Windows Security Authenticated Users: How to start taking internal security more seriously

On average, a total of about 1,200 internal security breaches occur in UK businesses every single day. In the US, the figure is over 2,500. These figures are based on recent research in which 500 IT decision makers were asked whether they had had an internal security breach in the last year.

Yet despite how common these breaches are, they also told us that insider threats are not top of their list of security priorities. In fact they come a fairly distant fourth, after viruses, data loss and hacking. So for IT managers, internal security is a lesser priority than data loss, despite the fact that the most common source of data loss is ‘trusted’ employees – our authenticated users.

Why is that? It is possibly because internal security is not a simple beast to tackle.

Another insight gleaned from our research was that most IT managers are not aware that technology can help them with internal security, especially with helping secure authenticated users. This suggests that the prevailing assumption is that it is a cultural issue rather than a technology based one, and we all know cultural security issues are harder to crack.

It’s true that insider threats cannot be simply ‘patched up’ with technology, but really, what security issue can? The issues of internal security must be addressed from a cultural angle, but technology can help you achieve that.

What does that mean in practical terms?

1. Limit or prevent concurrent logins

The biggest cultural issue to tackle with regard to internal security is password sharing. Our research told us that IT managers estimate an average of one in five authenticated users share their network passwords. If your users think nothing of handing over their network access to someone else, it is very easy for sensitive data to fall into the wrong hands. One example is Edward Snowden, who simply asked his NSA colleagues for passwords in order to gain access to files, which led to one of the most high-profile information leaks in history.

So a core part of your internal security approach needs to address this. And in technology terms, limiting or preventing concurrent logins is your first line of defence against password sharing. If users know that giving their password to a colleague means their own network access will be restricted, they will be much less likely to do it.

What’s more, in the event that a rogue user does gain valid credentials that they shouldn’t have, they will be prevented from using them at the same time as the legitimate owner. This means that access to critical assets can be more authoritatively attributed to individual employees, helping to affirm accountability and avoid repudiation issues when there is an internal breach.

2. Limit authenticated users to specific locations and times

Someone looking to gain access to files that they shouldn’t have is more likely to do so outside of normal working hours, in order to lessen the risk of being caught. So by restricting your authenticated users’ network access to specific working hours, you are reducing the vulnerable surface for attack. In addition, network access attributed to a user inside of their set working hours is more easily identifiable to that individual, meaning in the event that you do have a security breach, it is more traceable.

This approach can be extended by limiting authenticated users to specific workstations, devices, departments or IP ranges. You are effectively reducing the network surface area that is open to any kind of attack. In reducing the number of computers or devices on which a compromised user’s credentials can be used, you are reducing risk and making your entire security process more traceable.

3. Monitor user behavior in real-time

Once restrictions such as these are in place, monitoring user access should be easier. Although these precautions may have made breaches more traceable, it is still essential to monitor what is happening in real time. Tracking and reporting are only so useful when done in retrospect: they may allow you to track a source, but they do not allow you to take a preventative approach to internal security. So ensure you are monitoring in real time, in order to recognise suspicious activity while you are still able to respond.
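
As an added example (not from the original article and not UserLock's own code), the Python below checks a stream of logon and logoff events against the restrictions from sections 1 and 2 and flags violations as each event arrives, which is the real-time monitoring described here. The policy, account names, workstation names and event tuples are constructed assumptions; a real feed would be built from your own logon and logoff records.

```python
from datetime import datetime, time

# Constructed policy (assumption): working hours, approved workstations, session limit.
POLICY = {
    "alice": {"hours": (time(8, 0), time(18, 0)), "workstations": {"WS-FIN-01"}, "max_sessions": 1},
    "bob": {"hours": (time(8, 0), time(18, 0)), "workstations": {"WS-HR-02", "WS-HR-03"}, "max_sessions": 1},
}

# Constructed sample events in arrival order: (timestamp, action, user, workstation).
EVENTS = [
    ("2024-03-04 08:55", "logon", "alice", "WS-FIN-01"),
    ("2024-03-04 09:10", "logon", "bob", "WS-HR-02"),
    ("2024-03-04 11:30", "logon", "alice", "WS-HR-03"),   # shared password in use?
    ("2024-03-04 17:45", "logoff", "alice", "WS-FIN-01"),
    ("2024-03-04 17:50", "logoff", "alice", "WS-HR-03"),
    ("2024-03-04 17:58", "logoff", "bob", "WS-HR-02"),
    ("2024-03-04 23:40", "logon", "bob", "WS-HR-02"),     # late-night access
]

def evaluate(events, policy):
    """Process events one at a time; return (timestamp, user, workstation, reasons) alerts."""
    open_sessions = {}  # user -> set of workstations with an open session
    alerts = []
    for stamp, action, user, ws in events:
        now = datetime.strptime(stamp, "%Y-%m-%d %H:%M").time()
        sessions = open_sessions.setdefault(user, set())
        if action == "logoff":
            sessions.discard(ws)
            continue
        rules = policy.get(user)
        reasons = []
        if rules is None:
            reasons.append("no policy for user")
        else:
            start, end = rules["hours"]
            if not (start <= now < end):
                reasons.append("outside working hours")
            if ws not in rules["workstations"]:
                reasons.append("unapproved workstation")
            # A repeat logon on the same workstation is not a second session.
            if len(sessions - {ws}) >= rules["max_sessions"]:
                reasons.append("concurrent session")
        sessions.add(ws)
        if reasons:
            alerts.append((stamp, user, ws, reasons))
    return alerts

if __name__ == "__main__":
    for alert in evaluate(EVENTS, POLICY):
        print(alert)
```

Because each alert names the account, the workstation and every rule broken, the 11:30 event stands out as a likely shared password: the owner is still logged on elsewhere and the second session comes from a machine outside their approved set.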

4. Recognise and respond to suspicious behavior

If you are monitoring all authenticated users’ access in this way, then it is also important that you do respond when you spot suspicious activity. An immediate response should be an integral part of an organisation’s security policy and risk mitigation strategy. Responding quickly, even if the threat is a false alarm, shows that action is taken swiftly, which helps to reduce the risk of malicious insider activity and serves to educate and remind users of policy.


5. Deactivate computer access following an employee leaving

This may seem obvious, but it is surprising how many businesses fail to shut down access for staff who have moved on, or at least fail to do it swiftly. Former employees are another kind of internal threat: they are naturally more likely to have malicious intent and have no incentive to adhere to company security policy. Yet they are often left with their network access open following the termination of employment, when they may be more motivated to access sensitive information. It is crucial that you ensure their accounts are closed swiftly following termination.
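
One way to check that this is actually happening, as an added example that is not part of the original article: reconcile HR's leaver list against a directory export and report any account that is still enabled or that was used after the person left. The account names, dates and the shape of both data sets are constructed assumptions.

```python
from datetime import date

# Constructed HR leaver list (assumption): account name -> last working day.
LEAVERS = {
    "carol": date(2024, 2, 29),
    "dave": date(2024, 3, 15),
    "frank": date(2024, 3, 1),
}

# Constructed directory export (assumption): account name -> (enabled, last logon date or None).
ACCOUNTS = {
    "carol": (True, date(2024, 3, 10)),   # never disabled, used after leaving
    "dave": (False, date(2024, 3, 15)),   # disabled on the last working day
    "frank": (False, date(2024, 3, 6)),   # disabled late, used in the gap
    "erin": (True, date(2024, 3, 20)),    # current employee, not a leaver
}

def audit_leavers(leavers, accounts, today):
    """Return a finding for each leaver whose account is still enabled or was used after they left."""
    findings = []
    for user, left_on in sorted(leavers.items()):
        if user not in accounts:
            continue  # account no longer exists in the directory
        enabled, last_logon = accounts[user]
        used_after = last_logon is not None and last_logon > left_on
        if enabled or used_after:
            findings.append({
                "user": user,
                "still_enabled": enabled,
                "days_since_leaving": (today - left_on).days,
                "used_after_leaving": used_after,
            })
    return findings

if __name__ == "__main__":
    for finding in audit_leavers(LEAVERS, ACCOUNTS, date(2024, 3, 21)):
        print(finding)
```

The "frank" case is the one a simple enabled-accounts report misses: the account is disabled now, but the last logon falls after the leaving date, so it was used during the gap before it was closed.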

6. Implement a security policy

Again, this will seem obvious, but our research found that 29% of the IT professionals we surveyed told us they don’t have a security policy at all, which is very worrying. It is great to have technical limitations on passwords and network access, but ensure you have a written policy too, as it is so important to put in writing what you are implementing.

Make sure your policy covers the ‘why’ as well as the ‘what’ in terms of the restrictions you are putting in place, to give your employees a better understanding of the severity of what you are trying to tackle and what their actions might lead to, even accidentally. Be transparent about the risks the policy addresses and if you are in an industry that is subject to regulations then explain in understandable terms what those regulations are and why they’re important.

7. Clearly document policies and consistently remind users of them

Security policies should be clear, accessible to everyone and understood by all in your organisation. Our research found that 41% of IT professionals said their security policy was included in an employee handbook or manual, which is great, but it is just the first step to ensuring users understand the policy. We all know that employee handbooks can get read in an employee’s first week on the job, and then forgotten about.

There is also a chance that users who are consistently trying to gain network access outside of restrictions will get frustrated. Remind them when they are meeting these frustrations why the restrictions are in place, and what they can do instead to get the job they need to do done, like asking for temporary clearance. By continually doing this and being consistent in your approach, users will come to understand what your policies are and why they are in place. Mentioning contractual or legal implications here also helps highlight the severity of the issue to the user.

This is another instance where technology can help to address a cultural issue; we found that just 12% of the IT professionals we surveyed remind users of security policies with daily prompts. With UserLock it is possible to set up customisable alerts and prompts to ensure users are reminded of security policies in an effective way.

8. Work closely with HR and other departments

As we’ve mentioned, mitigating insider threats is not just a technological problem. Consequently, departments whose responsibilities lie beyond the technology the business uses not only can help, they have a responsibility to. IT is responsible for managing network access, but not generally for managing sensitive employee information; that tends to be the remit of HR.

Working closely with other departments may help with educating users on your security policy; HR could include it in the training schedule, for instance. It may also help in identifying potential internal threats, as HR are much more likely to be aware of issues where employees may be disgruntled, as well as having a closer track on new starters and employee terminations.

Conclusion: A cultural and technology based approach

We are starting to see awareness of insider threats growing, with high-profile data leaks like the Snowden scandal and examples like the Target retailer breach recently. As trends like BYOD grow, the number and types of devices employees use broaden, and the volume and scale of digitally stored data and information that businesses house grow too, so there are more points of access and a larger risk.

This means that organisations must start to take the issue of internal security much more seriously, but by using a combination of the right technology and the right cultural approach, they can mitigate the risks.

To help secure all authenticated users’ access across a Windows Server network, download the free trial version of UserLock.

A close version of this article originally appeared in Computer Fraud & Security: A monthly publication focusing on providing practical, useable information to effectively manage and control computer and information security within commercial organisations.

François Amigorena

François Amigorena is the founder and CEO of IS Decisions, a global software company specializing in access management and MFA for Microsoft Windows and Active Directory environments. After a career spanning IBM and a subsidiary of la Société Générale, François became an entrepreneur in 1989 and has never looked back.