UserLock Overview

Enforcing Concurrent Logon Policies with UserLock

Why does the Concurrent Logon Policy exist?

“The more times a user is logged in to the network, the harder it is to determine if that user was really the person who logged in. Limiting the number of concurrent connections to two or even one makes tracking users’ network access easier and provides an additional level of security by reducing the number of logged in but unattended workstations. Administrator accounts, in particular, should have limited concurrent connections. If an administrator should receive a denied login due to a current connections limit she would immediately know that her account had been compromised, or that another login had been inadvertently left active.”

- Protecting Your Network Against Known Security Threats, Novell Research, November/December 1997

Concurrent Logon Policy Problems in Windows

- NT/2000/XP cannot prevent multiple logons
- Users do not have secure behavior patterns
- Users can logon to any subnet
- Tracking users is difficult

Problem 1: NT/2000/XP does not prevent multiple logons

- Novell, IBM, SUN, HP, and others consider limiting concurrent connections to be a required security option
- It has been considered standard policy for years by others; Microsoft’s recent emphasis on security shows that Microsoft acknowledges security weakness in their products
- No single server knows when and where all your users logged on
  - Distributed authentication system by design (replication delays aside, logon history is spread across multiple servers)
  - Windows OS does not have a single location for logon & logoff history

Problem 2: Users do not have secure behavior patterns

- They often forget to logoff from their workstations
  - Example: They move to another computer without logging out of the first
- Keep in mind that most security breaches come from the intranet and are done by novices simply guessing passwords
- The Policy Problem restated: Being logged on as someone else means a user has the permissions of that user. He may read messages or send e-mail on behalf of someone else. He could access sensitive files that he has no permission to access.

Problem 3: Users can logon to any subnet

- Windows NT only allows administrators to limit users to 10 computers where they may logon.
  - This rule comes from Lan Manager’s days (early 1990s)
  - Setting applied to users individually

Problem 4: Tracking users is difficult

- Logon events are stored across all domain controllers
- No notification mechanism for immediate action

The Answer: UserLock

- Runs on NT4/2000/XP Servers and Workstations
- UserLock limits the number of simultaneous connections under the same username
- Tracks the activity of interactive logons and logoffs in a single file
- Restricts the computers where users can logon by computer name or by IP ranges

UserLock Feature 1: Single Logon

- Forbid specific accounts from being used concurrently on more than a specified number of computers
  - This feature helps to change your users’ behavior by forcing them to logoff from their computers before logging on to another computer
- Prevents users from guessing someone else’s password
  - While the real user is logged on, intruders are unable to access data even if they have the password!
- Restrictions can be placed on groups
  - Reduces management overhead

UserLock Feature 2: User Activity Tracking

- All logon/logoff history is stored in a single database, as opposed to Windows Audit information which is spread across multiple domain controllers
- Administrators may be notified by UserLock each time someone tries to logon after account limits have been reached
- Administrators can also track the activity of "suspicious" users by looking at the built-in reports or by receiving a notification
- UserLock provides a simple report showing an overview of the network situation: who is logged on where, the last workstation used, etc.
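
The two ideas behind Features 1 and 2 (and Problems 1 and 4) are a single merged logon history and a per-group concurrent-session limit evaluated against it. The following is an added illustration, not UserLock's own code: the event tuples, the group names and the limits are constructed for the example, and each list stands for what one domain controller recorded on its own.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample events, one list per domain controller (assumption: each
# DC only recorded the logons it handled itself, as a (time, user, computer, kind) tuple).
DC1_EVENTS = [
    ("2004-03-01T08:00:00", "alice", "WS-ACCT-01", "logon"),
    ("2004-03-01T08:05:00", "bob", "WS-ENG-07", "logon"),
]
DC2_EVENTS = [
    ("2004-03-01T08:30:00", "alice", "WS-ACCT-04", "logon"),  # alice never logged off WS-ACCT-01
    ("2004-03-01T09:00:00", "bob", "WS-ENG-07", "logoff"),
]
# Hypothetical per-group concurrent-session limits and group membership.
LIMITS = {"admins": 1, "users": 2}
GROUPS = {"alice": "users", "bob": "users", "domadmin": "admins"}

@dataclass(frozen=True)
class Event:
    when: datetime
    user: str
    computer: str
    kind: str  # "logon" or "logoff"

def merge_history(*sources):
    """Fold the per-DC event lists into one chronologically ordered history."""
    events = [Event(datetime.fromisoformat(t), u, c, k)
              for src in sources for (t, u, c, k) in src]
    return sorted(events, key=lambda e: e.when)

def active_sessions(history):
    """Replay the merged history; return {user: set of computers still logged on}."""
    open_on = {}
    for ev in history:
        if ev.kind == "logon":
            open_on.setdefault(ev.user, set()).add(ev.computer)
        elif ev.kind == "logoff":
            open_on.get(ev.user, set()).discard(ev.computer)
    return {u: cs for u, cs in open_on.items() if cs}

def evaluate_logon(user, computer, history, limits=LIMITS, groups=GROUPS):
    """Allow/deny a new interactive logon against the user's group limit; returns (allowed, reason)."""
    current = active_sessions(history).get(user, set())
    if computer in current:  # e.g. unlocking a workstation: no new session is created
        return True, "session already open on this computer"
    limit = limits[groups.get(user, "users")]
    if len(current) >= limit:
        return False, f"already logged on at {sorted(current)}; limit is {limit}"
    return True, "allowed"
```

Alice's forgotten session on WS-ACCT-01 is only visible once both DCs' records are merged, which is exactly why a third logon for her is refused while Bob, who logged off, is allowed.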

UserLock Feature 3: Restrict Users to Specific Computers

- UserLock allows you to create complex rules governing where users can logon
  - For example, you can restrict your users to logon to the workstations in their department only
- Restrictions can be placed on groups
  - Reduces management overhead
- UserLock also allows logons to all computers except those in a given group
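
The three kinds of restriction the slides describe (allowed computer groups, allowed IP ranges, and "all computers except a group") can be expressed as one small rule evaluator. This is an added example, not UserLock's rule format or code; the computer groups, user groups, subnet and default policy are all constructed for illustration.

```python
import ipaddress

# Constructed computer groups and per-user-group rules. The rule shape is an
# assumption for illustration, not UserLock's own configuration format.
COMPUTER_GROUPS = {
    "accounting-ws": {"WS-ACCT-01", "WS-ACCT-04"},
    "kiosks": {"KIOSK-LOBBY", "KIOSK-HALL"},
}
RULES = {
    # only the named computers (the "workstations in their department" case)
    "accounting": {"allow_groups": ["accounting-ws"]},
    # only workstations inside the engineering subnet (restriction by IP range)
    "engineering": {"allow_ip_ranges": ["10.20.0.0/16"]},
    # everywhere except the kiosk group (the "all computers except" case)
    "helpdesk": {"deny_groups": ["kiosks"]},
}
USER_GROUP = {"alice": "accounting", "bob": "engineering", "carol": "helpdesk"}
DEFAULT_ALLOW = True  # assumption: users with no rule are unrestricted

def _in_groups(computer, group_names):
    return any(computer in COMPUTER_GROUPS.get(g, set()) for g in group_names)

def _in_ranges(ip, ranges):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r) for r in ranges)

def logon_permitted(user, computer, ip):
    """Evaluate the workstation restriction for one logon attempt.

    Deny rules win over allow rules; if the rule carries any allow list, the
    computer must match at least one of them (by name group or by IP range).
    """
    rule = RULES.get(USER_GROUP.get(user))
    if rule is None:
        return DEFAULT_ALLOW
    if _in_groups(computer, rule.get("deny_groups", [])):
        return False
    allow_groups = rule.get("allow_groups", [])
    allow_ranges = rule.get("allow_ip_ranges", [])
    if allow_groups or allow_ranges:
        return _in_groups(computer, allow_groups) or _in_ranges(ip, allow_ranges)
    return True
```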

UserLock Architecture

- Security is computed by a single computer, the "UserLock Primary Server", and runs as a secure Windows NT Service
- Agents are automatically distributed by the service to all domain workstations
  - Agent is a GINA DLL extension
- Authentication restriction occurs before logon (unlike Microsoft’s Cconnect). No unnecessary entries made to the security log
- Customizable messages
  - "You are already logged in too many times. Call 555-1212 for help."
- Logon requests from sub-networks may be forwarded by UserLock Relay servers installed on each domain sub-network
  - Compliant with firewalls
- Restrictions can be combined to provide very tight security

Conclusions About UserLock

- Solves Problem 1: NT/2000/XP cannot prevent multiple logons
  - You can implement a process to limit or eliminate simultaneous logons on NT/2000/XP
- Solves Problem 2: Users do not have secure behavior patterns
  - It will protect your network from internal attacks
  - UserLock forces them to log off their previous machine before beginning a new session, increasing security awareness
- Solves Problem 3: Users can logon to any subnet
  - You can completely control which machines are logged onto
- Solves Problem 4: Tracking users is difficult
  - Logon history is stored in a single location
  - A single report shows current logon status for all users
  - You can be notified when users logon, logoff, or fail to logon

Q&A