Re: Permit only one network logon per user



If you don't mind, I'd like to use your situation here to chat a moment about risk. Limiting simultaneous logons is usually considered for these reasons:

1. Alice logs on at workstation A. Alice then logs on at workstation B, which sits next to workstation A.

2. Alice logs on at workstation A. Alice then logs on at workstation B, which is in another room. Bob wanders along, sees that someone is logged into unoccupied workstation A, and messes around.

3. Alice logs on at workstation A. Alice shares her ID/password with Bob. Bob logs on at workstation B.


#1 is not a security risk. #2 and #3 are security risks. Trying to prohibit simultaneous logons isn't very practical because there are circumstances in which the tracking mechanism might get out of sync. Better mitigations are to teach people to log off when not using a workstation and not to share IDs/passwords with others--and to back up these policies with consequences.

Also, realize that tools like CConnect apply to the user's entire domain access, not just to your application. That is, CConnect doesn't have a way of preventing Alice from logging on multiple times only for the use of your application--it applies to her domain account on the whole.

Steve Riley
steve.riley@xxxxxxxxxxxxx
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com


"Christian Thies [Ar]" <ch.thies@xxxxxxxxx> wrote in message news:OJ2kARE4HHA.4436@xxxxxxxxxxxxxxxxxxxxxxx
I'm building a product that is accessed with a username and password, and to prevent unauthorized access to it, I need to prevent multiple simultaneous logons with the same username and password.



Sorry about my English. Let me know if the answer is clear.



Christian

"Steve Riley [MSFT]" <steve.riley@xxxxxxxxxxxxx> wrote in message news:26CE53B9-E00D-4BB5-B2E2-17E5A305B4DE@xxxxxxxxxxxxxxxx
Why do you need to do this? What security risk do you need to mitigate?

Steve Riley
steve.riley@xxxxxxxxxxxxx
http://blogs.technet.com/steriley


"Christian Thies [Ar]" <ch.thies@xxxxxxxxx> wrote in message news:u71neA13HHA.5724@xxxxxxxxxxxxxxxxxxxxxxx
Hi, I have a Windows 2003 domain working. I need to allow only one network logon per user.



The example is:



User: username

Status: Logged



If user username tries to log in from a different machine, and he is logged in on another, the login attempt must be denied.



How can I accomplish this?



Thanks in advance





