Hide last user name in AnyConnect 4.3 SBL prompt?

webabc123
Level 1

I noticed that the last VPN user name is not displayed when the user logs into Windows and then launches AnyConnect, but the last user name is displayed if AnyConnect is launched pre-login using SBL.

We would want either the opposite, so that nobody can see the user name before logging into Windows but the user name is displayed after a user with Windows credentials logs in, or else we would want it suppressed in both places.

Having a laptop thief be able to see the last user name via SBL, but at the same time requiring an authorized user who fully logs into Windows to manually type in this information makes no sense.

How can we fix this?

1 Reply

Rahul Govindan
VIP Alumni

You should be able to disable the username caching by changing the Local Policy XML file on the client machine:

http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect43/administration/guide/b_AnyConnect_Administrator_Guide_4-3/anyconnect-profile-editor.html

Restrict Preference Caching <RestrictPreferenceCaching>

By design, AnyConnect does not cache sensitive information to disk. Enabling this parameter extends this policy to any type of user information stored in the AnyConnect preferences.

    Credentials—The user name and second user name are not cached.

    Thumbprints—The client and server certificate thumbprints are not cached.

    CredentialsAndThumbprints—Certificate thumbprints and user names are not cached.

    All—No automatic preferences are cached.

    false—All preferences are written to disk (default).
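
An added example, not part of the original reply or of Cisco's tooling: a Python check that reads the text of a local policy file and reports whether the user name would still be cached under its RestrictPreferenceCaching value. The root element name, the namespace, the sample documents and the reading that Thumbprints leaves the user name cached are assumptions based on the guide text quoted above.

```python
import xml.etree.ElementTree as ET

# Values listed in the guide text quoted above, spelled exactly as given there,
# mapped to whether the user name is still written to the preferences cache.
# Assumption: "Thumbprints" restricts only thumbprints, so the name stays cached.
USERNAME_CACHED = {
    "Credentials": False,
    "Thumbprints": True,
    "CredentialsAndThumbprints": False,
    "All": False,
    "false": True,
}

def local_name(tag):
    """Reduce a namespaced tag such as '{uri}Name' to 'Name'."""
    return tag.rsplit("}", 1)[-1]

def audit_policy(xml_text):
    """Return (setting, username_cached, note) for one local policy document."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return (None, True, f"unparseable policy: {exc}")
    for elem in root.iter():
        if local_name(elem.tag) == "RestrictPreferenceCaching":
            value = (elem.text or "").strip()
            if value not in USERNAME_CACHED:
                # Fail closed: a misspelled value cannot be relied on.
                return (value, True, "unrecognised value")
            cached = USERNAME_CACHED[value]
            return (value, cached, "user name cached" if cached else "ok")
    # Element absent: the quoted text gives false as the default.
    return ("false", True, "element missing, default applies")

# Constructed sample documents; the root element name and namespace are assumed.
SAMPLE_DEFAULT = """<AnyConnectLocalPolicy xmlns="urn:example:constructed">
  <RestrictPreferenceCaching>false</RestrictPreferenceCaching>
</AnyConnectLocalPolicy>"""
SAMPLE_HARDENED = SAMPLE_DEFAULT.replace(">false<", ">Credentials<")

if __name__ == "__main__":
    for name, doc in [("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED)]:
        print(name, audit_policy(doc))
```

Run across a fleet, any result with `username_cached` set to True marks a machine where the SBL prompt can still show the last user name.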