This document summarizes 8 holes in Windows login controls related to security and regulatory compliance. UserLock is a product that fills these holes by providing controls such as concurrent login limits, logon/logoff reporting, session monitoring, remote logoff, time restrictions by group, workstation restrictions by group, forcible logoff when allowed time expires, and display of previous logon details. It was positively reviewed in PC Mag for providing tight user access control for organizations with mandatory security requirements.
8 Holes in Windows Login Controls and How UserLock Fills Them
1. 5-minute presentation
8 Holes in Windows® Login Controls and how UserLock® fills them in …
2. Windows® lacks important security controls:
- No concurrent login control
- No logon time restrictions by group
- No workstation restrictions by group
- No logon/logoff reporting
- No logon session monitoring
- No forcible logoff when allowed logon time expires
- No previous logon time and computer display when a user logs on
- No remote logoff of workstation logon sessions
3. These security controls are required for an Information System to comply with major regulatory constraints and to efficiently mitigate insider threat.
4. 2011 CyberSecurity Watch Survey
How bad is the insider threat?
Pie chart: electronic crimes committed by Insiders 21%, Outsiders 58%, Unknown 21%.
Source: 2011 CyberSecurity Watch Survey, CSO Magazine, U.S. Secret Service, Software Engineering Institute CERT Program at Carnegie Mellon University and Deloitte, January 2011.
5. 2011 CyberSecurity Watch Survey
How damaging is an insider incident?
Pie chart: share of the most costly or damaging electronic crimes committed by Insiders, Outsiders and Unknown actors. The extracted values are 29%, 33% and 38%; the extraction does not preserve which value belongs to which category.
Source: 2011 CyberSecurity Watch Survey, CSO Magazine, U.S. Secret Service, Software Engineering Institute CERT Program at Carnegie Mellon University and Deloitte, January 2011.
6. Best practices for the prevention of insider threat recommended in the Common Sense Guide to Prevention and Detection of Insider Threats:
- Log, monitor, and audit employee online actions
- Collect and save usable evidence in order to preserve response options
- Make all activity from any account attributable to its owner
- Deactivate computer access following termination
7. Windows native login controls do not enable efficient implementation of such practices.
8. Hole #1
No concurrent login control
There is no native, supported mechanism in Windows to limit a given user account to being logged on at only one computer at a time.
9. Why is controlling concurrent logins so important?
Without it, users face no consequence to their own access when they share their credentials, so credential sharing becomes more likely.
10. Why is controlling concurrent logins so important?
Without it, an attacker can use stolen but valid credentials at the same time as their legitimate owner, without disrupting that owner, so the compromise goes unnoticed and the network's attack surface widens.
11. Why is controlling concurrent logins so important?
Without it, one user can unduly tie up several workstations at once, preventing proper sharing of resources.
12. Why is controlling concurrent logins so important?
Without it, the same roaming profile can be loaded and written back from several machines at once, which very easily corrupts roaming profiles and creates versioning conflicts for offline files.
13. NOT CONTROLLING
CONCURRENT LOGINS
CREATES A REAL
ACCOUNTABILITY AND
NON-REPUDIATION ISSUE.
16. Hole #2
No logon/logoff reporting
There is no built-in way in Windows to produce a report saying "John logged on at 8:00 and he logged off at 11:00." Each computer's Security log does record logons (event 4624) and logoffs (events 4634 and 4647) when logon auditing is enabled, but those records stay on the machine where they occurred and are never correlated into sessions or consolidated across the network.
17. Why is logon/logoff reporting so important?
It gives the ability to answer crucial questions in investigations following an incident:
- Who was really logged on?
- When did they log on?
- When did they log off?
- How long did they remain logged on?
- Where were they logged on?
- At any given time, which people were actually logged on at their systems?
18. Logon/logoff reporting is required to comply with major international regulations, including the Loi sur la Sécurité Financière (France's Financial Security Law).
19. UserLock® records all session logon/logoff and locking events in an ODBC database for reporting.
20. Hole #3
No logon session monitoring
Native Windows features do not let SysAdmins answer the following questions in real time across the network (the built-in quser / query user command answers only for the single machine named with /server:, one host at a time):
- Who is logged on at which computers?
- Which computers are being used by a given user?
- Who are the users currently logged on at this particular computer?
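As an added example (not UserLock's or Microsoft's code), the following PowerShell correlates the native Security log events named under Hole #2 into sessions and uses them to answer Hole #1 (one account active on two computers at once), Hole #2 (the logon/logoff report) and Hole #3 (who is logged on right now). The sample events are constructed for this illustration; the computer names, account names and logon IDs are hypothetical. Logon and logoff records are matched on TargetLogonId, which is unique per logon on a given host, so the key also includes the computer name.

```powershell
# Added example, not UserLock's or Microsoft's code: correlate Security log events
# 4624 (logon), 4634 (logoff) and 4647 (user-initiated logoff) into sessions.
# Matching key is Computer + TargetLogonId, unique per logon on a given host.

function Get-LogonSessions {
    # $Events: objects with Id, TimeCreated, Computer, User, LogonType, LogonId.
    # Returns one object per interactive session; End is $null if still open.
    param([Parameter(Mandatory)][object[]]$Events)
    $open = @{}                    # "Computer|LogonId" -> matching 4624 record
    $sessions = New-Object System.Collections.Generic.List[object]
    foreach ($e in ($Events | Sort-Object TimeCreated)) {
        $key = "$($e.Computer)|$($e.LogonId)"
        switch ($e.Id) {
            4624 {
                # Types 2 (console), 10 (RDP), 11 (cached) are human sessions;
                # 3 (network) and 5 (service) would flood the report, 7 is an unlock.
                if ($e.LogonType -in 2, 10, 11) { $open[$key] = $e }
            }
            { $_ -in 4634, 4647 } {
                if ($open.ContainsKey($key)) {
                    $s = $open[$key]
                    $sessions.Add([pscustomobject]@{
                        User = $s.User; Computer = $s.Computer; Start = $s.TimeCreated
                        End = $e.TimeCreated; Duration = $e.TimeCreated - $s.TimeCreated })
                    $open.Remove($key)
                }
            }
        }
    }
    foreach ($s in $open.Values) {   # no logoff yet = logged on right now (Hole #3)
        $sessions.Add([pscustomobject]@{
            User = $s.User; Computer = $s.Computer; Start = $s.TimeCreated; End = $null; Duration = $null })
    }
    $sessions
}

function Find-ConcurrentSessions {
    # Hole #1 check: the same account with time-overlapping sessions on different computers.
    param([Parameter(Mandatory)][object[]]$Sessions, [datetime]$Now = (Get-Date))
    foreach ($g in ($Sessions | Group-Object User)) {
        $list = @($g.Group)
        for ($i = 0; $i -lt $list.Count; $i++) {
            for ($j = $i + 1; $j -lt $list.Count; $j++) {
                $a = $list[$i]; $b = $list[$j]
                if ($a.Computer -eq $b.Computer) { continue }
                $aEnd = if ($a.End) { $a.End } else { $Now }   # an open session runs until now
                $bEnd = if ($b.End) { $b.End } else { $Now }
                if ($a.Start -lt $bEnd -and $b.Start -lt $aEnd) {
                    $from = if ($a.Start -gt $b.Start) { $a.Start } else { $b.Start }
                    [pscustomobject]@{ User = $g.Name; Computers = "$($a.Computer), $($b.Computer)"; OverlapFrom = $from }
                }
            }
        }
    }
}

function ConvertFrom-SecurityEvent {
    # Live input: needs "Audit Logon/Logoff" enabled and admin rights on the target,
    # or point it at a Windows Event Collector that receives forwarded events.
    param([string]$ComputerName = $env:COMPUTERNAME, [datetime]$Since = (Get-Date).AddDays(-1))
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{LogName = 'Security'; Id = 4624, 4634, 4647; StartTime = $Since} |
    ForEach-Object {
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{ Id = $_.Id; TimeCreated = $_.TimeCreated; Computer = $_.MachineName
            User = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonType = [int]$d.LogonType; LogonId = $d.TargetLogonId }   # 4647 carries no LogonType -> 0
    }
}

# Constructed sample (not a real capture) so the report runs offline:
$t = Get-Date '2011-03-01 08:00'
$sample = @(
    [pscustomobject]@{ Id = 4624; TimeCreated = $t;                Computer = 'WS01'; User = 'CORP\john'; LogonType = 2;  LogonId = '0x1a2b' }
    [pscustomobject]@{ Id = 4624; TimeCreated = $t.AddMinutes(30); Computer = 'WS07'; User = 'CORP\john'; LogonType = 2;  LogonId = '0x3c4d' }
    [pscustomobject]@{ Id = 4634; TimeCreated = $t.AddHours(3);    Computer = 'WS01'; User = 'CORP\john'; LogonType = 2;  LogonId = '0x1a2b' }
    [pscustomobject]@{ Id = 4624; TimeCreated = $t.AddMinutes(5);  Computer = 'WS02'; User = 'CORP\jane'; LogonType = 10; LogonId = '0x55aa' }
    [pscustomobject]@{ Id = 4647; TimeCreated = $t.AddHours(2);    Computer = 'WS02'; User = 'CORP\jane'; LogonType = 0;  LogonId = '0x55aa' }
)
$sessions = Get-LogonSessions -Events $sample
$sessions | Format-Table User, Computer, Start, End, Duration                  # Hole #2: john WS01 08:00-11:00, jane WS02 08:05-10:00, john WS07 open
Find-ConcurrentSessions -Sessions $sessions -Now $t.AddHours(4) | Format-Table  # Hole #1: john on WS01 and WS07 from 08:30
$sessions | Where-Object { -not $_.End } | Format-Table User, Computer, Start   # Hole #3: john still logged on at WS07
# Real data: Get-LogonSessions -Events (ConvertFrom-SecurityEvent -ComputerName WS01)
```

Two things to keep in mind when running this against real logs: a member of the local Administrators group produces two 4624 events per interactive logon (the UAC split token gives the elevated and filtered tokens separate logon IDs), so duplicate-looking sessions for admins are expected; and because each workstation only sees its own events, the concurrent-session check is only as complete as the set of hosts you collect from.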
23. Hole #4
No remote logoff of workstation sessions
Windows does not give System Administrators a practical way to remotely log off a specific user. The built-in logoff command can end a session on a remote host (logoff <session ID> /server:<host>), but it works one machine at a time and addresses sessions by ID rather than by user, so the ID must first be looked up with quser /server:<host>.
24. Why is remote logoff of workstation sessions really useful?
- To secure computers that are left unattended
- To free up locked-down resources
- To handle emergency situations
30. Hole #6
No workstation restriction by group
Windows only provides logon workstation restriction on a user-by-user basis: the "Log On To" list, stored in each account's userWorkstations attribute.
31. Why does workstation restriction by group secure access to your network?
It reduces the number of computers on which stolen credentials can be used or exploited, thereby reducing your Windows network attack surface.
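The closest native approximation of a group-based restriction is to copy one "Log On To" list onto every member of a group. The PowerShell below does that with the ActiveDirectory module's Get-ADGroupMember and Set-ADUser -LogonWorkstations; it is an added example, not UserLock's or Microsoft's code, and the group and workstation names are hypothetical. The comments spell out why this remains a workaround rather than a control.

```powershell
# Added example (not UserLock's code): approximate "workstation restriction by group"
# using the native per-user Log On To list (the userWorkstations attribute, exposed by
# the ActiveDirectory module as -LogonWorkstations). Requires the RSAT ActiveDirectory
# module and write access to the target accounts. Names below are hypothetical.
function Set-GroupLogonWorkstations {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Group,
        [Parameter(Mandatory)][string[]]$Workstations   # NetBIOS names, not FQDNs
    )
    # userWorkstations is a single comma-separated string; the schema caps it at
    # 1024 characters, so refuse an oversized list before touching any account.
    $list = ($Workstations | ForEach-Object { $_.ToUpper() } | Sort-Object -Unique) -join ','
    if ($list.Length -gt 1024) { throw "Log On To list is $($list.Length) chars; the attribute allows 1024" }

    $members = Get-ADGroupMember -Identity $Group -Recursive | Where-Object objectClass -eq 'user'
    foreach ($m in $members) {
        if ($PSCmdlet.ShouldProcess($m.SamAccountName, "Set LogonWorkstations = $list")) {
            Set-ADUser -Identity $m.DistinguishedName -LogonWorkstations $list
        }
    }
    # Why this is only a workaround: it is a snapshot. Users added to the group later
    # stay unrestricted until the next run, users removed from the group keep the old
    # restriction, and a user in two restricted groups gets whichever list was written
    # last. Schedule it and review drift with:
    #   Get-ADUser -Filter * -Properties LogonWorkstations | Select SamAccountName, LogonWorkstations
}

# Dry run first, then apply:
# Set-GroupLogonWorkstations -Group 'Finance Users' -Workstations 'FIN-WS01','FIN-WS02' -WhatIf
# Set-GroupLogonWorkstations -Group 'Finance Users' -Workstations 'FIN-WS01','FIN-WS02'
```

Note that Log On To is enforced by the domain controller at logon, so it only limits where credentials can be used; it says nothing about how many of the permitted workstations are in use at once, which is Hole #1.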
34. Hole #7
No forcible logoff when allowed logon time expires
The "Automatically log off users when logon time expires" feature in Windows (today the security option "Network security: Force logoff when logon hours expire") only disconnects SMB sessions on file and print servers. Logon hours themselves are enforced only when a new logon is attempted; nothing in Windows logs a user off the workstation where an interactive session is already established.
36. Outside of the authorized timeframe(s), or when time is up, UserLock® actually disconnects users, with prior warning.
37. Hole #8
No previous logon time and computer display when users log on
Windows can show the time of the last successful logon and the number of failed attempts since then (the "Interactive logon: Display information about previous logons during user logon" policy, available from Windows Vista / Server 2008 with the domain at the Windows Server 2008 functional level), but it is off by default and never shows which computer the previous logon came from.
38. Why does displaying previous logon time and computer increase the security of your network?
It is one of the most effective ways to detect people impersonating user accounts: the legitimate owner is the one person who knows when and where they last logged on.
39. Displaying previous logon time and computer is required to comply with ICD 503, NISPOM Chapter 8 and NIST SP 800-53 (control AC-9, Previous Logon Notification).
40. UserLock® can notify every user, before they gain access to a system, with a tailor-made warning message.
41. UserLock reviewed in PC Mag
"Overall, UserLock is a solid tool that any Windows Network Administrator should consider adding to their network management toolkit if tight user access control is mandatory for their organization … BOTTOM LINE: it's an impressive product."