Why concurrent logins to a Windows network are a (very) bad idea

Once hackers gain legitimate Windows login credentials, they have unfettered use of them

A vast number of Microsoft's security holes are dependent on the credentials of the user logged in when a Windows machine is hacked. But one of Windows' weakest areas of baked-in security is login controls. Third-party software, such as IS Decisions' UserLock takes on the task of filling in the gaps.

So, I asked the CEO of IS Decisions, François Amigorena (pictured, right), if he could explain the risks of letting users simultaneously login from multiple locations. (IS Decisions even names Microsoft among the customers for its Windows network management wares.) The following is a guest post on the topic written by Amigorena.

Microsoft Windows has more security features than any other operating system but is strangely lacking the fundamental and classic login session controls found in other environments, like mainframe and midrange systems, UNIX and Netware.

As an example, there is no way in Windows to limit a given user account from only logging on at one computer at a time.

In terms of interactive logins at desktops and laptops, a system administrator cannot therefore prevent a given user from going up to one computer, logging on there, letting somebody work as him or just leaving the computer unattended, and then walking up to another computer and logging on there.

And this is certainly one of the most underestimated flaws in a Windows network. Why is preventing (or limiting) concurrent logins to a Windows network really important?

When you think about it, as human beings still don’t have the gift of ubiquity, there are very few legitimate reasons for a user to be connected to a network from several different workstations.

In the best case scenario, the user is just careless and forgot to close his session before opening a new one from another computer. However if it is not the same user but two (or more) different persons concurrently using the same credentials, no need to be a rocket scientist to imagine that at least one of them may have harmful intentions …

Here are a few examples of potentially dangerous situations made possible by the absence of simultaneous logins control:

• It increases the ability of users to share their credentials, as there is no consequence on their own access to the network. This of course creates a whole accountability and non-repudiation issue as user A, connected to the network with the credentials of user B, can access user B’s data and applications, send e-mails in his name, etc.
• It widens the attack surface of a network as a hacker can seamlessly use valid credentials at the same time as their legitimate owner (and make legitimate user accountable for any illegitimate action he takes).
• In the case of educational organizations that manage a network of free access computers for their students, it means that several workstations can unduly be blocked by one user, thus preventing proper sharing of resources. Or even worse, students can disclose their credentials to unauthorized third parties.
• It can very easily corrupt roaming profiles and create versioning conflicts for offline files.

As you can see, not controlling concurrent logins does significantly increase the network vulnerability. That is why preventing or limiting simultaneous logins is required for an Information System to comply with major regulatory constraints, including for example NISPOM (National Industrial Security Program Operating Manual – 8-303, 8-602 and 8-609 sections) and ICD 503 (Intelligence Community Directive number 503 – “Identification and Authentication” and “Enforcement of sessions controls” sections).

Microsoft is perfectly aware of the issue and has relied on external, third-party software solutions to provide control over concurrent logins to a Windows network.

IS Decisions, founded in 2000 and based in Biarritz (France), is a software vendor specializing in Infrastructure and Security Management solutions for Microsoft Windows. The company makes software for network administrators to secure, monitor and report on network access and user sessions, audit access to sensitive files and folders, perform remote installations of applications and updates across the network and automate the inventory of Windows assets (hardware, software, settings, eventlogs).

IS Decisions cites more 3,000 clients worldwide including: Airbus, American Express, AXA, Banco Santander, Bank of Tokyo, Barclays, Boeing, Citizen, Ernst & Young, GlaxoSmithKline, Hewlett-Packard, HSBC, Konica, IBM, Lockheed Martin, L’Oréal, Microsoft, Mitsubishi, Saint Gobain, Siemens, Smurfit Stone, Texas A&M University, Time Warner, United Nations, University of Cambridge, University of Pennsylvania, US Department of Justice, US Air Force, US Army, US Navy and Virgin.

• Microsoft
• Security
• keylogger
• Microsoft security
• user accounts
• Windows security
• Windows security holes