LimitLogin vs. UserLock

Microsoft’s LimitLogin application and UserLock both limit concurrent user logins in an Active Directory domain, but the similarity largely stops there.

This article will focus on how each solution restricts concurrent connections and discuss how else they help an organization secure user access for Windows Active Directory environments.


LimitLogin

LimitLogin is an unsupported tool released in 2005. The application was written by a Microsoft Partner Technology specialist and an Application Development Consultant. At the time, the aim of LimitLogin was to add the ability to track and limit concurrent workstation and terminal user logins in an Active Directory domain.

UserLock

UserLock is a comprehensive access management solution for on-premise and hybrid Active Directory networks. Much more than a tool for limiting concurrent logins, UserLock protects workforce access to corporate networks and cloud applications with multi-factor authentication (MFA), single sign-on (SSO), contextual access management and session management.

UserLock permits, denies or limits access based on a range of criteria. For example, UserLock prevents concurrent logins with a single identity, limits access to certain device types and restricts the network access methods a user may employ. UserLock also monitors all sessions in real time, providing alerts and information to respond to suspicious events, and keeps a log of access information for audit and forensics.

UserLock is developed by IS Decisions, a Microsoft Gold Partner, founded in 2000 and specialized in access security solutions for Microsoft Windows and Active Directory.

Compare LimitLogin vs UserLock

| Feature | LimitLogin | UserLock |
|---|---|---|
| Agent technology | Logon scripts | Windows Service* |
| AD schema modification | Yes | No |
| Web server requirement | Yes | No |
| Supported workstation OS | Windows 2000 SP4, Windows XP SP1 | Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10 |
| Supported server OS | Windows Server 2003, Windows Server 2008 | Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016 |
| 64-bit OS support | No | Yes |
| Client agent | Yes | Yes |
| Integrated deployer | No | Yes |
| Workstation sessions | Yes | Yes |
| Terminal sessions | Yes | Yes |
| Wi-Fi sessions | No | Yes |
| VPN sessions | No | Yes |
| IIS sessions | No | Yes |
| Logon and logoff events audit | Yes | Yes |
| Lock and unlock events audit | No | Yes |
| Limit by user | Yes | Yes |
| Limit by group | No | Yes |
| Location restrictions | No | Yes |
| Time connection restrictions | No | Yes |
| Time quota features | No | Yes |
| Customizable messages | No | Yes |
| E-mail notifications | No | Yes |
| Pop-up notifications | No | Yes |
| Database of session activities | No | Yes |
| Printable and customizable reports | No (CSV / XML export only) | Yes |
| Supported solution | No, not even by its provider Microsoft | Yes, by its editor IS Decisions |

*Windows Service: on the older Windows XP and Windows Server 2003 platforms, the micro-agent is a GINA DLL rather than a Windows service.

Requirements and Specifications

LimitLogin is not compatible with Windows Server 2008 R2, 2012 and 2012 R2.

UserLock is certified for compliance and support with Windows Server 2016, 2012, 2012 R2, 2008 and 2008 R2.

LimitLogin doesn’t support 64-bit systems. UserLock does.

Similar to the status of the resource kit tools and/or the support tools, LimitLogin is not officially supported by Microsoft.

[Figure: LimitLogin vs UserLock - Windows Server Operating Systems]

[Figure: LimitLogin vs UserLock - Windows Workstation Operating Systems]

Limited session types with LimitLogin

LimitLogin's capabilities are limited to monitoring workstation and terminal sessions only. UserLock, on the other hand, allows you to apply access restrictions to all session types (workstation, terminal, interactive, Internet Information Services and Wi-Fi/VPN).

[Figure: LimitLogin vs UserLock - Audited and Protected User Session Types]

Architecture & deployment

A summary comparing the architecture required to monitor and limit the number of workstation and terminal logins:

| | LimitLogin | UserLock |
|---|---|---|
| Components | The architecture is built around 3 main elements: a Web service that handles the back-end processing on the server; an application directory partition that holds the login information; login and logoff VBS scripts. | A client/server application: a UserLock Server on a Windows server; a micro-agent on each protected machine; optionally a SQL Server. |
| Installation location | Requires creating a new partition in Active Directory on a Windows Domain Controller. | Can be installed on any member server of the network. There is no requirement to use a Domain Controller. |
| Active Directory changes | Performs an Active Directory schema modification. This operation is irreversible and cannot be cancelled. | Doesn't perform any Active Directory modification. |
| Agent deployment | Requires logon and logoff scripts. | The micro-agent can be automatically deployed through the UserLock console or as an MSI package. |
| Communication | Requires a Web server set up to do delegated Kerberos authentication for script communication and rules processing. | Encrypted communication between the server and agents requires only Ping and the Microsoft File and Printer Sharing protocols. |
| Session data storage | Login session information is stored in files that are not encrypted. | Session activities are stored in a database, which can be a SQL Express or Server edition (a free database is provided). |

Deploying LimitLogin

Microsoft LimitLogin was designed to help administrators apply login limits on their network. It is, however, complex to implement and unsafe because of the Active Directory schema modification it requires.

Bill Boswell (Microsoft Certified Professional Magazine) wrote this very meticulous and precise breakdown on how to deploy LimitLogin:

“LimitLogin requires a bit of effort to deploy. For one thing, it performs a Schema modification. For another, it creates a new partition in Active Directory. It also requires configuring a Web server with the .NET Framework and ASP.NET and setting it up to do delegated Kerberos authentication. Finally, it requires distributing client packages that support communicating with the Web server via SOAP (a lightweight protocol for exchanging structured information in a distributed environment). Whoa. Don’t stop reading. It’s complicated, but not impossible. Really.”

Deploying UserLock

UserLock installs in minutes on a standard Windows Server. The installation can be done on any member server of the domain; there is no requirement to use a Domain Controller. Once installed, UserLock must deploy a micro-agent onto each workstation that is a member of the selected network zone. This can be done through the UserLock console, which contains an agent deployer with manual and automatic modes. UserLock reads Active Directory information but modifies nothing regarding accounts or the schema.

The need to manage concurrent user logins

Most organizations within a Windows environment use Microsoft Active Directory to authenticate and control all users.

However, Active Directory is by no means a fool-proof security solution. Yes, it manages passwords and confirms that the user name matches the password, but it does not stop multiple users from logging on with the same credentials at the same time.

Limiting concurrent logins in a Windows environment averts one of the most potentially dangerous situations for a Windows Active Directory network.

Preventing or limiting concurrent sessions:

  • Stops users sharing their passwords. Users will think twice about sharing credentials, as they won't be able to get on the system if someone else is logged in too
  • Stops rogue users from using valid credentials at the same time as their legitimate owner
  • Ensures access to critical assets is attributed to individual employees
  • Is required for an information system to comply with major regulatory constraints, including NIST 800-53, SOX, PCI-DSS, HIPAA and the newly updated CJIS requirements
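To make the enforcement logic concrete, here is an added illustration of a concurrent-session limiter applying the per-user and per-group limits the comparison table lists, across several session types (workstation, terminal, VPN). It is example code written for this article, not LimitLogin or UserLock code; the event tuples, the group membership and the limits are constructed for the demo, and the decision rules (a second logon on the same host and session type is a duplicate rather than a new session; a user's limit is the stricter of their own limit and any group limit) are assumptions of the example.

```python
"""Toy concurrent-session limiter (added example, not vendor code).

Events are constructed tuples: (time, event, user, host, session_type).
A user is allowed at most `limit` distinct (host, session_type) sessions
at once; further logons are denied and recorded for audit.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class SessionPolicy:
    user_limits: dict = field(default_factory=dict)   # user  -> max sessions
    group_limits: dict = field(default_factory=dict)  # group -> max sessions
    groups: dict = field(default_factory=dict)        # user  -> set of groups
    default_limit: int = 1                            # one session per identity

    def limit_for(self, user):
        """Effective limit: explicit user limit wins, else strictest group limit,
        else the default (an assumed precedence rule for this example)."""
        if user in self.user_limits:
            return self.user_limits[user]
        group_limits = [self.group_limits[g]
                        for g in self.groups.get(user, ())
                        if g in self.group_limits]
        return min(group_limits) if group_limits else self.default_limit


class SessionTracker:
    def __init__(self, policy):
        self.policy = policy
        self.active = defaultdict(dict)  # user -> {(host, stype): logon time}
        self.audit = []                  # (time, decision, user, host, stype)

    def handle(self, time, event, user, host, stype):
        key = (host, stype)
        if event == "logon":
            if key in self.active[user]:
                # Same host and session type again: not a new concurrent session
                decision = "allow"
            elif len(self.active[user]) >= self.policy.limit_for(user):
                decision = "deny"        # limit reached: refuse the logon
            else:
                self.active[user][key] = time
                decision = "allow"
        elif event == "logoff":
            self.active[user].pop(key, None)  # frees a slot for this user
            decision = "logoff"
        else:
            raise ValueError(f"unknown event type: {event!r}")
        self.audit.append((time, decision, user, host, stype))
        return decision


# Constructed sample event stream (not real log data).
EVENTS = [
    ("09:00:01", "logon",  "alice", "WS-01",  "workstation"),
    ("09:05:12", "logon",  "alice", "WS-07",  "workstation"),  # 2nd machine, limit 1
    ("09:06:40", "logon",  "bob",   "WS-02",  "workstation"),
    ("09:07:10", "logon",  "bob",   "TS-01",  "terminal"),     # helpdesk allows 2
    ("09:08:00", "logon",  "bob",   "VPN-GW", "vpn"),          # 3rd session, denied
    ("09:30:00", "logoff", "alice", "WS-01",  "workstation"),
    ("09:31:00", "logon",  "alice", "WS-07",  "workstation"),  # slot freed, allowed
]

# Constructed policy: everyone gets 1 session unless a group says otherwise.
POLICY = SessionPolicy(group_limits={"helpdesk": 2}, groups={"bob": {"helpdesk"}})


def replay(events, policy):
    """Run the events through a fresh tracker and return the decisions in order."""
    tracker = SessionTracker(policy)
    return [tracker.handle(*e) for e in events]


def denied_logons(events, policy):
    """Return (user, host, session_type) for every denied logon: the audit trail
    a defender would review for shared or misused credentials."""
    tracker = SessionTracker(policy)
    for e in events:
        tracker.handle(*e)
    return [(u, h, s) for (_, d, u, h, s) in tracker.audit if d == "deny"]


if __name__ == "__main__":
    for e, d in zip(EVENTS, replay(EVENTS, POLICY)):
        print(d.upper().ljust(6), *e)
```

The denied entries are the interesting output for a defender: alice's second workstation logon while WS-01 is still active is exactly the "same credentials, two people" pattern the list above describes, and the audit trail is what lets you distinguish it from a user who simply moved desks after logging off.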

Why limiting logins isn’t enough to secure network access

The LimitLogin application allows an organization to manage only the number of user logins.

With UserLock, concurrent login control is just one part of a granular MFA and access control solution. UserLock sets and enforces contextual access management, including the ability to restrict user access to the network based on:

Go beyond limiting logins with comprehensive access management

Microsoft LimitLogin was a free tool that, in the past, helped administrators apply login limits on their network. It was, however, complex to implement and unsafe because of the Active Directory schema modification it required.

In today's world, LimitLogin is unable to meet the critical needs of many organizations. Operating systems released during the past six years are not supported, only the number of user sessions can be controlled (no further restrictions by location or time), and it is limited to workstation and terminal sessions only.

Defining and enforcing a full user access policy, to ensure the security of your network access and the protection of your data, requires taking more context variables into account.

The number of simultaneous accesses alone is not sufficient. You need to know, analyze and control who requests access to the enterprise network, how, when, how many times and from where, whether that request comes from a machine, through the VPN, over a wireless connection, or via a web application or an intranet.

UserLock answers these needs with an effective MFA and network access management solution that is very simple to manage and easy to use. With customized, granular access policies, admins can choose if and when to require MFA and whether to permit or deny user logins. UserLock makes it easy to prevent concurrent sessions and restrict access to specific workstations or devices, times, business hours and connection types (including Wi-Fi).

Ready to see how UserLock can boost your access security and ease of management? Download UserLock today and start your free, fully-functional 30-day trial.


Read UserLock success stories: 

Two-factor authentication and concurrent login restrictions ensure compliance without slowing workflows for a U.S. healthcare organization

How the Bank of Cyprus reduces security risks from internal users with UserLock


Disclaimer: The comparison juxtaposes the features of IS Decisions UserLock and LimitLogin based on the publicly available information as of February 11, 2014.


Chris Bunn is the Directeur Général Adjoint of IS Decisions, a global cybersecurity software company, specializing in access management and multi-factor authentication for Microsoft Active Directory environments and the cloud.
