Windows hole 4: No remote logoff of workstation logon sessions

If a System Administrator needs to get a specific user off his computer, then unless he has some kind of utility he is going to have to walk down to that building, to that floor, to that cubicle, and log him off that computer.

And there are many good reasons you may want to log users off their workstations:

  • securing computers that are left unattended (even though hopefully they have a password-protected screensaver mandated)
  • freeing up locked-down resources
  • handling emergency situations

Imagine, for example, that an employee (let us call him Jack) is fired and knows that his dismissal is coming. Jack logs on at 04:00 pm, and at 04:05 pm a System Administrator disables and/or deletes his account. Guess what happens? Jack is still logged on to that workstation, and maybe connected to some servers. All he has to do is unlock the workstation, and workstations typically do not check unlock requests against the domain controller. So Jack is still going to be there on that computer, even though his account has been disabled and deleted …

The ability to perform remote logoffs is nonetheless required for an Information System to comply with major regulatory constraints, including:

With UserLock, an administrator can remotely lock, logoff and reset all sessions, either from the administration console or the Web interface.
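The scenario above, as an added example that is not part of the original page and is not UserLock's own code: after disabling an account, enumerate that user's interactive sessions on a list of workstations with the built-in quser.exe and terminate them with logoff.exe. It assumes you run it with administrative rights on the workstations, that those hosts allow the RPC calls the two tools use, and that the workstation list you pass is your own (constructed) inventory.

```powershell
# Added example: find and terminate a (now disabled) user's sessions on
# several workstations, using Windows built-in quser.exe and logoff.exe.
# Assumptions: admin rights on each host, RPC reachable, $Workstations is
# a constructed list supplied by the caller.
param(
    [Parameter(Mandatory)] [string]   $UserName,      # e.g. 'jack' (sAMAccountName)
    [Parameter(Mandatory)] [string[]] $Workstations,  # hosts to check
    [switch] $ReportOnly                              # list sessions, do not log off
)

function Get-UserSessions {
    param([string]$Computer, [string]$User)
    # quser prints a header line, then one line per session. Disconnected
    # sessions have no SESSIONNAME column, so match by regex, not by position.
    $raw = & quser.exe "/server:$Computer" 2>$null
    if ($LASTEXITCODE -ne 0 -or -not $raw) { return @() }   # no sessions / host unreachable
    foreach ($line in ($raw | Select-Object -Skip 1)) {
        if ($line -match '^\s*>?(?<user>\S+)\s+(?:(?<session>\S+)\s+)?(?<id>\d+)\s+(?<state>Active|Disc)') {
            if ($Matches.user -ieq $User) {
                [pscustomobject]@{
                    Computer = $Computer
                    Id       = [int]$Matches.id
                    State    = $Matches.state   # Active, or Disc (locked/disconnected)
                }
            }
        }
    }
}

$found = foreach ($ws in $Workstations) { Get-UserSessions -Computer $ws -User $UserName }

if (-not $found) {
    Write-Host "No sessions for '$UserName' on the listed workstations."
    return
}

foreach ($s in $found) {
    if ($ReportOnly) {
        Write-Host "Would log off $UserName on $($s.Computer) (session $($s.Id), $($s.State))"
        continue
    }
    # A locked or disconnected session is terminated as well, which is exactly
    # the case the text describes: unlocking never re-checks the account's state.
    & logoff.exe $s.Id "/server:$($s.Computer)"
    Write-Host "Logged off $UserName on $($s.Computer) (session $($s.Id)), exit code $LASTEXITCODE"
}
```

Run it with -ReportOnly first to confirm the sessions it found before terminating them; the script only covers interactive workstation sessions, not open connections to servers, which still need to be closed or allowed to expire on the server side.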
