8 holes in windows login controls

Post on 26-Dec-2014

DESCRIPTION

Windows has more security features than any other operating system but is strangely lacking the fundamental and classic login session controls found in other environments such as mainframe and midrange systems, UNIX and NetWare.

TRANSCRIPT

8 Holes in Windows® Login Controls

(5 minute presentation)

… and how UserLock® fills them in

Windows® lacks important security controls:

No concurrent login control
No logon/logoff reporting
No logon session monitoring
No logon time restrictions by group
No workstation restrictions by group
No forcible logoff when allowed logon time expires
No previous logon time and computer display when the user logs on
No remote logoff of workstation logon sessions

These security controls are required for an Information System to comply with major regulatory constraints and to efficiently mitigate insider threat.

2011 CyberSecurity Watch Survey: How bad is the insider threat?

[Chart] Electronic crimes committed by: Insiders 21%, Outsiders 58%, Unknown 21%

Source: 2011 CyberSecurity Watch Survey, CSO Magazine, U.S. Secret Service, Software Engineering Institute CERT Program at Carnegie Mellon University and Deloitte, January 2011.

2011 CyberSecurity Watch Survey: How damaging is an insider incident?

[Chart] Most costly or damaging electronic crimes are committed by: Insiders 33%, Outsiders 38%, Unknown 29%

Source: 2011 CyberSecurity Watch Survey, CSO Magazine, U.S. Secret Service, Software Engineering Institute CERT Program at Carnegie Mellon University and Deloitte, January 2011.

Best practices for the prevention of insider threat, as recommended in the Common Sense Guide to Prevention and Detection of Insider Threats:

Log, monitor, and audit employee online actions
Collect and save usable evidence in order to preserve response options
Make all activity from any account attributable to its owner
Deactivate computer access following termination

Windows native login controls do not enable efficient implementation of such practices.

Hole #1: No concurrent login control

There is no way in Windows to limit a given user account to logging on to only one computer at a time.

Why is controlling concurrent logins so important? Left uncontrolled, concurrent logins have these consequences:

It increases the risk of users sharing their credentials, as there is no consequence to their own access on the network.
It widens the attack surface of a network, as a hacker can seamlessly use valid credentials at the same time as their legitimate owner.
It means that several workstations can unduly be blocked by one user, thus preventing proper sharing of resources.
It can very easily corrupt roaming profiles and create versioning conflicts for offline files.

Not controlling concurrent logins creates a real accountability and non-repudiation issue.

Controlling concurrent logins is required to comply with ICD 503, NISPOM Chap. 8 and NIST 800-53.

UserLock® allows you to limit or prevent concurrent logins.

Hole #2: No logon/logoff reporting

There is no way in Windows to get a report saying “John logged on at 8:00 and he logged off at 11:00.”

Why is logon/logoff reporting so important?

It gives the ability to answer crucial questions when it comes to investigations following an incident:

Who was really logged on?
Where were they logged on?
When did they log on?
How long did they remain logged on?
When did they log off?
At any given time, which people were actually logged on at their systems?

Logon/logoff reporting is required to comply with major international regulations (e.g. Loi sur la Sécurité Financière).

UserLock® records all session logging and locking events in an ODBC database for reporting.

Hole #3: No logon session monitoring

Native Windows features do not allow SysAdmins to answer the following questions in real time:

Who is logged on at which computers?
Which computers are being used by a given user?
Who are the users currently logged on at this particular computer?

Logon/logoff monitoring is required to comply with major US regulations.

UserLock® allows real time session monitoring and alerts.
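One way to obtain, from the native Security event log, the three views the deck says Windows does not give you in Holes #1, #2 and #3 (a logon/logoff report, who is logged on now, and same-account concurrent logons on different computers). This is an added example, not UserLock's or Microsoft's code; the event IDs and field names are the standard Windows audit ones, while the $events records are constructed sample data.

```powershell
# Added example (not UserLock's or Microsoft's code): rebuild logon sessions from
# Security-log events 4624 (logon) and 4634/4647 (logoff), then report sessions,
# who is logged on now, and same-account concurrent logons on different computers.
# $events is a constructed sample. On a real host build the same records from
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4634,4647},
# reading TargetUserName, TargetLogonId and LogonType from each event's ToXml().
$events = @(
    [pscustomobject]@{ Id=4624; Time=[datetime]'2014-12-26 08:00'; Computer='WS01'; User='john';  LogonId='0x1A'; LogonType=2 }
    [pscustomobject]@{ Id=4624; Time=[datetime]'2014-12-26 08:05'; Computer='FS01'; User='john';  LogonId='0x2B'; LogonType=3 }
    [pscustomobject]@{ Id=4624; Time=[datetime]'2014-12-26 09:30'; Computer='WS07'; User='john';  LogonId='0x3C'; LogonType=10 }
    [pscustomobject]@{ Id=4647; Time=[datetime]'2014-12-26 11:00'; Computer='WS01'; User='john';  LogonId='0x1A'; LogonType=$null }
    [pscustomobject]@{ Id=4624; Time=[datetime]'2014-12-26 12:00'; Computer='WS02'; User='alice'; LogonId='0x4D'; LogonType=2 }
)
function Get-LogonSessions {
    param([object[]]$Events)
    $open = @{}                     # "Computer|LogonId" -> session not yet logged off
    $done = New-Object System.Collections.Generic.List[object]
    foreach ($e in ($Events | Sort-Object Time)) {
        $key = "$($e.Computer)|$($e.LogonId)"
        # Only interactive (2) and remote-interactive (10) logons are user sessions; network logons (3) are dropped
        if ($e.Id -eq 4624 -and $e.LogonType -in 2,10) {
            $open[$key] = [pscustomobject]@{ User=$e.User; Computer=$e.Computer; Start=$e.Time; End=$null }
        } elseif ($e.Id -in 4634,4647 -and $open.ContainsKey($key)) {
            $open[$key].End = $e.Time            # logoff matched to its logon by LogonId
            $done.Add($open[$key]); $open.Remove($key)
        }
    }
    foreach ($s in $open.Values) { $done.Add($s) }   # End stays $null: still logged on
    return $done
}
function Find-ConcurrentLogons {
    param([object[]]$Sessions)
    # Same user on two different computers with overlapping time windows (an open session has no end)
    foreach ($g in ($Sessions | Group-Object User)) {
        $s = @($g.Group)
        for ($i = 0; $i -lt $s.Count; $i++) {
            for ($j = $i + 1; $j -lt $s.Count; $j++) {
                $aEnd = if ($s[$i].End) { $s[$i].End } else { [datetime]::MaxValue }
                $bEnd = if ($s[$j].End) { $s[$j].End } else { [datetime]::MaxValue }
                if ($s[$i].Computer -ne $s[$j].Computer -and $s[$i].Start -lt $bEnd -and $s[$j].Start -lt $aEnd) {
                    [pscustomobject]@{ User=$g.Name; Computer1=$s[$i].Computer; Start1=$s[$i].Start; Computer2=$s[$j].Computer; Start2=$s[$j].Start }
                }
            }
        }
    }
}
$sessions = Get-LogonSessions $events
$sessions | Format-Table User, Computer, Start, End -AutoSize                  # logon/logoff report (Hole #2)
$sessions | Where-Object { -not $_.End } | Format-Table User, Computer, Start   # logged on now (Hole #3)
Find-ConcurrentLogons $sessions | Format-Table -AutoSize                       # concurrent logons (Hole #1)
```

Sessions are keyed on the computer plus the logon ID because logon IDs are only unique per machine, and a logoff event is only trusted when the matching logon was seen, so a reboot or a gap in log collection shows up as an open session rather than a silently wrong one.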

Hole #4: No remote logoff of workstation sessions

Windows features do not provide System Administrators with a practical way to remotely log off a specific user.

Why is remote logoff of workstation sessions really useful? It lets you:

secure computers that are left unattended
free up locked-down resources
handle emergency situations

Remote logoff ability is required to comply with GLBA and FISMA.

With UserLock®, a SysAdmin can remotely lock or log off any session.

Hole #5: No logon time restriction by group

Windows only provides logon time restriction functionality on a user-by-user basis.

Enforcing time restrictions is required to comply with major international regulations (e.g. Loi sur la Sécurité Financière).

UserLock® enforces time restrictions by group and OU.

Hole #6: No workstation restriction by group

Windows only provides logon workstation restriction functionality on a user-by-user basis.

Why does workstation restriction by group secure access to your network?

It reduces the number of computers on which stolen credentials can be used or exploited, therefore reducing your Windows network attack surface.

Workstation restriction is required to comply with GLBA, FISMA and HIPAA.

UserLock® enforces workstation restrictions by group and OU.

Hole #7: No forcible logoff when allowed logon time expires

The “Automatically logoff users when logon time expires” feature in Windows only applies to file and print servers (SMB components). There is absolutely nothing in Windows that will log a user off of the workstation where he is logged on.

Forcible logoff ability is required to comply with the US Patriot Act, FISMA and HIPAA.

Outside of authorized timeframe(s), or when time is up, UserLock® will really disconnect users, with prior warning.

Hole #8: No previous logon time and computer display when users log on

Windows does not display previous logon time and computer when users log on.

Why does displaying previous logon time and computer increase the security of your network?

This is one of the most effective ways to detect people impersonating user accounts.

Displaying previous logon time and computer is required to comply with ICD 503, NISPOM Chap. 8 and NIST 800-53.

UserLock® allows notifying all users prior to gaining access to a system with a tailor-made warning message.


“Overall, UserLock is a solid tool that any Windows Network Administrator should consider adding to their network management toolkit if tight user access control is mandatory for their organization … BOTTOM LINE: it’s an impressive product.”

UserLock reviewed in PC Mag

www.UserLock.com

Download a free fully-functional trial now
