8 Holes in Windows Login Controls
![Page 1: 8 Holes in Windows Login Controls](https://reader031.fdocuments.us/reader031/viewer/2022013118/549e957bb37959af618b4774/html5/thumbnails/1.jpg)
8 Holes in Windows® Login Controls and how UserLock® fills them in …
5-minute presentation
![Page 2: 8 Holes in Windows Login Controls](https://reader031.fdocuments.us/reader031/viewer/2022013118/549e957bb37959af618b4774/html5/thumbnails/2.jpg)
Windows® lacks important security controls
No concurrent login control
No logon/logoff reporting
No logon session monitoring
No logon time restrictions by group
No workstation restrictions by group
No forcible logoff when allowed logon time expires
No previous logon time and computer display when user logs on
No remote logoff of workstation logon sessions
![Page 3: 8 Holes in Windows Login Controls](https://reader031.fdocuments.us/reader031/viewer/2022013118/549e957bb37959af618b4774/html5/thumbnails/3.jpg)
These security controls are required for an Information System to comply with major regulatory constraints and efficiently mitigate insider threat
![Page 4: 8 Holes in Windows Login Controls](https://reader031.fdocuments.us/reader031/viewer/2022013118/549e957bb37959af618b4774/html5/thumbnails/4.jpg)
2011 CyberSecurity Watch Survey
How bad is the insider threat?
Electronic crimes committed by: Insiders 21%, Outsiders 58%, Unknown 21%
Source: 2011 CyberSecurityWatch Survey, CSO Magazine, U.S. Secret Service, Software Engineering Institute
CERT Program at Carnegie Mellon University and Deloitte, January 2011.
![Page 5: 8 Holes in Windows Login Controls](https://reader031.fdocuments.us/reader031/viewer/2022013118/549e957bb37959af618b4774/html5/thumbnails/5.jpg)
2011 CyberSecurity Watch Survey
How damaging is an insider incident?
Most costly or damaging electronic crimes are committed by: Insiders 33%, Outsiders 38%, Unknown 29%
Source: 2011 CyberSecurityWatch Survey, CSO Magazine, U.S. Secret Service, Software Engineering Institute
CERT Program at Carnegie Mellon University and Deloitte, January 2011.
![Page 6: 8 Holes in Windows Login Controls](https://reader031.fdocuments.us/reader031/viewer/2022013118/549e957bb37959af618b4774/html5/thumbnails/6.jpg)
Best practices for the prevention of insider threat recommended in the Common Sense Guide to Prevention and Detection of Insider Threats
Log, monitor, and audit employee online actions
Collect and save usable evidence in order to preserve response options
Make all activity from any account attributable to its owner
Deactivate computer access following termination
![Page 7: 8 Holes in Windows Login Controls](https://reader031.fdocuments.us/reader031/viewer/2022013118/549e957bb37959af618b4774/html5/thumbnails/7.jpg)
Windows native login controls do not enable efficient implementation of such practices.
![Page 8: 8 Holes in Windows Login Controls](https://reader031.fdocuments.us/reader031/viewer/2022013118/549e957bb37959af618b4774/html5/thumbnails/8.jpg)
Hole #1: No concurrent login control
There is no way in Windows to limit a given user account to logging on to only one computer at a time.
![Page 9: 8 Holes in Windows Login Controls](https://reader031.fdocuments.us/reader031/viewer/2022013118/549e957bb37959af618b4774/html5/thumbnails/9.jpg)
Why is controlling concurrent logins so important?
Uncontrolled concurrent logins increase the risk of users sharing their credentials, as there is no consequence to their own access on the network.
![Page 10: 8 Holes in Windows Login Controls](https://reader031.fdocuments.us/reader031/viewer/2022013118/549e957bb37959af618b4774/html5/thumbnails/10.jpg)
Why is controlling concurrent logins so important?
Uncontrolled concurrent logins widen the attack surface of a network, as a hacker can seamlessly use valid credentials at the same time as their legitimate owner.
![Page 11: 8 Holes in Windows Login Controls](https://reader031.fdocuments.us/reader031/viewer/2022013118/549e957bb37959af618b4774/html5/thumbnails/11.jpg)
Why is controlling concurrent logins so important?
Without this control, several workstations can be unduly blocked by one user, thus preventing proper sharing of resources.
![Page 12: 8 Holes in Windows Login Controls](https://reader031.fdocuments.us/reader031/viewer/2022013118/549e957bb37959af618b4774/html5/thumbnails/12.jpg)
Why is controlling concurrent logins so important?
Concurrent logins can very easily corrupt roaming profiles and create versioning conflicts for offline files.
