Enforcing Concurrent Logon Policies with UserLock

Why does the Concurrent Logon Policy exist? “The more times a user is logged in to the network, the harder it is to determine if that user was really the person who logged in. Limiting the number of concurrent connections to two or even one makes tracking users’ network access easier and provides an additional level of security by reducing the number of logged in but unattended workstations. Administrator accounts, in particular, should have limited concurrent connections. If an administrator should receive a denied login due to a current connections limit she would immediately know that her account had been compromised, or that another login had been inadvertently left active.” - Protecting Your Network Against Known Security Threats Novell Research, November/December 1997

Concurrent Logon Policy Problems in Windows NT/2000/XP cannot prevent multiple logons Users do not have secure behavior patterns Users can logon to any subnet Tracking users is difficult

Problem 1: NT/2000/XP does not prevent multiple logons Novell, IBM, SUN, HP, and others consider limiting concurrent connections to be a required security option It has been considered standard policy for years by others; Microsoft’s recent emphasis on security shows that Microsoft acknowledges security weakness in their products All Servers do not know when and where your users logged on Distributed authentication system by design (replication delays aside, logon history is spread across multiple servers) Windows OS does not have a single location for logon & logoff history

Problem 2: Users do not have secure behavior patterns They often forget to logoff from their workstations Example : They move to another computer without logging out of the first Keep in mind that most security breaches come from the intranet and are done by novices simply guessing passwords The Policy Problem restated : Being logged on as someone else means a user has the permissons of that user. He may read messages or send on behalf of someone else. He could access sensitive files that he has no permission to access.

Problem 3: Users can logon to any subnet Windows NT only allows administrators to limit users to 10 computers where they may logon. This rule comes from Lan Manager’s days (early 1990’s) Setting applied to users individually

Problem 4: Tracking users is difficult Logon events are stored across all domain controllers No notification mechanism for immediate action

The Answer: UserLock Runs on NT4/2000/XP Servers and Workstations UserLock limits the number of simultaneous connections under the same username Tracks the activity of interactive logons and logoffs in a single file Restricts the computers where users can logon by computer name or by IP ranges

UserLock Feature 1: Single Logon Forbid specific accounts from being used concurrently on more than a specified number of computers This feature helps to change your users’ behavior by forcing them to logoff from their computers before logging on to another computer Prevents users from guessing someone else’s password While the real user is logged on, intruders are unable to hack data even if they have the password! Restrictions can be placed on groups Reduces management overhead

UserLock Feature 2: User Activity Tracking All logon/logoff history is stored in a single database, as opposed to Windows Audit information which is spread across multiple domain controllers Administrators may be notified by UserLock each time someone tries to logon after account limits have been reached Administrators can also track the activity of « suspicious » users by looking at the built-in reports or by receiving a notification UserLock provides a simple report showing an overview of the network situation: who is logged on where, the last workstation used, etc.

UserLock Feature 3: Restrict Users to Specific Computers UserLock allows you to create complex rules governing where users can logon For example, you can restrict your users to logon to the workstations in their department only Restrictions can be placed on groups Reduces management overhead UserLock also allows logons to all computers except those in a given group

UserLock Architecture Security is computed by a single computer, the « UserLock Primary Server », and runs as a secure Windows NT Service Agents are automatically distibuted by the service to all domain workstations Agent is a GINA DLL extension Authentication restriction occurs before logon (unlike Microsoft’s Cconnect). No unnecessary entries made to the security log Customizable messages  « You are already logged in too many times. Call for help. » Logon requests from sub-networks may be forwarded by UserLock Relay servers installed on each domain sub-network Compliant with firewalls Restrictions can be combined to provide very tight security

Conclusions About UserLock Solves Problem 1: NT/2000/XP cannot prevent multiple logons You can implement a process to limit or eliminate simulataneous logons on NT/2000/XP Solves Problem 2: Users do not have secure behavior patterns It will protect your network from internal attacks UserLock forces them to log off their previous machine before beginning a new session, increasing security awareness Solves Problem 3: Users can logon to any subnet You can completely control which machines are logged onto Solves Problem 4: Tracking users is difficult Logon history is stored in a single location A single report shows current logon status for all users You can be notified when users logon, logoff, or fail to logon

Q & A