Auditing Logon Events. Why stop there?

Auditing logon events

Auditing logon events across a Windows network is often a priority for organizations that want to secure access to their network and better understand user activity. What’s more, it is required for an information system to comply with most major regulatory constraints.

However, auditing logon events on their own is not enough for organizations who are serious about protecting their Windows network and all of the data contained within.

Whether it’s for HIPAA, SOX, PCI, NISPOM, DCID 6/3, GLBA, US Patriot Act or FISMA, strong access control is one of the key areas on which auditors focus their efforts.

Some of the points that auditors consider are as follows:

User Account Approval & Role-Based Access Control

An auditor will look for policies, standards and procedures for ensuring secure and reliable authorization, i.e. user account approval to get access to the network and the organization’s data.

In addition, a growing and important aspect of enterprise access control is role-based access control (RBAC). Creating well-defined user roles based on the rule of least privilege makes it easier to ensure users have access only to what their job requires. When a new user joins an organization, his or her user ID is added to the role rather than to a particular set of database resources. The role is what holds the access rights, which makes it more efficient to add users to the system.

Privileged User Protections

To keep application and database environments working well, some IT super-users (administrator accounts) will exist who have access to considerably more data than the ordinary employee. These are the people whose every action an organization should be monitoring.

Effective Monitoring of User Activity

Effective access control is not just about putting up barriers to entry; it should also enable more visibility into what specific employees are doing within specific systems. When tracking and auditing logon events, organizations can fall into a common trap. While collecting and storing logs is important, it is only a means to an end – knowing what is going on in your environment and, most importantly, responding to it is the key.

Furthermore, it is important to stress that whilst monitoring user activity is required by many compliance regulations, the monitoring has limited use without the ability to filter events or to alert the security administrator to specific and potentially suspicious access events.

Don’t just stop at auditing logon events!

So when auditing logon events, why not go further and consider how to control, restrict, monitor and be alerted on all user logons throughout a Windows network?

UserLock is a unique software solution that can take on the tasks mentioned above, in addition to auditing logon events and providing comprehensive, detailed reports on session history, session statistics, user sessions, etc.

UserLock restricts, controls, monitors and audits user access to protect a Windows Network. 

  • UserLock enables IT security teams to set customized access policies to permit or deny logins (including concurrent logins), workstation access and usage/connection times. In this way an organization can define and set a process for user approval according to individual user, user group or organizational unit, and by session type (terminal, Wi-Fi/Radius, workstation, etc.).
  • It sets and enforces granular login restrictions that support an organization’s policies and help establish role-based access control.
  • UserLock offers real-time session monitoring. As soon as any suspicious access event is detected, UserLock automatically alerts the security administrator, offering IT the chance to react instantly by remotely locking, logging off or resetting the appropriate sessions.

Also, when analyzing logon events, avoid accountability and non-repudiation issues

By putting logon event auditing in place, organizations understand they can review logs after an incident to support IT forensics. However, not controlling concurrent logins creates an accountability and non-repudiation issue. Only by eliminating concurrent logins – as is the case with UserLock – can an organization accurately identify, search, report and archive user access and make a user accountable for any malicious activity.
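The overlap that causes this accountability problem can be surfaced from audit data itself. The following is an added example, not part of the original post and not UserLock code: it replays logon and logoff records in time order and flags every interactive logon made while the same account still has an open session on another host. It relies on Windows Security event IDs 4624 (logon) and 4634/4647 (logoff); the record layout and all sample values are constructed.

```python
from datetime import datetime

LOGON, LOGOFF = {4624}, {4634, 4647}   # Windows Security event IDs
INTERACTIVE = {2, 10, 11}              # console, RDP, cached interactive

# Constructed sample records (not real logs); the layout is an assumption:
# (time, event_id, user, host, logon_id, logon_type)
SAMPLE_EVENTS = [
    ("2024-03-04T08:01:00", 4624, "alice", "WS-014", "0x3e7a1", 2),
    ("2024-03-04T08:05:00", 4624, "bob",   "WS-020", "0x41b02", 2),
    ("2024-03-04T09:30:00", 4624, "alice", "FS-01",  "0x50010", 3),    # network logon
    ("2024-03-04T10:15:00", 4624, "ALICE", "TS-02",  "0x51c9f", 10),   # overlaps WS-014
    ("2024-03-04T12:00:00", 4634, "bob",   "WS-020", "0x41b02", None),
    ("2024-03-04T12:30:00", 4624, "bob",   "WS-031", "0x6a001", 2),    # earlier session closed
    ("2024-03-04T13:00:00", 4634, "carol", "WS-040", "0x77f00", None), # logon not in log
    ("2024-03-04T17:00:00", 4647, "alice", "WS-014", "0x3e7a1", None),
]

def find_concurrent_logons(events):
    """Flag interactive logons made while the account is still logged on elsewhere."""
    open_sessions = {}   # user -> {(host, logon_id): start time}
    alerts = []
    for time, event_id, user, host, logon_id, logon_type in sorted(
            events, key=lambda e: datetime.fromisoformat(e[0])):
        # Account names are case-insensitive on Windows, so normalise them.
        sessions = open_sessions.setdefault(user.lower(), {})
        if event_id in LOGON and logon_type in INTERACTIVE:
            # Network/service logons (types 3, 5, ...) are skipped: they are
            # generated constantly and would drown out real overlaps.
            others = sorted({h for (h, _) in sessions if h != host})
            if others:
                alerts.append({"user": user.lower(), "time": time,
                               "new_host": host, "already_on": others})
            # Logon IDs are only unique per host, so key on both.
            sessions[(host, logon_id)] = time
        elif event_id in LOGOFF:
            # A logoff whose logon predates the log is simply ignored.
            sessions.pop((host, logon_id), None)
    return alerts

if __name__ == "__main__":
    for alert in find_concurrent_logons(SAMPLE_EVENTS):
        print(alert)
```

Each alert names the account, the new host and the hosts where a session was already open, which is the information a reviewer needs to decide whether two people were using one identity.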

So the next time you’re looking for a software solution to help in auditing logon events, think further and consider how to restrict, control and monitor user logons according to your customized user access policies. Because logins are the first line of access – and defense – in any network, UserLock provides a necessary security function in empowering IT teams to instantly control user access and protect their network.

Discover UserLock for yourself with a fully functional 30-day free trial.

Chris Bunn is the Directeur Général Adjoint of IS Decisions, a global cybersecurity software company, specializing in access management and multi-factor authentication for Microsoft Active Directory environments and the cloud.