a Flo + a Blog = a Flog my ブログ

31 Jul 2008

Windows logon management

A while ago I posted an article about how Kerberos authentication works and, basically, how you would determine who was using which account to log on to which machine.

Not so long ago a colleague of mine, who also happens to be our HR head, found himself locked out while traveling to our Toronto office (he is based in Montreal). He found out as he was trying to log on to his laptop. After a call to the helpdesk, which unlocked his account, he was able to log in, but the next morning he would be locked out again.

I'll let you check the Kerberos article for how to find the source of a lockout. Put briefly, it is just a matter of finding which Domain Controller his account was locked out on and then checking that DC's security log to determine from which machine the bad attempts came.
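The lookup described above, as an added example script that is not part of the original post. It assumes Windows Server 2008 or later domain controllers (lockouts are logged as Security event 4740, and bad-password attempts are forwarded to the PDC emulator), PowerShell 3 or later, and the ActiveDirectory module from RSAT on the machine running it.

```powershell
# Added example: find which machine is causing an account lockout by reading
# the lockout events (ID 4740) from the PDC emulator's Security log.
param(
    [Parameter(Mandatory)] [string] $SamAccountName,
    [int] $Hours = 24
)

Import-Module ActiveDirectory

# Every DC forwards bad-password attempts to the PDC emulator, so its Security
# log is the single place where all 4740 lockouts for the domain show up.
$pdc = (Get-ADDomain).PDCEmulator

$filter = @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = (Get-Date).AddHours(-$Hours)
}

Get-WinEvent -ComputerName $pdc -FilterHashtable $filter |
    ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            Time           = $_.TimeCreated
            Account        = $data['TargetUserName']
            # In event 4740 the "Caller Computer Name" (the workstation that
            # presented the bad password, e.g. the training PC in the story)
            # is stored in the TargetDomainName data element.
            SourceComputer = $data['TargetDomainName']
            LockedOutOn    = $_.MachineName
        }
    } |
    Where-Object { $_.Account -eq $SamAccountName } |
    Sort-Object Time
```

Run it as `.\Find-LockoutSource.ps1 -SamAccountName jdoe -Hours 48` (file name assumed); each row tells you when the lockout happened and which computer kept sending the stale credentials.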

So it turned out that a week before traveling to Toronto he had attended a training session, logged on to a training computer and left without logging off. Prior to his trip he also changed his password. While a daily unlock by the helpdesk let him get his work done, the training machine where he was still logged on kept trying to authenticate to the DC with the old, cached password, and locked him out again.

This really demonstrates some shortcomings of Windows logon management (Active Directory based, aka the Microsoft Windows directory service), and here I am thinking of logon/logoff control. In this case it would have helped to know where his account was currently logged on. To get that today you would have to collect the logs of every workstation and other resource machine.

The Microsoft directory does not offer concurrent logon control. Well, Microsoft does ship some tools to manage this, but so far my attempts to make them work were unsuccessful (cconnect). Because at logon the directory only checks that the logon is valid, there is no way to report who is logged on where and for how long. This somewhat limits your (the system admin's) ability to control credential-sharing issues, or simply to enforce accountability for users' actions on different machines.

Those are not the only gaps in the Windows directory. Along with the lack of logon/logoff reporting, there is no session control on workstations. Of course, as a Domain Admin you can log someone off, but this is a tedious task if you have to log off 100 users for security reasons. A little logon session monitoring would help, since for now you would have to check open sessions on several servers to do so, and DCs do not keep track of current logon sessions anyway.

With that we can also mention that there is no automated way to log off users from unattended workstations. Leaving aside the fact that it is good to free up resources, I see it as a threat: a terminated user who left his workstation locked would be able to unlock it, even if his user account is now gone from AD or just disabled.

The only manageable part of logon with the Windows directory is logon hours and workstation logon permissions. However, these can only be set per user. This does not make management easy, and it would be interesting to be able to control those restrictions per group.

Still, the Windows directory is pretty comfortable to manage and use, but it could use some more logon control to enforce more security and control over users' and attackers' logon attempts and mistakes.

Note: I have limited hands-on experience with Windows 2008 servers, but I don't remember seeing many changes as far as logon control goes. Please feel free to update!