UserLock vs Microsoft CConnect

Transcription

1 UserLock vs Microsoft White paper This document reviews how Microsoft and ISDecisions UserLock achieve logon management, and focuses on the concurrent connections restriction features provided by these 2 software products. IS Decisions Technopôle Izarbel Maison du Parc BP BIDART (FRANCE) Tel. : Fax : info@isdecisions.com Web:

2 Concurrent connections: a highly underestimated vulnerability It is widely accepted by the information security community that concurrent connections have to be restricted for the sake of network availability, data integrity, and users accountability, in short, to ensure information security. Windows servers (NT, 2000, 2003) fall short when it comes to thoroughly managing concurrent connections. In order to address this security vulnerability, Microsoft provides in its Windows NT/2000 Resource Kit a tool called. UserLock is a third party software utility, developed by IS Decisions, that provides concurrent connection restriction functionality as well as additional features to optimize and secure user network access. Installation and configuration process Although is a Microsoft product, the configuration process is cumbersome. This is due to lack of documentation provided with the binaries. First, the software requirements are far from standard: For Windows NT 4 workstations: Windows NT 4.0 Service Pack 3 or above must be installed Microsoft Data Access Components (MDAC) 2 or above must be installed Windows Scripting Host must be installed. Web Based Enterprise Management (WBEM) must be installed. For Windows XP, 2000, and NT 4 workstations: SQL Server 6.5 or above must be installed on the database server (MSDE free version is unsuitable for that purpose, as it cannot open more than 5 concurrent connections). In other words, is free as long as you already own a Resource Kit, and a SQL Server license... Secondly, the installation process is not automated: Agents must be deployed manually. Clients must be manually configured, or through group policies in order to launch the agent at start-up. A.adm file has to be edited with the security policy editor. This allows the deployment and the configuration of the clients. Again, this requires significant expertise and is time consuming. The UserLock installation process is straightforward: The server part is installed in a couple of clicks. The agent deployment is swift and seamless, just requiring the selection of the workstations to be protected by entering their names or using the network browser and then you are done. To complete the configuration, all that is left is to set users profiles to determine how many concurrent connections a given user is allowed to open, and how to notify ( or pop-up) administrators when monitored connection events occur. Copyright IS Decisions. All rights reserved. 2 of 5

3 Features limits concurrent connections. Unfortunately Microsoft does not go far enough in this rational, and fails to provide a useful additional feature which would prevent users connecting from a forbidden workstation. has limited monitoring capabilities and has an unfriendly GUI, which allows the network administrator to check which users are logged into the system and from where. Finally, administrators can remotely logout a user from the manager interface. UserLock provides more features than its Microsoft counterpart. It restricts concurrent connections. Furthermore, it restricts the computers where users or groups can logon either by computer name or by IP ranges, and also provides administrators with an accurate real time picture of connection activities across the network. Additionally, it logs all events, allowing administrators to quickly spot any suspicious connection during subsequent investigations. Help The only available help is a Word file that comes with the.zip file. It is worth noting that this help refers to 1.3, while it is shipped with binaries. This is far from being helpful - just run a search on Microsoft newsgroups to realize how painful it is to make work properly UserLock s graphical interface is self explanatory, and practically makes the online help useless. Implementation Regardless of the number of already open sessions, on every login request a fresh session is opened. The agent fires up on the client side, and checks the amount of opened sessions in the SQL database. Then, it compares this value with the number of authorized concurrent sessions. Finally it logs the user off if necessary. This highlights the fact that the client side part of solely manages the authorization process. The manager, the server side running on the domain controller, is just in charge of monitoring, auditing, and logging off users. UserLock uses a very different technology that makes it far more secure than. As stated above, opens a session in the first place: a golden opportunity for a malevolent user to attempt an attack UserLock first checks the user s credentials, and then opens the session if the user is allowed to log in. This technological choice makes a big difference as we will see later. Unlike, no third party database is required to store login related information, thus reducing UserLock exposure to eventual attacks. Finally, administrative privileges are required to kill the UserLock agent process. These choices collectively make UserLock a robust and reliable security solution. Copyright IS Decisions. All rights reserved. 3 of 5

