Channel: Spiceworks Community

Why concurrent logins to a Windows network are a (very) bad idea


Microsoft Windows ships with a large set of security features, yet it lacks a fundamental and classic login session control found in other environments such as mainframe and midrange systems, UNIX and NetWare: a limit on the number of simultaneous sessions per account.

For example, Windows offers no built-in way to restrict a given user account to being logged on at only one computer at a time. Active Directory can restrict which computers an account may log on to (the account's "Log On To" list), but not how many of them at once.

For interactive logins at desktops and laptops, this means a system administrator cannot prevent a user from logging on at one computer, handing that session to somebody else (or simply leaving it unattended), and then walking up to another computer and logging on there as well.
This is one of the most underestimated weaknesses of a Windows network.


Why is preventing (or limiting) concurrent logins to a Windows network important?
Since a person can only be in one place at a time, there are very few legitimate reasons for a single user account to be connected to the network from several different workstations at once.

In the best case, the user is merely careless and forgot to close a session before opening a new one from another computer. If, however, the sessions belong not to the same user but to two (or more) different people using the same credentials, it takes no great insight to suspect that at least one of them may have harmful intentions.

Here are a few examples of potentially dangerous situations made possible by the absence of simultaneous logins control:

- It makes it easier for users to share their credentials, because doing so has no consequence for their own access to the network.
This creates an accountability and non-repudiation problem: user A, connected with the credentials of user B, can access user B's data and applications, send email in B's name, and so on.

- It widens the attack surface of the network: an attacker can use stolen credentials at the same time as their legitimate owner, and the legitimate user is then held accountable for whatever the attacker does.

- In educational organizations that run a network of free-access computers for their students, one user can unduly tie up several workstations, preventing fair sharing of resources. Worse, students can disclose their credentials to unauthorized third parties.

- It can easily corrupt roaming profiles and create versioning conflicts for offline files.
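Since Windows itself will not refuse the second interactive session, the practical first step is to find out whether it is happening. The following Python script is an added example, not part of the original post and not UserLock code: it replays a constructed set of simplified Security events (4624 logon, 4634/4647 logoff, carrying the account, workstation and logon type fields as the real events do) in time order and reports accounts that held interactive sessions on more than one workstation at the same time. The sample records, the flat field layout and the collection path (the events are assumed to be forwarded from the workstations, where 4624 is logged) are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data, not real logs: (timestamp, event id, account,
# workstation, logon type). Field values mirror what Security events
# 4624 (logon) and 4634/4647 (logoff) carry; logon type is None for logoffs.
SAMPLE_EVENTS = [
    ("2024-03-01T08:00:00", 4624, "ACME\\alice", "WS01", 2),
    ("2024-03-01T08:05:00", 4624, "ACME\\bob", "WS02", 2),
    ("2024-03-01T08:30:00", 4624, "ACME\\alice", "WS07", 2),       # WS01 session still open
    ("2024-03-01T09:00:00", 4647, "ACME\\bob", "WS02", None),      # bob logs off first
    ("2024-03-01T09:10:00", 4624, "ACME\\bob", "WS03", 10),        # RDP, no overlap: fine
    ("2024-03-01T09:15:00", 4624, "ACME\\svc-backup", "WS05", 5),  # service logon: ignored
    ("2024-03-01T17:00:00", 4634, "ACME\\alice", "WS01", None),
]

# Logon types that correspond to a person sitting at (or remoting into) a
# desktop: 2 = Interactive, 10 = RemoteInteractive, 11 = CachedInteractive.
INTERACTIVE_TYPES = {2, 10, 11}


def find_concurrent_sessions(events):
    """Replay logon/logoff events in time order and return a mapping of
    account -> sorted list of workstations on which that account held
    interactive sessions simultaneously. Accounts that never overlapped
    are omitted. Service, network and batch logons are not counted."""
    active = defaultdict(set)   # account -> workstations with an open session
    flagged = defaultdict(set)  # account -> workstations seen in overlap

    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e[0]))
    for _ts, event_id, account, workstation, logon_type in ordered:
        if event_id == 4624 and logon_type in INTERACTIVE_TYPES:
            active[account].add(workstation)
            if len(active[account]) > 1:
                # A second interactive session opened while another one was
                # still open: exactly the condition Windows does not prevent.
                flagged[account] |= active[account]
        elif event_id in (4634, 4647):
            # Logoff closes the session on that workstation (if we saw it open).
            active[account].discard(workstation)

    return {account: sorted(ws) for account, ws in flagged.items()}


if __name__ == "__main__":
    for account, workstations in find_concurrent_sessions(SAMPLE_EVENTS).items():
        print(f"{account}: concurrent interactive sessions on {', '.join(workstations)}")
```

On the constructed data only ACME\alice is reported (WS01 and WS07), because bob's second logon happens after his first session was closed and the service logon is filtered out by logon type. On real data the same replay can be fed from forwarded 4624/4634/4647 events; the script does nothing about the second session, it only surfaces the accounts for which the questions in the list above need to be asked.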


As you can see, failing to control concurrent logins significantly increases the vulnerability of the network.
That is why preventing or limiting simultaneous logins is required for an information system to comply with major regulatory frameworks, for example NISPOM (National Industrial Security Program Operating Manual, sections 8-303, 8-602 and 8-609) and ICD 503 (Intelligence Community Directive 503, "Identification and Authentication" and "Enforcement of session controls" sections).

Among numerous other features, UserLock allows you to limit or prevent concurrent logins per user, user group or Organizational Unit, and per session type (workstation, terminal, interactive, Internet Information Services or VPN/RAS).
Limits can be set granularly and can differ from one user, group or Organizational Unit to another.

Please let us know your thoughts and practices about concurrent logins to a Windows network. Thanks for your valued feedback!

