
Enforcing Concurrent Logon Policies with UserLock.



Presentation on theme: "Enforcing Concurrent Logon Policies with UserLock."— Presentation transcript:

1 Enforcing Concurrent Logon Policies with UserLock

2 Why does the Concurrent Logon Policy exist?
“The more times a user is logged in to the network, the harder it is to determine if that user was really the person who logged in. Limiting the number of concurrent connections to two or even one makes tracking users’ network access easier and provides an additional level of security by reducing the number of logged in but unattended workstations. Administrator accounts, in particular, should have limited concurrent connections. If an administrator should receive a denied login due to a current connections limit she would immediately know that her account had been compromised, or that another login had been inadvertently left active.”
- Protecting Your Network Against Known Security Threats, Novell Research, November/December 1997

3 Concurrent Logon Policy Problems in Windows
- NT/2000/XP cannot prevent multiple logons
- Users do not have secure behavior patterns
- Users can logon to any subnet
- Tracking users is difficult

4 Problem 1: NT/2000/XP does not prevent multiple logons
- Novell, IBM, SUN, HP, and others consider limiting concurrent connections to be a required security option
- It has been considered standard policy for years by others; Microsoft’s recent emphasis on security shows that Microsoft acknowledges security weakness in their products
- No single server knows when and where your users logged on
- Distributed authentication system by design (replication delays aside, logon history is spread across multiple servers)
- Windows OS does not have a single location for logon & logoff history

5 Problem 2: Users do not have secure behavior patterns
- They often forget to log off from their workstations
- Example: they move to another computer without logging out of the first
- Keep in mind that most security breaches come from the intranet and are done by novices simply guessing passwords
- The Policy Problem restated: being logged on as someone else means a user has the permissions of that user. He may read messages or send e-mail on behalf of someone else. He could access sensitive files that he has no permission to access.

6 Problem 3: Users can logon to any subnet
- Windows NT only allows administrators to limit users to 10 computers where they may logon
- This rule comes from LAN Manager’s days (early 1990s)
- Setting applied to users individually

7 Problem 4: Tracking users is difficult
- Logon events are stored across all domain controllers
- No notification mechanism for immediate action

8 The Answer: UserLock
- Runs on NT4/2000/XP Servers and Workstations
- UserLock limits the number of simultaneous connections under the same username
- Tracks the activity of interactive logons and logoffs in a single file
- Restricts the computers where users can logon by computer name or by IP ranges

9 UserLock Feature 1: Single Logon
- Forbid specific accounts from being used concurrently on more than a specified number of computers
- This feature helps to change your users’ behavior by forcing them to logoff from their computers before logging on to another computer
- Prevents users from guessing someone else’s password
- While the real user is logged on, intruders are unable to hack data even if they have the password!
- Restrictions can be placed on groups
- Reduces management overhead

10 UserLock Feature 2: User Activity Tracking
- All logon/logoff history is stored in a single database, as opposed to Windows Audit information which is spread across multiple domain controllers
- Administrators may be notified by UserLock each time someone tries to logon after account limits have been reached
- Administrators can also track the activity of « suspicious » users by looking at the built-in reports or by receiving a notification
- UserLock provides a simple report showing an overview of the network situation: who is logged on where, the last workstation used, etc.

11 UserLock Feature 3: Restrict Users to Specific Computers
- UserLock allows you to create complex rules governing where users can logon
- For example, you can restrict your users to logon to the workstations in their department only
- Restrictions can be placed on groups
- Reduces management overhead
- UserLock also allows logons to all computers except those in a given group
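The decision the slides describe, Feature 1's per-group concurrent limit, Feature 3's restriction by computer name or IP range, and the single logon history and notification point of Feature 2 (Problem 4), modelled as an added example. This is illustrative Python written for this page, not UserLock's code; the Policy and Broker classes, the rule that the tightest group limit wins, the treatment of a repeat logon on the same workstation, and every group, host and subnet used are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Policy:                      # constructed policy model (assumption, not UserLock's format)
    max_sessions: dict             # group -> max simultaneous interactive logons
    allowed_nets: dict             # group -> list of CIDR strings the group may log on from
    denied_hosts: dict             # group -> set of computer names the group may never use
    members: dict                  # user -> set of groups

@dataclass
class Broker:
    """Single decision point: holds live sessions and one audit trail for the domain."""
    policy: Policy
    sessions: dict = field(default_factory=dict)   # user -> set of computers currently logged on
    history: list = field(default_factory=list)    # every decision, in one place (cf. Feature 2)

    def _limit(self, user):
        limits = [self.policy.max_sessions[g] for g in self.policy.members.get(user, ())
                  if g in self.policy.max_sessions]
        return min(limits) if limits else None      # assumption: tightest group limit wins

    def logon(self, user, computer, ip):
        """Evaluate an interactive logon request before the session starts."""
        addr = ipaddress.ip_address(ip)
        for g in self.policy.members.get(user, set()):
            if computer in self.policy.denied_hosts.get(g, set()):
                return self._record(user, computer, "DENY", f"{computer} forbidden for group {g}")
            nets = self.policy.allowed_nets.get(g)
            if nets is not None and not any(addr in ipaddress.ip_network(n) for n in nets):
                return self._record(user, computer, "DENY", f"{ip} outside subnets allowed for {g}")
        live = self.sessions.get(user, set())
        if computer in live:                         # same workstation again (e.g. unlock): not a new session
            return self._record(user, computer, "ALLOW", "already logged on here")
        limit = self._limit(user)
        if limit is not None and len(live) >= limit:
            return self._record(user, computer, "DENY", f"limit {limit} reached; still logged on at {sorted(live)}")
        self.sessions.setdefault(user, set()).add(computer)
        return self._record(user, computer, "ALLOW", "within limit")

    def logoff(self, user, computer):
        self.sessions.get(user, set()).discard(computer)
        return self._record(user, computer, "LOGOFF", "")

    def _record(self, user, computer, verdict, why):
        self.history.append((user, computer, verdict, why))   # notification hook would go here
        return verdict
```

Feed logon and logoff events to one Broker in the order they occur; a DENY entry in history whose reason is the session limit is exactly the condition the Novell quote on slide 2 wants an administrator alerted on.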

12 UserLock Architecture
- Security is computed by a single computer, the « UserLock Primary Server », and runs as a secure Windows NT Service
- Agents are automatically distributed by the service to all domain workstations
- Agent is a GINA DLL extension
- Authentication restriction occurs before logon (unlike Microsoft’s Cconnect). No unnecessary entries made to the security log
- Customizable messages: « You are already logged in too many times. Call 555-1212 for help. »
- Logon requests from sub-networks may be forwarded by UserLock Relay servers installed on each domain sub-network
- Compliant with firewalls
- Restrictions can be combined to provide very tight security

13 Conclusions About UserLock
- Solves Problem 1: NT/2000/XP cannot prevent multiple logons. You can implement a process to limit or eliminate simultaneous logons on NT/2000/XP
- Solves Problem 2: Users do not have secure behavior patterns. It will protect your network from internal attacks; UserLock forces them to log off their previous machine before beginning a new session, increasing security awareness
- Solves Problem 3: Users can logon to any subnet. You can completely control which machines are logged onto
- Solves Problem 4: Tracking users is difficult. Logon history is stored in a single location; a single report shows current logon status for all users; you can be notified when users logon, logoff, or fail to logon

14 Q & A

