Can a Windows logon script control concurrent logins?

Is it a good idea to use a windows logon script to control concurrent sessions on Windows servers?

When it comes to a login script and limiting simultaneous sessions we can affirm categorically that solutions based on windows logon script present too many drawbacks and weaknesses to suit medium to large IT infrastructures’ security requirements.

Any malicious user can easily kill a logon script

Setting up logon script solutions to control simultaneous sessions on Windows networks are based on a hidden share.

The logon script creates a file when the user opens a session and deletes the file when the user closes the session. If a user attempts to open a second session the script will check if the file already exists and if so, the logon is denied.

This is a very simple solution to develop and because of this simplicity has been quite widely used.

The main drawback is that logon scripts are executed as the user. You therefore need to give any user full access to the share where the session files are stored and any malicious user can therefore easily kill the script.

(If you don’t give the required access permissions, a windows logon script cannot create/delete the user session file.)

A threat to your network security

The developer of such a windows logon script could say that the share can be hidden. Unfortunately this is not a good protection because a reasonably smart user can easily retrieve the path to the share.

Allowing this is a major threat to your network security because a simple user can create or delete any files on the share and decide who can logon and who can’t.

For example a simple user can delete all files to allow all users opening a second session or create manually a file to disallow a colleague to logon as a "joke."

This is not a solution to secure and control simultaneous sessions.

What’s more, with a logon scripts-based solution:

• if a workstation is not connected to the network, scripts cannot run and sessions history is therefore lost

• if an untimely reboot occurs, sessions are not suppressed from the database

So what is the best way to prevent or limit concurrent logins?

Control concurrent logins as part of a complete access control solution

Our unique security software solution UserLock does limit or prevents concurrent logins to your Windows network, based on user, user groups or session types.

In fact it offers strong access control to protect all the data contained within your Windows network by permitting or denying logins (including concurrent logins), workstation access and usage/connection times. In this way you can define and set a process for user approval according to either individual user, user group or organizational unit and by session type (terminal, Wi-Fi/Radius, workstation, etc.)

UserLock also offers real-time session monitoring and reporting on all network access. As soon as any suspicious access event is detected, UserLock automatically alerts you (the security administrator), offering the chance to instantly react by remotely locking, logging off or resetting the appropriate sessions.

Security controls far beyond native Windows

With Windows Active Directory, you can go into a user’s account and restrict him to only being able to log on from specific computers. However there is no way to do it by group or organizational unit. This is a real deterrent to implement and enforce an efficient access security policy.

For more information about differences between Active Directory native features and UserLock features, read Eight Holes in Windows Login Controls and how UserLock fills them in.