UserLock vs Microsoft CConnect

White paper

This document reviews how Microsoft CConnect and IS Decisions UserLock handle logon management, and focuses on the concurrent-connection restriction features provided by these two products.

IS Decisions
Technopôle Izarbel, Maison du Parc, BP 12, 64210 BIDART (FRANCE)
Tel.: +335.59.41.42.20
Fax: +335.59.41.42.21
Email: info@isdecisions.com
Web: http://www.isdecisions.com

Concurrent connections: a highly underestimated vulnerability

It is widely accepted in the information security community that concurrent connections have to be restricted for the sake of network availability, data integrity and user accountability; in short, to ensure information security. Windows servers (NT, 2000, 2003) fall short when it comes to thoroughly managing concurrent connections. To address this gap, Microsoft provides in its Windows NT/2000 Resource Kit a tool called CConnect. UserLock is a third-party utility, developed by IS Decisions, that provides concurrent-connection restriction as well as additional features to control and secure user network access.

Installation and configuration process

Although CConnect is a Microsoft product, its configuration is cumbersome, largely because of the lack of documentation shipped with the binaries.

First, the software requirements are far from standard.

For Windows NT 4 workstations:
- Windows NT 4.0 Service Pack 3 or above must be installed.
- Microsoft Data Access Components (MDAC) 2 or above must be installed.
- Windows Scripting Host must be installed.
- Web Based Enterprise Management (WBEM) must be installed.

For Windows XP, 2000 and NT 4 workstations:
- SQL Server 6.5 or above must be installed on the database server. The free MSDE edition is unsuitable for this purpose, as it cannot open more than 5 concurrent connections.

In other words, CConnect is free as long as you already own a Resource Kit and a SQL Server license.

Secondly, the installation process is not automated:
- Agents must be deployed manually.
- Clients must be configured manually, or through group policies, to launch the agent at start-up.
- An .adm file has to be edited in the policy editor to deploy and configure the clients.

Again, this requires significant expertise and is time consuming.
The UserLock installation process is straightforward:
- The server part is installed in a couple of clicks.
- Agent deployment is swift and seamless: select the workstations to be protected by entering their names or using the network browser, and you are done.
- To complete the configuration, set user profiles to determine how many concurrent connections a given user may open, and how administrators are notified (email or pop-up) when monitored connection events occur.

Copyright 2000-2005 IS Decisions. All rights reserved. 2 of 5

Features

CConnect limits concurrent connections. Unfortunately Microsoft does not carry this rationale far enough, and fails to provide the obvious complementary feature: preventing users from connecting from a forbidden workstation. CConnect has limited monitoring capabilities and an unfriendly GUI, which lets the network administrator check which users are logged into the system and from where. Finally, administrators can remotely log a user off from the manager interface.

UserLock provides more features than its Microsoft counterpart. It restricts concurrent connections. Furthermore, it restricts the computers from which users or groups can log on, either by computer name or by IP range, and gives administrators an accurate real-time picture of connection activity across the network. Additionally, it logs all events, allowing administrators to quickly spot any suspicious connection during subsequent investigations.

Help

The only available help for CConnect is a Word file that comes with the .zip file. It is worth noting that this help refers to CConnect 1.3, while it is shipped with 1.1.1.124 binaries. This is far from helpful; a search of the Microsoft newsgroups shows how painful it is to make CConnect work properly. UserLock's graphical interface is self-explanatory, and practically makes the online help unnecessary.

Implementation

With CConnect, a fresh session is opened on every logon request, regardless of the number of sessions already open. The agent then starts on the client side, reads the number of open sessions from the SQL database, compares that value with the number of authorized concurrent sessions, and finally logs the user off if necessary. In other words, the client-side part of CConnect alone performs the authorization decision, and it does so after the session already exists. The manager, the server-side part running on the domain controller, is only in charge of monitoring, auditing and logging users off.

UserLock uses a very different approach that makes it far more secure than CConnect.
As stated above, CConnect opens the session first, which is a golden opportunity for a malicious user to attempt an attack. UserLock first checks the user's credentials and entitlements, and only then opens the session if the user is allowed to log in. This design choice makes a big difference, as we will see later. Unlike CConnect, no third-party database is required to store logon-related information, which reduces UserLock's exposure to attack. Finally, administrative privileges are required to kill the UserLock agent process. Together, these choices make UserLock a robust and reliable security solution.

What's wrong with CConnect

It is safe to say that CConnect does not meet the minimum requirements for improving security. Actually it introduces new breaches: with very limited skills, it is possible to carry out several successful attacks. These attacks let an unskilled user log in despite CConnect's measures, gain sensitive information, and finally run a denial-of-service attack.

How to circumvent CConnect protection

On every request, CConnect opens a fresh session first, performs the authorization check, and then logs the user off if needed. This leaves a window between the session being opened and the agent acting on its decision:

- An illegitimate user can press Ctrl-Alt-Del, find the CConnect process in Task Manager and kill it before CConnect logs the user off. The illegitimate user stays logged in.
- Once logged in, a regular user can create a .bat file that runs the following command at startup: kill.exe /f CConnect. Kill.exe is provided in the Resource Kit, alongside CConnect! This stops CConnect on every subsequent logon, and lets illegitimate users log in despite its protection.
- Once logged in, a regular user can add a dummy string value pointing to a non-existent path under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Windows then displays an error message that stalls the logon process, which gives an attacker all the time needed to circumvent CConnect, for instance by killing its process.

These attacks point out an obvious flaw in CConnect's design: the security-relevant function, the authorization decision, is performed entirely by the agent, and the agent can be killed by a user without any privileges. Arguably CConnect was designed with no security in mind.

How to gather information for further attacks exploiting CConnect flaws

In order to perform the authorization check, the CConnect agent has to send and retrieve information from the SQL Server database. To do so, it stores the connection details under a subkey of HKCU\Software\Microsoft\ in the client's registry.
An inquisitive attacker will very easily discover the server's name, an account and its password, all in clear text. Once in possession of this information, he gets full access to the CConnect database. If the server is poorly administered, the attacker may also get full access to the entire database server.

How to run a DoS attack exploiting CConnect's flaw

As described above, any user has easy and full access to the database table that holds CConnect's information, namely the SYSIAD table in the master database. There are two easy ways to launch a denial-of-service attack:

- The attacker logs in to a workstation with user A's account and improperly stops CConnect.exe, e.g. by killing it from Task Manager (a dirtier option would be to crash the system). As CConnect stops unexpectedly, it does not clean up its entry in the SYSIAD table, so from CConnect's point of view user A is still logged in. With just one concurrent connection allowed, user A cannot log in any more. Failing safe is not a feature CConnect has.
- A more ambitious attacker can launch a mass denial of service simply using MS Access: open a new project, connect to the database, overwrite the SYSIAD table, and prevent everybody, including the network administrators, from logging into the system.
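The two enforcement models contrasted in the Implementation section, and the stale-entry lockout described in the DoS section above, modelled as an added example. This is Python written for this page; it is not IS Decisions' code, not the Resource Kit tool, and not a description of either product's actual internals. The in-memory session table, the 60-second lease, and the user and workstation names are assumptions. It shows why deciding after the session exists, in a process the user can kill, fails open and leaves rows behind, and why deciding before the session is granted and recording each session with a renewable lease avoids both the bypass and the lockout.

```python
"""Model of two concurrent-session limiters (added illustration, not product code).

post_grant_agent(): the session is opened first; a client-side agent then
counts that user's rows in a shared table and logs the user off if the
count exceeds the limit.  Killing the agent skips the check, and a killed
agent never removes its row.

broker_grant(): a broker refuses the logon before any session exists and
records each granted session with a lease the client must renew; a row
whose lease lapses (crashed client, killed agent) stops counting.

Names, lease length and the in-memory table are assumptions for the demo.
"""
from dataclasses import dataclass, field
from typing import List, Optional

LEASE_SECONDS = 60  # assumed lease a live client must renew within


@dataclass
class SessionRow:
    user: str
    workstation: str
    lease_expires: Optional[float]  # None = no lease, row lives until deleted


@dataclass
class SessionTable:
    rows: List[SessionRow] = field(default_factory=list)

    def count_all(self, user: str) -> int:
        """What a naive agent counts: every row for the user, stale or not."""
        return sum(1 for r in self.rows if r.user == user)

    def count_live(self, user: str, now: float) -> int:
        """What a lease-aware broker counts: only rows with an unexpired lease."""
        return sum(1 for r in self.rows
                   if r.user == user and r.lease_expires is not None
                   and r.lease_expires > now)

    def remove(self, user: str, workstation: str) -> None:
        self.rows = [r for r in self.rows
                     if not (r.user == user and r.workstation == workstation)]


# --- Model 1: post-grant, client-side enforcement (fails open) --------------

def post_grant_agent(table: SessionTable, user: str, ws: str, limit: int,
                     agent_killed: bool = False) -> bool:
    """Open the session unconditionally, then let the agent decide.

    Returns True if the user ends up logged on.  agent_killed=True models the
    user terminating the agent before it acts (or the agent crashing): no
    decision is made and the row is left behind.
    """
    table.rows.append(SessionRow(user, ws, lease_expires=None))  # session exists now
    if agent_killed:
        return True                      # nobody enforces; stale row remains
    if table.count_all(user) > limit:
        table.remove(user, ws)           # agent logs the user off and cleans up
        return False
    return True


def clean_logoff(table: SessionTable, user: str, ws: str) -> None:
    """A normal logoff removes the row; a crash or kill never reaches this."""
    table.remove(user, ws)


# --- Model 2: pre-grant, server-side enforcement with leases ---------------

def broker_grant(table: SessionTable, user: str, ws: str, limit: int,
                 now: float) -> bool:
    """Decide before the session exists.  Returns True if granted.

    Only the broker writes this table, so a client cannot kill the check or
    forge the count; rows whose lease has expired are simply ignored.
    """
    if table.count_live(user, now) >= limit:
        return False                     # refused: no session to abuse
    table.rows.append(SessionRow(user, ws, lease_expires=now + LEASE_SECONDS))
    return True


def broker_renew(table: SessionTable, user: str, ws: str, now: float) -> bool:
    """Heartbeat from a live client; False if its lease had already lapsed."""
    for r in table.rows:
        if r.user == user and r.workstation == ws and r.lease_expires is not None:
            if r.lease_expires <= now:
                return False
            r.lease_expires = now + LEASE_SECONDS
            return True
    return False


def demo() -> dict:
    """Run both models through the same scenario with a limit of one session."""
    out = {}
    # Model 1: second logon with the agent killed bypasses the limit; after a
    # clean logoff on ws1 the stale ws2 row then locks alice out of ws1.
    t1 = SessionTable()
    out["agent_first"] = post_grant_agent(t1, "alice", "ws1", 1)
    out["agent_bypass"] = post_grant_agent(t1, "alice", "ws2", 1, agent_killed=True)
    clean_logoff(t1, "alice", "ws1")
    out["agent_lockout"] = post_grant_agent(t1, "alice", "ws1", 1)
    out["agent_stale_rows"] = t1.count_all("alice")
    # Model 2: second logon is refused up front; once ws1 stops renewing
    # (crash, kill), its lease lapses and alice can log on again from ws2.
    t2 = SessionTable()
    out["broker_first"] = broker_grant(t2, "alice", "ws1", 1, now=0.0)
    out["broker_refused"] = broker_grant(t2, "alice", "ws2", 1, now=10.0)
    out["broker_renew_ok"] = broker_renew(t2, "alice", "ws1", now=30.0)
    out["broker_after_crash"] = broker_grant(t2, "alice", "ws2", 1,
                                             now=30.0 + LEASE_SECONDS + 1)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the lease is the failure mode the paper calls out: in the first model a row outlives the process that created it, so a crashed or killed agent becomes a permanent lockout, and because the client writes the table directly, anyone with the stored credentials can write it too. In the second model the client never touches the table, a refusal happens before there is any session to defend, and a row that stops being renewed ages out on its own.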

Conclusion

Oddly enough, Microsoft has forgotten to provide its flagship software with a basic security feature such as concurrent-connection management. As an afterthought, it provides system and network administrators with a buggy piece of software that makes things even worse. The primary goal of this software is to improve the network's security, but as shown above, it compromises the confidentiality, integrity and availability of the system. Resetting the default configuration might mitigate CConnect's weaknesses. However, this is not a realistic alternative, as CConnect is inherently insecure: its poor design is an avenue for a broad range of attacks, none of them sophisticated.

From a financial perspective, Microsoft's argument is misleading: CConnect is free provided that you have already paid for a Resource Kit and a SQL Server license, and that you do not count the extra hours administrators will spend struggling with the configuration process.

UserLock, on the other hand, does much more than provide the critical missing features. It also has connection management capabilities, and above all it is effectively implemented. As a result, UserLock combines effectiveness with assurance. When it comes to cost, UserLock is once again the winning choice: in the light of the benefits it provides, UserLock is a cost-effective alternative.

Summary

CConnect
  PROS
  - Remote user logout.
  - Free upon certain conditions*.
  CONS
  - Cumbersome to configure.
  - Introduces DoS risk.
  - Little assurance.
  - No support.
  - Needs a third-party database.
  - Outdated.

UserLock
  - Flaw free.
  - Rich featured.
  - User-friendly.
  - Quick & easy installation, configuration and deployment.
  - Online support.
  - Cost effective.

* Requires a SQL Server license, a Resource Kit, and skilled administrator expertise.