LimitLogin vs UserLock

This blog post reviews how LimitLogin and UserLock limit concurrent user logins in an Active Directory domain.

It will focus on the concurrent connection restriction feature provided by each solution and discuss how else they help an organization secure user access for Windows Active Directory environments.


LimitLogin

LimitLogin is an unsupported tool that was released in 2005. It was written by a Microsoft Partner Technology specialist and an Application Development Consultant. The aim of LimitLogin was to add the ability to track and limit concurrent workstation and terminal user logins in an Active Directory domain.

UserLock

UserLock is an enterprise software solution that controls, audits and monitors user access to an Active Directory network. UserLock permits, denies or limits access based on a range of criteria; for example, preventing concurrent logins via a single identity, limiting access to certain device types and limiting network access methods. UserLock also monitors all sessions in real time providing alerts and information to respond to suspicious events and a log of access information for audit and forensics.

UserLock is developed by IS Decisions, a Microsoft Partner company founded in 2000 that specializes in solutions to safeguard and secure Microsoft Windows and Active Directory infrastructure.

Download NOW a fully functional Free Trial of UserLock. 30-day full version with no user limits

LimitLogin vs UserLock: a comparison

Feature | LimitLogin | UserLock
Agent technology | Logon scripts | Windows service*
AD schema modification | Yes | No
Web server requirement | Yes | No
Supported workstation OS | Windows 2000 SP4, Windows XP SP1 | Windows XP, Windows Vista, Windows Seven, Windows Eight
Supported server OS | Windows Server 2003, Windows Server 2008 | Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2
64-bit OS support | No | Yes
Client agent | Yes | Yes
Integrated deployer | No | Yes
Workstation sessions | Yes | Yes
Terminal sessions | Yes | Yes
Wi-Fi sessions | No | Yes
VPN sessions | No | Yes
IIS sessions | No | Yes
Logon and logoff events audit | Yes | Yes
Lock and unlock events audit | No | Yes
Limit by user | Yes | Yes
Limit by group | No | Yes
Location restrictions | No | Yes
Time connection restrictions | No | Yes
Time quota features | No | Yes
Customizable messages | No | Yes
E-mail notifications | No | Yes
Pop-up notifications | No | Yes
Database of session activities | No | Yes
Printable and customizable reports | No (CSV / XML export only) | Yes
Supported solution | No, not even by its provider Microsoft | Yes, by its editor IS Decisions

* Windows service: except on the older Windows XP and Windows Server 2003, where the micro-agent is a GINA DLL.

Requirements and Specifications

LimitLogin is not compatible with Windows Server 2008R2, 2012 and 2012R2.

UserLock is Microsoft-certified for compliance and support with Windows Server 2012, 2012R2, 2008, 2008R2 and 2003.

LimitLogin doesn’t support 64-bit systems. UserLock does.

Similar to the status of the resource kit tools and/or the support tools, LimitLogin is not officially supported by Microsoft.

Figure: Windows Server operating systems supported by LimitLogin and UserLock.

Figure: Windows workstation operating systems supported by LimitLogin and UserLock.

Limited Session Types with LimitLogin

LimitLogin's capabilities are limited to monitoring workstation and terminal sessions only. UserLock, on the other hand, takes into account access from all session types (workstation, terminal, interactive, Internet Information Services and Wi-Fi/VPN).

Figure: audited and protected user session types in LimitLogin and UserLock.

Architecture & Deployment

A summary comparing the architecture required to monitor and limit the number of workstation and terminal logins:

LimitLogin | UserLock
The architecture is built around 3 main elements: a Web service that handles the back-end processing on the server; an application directory partition that holds the login information; login and logoff VBS scripts. | A client/server application: a UserLock Server on a Windows server; a micro-agent on each protected machine; optionally a SQL Server.
LimitLogin requires creating a new partition in Active Directory on a Windows Domain Controller. | UserLock can be installed on any member server of the network. There is no requirement to use a Domain Controller.
LimitLogin performs an Active Directory schema modification. This operation is irreversible and cannot be cancelled. | UserLock doesn't perform any Active Directory modification.
LimitLogin requires logon and logoff scripts. | The micro-agent can be deployed automatically through the UserLock console or as an MSI package.
LimitLogin requires a Web server set up to do delegated Kerberos authentication for script communication and rules processing. | Encrypted communication between the server and agents requires only Ping and Microsoft File and Printer Sharing protocols.
Login session information is stored in files that are not encrypted. | Session activities are stored in a database that can be a SQL Express or SQL Server edition (a free database is provided).

Deploying LimitLogin

Microsoft LimitLogin was designed to help administrators apply login limits on their network. It is, however, complex to implement and unsafe due to the Active Directory schema modification it requires.

Bill Boswell (Microsoft Certified Professional Magazine) wrote this very meticulous and precise breakdown on how to deploy LimitLogin:

“LimitLogin requires a bit of effort to deploy. For one thing, it performs a Schema modification. For another, it creates a new partition in Active Directory. It also requires configuring a Web server with the .NET Framework and ASP.NET and setting it up to do delegated Kerberos authentication. Finally, it requires distributing client packages that support communicating with the Web server via SOAP (a lightweight protocol for exchanging structured information in a distributed environment). Whoa. Don’t stop reading. It’s complicated, but not impossible. Really.”

Deploying UserLock

UserLock installs in minutes on a standard Windows Server. The installation can be done on any member server of the domain; there is no requirement to use a Domain Controller. Once installed, UserLock must deploy a micro-agent onto each workstation that is a member of the selected network zone. This can be done through the UserLock console, which contains an agent deployer with manual and automatic modes. UserLock reads Active Directory information but doesn't modify anything regarding accounts or the schema.

The need to manage Concurrent connections

Most organizations that work in a Windows environment use Microsoft Active Directory to authenticate and control all users. However, Active Directory is by no means a foolproof security solution. Yes, it manages passwords and confirms that the user name matches the password, but it does not stop multiple users from logging on with the same credentials at the same time.

Meeting this challenge of limiting concurrent logins in a Windows environment averts one of the most potentially dangerous situations for a Windows Active Directory network.

Preventing or limiting concurrent sessions:

  •  Stops users from sharing their passwords. Users will think twice about sharing credentials, as they won't be able to get on the system if someone else is logged in too
  •  Stops rogue users from using valid credentials at the same time as their legitimate owner
  •  Ensures access to critical assets is attributed to individual employees
  •  Is required for an information system to comply with major regulatory constraints, including NIST 800-53, SOX, PCI-DSS, HIPAA and the newly updated CJIS requirements.
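To make the concurrent-login problem concrete, here is an added example (written for this post, not code from LimitLogin or UserLock) of the core logic both tools implement: replaying logon and logoff events per account and denying a logon once the account already holds its allowed number of sessions on other machines. The events, host names, account names and the per-account limit table are constructed for the example.

```python
"""Minimal concurrent-session tracker over constructed logon/logoff events."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int      # seconds since epoch (constructed sample values)
    user: str
    host: str
    kind: str    # "logon" or "logoff"


# Per-account limits (constructed); one session per account is the default policy.
LIMITS = {"svc_backup": 2}
DEFAULT_LIMIT = 1


def evaluate(events, limits=LIMITS, default=DEFAULT_LIMIT):
    """Replay events in time order and return (decisions, active_sessions).

    decisions: one (ts, user, host, "allow"|"deny") tuple per logon event.
    A logon is denied when the account already holds `limit` sessions on
    other hosts. A repeat logon on a host that already has a session for the
    account (unlock / reconnect) is allowed and is not counted twice."""
    active = defaultdict(set)   # user -> hosts with an open session
    decisions = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "logoff":
            active[ev.user].discard(ev.host)
            continue
        hosts = active[ev.user]
        if ev.host in hosts or len(hosts) < limits.get(ev.user, default):
            hosts.add(ev.host)
            decisions.append((ev.ts, ev.user, ev.host, "allow"))
        else:
            decisions.append((ev.ts, ev.user, ev.host, "deny"))
    return decisions, {u: sorted(h) for u, h in active.items() if h}


# Constructed sample: alice's credentials are used from a second workstation
# while her first session is still open; a service account has a limit of 2.
SAMPLE = [
    Event(100, "alice", "WS01", "logon"),
    Event(160, "alice", "WS07", "logon"),         # concurrent logon -> denied
    Event(200, "alice", "WS01", "logoff"),
    Event(230, "alice", "WS07", "logon"),         # allowed once WS01 is closed
    Event(300, "svc_backup", "SRV01", "logon"),
    Event(310, "svc_backup", "SRV02", "logon"),   # second session, within limit
    Event(320, "svc_backup", "SRV03", "logon"),   # third session -> denied
]

if __name__ == "__main__":
    for decision in evaluate(SAMPLE)[0]:
        print(decision)
```

The denied entries are exactly the events a defender would want alerted on: a valid credential in use from two machines at once.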

Further Restrictions needed to Manage Network Access

The application LimitLogin allows an organization to manage only the number of user logins.

With UserLock, concurrent login control is just one part of a granular access control policy. UserLock sets and enforces login control based on multiple criteria in a matrix of access rules, set according to user, user group or organizational unit.

Control from where a protected account may log on: restrict domain users to a workstation or device, IP range, department, floor or building.

Control the hours and days when protected users can log on to the network: define working hours and/or a maximum session time.

Conclusion

Microsoft LimitLogin was a free tool that helped administrators in the past to apply login limits on their network. It was, however, complex to implement and unsafe due to the Active Directory schema modification it required.

In today's world, LimitLogin is unable to meet the critical needs of many organizations. Operating systems released during the past six years are not supported; only the number of user sessions can be controlled, with no further restrictions by location or time; and it is limited to workstation and terminal sessions only.

Defining and enforcing a full user access policy, to ensure the security of your network access and the protection of your data, requires the consideration of more context variables.

The number of simultaneous accesses alone is not sufficient. You need to know, analyze and control who, how, when, how many times and from where access to an enterprise network is requested, whether the request comes from a machine, through the VPN, via a wireless connection, or from a web application or an intranet.

UserLock answers these needs with an effective network access management tool that is very simple to manage and easy to use. A customized access policy can be set and enforced to permit or deny user logins. Concurrent sessions can be prevented and access restricted to specific workstations or devices, time, business hours and connection type (including Wi-Fi).

Case Study: Bank of Cyprus reduces security risks from internal users with UserLock

Disclaimer: The comparison juxtaposes the features of IS Decisions UserLock and LimitLogin based on the publicly available information as of February 11, 2014.


Chris is Community Manager of IS Decisions. IS Decisions software offers organizations proven and effective solutions to help protect a Windows Network against Insider Threats.