4 What s wrong with It is quite safe to say that does not fulfil the minimum requirements to improve security. Actually it introduces new breaches: with very limited skills, it is possible to carry out several successful attacks. These attacks let an unskilled user log in despite measures, gain sensitive information, and finally run a Denial of Service attack. How to circumvent protection On every request, opens a fresh session in the first place, performs the authorization process, and then logs the user off if needed. An illegitimate user can run a Ctr-Del-Alt, find and kill the process through the task manager before logs the user off. The illegitimate user is logged in. Once a user is logged in, a regular user can edit a.bat file that launches the following command at startup: kill.exe f. Kill.exe is provided in the Resource Kit, along with! This effectively stops during the subsequent connections, and lets illegitimate users log in despite protection. Once a user is logged in, a regular user can edit a dummy string value pointing to an erroneous address under the key HKCU\Software\Microsoft\Windows\CurrentVersion\Run. As a result, Windows will prompt a message error that freezes the opening session process. This allows enough time for an attacker to do whatever he wants in order to circumvent protection, for instance to kill process. These attacks point out an obvious flaw in design - the security-related function, the authorization, is entirely performed by the agent. Amazingly enough, the agent can be killed by a user without any privileges. Arguably was designed with no security in mind. How to gather information for further attacks exploiting flaws In order to perform the authorization process, the agent has to send and retrieve information from the SQL Server database. To do so, it stores the worthy information in HKCU\Software\Microsoft\ in the client register. An inquisitive attacker will very easily discover the server s name, an account and its password, all in clear. Once in possession of this juicy information, he gets full access to that database. If poorly administrated, the attacker would also get full access to the entire database server. How to run a DoS attack exploiting flaw As just said above, any user has easy and full access to the database table that holds information, namely SYSIAD table in the master database. There are two easy ways to launch a Denial of Service attack: The attacker logs in a workstation with User A s account, improperly stops.exe, e.g. by killing it using the task manager (alternatively a dirtier option would be to crash the system). As stops unexpectedly, it does not clean its entry in the SYSIAD table, therefore from s view User A is still logged in. With just one concurrent connection allowed, he cannot log in any more. Failsafe is not a feature A more ambitious attacker can launch a mass Denial of Service simply using MS Access. All he has to do is open a new project, connect to the database, overwrite the SYSIAD table, and prevent everybody, including the network administrators to log into the system! Copyright IS Decisions. All rights reserved. 4 of 5

5 Conclusion Oddly enough Microsoft has forgotten to provide its flag ship software with a basic security feature such as concurrent connections management. As an afterthought, it provides system and network administrators with a buggy piece of software that makes things even worst. The primary goal of this software is to improve the network s security, but as shown here above, it compromises the confidentiality, integrity, and availability of the system. Resetting default configuration might mitigate s weaknesses. However, this is not a realistic alternative, as is inherently insecure: its poor design is an avenue for a broad range of attacks. Again, all these attacks are far from sophisticated. From a financial perspective, Microsoft argumentation is misleading, is free with the provision that you already have paid for a Resource Kit, an SQL Server license, and that you won t pay the extra hours that it will take administrators to struggle with the configuration process. On the other hand, UserLock does much more than just providing the critical missing features. It also has connection management capabilities, and above all is effectively implemented. As a result, UserLock combines both effectiveness and assurance. When it comes to financial consideration, UserLock is once again the winning choice: in the light of the given benefits, UserLock is a cost effective alternative. Summary PROS Remote user logout. Free upon certain conditions* * Requires an SQL Server license, a Resource Kit, and skilled administrator s expertise. CONS Cumbersome to configure. Introduces DOS risk Little assurance No support Needs third party database Outdated UserLock Flaw free Rich featured User-friendly Quick & easy installation, configuration and deployment Online support Cost effective Copyright IS Decisions. All rights reserved. 5 of 5