LimitLogin vs. UserLock
A comparison of how Microsoft® LimitLogin and UserLock® limit concurrent user logins and further help secure user access in an Active Directory domain.
)
)
)
)
)
Microsoft’s LimitLogin application and UserLock both limit concurrent user logins in an Active Directory domain, but the similarity largely stops there.
This article will focus on how each solution restricts concurrent connections and discuss how else they help an organization secure user access for Windows Active Directory environments.
LimitLogin
LimitLogin is an unsupported tool released in 2005. The application was written by a Microsoft Partner Technology specialist and an Application Development Consultant. At the time, the aim of LimitLogin was to add the ability to track and limit concurrent workstation and terminal user logins in an Active Directory domain.
UserLock
UserLock is a comprehensive access management solution for on-premise and hybrid Active Directory networks. Much more than a tool for limiting concurrent logins, UserLock protects workforce access to corporate networks and cloud applications with multi-factor authentication (MFA), single sign-on (SSO) , contextual access management and session management.
UserLock permits, denies or limits access based on a range of criteria. For example, UserLock prevents concurrent logins via a single identity, limiting access to certain device types and limiting network access methods. UserLock also monitors all sessions in real time providing alerts and information to respond to suspicious events and a log of access information for audit and forensics.
UserLock is developed by IS Decisions, a Microsoft Gold Partner, founded in 2000 and specialized in access security solutions for Microsoft Windows and Active Directory.
Compare LimitLogin vs UserLock
Features | LimitLogin | UserLock |
|---|---|---|
Agent Technology | Logon Scripts | Windows Service* |
AD schema modification | Yes | No |
Web Server requirement | Yes | No |
Supported Workstation OS | Windows 2000 SP4, Windows XP SP1 | Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10 |
Supported Server OS | Windows Server 2003, Windows Server 2008 | Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016 |
64-bit OS support | No | Yes |
Client Agent | Yes | Yes |
Integrated deployer | No | Yes |
Workstation Sessions | Yes | Yes |
Terminal Sessions | Yes | Yes |
Wi-Fi Sessions | No | Yes |
VPN Sessions | No | Yes |
IIS Sessions | No | Yes |
Logon and logoff events audit | Yes | Yes |
Lock and unlock events audit | No | Yes |
Limit by User | Yes | Yes |
Limit by Group | No | Yes |
Location restrictions | No | Yes |
Time connection restrictions | No | Yes |
Time Quota features | No | Yes |
Customizable Messages | No | Yes |
E-mail notifications | No | Yes |
Pop-up notifications | No | Yes |
Database of session activities | No | Yes |
Printable and customizable report | No : Only CSV / XML | Yes |
Supported solution | No, even by its provider Microsoft | Yes, by its editor IS Decisions |
Windows Service*: Except for old Windows XP and 2003 Server for which the micro agent technology is a GINA DLL.
Requirements and Specifications
LimitLogin is not compatible with Windows Server 2008R2, 2012 and 2012R2.
UserLock is certified for compliance and support with Windows Server 2016, 2012, 2012R2, 2008 and 2008R2.
LimitLogin doesn’t support 64-bit systems. UserLock does.
Similar to the status of the resource kit tools and/or the support tools, LimitLogin is not officially supported by Microsoft.
Windows Server Operating Systems
2000 | 2003 | 2008 | 2008 R2 | 2012 | 2012 R2 | 2016 | |
|---|---|---|---|---|---|---|---|
LimitLogin | |||||||
UserLock |
Windows Workstation Operating Systems
2000 | XP | Vista | Windows 7 | Windows 8 | Windows 8.1 | Windows 10 | |
|---|---|---|---|---|---|---|---|
LimitLogin | |||||||
UserLock |
Limited session types with LimitLogin
LimitLogin capabilities are limited to monitoring only workstation and terminal sessions. UserLock on the other hand allows you to apply access restrictions on all session types (workstations, terminal, interactive, Internet Information Services and Wi-Fi/VPN).
