So question remains - does anyone know of an actual standard or security
justification for this or is it just a 'nice to have' security practice ?

Regards
Michael Green



"Mark Arnold [MVP]" wrote:

> On Wed, 22 Apr 2009 15:26:02 -0700, RIMikeG
> <RIMi***@discussions.microsoft.com> wrote:
>
> >Hi,
> >I've been told that as a general security best practice the Windows
> >user ID should NEVER be included in the user's email address
> >
> >e.g.
> >if the Windows User ID is
> >jbloggs
> >the email address should NOT be :
> >jblo***@mydomain.com.au
> >
> >Rather the better solution is to have
> >Windows User ID: jbloggs
> >Email Address :    joe.blo***@mydomain.com.au
> >
> >
> >What I need is some reference to this actually being best practice or some
> >sort of standard to improve security / hide information.
> >
> >Does anyone know of anything ?
>
> First I've heard of it. Well, ok, it's not the first and all it does
> is tell someone who knows your email address what your logon ID might
> be. The attacker still has to get your pass phrase/word.
>
> Who told you and where did they point you at to tell you what they
> told you? The burden of proof is on the other person, not you.
>
Author
23 Apr 2009 12:43 AM
Martin Blackstone [MVP]
Like Mark, I've heard people talk about it but have never seen it documented
as a best practice.

"RIMikeG" <RIMi***@discussions.microsoft.com> wrote in message
news:0C006206-F37B-4451-8575-2E7DC43AD2FC@microsoft.com...
> Mark,
> That's right - whilst it does make perfect sense from a security /
> obscurity
> point of view I've yet to find any actual concrete justification for it.
>
> I was told this in my last job by the IT security manager and Windows
> manager as justification for why the Windows User ID was different to the
> email address standard.
>
> So question remains - does anyone know of an actual standard or security
> justification for this or is it just a 'nice to have' security practice ?
>
> Regards
> Michael Green
>
>
>
> "Mark Arnold [MVP]" wrote:
>
>> On Wed, 22 Apr 2009 15:26:02 -0700, RIMikeG
>> <RIMi***@discussions.microsoft.com> wrote:
>>
>> >Hi,
>> >I've been told that as a general security best practice the Windows
>> >user ID should NEVER be included in the user's email address
>> >
>> >e.g.
>> >if the Windows User ID is
>> >jbloggs
>> >the email address should NOT be :
>> >jblo***@mydomain.com.au
>> >
>> >Rather the better solution is to have
>> >Windows User ID: jbloggs
>> >Email Address :    joe.blo***@mydomain.com.au
>> >
>> >
>> >What I need is some reference to this actually being best practice or
>> >some
>> >sort of standard to improve security / hide information.
>> >
>> >Does anyone know of anything ?
>>
>> First I've heard of it. Well, ok, it's not the first and all it does
>> is tell someone who knows your email address what your logon ID might
>> be. The attacker still has to get your pass phrase/word.
>>
>> Who told you and where did they point you at to tell you what they
>> told you? The burden of proof is on the other person, not you.
>>
Author
23 Apr 2009 12:53 AM
Andy David {MVP}
On Wed, 22 Apr 2009 17:43:18 -0700, "Martin Blackstone [MVP]"
<mart***@myrealbox.com> wrote:

>
>Like Mark, I've heard people talk about it but have never seen it documented
>as a best practice.


Probably the same people who want to remove the IP address of the
server from the headers.
Author
23 Apr 2009 3:08 AM
Martin Blackstone [MVP]
"Andy David  {MVP}" <ada***@pleasekeepinngcheesebucket.com> wrote in message
news:hrevu4dcmvlplpsecjg7bfbs71b00thsnv@4ax.com...
> On Wed, 22 Apr 2009 17:43:18 -0700, "Martin Blackstone [MVP]"
> <mart***@myrealbox.com> wrote:
>
>>
>>Like Mark, I've heard people talk about it but have never seen it
>>documented
>>as a best practice.
>
>
> Probably the same people who want to remove the IP address of the
> server from the headers.
>
Oh, those people!
Author
23 Apr 2009 12:54 PM
Mark Arnold [MVP]
Yeah, because you can cause havoc if you know that the Exchange server
is a 10.x.x.x address. If only you could breach the firewall to reach
that address.
Muppets.