Here's a question that a SearchWindowsSecurity.com reader sent in. It represents a common headache faced by security administrators:
Can you limit how many times a user can log on to the network?
Solutions to this type of problem have been around for a while. The problem is that not many people are aware of them.
Requires Free Membership to View
When you register, my team of editors will also send you the latest expert resources covering pertinent IT topics such as Windows server backup and recovery, server administration, storage management, infrastructure security, virtualization, Hyper-V, Active Directory and Group Policy.
Cathleen A. Gagne, Senior Editorial Director
 |
||||
|
|
|||
|
||||
The only downside I can see is that LimitLogin is not supported by Microsoft. However, once you work your way through the included help file (LimitLogin.chm) and get it installed and configured, you should find it to be a relatively low-maintenance application.
Outside of enforcing the number of concurrent logins, you can also use LimitLogin as a login auditing tool to see how and when users are logging into the network. It's not groundbreaking, but certainly a nicety if you can't justify spending good money on a commercial network audit logging system.
Last year, I came across a commercial alternative to LimitLogin (that's also well-liked by many Windows admins) called UserLock by IS Decisions. UserLock works in a similar fashion to LimitLogin but offers more enterprise features that you'd expect to find in a commercial product, like real-time alerting and reporting.
Finally, if you're on a limited budget and have time to tinker around with Windows, you could build your own homegrown solution. For example, you could create a Windows login script component that maps a drive to the user's home directory share. If it's unable to create the mapping, then error out and log off. On each user's home directory share, you would set the maximum number of connections to 1. When the user logs in once, all's well. However, doing so twice would generate a net use error level of 1. This error could be captured in the login script to redirect to the logoff command and exit.
You could also set the workstation that each user must use to log in to the network. In Active Directory Users and Computers, under User/Account/Log On To, you could set the specific workstation(s) the user is allowed to log on to. Unlike LimitLogin and UserLock it's a rather limited workaround, but it may be all you need.
These homegrown solutions should work fine for small networks, but they could easily turn into a real pain -- if not a liability -- in larger environments. I see it all too often -- where network admins thrive on their own custom applications to keep the network up and running. The problem is that these custom apps can be a single point of failure if something happens to the administrator and they don't play well in environments where separation of duties is needed. Plus, ongoing auditing, reporting and overall change management is much more difficult if not impossible.
With one of these login limiting techniques, you'll improve user accountability, network security and -- as a nice side benefit -- you'll be compliant with X policy or Y regulation all at the same time.
About the author: Kevin Beaver is an independent information security consultant, keynote speaker, and expert witness with Atlanta-based Principle Logic, LLC where he specializes in performing independent security assessments. Kevin has authored/co-authored seven books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator and author of the Security On Wheels blog and information security audio programs providing security learning for IT professionals on the go. Kevin can be reached at kbeaver --at- principlelogic.com.
This was first published in February 2008