Many of Windows' security holes depend on the credentials of the user who is logged in when a machine is compromised. Yet one of the weakest areas of Windows' baked-in security is login control. Third-party software, such as IS Decisions' UserLock, takes on the task of filling that gap.
So I asked the CEO of IS Decisions, François Amigorena, if he could explain the risks of letting users log in simultaneously from multiple locations. (IS Decisions even names Microsoft among the customers for its Windows network management wares.) The following is a guest post on the topic written by Amigorena.
Microsoft Windows has more security features than any other operating system, but it is strangely lacking the fundamental and classic login session controls found in other environments, such as mainframe and midrange systems, UNIX and NetWare.
As an example, there is no built-in way in Windows to restrict a given user account to logging on at only one computer at a time.
For interactive logins at desktops and laptops, this means a system administrator cannot prevent a user from going up to one computer, logging on there, letting somebody else work under his account or simply leaving the computer unattended, and then walking up to another computer and logging on there as well.
This is certainly one of the most underestimated flaws in a Windows network. Why is preventing (or limiting) concurrent logins to a Windows network really important?
When you think about it, as human beings still don’t have the gift of ubiquity, there are very few legitimate reasons for a user to be connected to a network from several different workstations.
In the best-case scenario, the user is just careless and forgot to close his session before opening a new one from another computer. However, if it is not the same user but two (or more) different people concurrently using the same credentials, it takes no rocket scientist to imagine that at least one of them may have harmful intentions …
Here are a few examples of potentially dangerous situations made possible by the absence of simultaneous login control:
As you can see, not controlling concurrent logins significantly increases the network's vulnerability. That is why preventing or limiting simultaneous logins is required for an information system to comply with major regulatory constraints, including for example NISPOM (National Industrial Security Program Operating Manual – sections 8-303, 8-602 and 8-609) and ICD 503 (Intelligence Community Directive number 503 – “Identification and Authentication” and “Enforcement of session controls” sections).
Microsoft is perfectly aware of the issue and has relied on external, third-party software solutions to provide control over concurrent logins to a Windows network.
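The gap described above can at least be detected after the fact from the Security event log. The following is an added example, not code from the original post or from IS Decisions' products: it replays constructed logon (Event ID 4624) and logoff (Event ID 4634) records, keeps only interactive logon types, and flags any account that holds live sessions on more than one workstation at the same time. The event records, account and host names are all made up for the example.

```python
"""Flag accounts with concurrent interactive Windows sessions.

Added example (not from the original post or from UserLock). Events are
constructed tuples in the shape of Security-log fields:
(timestamp, event_id, account, workstation, logon_type).
"""

# Standard Windows logon types that mean "someone is sitting at a session":
# 2 = Interactive, 10 = RemoteInteractive (RDP), 11 = CachedInteractive.
INTERACTIVE_TYPES = {2, 10, 11}

# Constructed sample events (ISO timestamps sort correctly as strings).
SAMPLE_EVENTS = [
    ("2024-05-01T08:00:00", 4624, "CORP\\jdoe", "WS-FINANCE-01", 2),
    ("2024-05-01T08:05:00", 4624, "CORP\\asmith", "WS-HR-04", 2),
    ("2024-05-01T08:20:00", 4624, "CORP\\jdoe", "WS-LOBBY-02", 2),  # 2nd live session
    ("2024-05-01T08:30:00", 4634, "CORP\\jdoe", "WS-FINANCE-01", 2),
    ("2024-05-01T09:00:00", 4624, "CORP\\jdoe", "SRV-FILE-01", 3),  # network logon, not a desk session
    ("2024-05-01T09:10:00", 4634, "CORP\\asmith", "WS-HR-04", 2),
]


def concurrent_sessions(events):
    """Replay events in time order and return one alert tuple
    (timestamp, account, sorted list of workstations) each time an
    account gains an interactive session while another one is still open
    on a different workstation."""
    active = {}  # account -> set of workstations with a live interactive session
    alerts = []
    for ts, event_id, account, host, logon_type in sorted(events, key=lambda e: e[0]):
        if logon_type not in INTERACTIVE_TYPES:
            continue  # network/service/batch logons do not occupy a workstation
        sessions = active.setdefault(account, set())
        if event_id == 4624:
            sessions.add(host)  # re-logon on the same host is not a 2nd session
            if len(sessions) > 1:
                alerts.append((ts, account, sorted(sessions)))
        elif event_id == 4634:
            sessions.discard(host)
    return alerts


if __name__ == "__main__":
    for ts, account, hosts in concurrent_sessions(SAMPLE_EVENTS):
        print(f"{ts} {account} is logged on at {', '.join(hosts)} simultaneously")
```

On a real domain the same logic would run over 4624/4634 events forwarded from the workstations themselves, since interactive logons are recorded on the machine where the session is opened, not on the domain controller.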
IS Decisions, founded in 2000 and based in Biarritz (France), is a software vendor specializing in infrastructure and security management solutions for Microsoft Windows. The company makes software for network administrators to secure, monitor and report on network access and user sessions, audit access to sensitive files and folders, perform remote installations of applications and updates across the network, and automate the inventory of Windows assets (hardware, software, settings, event logs).
IS Decisions cites more than 3,000 clients worldwide, including: Airbus, American Express, AXA, Banco Santander, Bank of Tokyo, Barclays, Boeing, Citizen, Ernst & Young, GlaxoSmithKline, Hewlett-Packard, HSBC, Konica, IBM, Lockheed Martin, L’Oréal, Microsoft, Mitsubishi, Saint Gobain, Siemens, Smurfit Stone, Texas A&M University, Time Warner, United Nations, University of Cambridge, University of Pennsylvania, US Department of Justice, US Air Force, US Army, US Navy and Virgin.
Julie Bort is the editor of Microsoft Subnet and Network World's Online Community Editor. She also writes the Open Source Subnet blog and is the editor responsible for the Cisco Subnet and Open Source Subnet web sites. If you have an idea for a blog, or a news tip on Microsoft, Cisco or Open Source technologies, contact her at email@example.com, 970-482-6454 or follow Julie on Twitter @Julie188.