![Page 13: 8 Holes in Windows Login Controls](https://reader031.fdocuments.us/reader031/viewer/2022013118/549e957bb37959af618b4774/html5/thumbnails/13.jpg)
NOT CONTROLLING CONCURRENT LOGINS CREATES A REAL ACCOUNTABILITY AND NON-REPUDIATION ISSUE.
![Page 14: 8 Holes in Windows Login Controls](https://reader031.fdocuments.us/reader031/viewer/2022013118/549e957bb37959af618b4774/html5/thumbnails/14.jpg)
Controlling concurrent logins is required to comply with ICD 503, NISPOM Chap. 8 and NIST 800-53
![Page 15: 8 Holes in Windows Login Controls](https://reader031.fdocuments.us/reader031/viewer/2022013118/549e957bb37959af618b4774/html5/thumbnails/15.jpg)
UserLock® allows you to limit or prevent concurrent logins.
![Page 16: 8 Holes in Windows Login Controls](https://reader031.fdocuments.us/reader031/viewer/2022013118/549e957bb37959af618b4774/html5/thumbnails/16.jpg)
Hole #2: No logon/logoff reporting
There is no way in Windows to get a report saying “John logged on at 8:00 and he logged off at 11:00.”
![Page 17: 8 Holes in Windows Login Controls](https://reader031.fdocuments.us/reader031/viewer/2022013118/549e957bb37959af618b4774/html5/thumbnails/17.jpg)
Why is logon/logoff reporting so important?
It gives the ability to answer crucial questions when it comes to investigations following an incident.
Who was really logged on?
Where were they logged on?
When did they log on?
How long did they remain logged on?
When did they log off?
At any given time, which people were actually logged on at their systems?
![Page 18: 8 Holes in Windows Login Controls](https://reader031.fdocuments.us/reader031/viewer/2022013118/549e957bb37959af618b4774/html5/thumbnails/18.jpg)
Logon/logoff reporting is required to comply with major international regulations
Loi sur la Sécurité Financière
![Page 19: 8 Holes in Windows Login Controls](https://reader031.fdocuments.us/reader031/viewer/2022013118/549e957bb37959af618b4774/html5/thumbnails/19.jpg)
UserLock® records all session logging and locking events in an ODBC database for reporting.
![Page 20: 8 Holes in Windows Login Controls](https://reader031.fdocuments.us/reader031/viewer/2022013118/549e957bb37959af618b4774/html5/thumbnails/20.jpg)
Hole #3: No logon session monitoring
Native Windows features do not allow SysAdmins to answer the following questions in real time:
Who is logged on at which computers?
Which computers are being used by a given user?
Who are the users currently logged on at this particular computer?
![Page 21: 8 Holes in Windows Login Controls](https://reader031.fdocuments.us/reader031/viewer/2022013118/549e957bb37959af618b4774/html5/thumbnails/21.jpg)
Logon/logoff monitoring is required to comply with major US regulations
![Page 22: 8 Holes in Windows Login Controls](https://reader031.fdocuments.us/reader031/viewer/2022013118/549e957bb37959af618b4774/html5/thumbnails/22.jpg)
UserLock® allows real time session monitoring and alerts.
![Page 23: 8 Holes in Windows Login Controls](https://reader031.fdocuments.us/reader031/viewer/2022013118/549e957bb37959af618b4774/html5/thumbnails/23.jpg)
Hole #4: No remote logoff of workstation sessions
Windows features do not provide System Administrators with a practical way to remotely log off a specific user.
![Page 24: 8 Holes in Windows Login Controls](https://reader031.fdocuments.us/reader031/viewer/2022013118/549e957bb37959af618b4774/html5/thumbnails/24.jpg)
Why is remote logoff of workstation sessions really useful?
Secure computers that are left unattended
Free up locked-down resources
Handle emergency situations
![Page 25: 8 Holes in Windows Login Controls](https://reader031.fdocuments.us/reader031/viewer/2022013118/549e957bb37959af618b4774/html5/thumbnails/25.jpg)
Remote logoff ability is required to comply with GLBA and FISMA
![Page 26: 8 Holes in Windows Login Controls](https://reader031.fdocuments.us/reader031/viewer/2022013118/549e957bb37959af618b4774/html5/thumbnails/26.jpg)
With UserLock®, a SysAdmin can remotely lock or log off any session.
![Page 27: 8 Holes in Windows Login Controls](https://reader031.fdocuments.us/reader031/viewer/2022013118/549e957bb37959af618b4774/html5/thumbnails/27.jpg)
Hole #5: No logon time restriction by group
Windows only provides logon time restriction functionality on a user-by-user basis.