Audited and Protected User Session Types
Workstation | Terminal | Wi-Fi | VPN | IIS | |
|---|---|---|---|---|---|
LimitLogin | |||||
UserLock |
Architecture & deployment
A summary comparing the architecture required to monitor and limit the number of workstation and terminal logins:
LimitLogin | UserLock |
|---|---|
The architecture is built around 3 main elements:
| A client/server application:
|
LimitLogin requires creating a new partition in Active Directory on a Windows Domain Controller. | UserLock can be installed on any server member of the network.There is no requirement to use a Domain Controller Server. |
LimitLogin performs an Active Directory Schema modification. This operation is irreversible and cannot be cancelled. | It doesn’t perform any Active Directory modification. |
LimitLogin requires logon and logoff scripts. | The micro-agent can then be automatically deployed through the UserLock console or as a MSI package. |
It requires a Web server set up to do delegated Kerberos Authentication for scripts communication and rules processing. | Encrypted communication between the server and agents requires only Ping and Microsoft File and Printer sharing protocols. |
Login sessions information is stored in files that are not encrypted. | Sessions Activities are stored in a database that can be a SQL Express or Server Edition (A free database is provided). |
Deploying LimitLogin
Microsoft LimitLogin was designed to help administrators to apply login limits on their network. It is however complex to implement and unsafe due to the Active Directory schema modification it requires.
Bill Boswell (Microsoft Certified Professional Magazine) wrote this very meticulous and precise breakdown on how to deploy LimitLogin:
“LimitLogin requires a bit of effort to deploy. For one thing, it performs a Schema modification. For another, it creates a new partition in Active Directory. It also requires configuring a Web server with the .NET Framework and ASP.NET and setting it up to do delegated Kerberos authentication. Finally, it requires distributing client packages that support communicating with the Web server via SOAP (a lightweight protocol for exchanging structured information in a distributed environment). Whoa. Don’t stop reading. It’s complicated, but not impossible. Really.”
Deploying UserLock
UserLock installs in minutes on a standard Windows Server. The installation can be done on any server member of the domain. There is no requirement to use a Domain Controller server. Once installed, UserLock must deploy a micro agent onto each workstation that are members of the selected network zone. This can be done through the UserLock console which contains an agent deployer with manual or automatic modes. UserLock reads Active Directory information but doesn’t modify anything regarding accounts nor schema.
The need to manage concurrent user logins
Most organizations with in a Windows environment use Microsoft Active Directory to authenticate and control all users.
However, Active Directory is by no means a fool-proof security solution. Yes, it manages passwords and confirms that the user name matches the password, but it does not stop multiple users from logging on with the same password, at the same time.
This challenge of limiting concurrent logins in a Windows environment averts one of the most potentially dangerous situations for a Windows Active Directory network.
Preventing or limiting concurrent sessions:
Stops users sharing their passwords. Users will think twice about sharing credentials, as they won’t be able to get on the system if someone else is logged in too
Stops rogue users from using valid credentials at the same time as their legitimate owner
Ensures access to critical assets is attributed to individual employees
Is required for an information system to comply with major regulatory constraints, including NIST 800-53, SOX, PCI-DSS, HIPAA and the newly updated CJIS requirements.
Why limiting logins isn’t enough to secure network access
The application LimitLogin allows an organization to manage only the number of user logins.
With UserLock, concurrent login control is just one part of a granular MFA and access control solution. UserLock sets and enforces contextual access management, including the ability to restrict user access to the network based on:
Origin: Define where the user login can take place based on workstation or device, IP range, department, or country.
Time: Control when users can logon based on defined working hours and/or maximum session time.
Session type: Control the type of user connection by workstation, terminal, WiFi, VPN and IIS sessions to protect both interactive sessions and network access for remote and mobile users.
Go beyond limiting logins with comprehensive access management
Microsoft LimitLogin was a free tool to help administrator in the past to apply login limits on their network. It was however complex to implement and unsafe due to the Active Directory Schema modification it required.
In today’s world, LimitLogin is unable to meet the critical needs of many organizations. Operating systems which have appeared during the past six years are not supported, only the number of user sessions can be controlled – no further restrictions by location or time, and it is limited to only workstation and terminal sessions.
Defining and enforcing a full User Access Policy to ensure the security of your network access and the protection of your data require the consideration of more context variables.
The number of simultaneous accesses is not sufficient. You need to know, analyze and control who, how, when, how many times and from where an access to an enterprise network is requested, whether this request is done on a machine, through the VPN, thanks a wireless connection or by a web application or an Intranet.
UserLock answers to these needs with an effective MFA and network access management solution that is very simple to manage and easy to use. With customized, granular access policies, admins can choose if and when to require MFA, permit or deny user logins.UserLock makes it easy to prevent concurrent sessions and restrict access to specific workstations or devices, time, business hours and connection types (including Wi-Fi).