This blog post reviews how LimitLogin and UserLock limit concurrent user logins in an Active Directory domain.
It focuses on the concurrent connection restriction feature of each solution and then looks at how else each one helps an organization secure user access to a Windows Active Directory environment.
LimitLogin
LimitLogin is an unsupported tool that was released in 2005. It was written by a Microsoft Partner Technology specialist and an Application Development Consultant. The aim of LimitLogin was to add the ability to track and limit concurrent workstation and terminal user logins in an Active Directory domain.
UserLock
UserLock is an enterprise software solution that controls, audits and monitors user access to an Active Directory network. UserLock permits, denies or limits access based on a range of criteria; for example, preventing concurrent logins via a single identity, limiting access to certain device types and limiting network access methods. UserLock also monitors all sessions in real time providing alerts and information to respond to suspicious events and a log of access information for audit and forensics.
UserLock is developed by IS Decisions, a Microsoft Partner company founded in 2000, that specializes in solutions to safeguard and secure Microsoft Windows and Active Directory infrastructure.
Download NOW a fully functional Free Trial of UserLock. 30-day full version with no user limits
LimitLogin vs UserLock. A comparison
| Features | LimitLogin | UserLock |
|---|---|---|
| Agent technology | Logon scripts | Windows service* |
| AD schema modification | Yes | No |
| Web server requirement | Yes | No |
| Supported workstation OS | Windows 2000 SP4, Windows XP SP1 | Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10 |
| Supported server OS | Windows Server 2003, Windows Server 2008 | Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016 |
| 64-bit OS support | No | Yes |
| Client agent | Yes | Yes |
| Integrated deployer | No | Yes |
| Workstation sessions | Yes | Yes |
| Terminal sessions | Yes | Yes |
| Wi-Fi sessions | No | Yes |
| VPN sessions | No | Yes |
| IIS sessions | No | Yes |
| Logon and logoff events audit | Yes | Yes |
| Lock and unlock events audit | No | Yes |
| Limit by user | Yes | Yes |
| Limit by group | No | Yes |
| Location restrictions | No | Yes |
| Time connection restrictions | No | Yes |
| Time quota features | No | Yes |
| Customizable messages | No | Yes |
| E-mail notifications | No | Yes |
| Pop-up notifications | No | Yes |
| Database of session activities | No | Yes |
| Printable and customizable reports | No (CSV / XML export only) | Yes |
| Supported solution | No (not supported by Microsoft, which released it) | Yes (supported by its vendor, IS Decisions) |

\* Windows service: on Windows XP and Windows Server 2003 the micro-agent is instead a GINA DLL (the pre-Vista logon extension mechanism, replaced by credential providers from Windows Vista onward).
Requirements and Specifications
LimitLogin is not compatible with Windows Server 2008 R2, 2012 or 2012 R2.
UserLock is certified for compliance and support with Windows Server 2016, 2012 R2, 2012, 2008 R2 and 2008.
LimitLogin does not support 64-bit systems; UserLock does.
Like the Resource Kit tools and the Support Tools, LimitLogin is not officially supported by Microsoft.
Limited Session Types with LimitLogin
LimitLogin can monitor only workstation and terminal (Remote Desktop) sessions. UserLock covers every session type: workstation, terminal, interactive, Internet Information Services (IIS) and Wi-Fi/VPN.
Architecture & Deployment
A summary of the architecture each product needs in order to monitor and limit the number of workstation and terminal logins:

| LimitLogin | UserLock |
|---|---|
| Built around three main elements: a web service that handles the back-end processing on the server; an application directory partition that holds the login information; and logon and logoff VBS scripts. | A client/server application: a UserLock Server on a Windows server; a micro-agent on each protected machine; and, optionally, a SQL Server. |
| Requires creating a new partition in Active Directory on a domain controller. | Can be installed on any member server of the network; a domain controller is not required. |
| Performs an Active Directory schema modification. This operation is irreversible. | Performs no Active Directory modification. |
| Requires logon and logoff scripts. | The micro-agent is deployed automatically through the UserLock console or as an MSI package. |
| Requires a web server configured for delegated Kerberos authentication, used for script communication and rule processing. | Encrypted communication between the server and the agents requires only ICMP (ping) and Microsoft File and Printer Sharing (SMB). |
| Login session information is stored in files that are not encrypted. | Session activity is stored in a database, either SQL Server Express or a full SQL Server edition (a free database is provided). |
Deploying LimitLogin
Microsoft LimitLogin was designed to help administrators apply login limits on their network. It is, however, complex to implement and risky because of the irreversible Active Directory schema modification it requires.
Bill Boswell (Microsoft Certified Professional Magazine) wrote this very meticulous and precise breakdown on how to deploy LimitLogin:
“LimitLogin requires a bit of effort to deploy. For one thing, it performs a Schema modification. For another, it creates a new partition in Active Directory. It also requires configuring a Web server with the .NET Framework and ASP.NET and setting it up to do delegated Kerberos authentication. Finally, it requires distributing client packages that support communicating with the Web server via SOAP (a lightweight protocol for exchanging structured information in a distributed environment). Whoa. Don’t stop reading. It’s complicated, but not impossible. Really.”
Deploying UserLock
UserLock installs in minutes on a standard Windows Server. The installation can be done on any member server of the domain; a domain controller is not required. Once installed, UserLock deploys a micro-agent onto each workstation that is a member of the selected network zone. This is done through the UserLock console, which contains an agent deployer with manual and automatic modes. UserLock reads Active Directory information but modifies neither accounts nor the schema.
The need to manage Concurrent connections
Most organizations that work in a Windows environment use Microsoft Active Directory to authenticate and control all users. Active Directory is, however, by no means a foolproof security solution. It manages passwords and verifies that the password presented for an account is correct, but it does not, by itself, stop several people from logging on with the same account at the same time. Its built-in restrictions (logon hours and the "Log On To" workstation list) constrain when and where an account can be used, not how many sessions it can hold at once.
Limiting concurrent logins removes one of the more dangerous situations on a Windows Active Directory network: a single set of credentials in use from several places at the same time.
Preventing or limiting concurrent sessions:
- Discourages password sharing. Users think twice about handing out credentials when they cannot get onto the system while someone else is logged on with them
- Stops a rogue user from using valid credentials at the same time as their legitimate owner
- Ensures access to critical assets can be attributed to an individual employee
- Is required for an information system to comply with major regulatory frameworks, including NIST 800-53, SOX, PCI-DSS, HIPAA and the newly updated CJIS requirements
Further Restrictions needed to Manage Network Access
LimitLogin lets an organization control only the number of simultaneous logins per user.
With UserLock, concurrent login control is just one part of a granular access control policy. UserLock sets and enforces login controls on multiple criteria in a matrix of access rules, defined per user, user group or organizational unit.
Control from where a protected account may log on: restrict domain users to a workstation or device, an IP range, a department, a floor or a building.
Control the hours and days when protected users can log on to the network: define working hours and/or a maximum session time.
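The two passages above (the concurrent-session limit under "The need to manage Concurrent connections", and the location and time rules just described) can be shown together in one small decision engine. The following is an added example, not code from LimitLogin or UserLock: a session broker that tracks live sessions per account from logon/logoff records and evaluates each logon against a per-account policy (maximum simultaneous sessions, permitted source networks, permitted hours). The policy fields, account names, hosts, addresses and event records are all constructed for the example. It also handles the failure mode that a logon/logoff-script design such as LimitLogin's is exposed to: a workstation that crashes never runs its logoff script, so the broker expires sessions that have gone silent, which is this example's own mitigation and not something the page attributes to either product.

```python
# Added example (not LimitLogin or UserLock code): a small session broker that
# enforces a per-account concurrent-logon limit together with the source-network
# and working-hours rules described above, replayed over constructed logon/logoff
# records. Policy fields, hosts, users and addresses are all invented here.
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Policy:
    """Access rule for one account (a real product would also key these by group or OU)."""
    max_sessions: int = 1                          # simultaneous sessions allowed
    allowed_nets: tuple = ()                       # permitted source networks; () = any
    hours: Optional[tuple] = None                  # (start_hour, end_hour), end exclusive
    stale_after: timedelta = timedelta(hours=12)   # forget a session with no logoff after this


class SessionBroker:
    """Keeps the live-session table and decides every logon against the policy."""

    def __init__(self, policies, default=None):
        self.policies = policies
        self.default = default or Policy()
        self.live = {}   # (user, host) -> time of the last logon seen for that session

    def _expire_stale(self, user, now):
        # A logon/logoff-script design only learns about a logoff when the script runs.
        # A workstation that crashes or loses power never reports one, and without a
        # time-out the ghost session would lock the user out everywhere else.
        # (The time-out is this example's choice; the page does not say how
        # LimitLogin handled the case.)
        pol = self.policies.get(user, self.default)
        for key, last_seen in list(self.live.items()):
            if key[0] == user and now - last_seen > pol.stale_after:
                del self.live[key]

    def logon(self, user, host, src_ip, now):
        """Return (allowed, reason) for a logon attempt and record it if allowed."""
        pol = self.policies.get(user, self.default)
        self._expire_stale(user, now)
        if pol.allowed_nets and not any(
            ip_address(src_ip) in ip_network(net) for net in pol.allowed_nets
        ):
            return False, "source address not permitted"
        if pol.hours and not (pol.hours[0] <= now.hour < pol.hours[1]):
            return False, "outside permitted hours"
        # Sessions on other hosts count against the limit; a repeat logon on the same
        # host is treated as the same session (reconnect/unlock) and just refreshes it.
        others = sorted(h for (u, h) in self.live if u == user and h != host)
        if len(others) >= pol.max_sessions:
            return False, f"already {len(others)} active session(s) on {', '.join(others)}"
        self.live[(user, host)] = now
        return True, "ok"

    def logoff(self, user, host):
        self.live.pop((user, host), None)


def replay(events, policies):
    """Replay records in time order; return one (user, host, allowed, reason) per logon."""
    broker = SessionBroker(policies)
    decisions = []
    for ev in events:
        if ev["type"] == "logoff":
            broker.logoff(ev["user"], ev["host"])
            continue
        ok, why = broker.logon(ev["user"], ev["host"], ev["ip"], ev["time"])
        decisions.append((ev["user"], ev["host"], ok, why))
    return decisions


# Constructed sample data: three accounts and a day of activity.
T0 = datetime(2014, 2, 11, 9, 0)
POLICIES = {
    "alice": Policy(max_sessions=1),
    "bob": Policy(max_sessions=2, allowed_nets=("10.0.0.0/8",), hours=(8, 18)),
    "carol": Policy(max_sessions=1, stale_after=timedelta(hours=12)),
}
EVENTS = [
    {"type": "logon", "user": "alice", "host": "WS01", "ip": "10.0.1.5", "time": T0},
    {"type": "logon", "user": "carol", "host": "WS05", "ip": "10.0.3.1", "time": T0 + timedelta(minutes=1)},
    # someone else uses alice's password while she is still logged on at WS01
    {"type": "logon", "user": "alice", "host": "WS02", "ip": "10.0.1.6", "time": T0 + timedelta(minutes=5)},
    {"type": "logoff", "user": "alice", "host": "WS01", "time": T0 + timedelta(minutes=10)},
    {"type": "logon", "user": "alice", "host": "WS02", "ip": "10.0.1.6", "time": T0 + timedelta(minutes=11)},
    {"type": "logon", "user": "bob", "host": "LT07", "ip": "203.0.113.7", "time": T0 + timedelta(minutes=20)},
    {"type": "logon", "user": "bob", "host": "WS09", "ip": "10.0.2.9", "time": T0 + timedelta(minutes=30)},
    {"type": "logon", "user": "bob", "host": "WS09", "ip": "10.0.2.9", "time": T0 + timedelta(hours=13)},
    # WS05 lost power after carol's logon, so no logoff record ever arrived
    {"type": "logon", "user": "carol", "host": "WS06", "ip": "10.0.3.2", "time": T0 + timedelta(days=1)},
]

if __name__ == "__main__":
    for user, host, ok, why in replay(EVENTS, POLICIES):
        print(f"{user:6s} {host}  {'ALLOW' if ok else 'DENY '}  {why}")
```

Run as a script it prints one decision per logon: alice's second logon from WS02 is denied while her WS01 session is live and allowed once that session has logged off; bob is denied from the public address and again at 22:00; carol's next-day logon is allowed because her silent WS05 session has expired. The order of the checks matters: network and hours are evaluated before the concurrency count so that a denied logon never occupies a session slot.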
Conclusion
Microsoft LimitLogin was a free tool that once helped administrators apply login limits on their network. It was, however, complex to implement and risky because of the irreversible Active Directory schema modification it required.
Today, LimitLogin is unable to meet the critical needs of many organizations. Operating systems released during the past six years are not supported, only the number of user sessions can be controlled, with no further restriction by location or time, and it covers only workstation and terminal sessions.
Defining and enforcing a full user access policy that secures network access and protects data requires more context than a session count.
The number of simultaneous accesses alone is not sufficient. You need to know, analyze and control who requests access to the enterprise network, how, when, how many times and from where, and whether the request comes from a machine, through the VPN, over a wireless connection, or through a web application or an intranet.
UserLock answers these needs with an effective network access management tool that is simple to manage and easy to use. A customized access policy can be set and enforced to permit or deny user logins. Concurrent sessions can be prevented, and access can be restricted to specific workstations or devices, times, business hours and connection types (including Wi-Fi).
Case Study: Bank of Cyprus reduces security risks from internal users with UserLock
Disclaimer: The comparison juxtaposes the features of IS Decisions UserLock and LimitLogin based on the publicly available information as of February 11, 2014.