![Page 28: 8 Holes in Windows Login Controls](https://reader031.fdocuments.us/reader031/viewer/2022013118/549e957bb37959af618b4774/html5/thumbnails/28.jpg)
Enforcing time restrictions is required to comply with major international regulations
Loi sur la Sécurité Financière
![Page 29: 8 Holes in Windows Login Controls](https://reader031.fdocuments.us/reader031/viewer/2022013118/549e957bb37959af618b4774/html5/thumbnails/29.jpg)
UserLock® enforces time restrictions by group and OU.
![Page 30: 8 Holes in Windows Login Controls](https://reader031.fdocuments.us/reader031/viewer/2022013118/549e957bb37959af618b4774/html5/thumbnails/30.jpg)
Hole #6: No workstation restriction by group
Windows only provides logon workstation restriction functionality on a user-by-user basis.
![Page 31: 8 Holes in Windows Login Controls](https://reader031.fdocuments.us/reader031/viewer/2022013118/549e957bb37959af618b4774/html5/thumbnails/31.jpg)
Why does workstation restriction by group secure access to your network?
It reduces the number of computers on which stolen credentials can be used or exploited, thereby reducing your Windows network attack surface.
![Page 32: 8 Holes in Windows Login Controls](https://reader031.fdocuments.us/reader031/viewer/2022013118/549e957bb37959af618b4774/html5/thumbnails/32.jpg)
Workstation restriction is required to comply with GLBA, FISMA and HIPAA
![Page 33: 8 Holes in Windows Login Controls](https://reader031.fdocuments.us/reader031/viewer/2022013118/549e957bb37959af618b4774/html5/thumbnails/33.jpg)
UserLock® enforces workstation restrictions by group and OU.
![Page 34: 8 Holes in Windows Login Controls](https://reader031.fdocuments.us/reader031/viewer/2022013118/549e957bb37959af618b4774/html5/thumbnails/34.jpg)
Hole #7: No forcible logoff when allowed logon time expires
The “Automatically logoff users when logon time expires” feature in Windows only applies to file and print servers (SMB components).
There is absolutely nothing in Windows that will log a user off the workstation where he is logged on.
![Page 35: 8 Holes in Windows Login Controls](https://reader031.fdocuments.us/reader031/viewer/2022013118/549e957bb37959af618b4774/html5/thumbnails/35.jpg)
Forcible logoff ability is required to comply with the US Patriot Act, FISMA and HIPAA
![Page 36: 8 Holes in Windows Login Controls](https://reader031.fdocuments.us/reader031/viewer/2022013118/549e957bb37959af618b4774/html5/thumbnails/36.jpg)
Outside of authorized timeframe(s) or when time is up, UserLock® will really disconnect users with prior warning.
![Page 37: 8 Holes in Windows Login Controls](https://reader031.fdocuments.us/reader031/viewer/2022013118/549e957bb37959af618b4774/html5/thumbnails/37.jpg)
Hole #8: No previous logon time and computer display when users log on
Windows does not display previous logon time and computer when users log on.
![Page 38: 8 Holes in Windows Login Controls](https://reader031.fdocuments.us/reader031/viewer/2022013118/549e957bb37959af618b4774/html5/thumbnails/38.jpg)
Why does displaying previous logon time and computer increase the security of your network?
This is one of the most effective ways to detect people impersonating user accounts.
![Page 39: 8 Holes in Windows Login Controls](https://reader031.fdocuments.us/reader031/viewer/2022013118/549e957bb37959af618b4774/html5/thumbnails/39.jpg)
Displaying previous logon time and computer is required to comply with ICD 503, NISPOM Chap. 8 and NIST 800-53
![Page 40: 8 Holes in Windows Login Controls](https://reader031.fdocuments.us/reader031/viewer/2022013118/549e957bb37959af618b4774/html5/thumbnails/40.jpg)
UserLock® can notify all users, before they gain access to a system, with a tailor-made warning message.
![Page 41: 8 Holes in Windows Login Controls](https://reader031.fdocuments.us/reader031/viewer/2022013118/549e957bb37959af618b4774/html5/thumbnails/41.jpg)
Overall, UserLock is a solid tool that any Windows Network Administrator should consider adding to their network management toolkit if tight user access control is mandatory for their organization …
… BOTTOM LINE: it’s an impressive product.
UserLock reviewed in PC Mag
![Page 42: 8 Holes in Windows Login Controls](https://reader031.fdocuments.us/reader031/viewer/2022013118/549e957bb37959af618b4774/html5/thumbnails/42.jpg)
www.UserLock.com
Download a free fully-functional trial now