RE: w2k logon from one computer only
From: Kevan Smith (Kevan.Smith_at_tideworks.com)
Date: 04/30/04
Date: Thu, 29 Apr 2004 23:57:03 -0700 To: <focus-ms@securityfocus.com>
Eric,
If you define a token as "Something serving as an indication, proof, or expression of something else", then really a file, share connection, SQL table connection, or other unique identifier, for this purpose, are all simply different types of tokens. All can be made to work given enough effort, though each has different benefits & caveats.
However, I will rephrase your noted 'flaw' this way. A file based token must be both explicitly created, and deleted, during every logon/logoff operation. Any network, server, or client problem (e.g., system crash, network cable unplugged, etc.) will cause this approach to "break closed", which as you said will require admin intervention. That may be acceptable in a smaller environment, but in any large environment, particularly one with a large contingent of laptop users who may disconnect from the network without logging off (read: broken token), you'd have a major problem on your hands.
I'm not familiar with the SQL based approach, and it may be worth some attention, but personally I wouldn't want to add additional dependencies to the logon process. Keep it simple, keep it up.
Rodney's note about Script Logic is probably worth some attention; I've heard a lot of good things about Script Logic, the only negative being its price.
Alternatively, you're back to using standard shares. This can be a pain to set up, though there are 3rd party tools you may use, or you can script it (WMI to create the shares, ADO for the home directories). That's not to say it's perfect. I haven't tested all the variables in a lab environment, so can't say exactly how quickly the server would detect a dropped connection, nor how easy it might be for a determined user to trick the system into letting him log on to multiple systems, but I expect it to be a more accurate estimate than a file based token. And if nothing else, it will break open.
No approach will be perfect. Which is better depends on the specific needs in a given environment.
Kevan Smith
-----Original Message-----
From: Eric McCarty [mailto:eric@lawmpd.com]
Sent: Thursday, April 29, 2004 1:40 PM
To: Kevan Smith; onel@uekae.tubitak.gov.tr; focus-ms@securityfocus.com
Subject: RE: w2k logon from one computer only
While we are not exactly on the same page with what you are saying, I will second the idea of using a login script to map a drive, create a token and, if the token can't be created or is already created, log off the connection.
The flaw I see to this is that if the token is irregularly created or it is not deleted, you effectively lock the user out, which will require administrator assistance to resolve.
Eric McCarty
<...snip...>
-----Original Message-----
From: Kevan Smith [mailto:Kevan.Smith@tideworks.com]
Sent: Thursday, April 29, 2004 7:40 AM
To: onel@uekae.tubitak.gov.tr; focus-ms@securityfocus.com
Subject: RE: w2k logon from one computer only
Dincer,
The difficulty here is that the DCs are not notified when a user logs off, so anything that would touch your desired effect would take some fancy footwork. The closest thing I've seen was when an administrator gave each user a roaming profile, shared each profile individually, and set the connection limit on those shares to 1. You may be able to modify this approach somewhat to achieve your goal. For example you can add some logic to the logon script which logs the user off if unable to map the drive.
Kevan Smith
Windows Technology Engineer
Tideworks Technology
MCSE, MCP+I
-----Original Message-----
From: Dinçer ÖNEL [mailto:onel@uekae.tubitak.gov.tr]
Sent: Thursday, April 29, 2004 12:57 AM
To: focus-ms@securityfocus.com
Subject: w2k logon from one computer only
Hi everybody,
Is there any GP setting or something else that restricts users from logging on to a computer while they are already logged on from another computer in a w2k domain? I need to find a way to force users to log off before logging on to another computer. Has anyone heard about any MS solution for that, or 3rd party solutions (preferably an MS solution)?
Thanks in advance
Dincer ONEL, CISSP
Network Security Researcher
TUBITAK-UEKAE
P.K.74 41470 Gebze
Kocaeli TURKEY
Tel:+90-262-6481398
Fax:+90-262-6481100
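The share-based approach Kevan describes (one share per user with its connection limit set to 1, and a logon script that ends the session if the drive cannot be mapped) rendered as an added PowerShell example. This is not code from the thread or from any of its posters; the 2004 discussion would have used batch or VBScript, and the server name FILESRV01, the profile root D:\Profiles, the share naming scheme <username>$ and drive letter H: are constructed for illustration.

```powershell
# Added example, not from the focus-ms thread. Two parts of the
# "per-user share with connection limit 1" control discussed above.
# Constructed assumptions: file server FILESRV01, profile root D:\Profiles,
# share name <username>$ (hidden), drive letter H:.

# --- Part 1: administrative setup, run once per user on the file server ---
function New-SingleConnectionShare {
    param(
        [Parameter(Mandatory)] [string]$UserName,
        [string]$ProfileRoot = 'D:\Profiles'   # constructed path
    )
    $path = Join-Path $ProfileRoot $UserName
    if (-not (Test-Path $path)) {
        New-Item -ItemType Directory -Path $path | Out-Null
    }

    # Win32_Share.Create(Path, Name, Type, MaximumAllowed, Description)
    # Type 0 = disk drive. MaximumAllowed 1 is the "connection limit of 1"
    # from the thread: a second client cannot connect while the first holds
    # its session, and the server releases the slot when that session drops,
    # so there is no leftover token for an admin to clean up.
    $shareClass = [wmiclass]'Win32_Share'
    $result = $shareClass.Create($path, "$UserName`$", 0, 1,
                                 "Profile share for $UserName (1 connection)")
    if ($result.ReturnValue -ne 0) {
        throw "Win32_Share.Create failed for $UserName (return code $($result.ReturnValue))"
    }
    return "\\$env:COMPUTERNAME\$UserName`$"
}

# --- Part 2: the logon script, run in the user's context at logon ---
function Invoke-SingleLogonCheck {
    param(
        [string]$Server = 'FILESRV01',   # constructed name
        [string]$Drive  = 'H:'
    )
    $share = "\\$Server\$($env:USERNAME)`$"

    # net use exits non-zero when the mapping fails. When the share's
    # connection limit is already used, Windows reports system error 71
    # ("No more connections can be made to this remote computer at this time").
    # Any other failure (server unreachable, share missing) also fails the
    # map, so this script logs the user off in those cases too; decide
    # deliberately whether that is acceptable for your laptop population.
    $output = & net.exe use $Drive $share /persistent:no 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Could not map $Drive to $share (exit $LASTEXITCODE): $output"
        Write-Warning 'Assuming an existing session elsewhere; ending this logon.'
        # shutdown.exe /l logs off the current user on XP and later
        # (Windows 2000 shipped logoff.exe only in the Resource Kit).
        & shutdown.exe /l
        return $false
    }
    return $true
}

# Usage:
#   On the file server (as an administrator):
#       New-SingleConnectionShare -UserName jdoe
#   In the domain logon script:
#       Invoke-SingleLogonCheck
```

The split matters for least privilege: only the setup function needs rights on the server, while the logon half runs as the user and does nothing but attempt one mapping and act on the result.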