Eight Holes in Windows Login Controls and how UserLock fill them in...

Windows has more security features than any other operating system but is strangely lacking the fundamental and classic login session controls found in other environment like mainframe and midrange systems, UNIX and Netware.

Windows indeed lacks:

• Concurrent logon control
• Logon/logoff reporting
• Logon session monitoring
• Remote logoff of workstation logon sessions
• Logon time restrictions by group
• Workstation restrictions by group
• Forcible logoff when allowed logon time expires
• Previous logon time and computer display when user logs on

These are although important security controls that are required for an Information System to comply with major regulatory constraints (HIPAA, SOX, PCI, NISPOM, DCID 6/3, GLBA, US Patriot Act, FISMA…) and can efficiently mitigate insider threats.

Insider threats

And the threat of attack from insiders is real and substantial. The 2007 E-Crime Watch SurveyTM conducted with the U.S. Secret Service, Carnegie Mellon University Software Engineering Institute's CERT® Program and Microsoft Corp., found that in cases where respondents could identify the perpetrator of an electronic crime, 34% were committed by insiders (outsiders 37%, unknown 29%).

39% of these rogue insiders used compromised accounts to commit e-crimes, like unauthorized access to/use of corporate information, systems or networks, theft of intellectual property, theft of other information (including financial and customer records) and fraud (credit card, etc.).

Among best practices for the prevention and detection of insider threats recommended in the Common Sense Guide to Prevention and Detection of Insider Threats published by Carnegie Mellon University's CyLab, appear:

• restricting employees' access to only those resources needed to accomplish their jobs, as access control gaps facilitate most incidents
• logging and monitoring access to all of the organization's critical electronic assets, so that suspicious access can be detected and investigated
• making all activity from any account attributable to its owner
• enabling auditors or investigators to trace all online activity on any account to an individual user
• logging, monitoring, and auditing employee online actions in order to lead to early discovery and investigation of suspicious insider actions
• using techniques that promote non-repudiation of action in order to ensure that online actions taken by users can be attributed to the person that performed them
• following rigorous termination procedures that disable all open access points to the networks, systems, applications, and data
• collecting and saving usable evidence in order to preserve response options, including legal options

Major holes in Windows native login controls unfortunately do not allow to efficiently implementing such practices.