8 holes in windows login controls

8 Holes in Windows® Login Controls: 5 minute presentation, and how UserLock® fills them in …

Upload: is-decisions

Post on 26-Dec-2014


DESCRIPTION

Windows has more security features than any other operating system but is strangely lacking the fundamental and classic login session controls found in other environments such as mainframe and midrange systems, UNIX and NetWare.

TRANSCRIPT

Page 1: 8 Holes in Windows Login Controls

8 Holes in Windows® Login Controls: 5 minute presentation, and how UserLock® fills them in …

Page 2: 8 Holes in Windows Login Controls

Windows® lacks important security controls:

- No concurrent login control
- No logon/logoff reporting
- No logon session monitoring
- No logon time restrictions by group
- No workstation restrictions by group
- No forcible logoff when allowed logon time expires
- No previous logon time and computer display when user logs on
- No remote logoff of workstation logon sessions

Page 3: 8 Holes in Windows Login Controls

These security controls are required for an Information System to comply with major regulatory constraints and to efficiently mitigate insider threat.

Page 4: 8 Holes in Windows Login Controls

2011 CyberSecurity Watch Survey: How bad is the insider threat?

Electronic crimes committed by: Insiders 21% | Outsiders 58% | Unknown 21%

Source: 2011 CyberSecurity Watch Survey, CSO Magazine, U.S. Secret Service, Software Engineering Institute CERT Program at Carnegie Mellon University and Deloitte, January 2011.

Page 5: 8 Holes in Windows Login Controls

2011 CyberSecurity Watch Survey: How damaging is an insider incident?

Most costly or damaging electronic crimes are committed by: Insiders 33% | Outsiders 38% | Unknown 29%

Source: 2011 CyberSecurity Watch Survey, CSO Magazine, U.S. Secret Service, Software Engineering Institute CERT Program at Carnegie Mellon University and Deloitte, January 2011.

Page 6: 8 Holes in Windows Login Controls

Best practices for the prevention of insider threat recommended in the Common Sense Guide to Prevention and Detection of Insider Threats:

- Log, monitor, and audit employee online actions
- Collect and save usable evidence in order to preserve response options
- Make all activity from any account attributable to its owner
- Deactivate computer access following termination

Page 7: 8 Holes in Windows Login Controls

Windows native login controls do not enable efficient implementation of such practices.

Page 8: 8 Holes in Windows Login Controls

Hole #1: No concurrent login control

There is no way in Windows to limit a given user account to logging on at only one computer at a time.

Page 9: 8 Holes in Windows Login Controls

Why is controlling concurrent logins so important?

It increases the risk of users sharing their credentials, as there is no consequence to their own access on the network.

Page 10: 8 Holes in Windows Login Controls

Why is controlling concurrent logins so important?

It widens the attack surface of a network, as a hacker can seamlessly use valid credentials at the same time as their legitimate owner.

Page 11: 8 Holes in Windows Login Controls

Why is controlling concurrent logins so important?

It means that several workstations can unduly be blocked by one user, thus preventing proper sharing of resources.

Page 12: 8 Holes in Windows Login Controls

Why is controlling concurrent logins so important?

It can very easily corrupt roaming profiles and create versioning conflicts for offline files.

Page 13: 8 Holes in Windows Login Controls

NOT CONTROLLING CONCURRENT LOGINS CREATES A REAL ACCOUNTABILITY AND NON-REPUDIATION ISSUE.

Page 14: 8 Holes in Windows Login Controls

Controlling concurrent logins is required to comply with ICD 503, NISPOM Chap. 8 and NIST 800-53.

Page 15: 8 Holes in Windows Login Controls

UserLock® allows you to limit or prevent concurrent logins.

Page 16: 8 Holes in Windows Login Controls

Hole #2: No logon/logoff reporting

There is no way in Windows to get a report saying “John logged on at 8:00 and he logged off at 11:00.”

Page 17: 8 Holes in Windows Login Controls

Why is logon/logoff reporting so important?

It gives the ability to answer crucial questions when it comes to investigations following an incident:

- Who was really logged on?
- Where were they logged on?
- When did they log on?
- How long did they remain logged on?
- When did they log off?
- At any given time, which people were actually logged on at their systems?

Page 18: 8 Holes in Windows Login Controls

Logon/logoff reporting is required to comply with major international regulations (for example the Loi sur la Sécurité Financière).

Page 19: 8 Holes in Windows Login Controls

UserLock® records all session logging and locking events in an ODBC database for reporting.

Page 20: 8 Holes in Windows Login Controls

Hole #3: No logon session monitoring

Native Windows features do not allow SysAdmins to answer the following questions in real time:

- Who is logged on at which computers?
- Which computers are being used by a given user?
- Who are the users currently logged on at this particular computer?
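To make holes #1 to #3 concrete, here is an added Python example (not code from the presentation, nor from UserLock) that reconstructs logon sessions from Windows-style logon/logoff records and answers the questions above: it pairs each logon with its logoff to produce the “John logged on at 8:00 and logged off at 11:00” report, lists who is logged on where at a given instant, and flags a user holding sessions on two computers at once. The event IDs 4624 and 4634 are the real Windows Security-log logon and logoff IDs; the records, user names, computer names and logon IDs are constructed sample data.

```python
"""Session reconstruction over constructed Windows-style logon/logoff events.

Added example, not part of the presentation: 4624/4634 are the real Windows
Security-log IDs for logon/logoff; everything else below is constructed data.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple


@dataclass
class Event:
    when: datetime
    event_id: int        # 4624 = successful logon, 4634 = logoff
    user: str
    computer: str
    logon_id: str        # Windows "Logon ID": ties a 4634 to the 4624 that opened the session


@dataclass
class Session:
    user: str
    computer: str
    start: datetime
    end: Optional[datetime]   # None while the user is still logged on


def _t(hhmm: str) -> datetime:
    # Constructed timestamps, all on one day.
    return datetime(2014, 12, 26, int(hhmm[:2]), int(hhmm[3:]))


# Constructed sample data (not real logs): john holds two sessions at once.
SAMPLE_EVENTS: List[Event] = [
    Event(_t("08:00"), 4624, "john",  "WS01", "0x1A"),
    Event(_t("08:30"), 4624, "john",  "WS07", "0x2B"),
    Event(_t("09:00"), 4624, "alice", "WS02", "0x3C"),
    Event(_t("09:15"), 4634, "john",  "WS07", "0x2B"),
    Event(_t("11:00"), 4634, "john",  "WS01", "0x1A"),
    Event(_t("12:00"), 4624, "bob",   "WS01", "0x4D"),   # no logoff yet
]


def build_sessions(events: List[Event]) -> List[Session]:
    """Pair each logon with its logoff; sessions without a logoff stay open."""
    open_sessions: Dict[Tuple[str, str], Session] = {}   # (computer, logon_id) -> session
    sessions: List[Session] = []
    for ev in sorted(events, key=lambda e: e.when):
        key = (ev.computer, ev.logon_id)
        if ev.event_id == 4624:
            s = Session(ev.user, ev.computer, ev.when, None)
            open_sessions[key] = s
            sessions.append(s)
        elif ev.event_id == 4634:
            s = open_sessions.pop(key, None)
            if s is not None:        # a logoff with no matching logon is ignored
                s.end = ev.when
    return sessions


def session_report(sessions: List[Session]) -> List[str]:
    """The 'John logged on at 8:00 and logged off at 11:00' report (hole #2)."""
    lines = []
    for s in sessions:
        if s.end is None:
            lines.append(f"{s.user} logged on {s.computer} at {s.start:%H:%M} and is still logged on")
        else:
            mins = int((s.end - s.start).total_seconds() // 60)
            lines.append(f"{s.user} logged on {s.computer} at {s.start:%H:%M} "
                         f"and logged off at {s.end:%H:%M} ({mins} min)")
    return lines


def logged_on_at(sessions: List[Session], t: datetime) -> List[Tuple[str, str]]:
    """Who was logged on where at instant t (the monitoring questions of hole #3)."""
    return sorted((s.user, s.computer) for s in sessions
                  if s.start <= t and (s.end is None or s.end > t))


def concurrent_logins(sessions: List[Session]) -> List[Tuple[str, str, str, datetime, datetime]]:
    """Flag a user holding sessions on two different computers at the same time (hole #1)."""
    hits = []
    far_future = datetime.max          # an open session is treated as still running
    for i, a in enumerate(sessions):
        for b in sessions[i + 1:]:
            if a.user != b.user or a.computer == b.computer:
                continue
            overlap_start = max(a.start, b.start)
            overlap_end = min(a.end or far_future, b.end or far_future)
            if overlap_start < overlap_end:
                hits.append((a.user, a.computer, b.computer, overlap_start, overlap_end))
    return hits


if __name__ == "__main__":
    sessions = build_sessions(SAMPLE_EVENTS)
    print("\n".join(session_report(sessions)))
    print("Logged on at 08:45:", logged_on_at(sessions, _t("08:45")))
    for user, c1, c2, s, e in concurrent_logins(sessions):
        print(f"CONCURRENT: {user} on {c1} and {c2} from {s:%H:%M} to {e:%H:%M}")
```

The caveat a practitioner will hit immediately: Windows writes these events into each computer's own Security log, so this view only exists once logon auditing is enabled everywhere and every workstation's log is collected centrally, and even then lock, unlock and disconnect events are not modelled here. That gap between per-host audit data and a network-wide session view is what the presentation is pointing at.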

Page 21: 8 Holes in Windows Login Controls

Logon/logoff monitoring is required to comply with major US regulations.

Page 22: 8 Holes in Windows Login Controls

UserLock® allows real time session monitoring and alerts.

Page 23: 8 Holes in Windows Login Controls

Hole #4: No remote logoff of workstation sessions

Windows features do not provide System Administrators with a practical way to remotely log off a specific user.

Page 24: 8 Holes in Windows Login Controls

Why is remote logoff of workstation sessions really useful?

- Secure computers that are left unattended
- Free up locked-down resources
- Handle emergency situations

Page 25: 8 Holes in Windows Login Controls

Remote logoff ability is required to comply with GLBA and FISMA.

Page 26: 8 Holes in Windows Login Controls

With UserLock®, a SysAdmin can remotely lock or log off any session.

Page 27: 8 Holes in Windows Login Controls

Hole #5: No logon time restriction by group

Windows only provides logon time restriction functionality on a user-by-user basis.

Page 28: 8 Holes in Windows Login Controls

Enforcing time restrictions is required to comply with major international regulations (for example the Loi sur la Sécurité Financière).

Page 29: 8 Holes in Windows Login Controls

UserLock® enforces time restrictions by group and OU.

Page 30: 8 Holes in Windows Login Controls

Hole #6: No workstation restriction by group

Windows only provides logon workstation restriction functionality on a user-by-user basis.

Page 31: 8 Holes in Windows Login Controls

Why does workstation restriction by group secure access to your network?

It reduces the number of computers on which stolen credentials can be used or exploited, therefore reducing your Windows network attack surface.

Page 32: 8 Holes in Windows Login Controls

Workstation restriction is required to comply with GLBA, FISMA and HIPAA.

Page 33: 8 Holes in Windows Login Controls

UserLock® enforces workstation restrictions by group and OU.

Page 34: 8 Holes in Windows Login Controls

Hole #7: No forcible logoff when allowed logon time expires

The “Automatically logoff users when logon time expires” feature in Windows only applies to file and print servers (SMB components). There is absolutely nothing in Windows that will log a user off the workstation where he is logged on.

Page 35: 8 Holes in Windows Login Controls

Forcible logoff ability is required to comply with the US Patriot Act, FISMA and HIPAA.

Page 36: 8 Holes in Windows Login Controls

Outside of authorized timeframe(s) or when time is up, UserLock® will really disconnect users, with prior warning.

Page 37: 8 Holes in Windows Login Controls

Hole #8: No previous logon time and computer display when users log on

Windows does not display previous logon time and computer when users log on.

Page 38: 8 Holes in Windows Login Controls

Why does displaying previous logon time and computer increase the security of your network?

This is one of the most effective ways to detect people impersonating user accounts.

Page 39: 8 Holes in Windows Login Controls

Displaying previous logon time and computer is required to comply with ICD 503, NISPOM Chap. 8 and NIST 800-53.

Page 40: 8 Holes in Windows Login Controls

UserLock® allows notifying all users prior to gaining access to a system with a tailor-made warning message.

Page 41: 8 Holes in Windows Login Controls

“Overall, UserLock is a solid tool that any Windows Network Administrator should consider adding to their network management toolkit if tight user access control is mandatory for their organization … … BOTTOM LINE: it’s an impressive product.”

UserLock reviewed in PC Mag

Page 42: 8 Holes in Windows Login Controls

www.UserLock.com

Download a free, fully-functional trial now