Is it a good idea to use a windows logon script to control concurrent sessions on Windows Servers?
When it comes to a login script and limiting simultaneous sessions we can affirm categorically that solutions based on windows logon script present too many drawbacks and weaknesses to suit medium to large IT infrastructures’ security requirements.
Any Malicious User can easily kill a Logon Script
Setting up Logon script solutions to control simultaneous sessions on Windows networks are based on a hidden share.
The logon script creates a file when the user opens a session and deletes the file when the user closes the session. If a user attempts to open a second session the script will check if the file already exists and if so, the logon is denied.
This is a very simple solution to develop and because of this simplicity has been quite widely used.
The main drawback is that logon scripts are executed as the user. You therefore need to give any user full access to the share where the session files are stored and any malicious user can therefore easily kill the script.
(If you don’t give the required access permissions, a windows logon script cannot create/delete the user session file.)
A Threat to your Network Security
The developer of such a windows logon script could say that the share can be hidden. Unfortunately this is not a good protection because a reasonably smart user can easily retrieve the path to the share.
Allowing this is a major threat to your network security because a simple user can create or delete any files on the share and decide who can logon and who can’t.
For example a simple user can delete all files to allow all users opening a second session or create manually a file to disallow a colleague to logon as a ‘joke’.
This is not a solution to secure and control simultaneous sessions.
What’s more with a logon scripts-based solution :
- if a workstation is not connected to the network, scripts cannot run and sessions history is therefore lost
- if an untimely reboot occurs, sessions are not suppressed from the database
So what is the best way to prevent or limit concurrent logins?
Control Concurrent Logins as part of a Complete Access Control Solution
Our unique security software solution UserLock does limit or prevents concurrent logins to your Windows® network, based on user, user groups or session types.
In fact it offers strong access control to protect all the data contained within your Windows network by permitting or denying logins (including concurrent logins), workstation access and usage/connection times. In this way you can define and set a process for user approval according to either individual user, user group or organizational unit and by session type (terminal, Wi-Fi/Radius, workstation, etc)
UserLock also offers real-time session monitoring and reporting on all network access. As soon as any suspicious access event is detected, UserLock automatically alerts you (the security administrator), offering the chance to instantly react by remotely locking, logging off or resetting the appropriate sessions.
Security controls far beyond native Windows
With Windows Active Directory, you can go into a user’s account and restrict him to only being able to log on from specific computers. However there is no way to do it by group or Organizational Unit. This is a real deterrent to implement and enforce an efficient access security policy.
You will find further information about differences between Active Directory native features and UserLock features in our whitepaper titled Eight Holes in Windows Login Controls and how UserLock fill them in.
Why are concurrent logins a very bad idea?
There are very few legitimate reasons for a user to be connected to a network from several different workstations.
Uncontrolled concurrent logins to a Windows network remains a serious security flaw and significantly increases network vulnerability. You should have the ability to determine in a very granular way what are the legitimate needs of simultaneous logins for each (group of) user(s) within your organization and efficiently enforce that decision.
Preventing or limiting concurrent logins:
- stops rogue users from using valid credentials at the same time as their legitimate owner
- stops users from sharing passwords as there is a consequence on their own access to the network.
- ensures access to critical assets is attributed to individual employees.
- It can very easily corrupt roaming profiles and create versioning conflicts for offline files
That is why preventing or limiting simultaneous logins is required for an Information System to comply with major regulatory constraints, including for example HIPAA, NIST 800-53, Sarbanes-Oxley, NISPOM Chapter 8,PCI, Bâle II, ICD 503.
Interested in trialing UserLock for yourself? Then download a fully functional 30day trial now.