Windows hole 6: No workstation restrictions by group

Here again, Windows does provide logon workstation restriction functionality on a user-by-user basis.

A system administrator can open a user's account and restrict it to logging on from specific computers only, but there is no way to do this by group, which is a real obstacle to implementing and enforcing an efficient access security policy. Limiting the number of computers on which an account could be attacked or exploited, if someone guesses the password or obtains it through social engineering, is highly relevant because it reduces the attack surface of your Windows network.

This feature is nonetheless a logical requirement for an information system to comply with major regulatory constraints, including:

UserLock allows network access to be restricted for user groups by workstation, IP range or Organizational Unit. In this way, users can be limited to their own workstation, department, floor, building…
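The native per-user restriction described above can only be approximated for a group by stamping the same value on every member. The PowerShell below is an added example, not code from the original page or from UserLock; it assumes the ActiveDirectory module is installed, and the group and computer names are hypothetical placeholders.

```powershell
# Added example: emulate a group-wide logon workstation restriction by
# writing the per-user LogonWorkstations value on each member of a group.
# Group and computer names below are hypothetical placeholders.
#Requires -Modules ActiveDirectory

[CmdletBinding(SupportsShouldProcess)]
param(
    [string]   $GroupName    = 'Finance-Users',            # hypothetical group
    [string[]] $Workstations = @('FIN-WS01', 'FIN-WS02')   # hypothetical computers
)

# Set-ADUser expects one comma-separated string of computer names.
$desired = ($Workstations | Sort-Object -Unique) -join ','

# Resolve nested groups and keep only user objects.
$members = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

$report = foreach ($m in $members) {
    $user = Get-ADUser -Identity $m.distinguishedName -Properties LogonWorkstations

    # Normalise the current value so ordering differences are not reported as drift.
    $current = (($user.LogonWorkstations -split ',') |
        Where-Object { $_ } | Sort-Object -Unique) -join ','

    $state = if ($current -eq $desired) { 'Compliant' }
        elseif (-not $current) { 'Unrestricted' }
        else { 'Drifted' }

    # Honour -WhatIf / -Confirm so the change can be previewed first.
    if ($state -ne 'Compliant' -and
        $PSCmdlet.ShouldProcess($user.SamAccountName, "Set LogonWorkstations to $desired")) {
        Set-ADUser -Identity $user -LogonWorkstations $desired
    }

    [pscustomobject]@{
        User     = $user.SamAccountName
        Previous = $current
        State    = $state
    }
}

$report | Sort-Object State, User | Format-Table -AutoSize
```

Because the value lives on each account rather than on the group, the script has to be re-run whenever membership changes, and a user removed from the group keeps the restriction until it is cleared by hand.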

