3 weeks ago

Password Policy: Sharing Passwords

This is a guest post by W. Benson Dana, IT internal auditor for the Maine state government.

At one point in my career, I worked at a place where management in one unit had allowed a senior manager to collect the log on and email passwords of the employees of the unit. There had been complete resistance to giving up this policy, and the excuse was that this unit’s mission and objectives were unique (how many times does the internal auditor hear this excuse?) and that this arrangement was absolutely necessary.

I called a meeting and here is my description of the meeting agenda:




« We will discuss the specific IT security policy that prohibits the sharing of passwords. I understand that the unit has a policy that the Assistant Director must have the AD (Active Directory) password of at least a subset of the unit’s employees if not all. This would be a direct violation of the IT security policy. I am not interested in discussing any other aspect of IT policies or operations, past or present.

I am not aware of any other unit in the company with a similar policy. If it were, that unit would receive the same degree of scrutiny. I am not interested in discussing any other unit’s policies or procedures, unless anyone knows of a similar policy.

Your AD password is unique to you and is not known by anyone else unless you share it, overtly or inadvertently. The members of the help desk who are so authorized CAN reset your password if you forget it. When that happens, you type in a NEW password that is again unknown to anyone else.

Our IT systems monitor when passwords are changed, but not what the password is.


The prohibition on sharing passwords is a basic and standard internal control around the world. One of its primary purposes is to protect OTHER employees from inappropriate suspicion in the event that the account is used for inappropriate purposes.
This is similar in concept to the requirement that each cashier use their own cash drawer instead of a shared cash register drawer. If 2 people share a cash drawer, and one steals, they both come under suspicion. The employer owes its employees a duty to see that their employees cannot be falsely accused of inappropriate conduct.

If a password is shared, the person who knows another’s password now becomes automatically suspect whenever that user’s account is used for inappropriate, illegal or unethical purposes. One of the 2 WILL be falsely accused of the violation. If the matter is not resolved, they BOTH will remain under the cloud of suspicion. That is a BAD result.

Every employee in history who has been convicted of theft, embezzlement, or other crime was hired as a trusted employee. This policy has nothing to do with trust. The Maine Attorney General’s office recently terminated the employment of an employee, licensed to practice law in Maine, who is accused in connection to a pornography violation. Until this was brought to light, this lawyer was considered a trusted employee above reproach. I am not interested in discussing anything related to trusting employees.


Are passwords inadvertently shared? Probably. Does that make it right or smart? No.

In the case when an employee has a planned leave, email can simply be forwarded to another person. In the event an employee is sick, they can usually manage to log on, activate the forwarding feature, and log off. In an emergency situation, the help desk can perform this action. I’m interested in knowing how many such emergency situations have occurred in the past 6 to 12 months. I am not inclined to plumb the depths of history with respect to this one aspect of the discussion. »


I was successful in getting the unit to stop sharing passwords.


This article was originally published on Internal Control Freak, W. Benson Dana’s blog, where you will find other stories related to fraud prevention, accounting and business advice.

Prevent concurrent logins

W. Benson Dana is perfectly right here: password sharing creates accountability and non-repudiation issues, as user A, connected to the network with the credentials of user B, can access user B’s data and applications, send e-mails in his/her name, etc.

Passwords can be shared inadvertently (ever seen a password written on a Post-it note and attached to a monitor?) or consciously (a manager does not want to approve purchase requisitions and so just logs on for one of his subordinates and then allows him to approve each purchase requisition in his place). Educating users about the dangers of such practices is a good thing, but is it good enough?

Human beings usually need to be properly motivated to adopt best practices and follow rules and policy.




UserLock comes in handy here, as this unique software solution prevents (among numerous other security features) concurrent logins to a Windows network.

On a UserLock-protected network, a user cannot share his password without taking a major risk of being unable to log on himself. Can you think of a better motivation?
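The accountability problem described above has a detectable symptom: the same account logged on interactively from two workstations at once. The script below is an added example (not code from IS Decisions or from the guest author) that replays a constructed, simplified sample of Windows Security events 4624 (logon) and 4634 (logoff) and reports every logon that happens while the account is still active elsewhere. The one-line event format and the sample accounts, workstations and logon ids are constructed for the example; the logon type numbers are the standard Windows ones.

```python
"""Flag accounts logged on interactively from more than one workstation at
the same time, the symptom of a shared password.

The input is a constructed sample in a compact one-line-per-event form
modelled on Windows Security events 4624 (logon) and 4634 (logoff); it is
not real log data and the field layout is an assumption of this example."""
from collections import defaultdict
from datetime import datetime

# Logon types that mean a person is at (or has RDP'd into) a machine:
# 2 = Interactive, 10 = RemoteInteractive, 11 = CachedInteractive.
# Type 7 (Unlock) is excluded: unlocking a screen generates a new 4624 for a
# session that already exists and must not be counted twice.
INTERACTIVE_LOGON_TYPES = {2, 10, 11}

# Constructed sample: "<timestamp> <event id> <account> <workstation> <logon id> <logon type>"
SAMPLE_EVENTS = [
    "2012-03-05T08:02:11 4624 alice WS-ACCT-01 0x1a2b 2",
    "2012-03-05T08:05:40 4624 bob WS-ACCT-02 0x1b3c 2",
    "2012-03-05T08:17:03 4624 alice WS-SALES-07 0x1c4d 2",  # alice is still on WS-ACCT-01
    "2012-03-05T09:00:00 4634 bob WS-ACCT-02 0x1b3c 2",     # bob logs off first ...
    "2012-03-05T09:01:10 4624 bob WS-ACCT-03 0x1d5e 10",    # ... then changes machine: fine
    "2012-03-05T10:15:00 4624 bob WS-ACCT-03 0x1e6f 7",     # unlock: not a new session
    "2012-03-05T12:30:00 4634 alice WS-ACCT-01 0x1a2b 2",
]


def parse_event(line):
    """Turn one sample line into a dict with typed fields."""
    ts, event_id, account, workstation, logon_id, logon_type = line.split()
    return {
        "time": datetime.fromisoformat(ts),
        "event_id": int(event_id),
        "account": account,
        "workstation": workstation,
        "logon_id": logon_id,
        "logon_type": int(logon_type),
    }


def find_concurrent_sessions(lines):
    """Replay the events in time order and report every interactive logon that
    happens while the same account is still logged on somewhere else.

    Returns a list of (account, new_workstation, [other workstations], time).
    """
    active = defaultdict(dict)  # account -> {logon_id: workstation}
    findings = []
    for ev in sorted((parse_event(line) for line in lines), key=lambda e: e["time"]):
        sessions = active[ev["account"]]
        if ev["event_id"] == 4634:
            sessions.pop(ev["logon_id"], None)  # session closed, whatever its type
            continue
        if ev["event_id"] != 4624 or ev["logon_type"] not in INTERACTIVE_LOGON_TYPES:
            continue
        elsewhere = sorted(set(sessions.values()) - {ev["workstation"]})
        if elsewhere:
            findings.append((ev["account"], ev["workstation"], elsewhere, ev["time"]))
        sessions[ev["logon_id"]] = ev["workstation"]
    return findings


if __name__ == "__main__":
    for account, here, elsewhere, when in find_concurrent_sessions(SAMPLE_EVENTS):
        print(f"{when:%H:%M:%S} {account} logged on at {here} "
              f"while still active on {', '.join(elsewhere)}")
```

Only alice is reported: bob's move from WS-ACCT-02 to WS-ACCT-03 is preceded by a logoff, and his later unlock event is filtered out by logon type. A report like this is the evidence an auditor can bring to a meeting such as the one described in the post; a tool that limits concurrent sessions prevents the situation instead of reporting it afterwards.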


Check UserLock detailed features


Download a free, fully-functional trial

4 months ago

UserLock is part of PC Mag’s Best Apps for 2012

UserLock, our software solution that limits concurrent logins, restricts access, monitors, alerts and reports on session activity throughout the corporate Windows network, has been picked by PC Mag to be part of their “25 excellent applications for small-to-mid-sized businesses to consider in 2012”.


Samara Lynn, Lead Analyst at PC Mag, describes UserLock as “an impressive product”, emphasizes its efficiency and scalability and highlights its usefulness for organizations that have to adhere to compliance regulations like HIPAA or SOX.




UserLock allows Network Administrators to:

  • Limit or prevent concurrent logins to Windows networks, based on user, user groups, Organizational Units or session types.
  • Restrict user access to the network with multiple criteria: workstations, time, business hours, and connection type.
  • Follow the session activity on the network in real time and get detailed, graphical reporting.
  • Remotely close or lock user sessions and shut down workstations from anywhere using the Web console.


More than one million UserLock licenses are currently in use by hundreds of security demanding organizations worldwide, including:
The US DoJ, the FBI, the DEA, the United Nations, Barclays Bank, Banco Santander, Cigna, as well as numerous SMBs and academic institutions.


Read the article on PC Mag

UserLock detailed features

Download a fully-functional trial

4 months ago

70% of young workers ignore IT security rules: how to tame them?

According to a report recently issued by Cisco Systems, 7 out of 10 young employees frequently ignore IT policies and two-thirds said they believe their company’s policies need to be modified. About 61 percent said corporate IT security isn’t their responsibility, believing it is that of their employer or the maker of their devices.

Of those who were aware of IT security policies, 70% of employees worldwide admitted to breaking policy with varying regularity. Among the different reasons, the most common was the belief that employees were not doing anything wrong (33%). One in five (22%) cited the need to access unauthorized programs and applications to get their job done, while 19% admitted the policies are not enforced. Some (18%) said they do not have time to think about policies when they are working, and others either said adhering to the policies is not convenient (16%), they forget to do so (15%), or their bosses aren’t watching them (14%). The attitude of younger workers to technology clearly represents a new and growing threat to corporate IT security.

Beyond IT security awareness and training programs, organizations must find ways to efficiently enforce their computer security policies.

UserLock has a role to play here, as this software solution gives CSOs and Network Administrators the means to secure access to their Windows network and to quickly react in case of inappropriate behavior.

Using UserLock makes it possible to:

Automatically notify all users prior to gaining access to a system with a tailor-made disclaimer

Users can for example be advised that system usage is monitored, recorded, subject to audit, and that unauthorized use is prohibited and subject to criminal and civil penalties. This is an efficient reminder for thoughtless employees, young or not.

Restrict user access to the network with multiple criteria: workstations, time, business hours, quotas and connection type

UserLock allows setting and enforcing access restrictions in a granular way. An example of a multi-criteria restriction could be: prevent a given user (or group, or Organizational Unit) from logging on to the network:

  • from a computer outside of a given department
  • outside of business hours
  • via a VPN connection.

The login system is the first line of defense of a Windows network. Restricting user access reduces the attack surface of the network and keeps rogue or careless users at bay.

Follow the session activity on the network in real-time, be alerted and remotely lock, logoff and reset all sessions immediately

UserLock allows real-time session surveillance and monitoring; at all times a System Administrator knows who is connected, from which workstation(s), since when, etc. Popup or email alerts can also be sent to the network administrators for specific events such as denied logins, successful logins and logoffs.

In case of suspicious behavior, System Administrators can instantly take action to tackle insider threats.

Limit or prevent concurrent logins to a Windows network, based on user, user groups, Organizational Units and session types

Limiting or preventing concurrent logins decreases the ability of users to share their credentials, as it would impact their own ability to access to the network.

It also makes it impossible for a rogue user to seamlessly use valid credentials at the same time as their legitimate owner, access that user’s data and applications, send Emails in his name, etc.

Limiting or preventing simultaneous logins avoids serious accountability and non-repudiation issues.


Check UserLock detailed features


Download a free trial

5 months ago

We curate Microsoft related news for you

Volunteers among IS Decisions’ Team constantly review dozens of information sources (websites, blogs, Twitter accounts, etc.), carefully select content for its quality, originality and relevance, and create compelling online magazines.

Our goal is to provide IT pros with online resources that help them easily get useful, up to date information about Microsoft technologies, IT security and more, in order to streamline their technology watch activities.

Topics we cover include:

  • Microsoft: “Microsoft’s products, people and strategies”
  • Windows Infrastructure: “Hot off the presses for Windows IT pros”
  • IT Security: “Windows IT Security News”
  • PowerShell: “Everything PowerShell”
  • MVP: “What’s new in the Microsoft MVPs world”

You can receive a daily digest by Email for the topic(s) of your choice:

Click on the “Follow” button at the top right corner of every page (under the mention “curated by IS Decisions”) of the topic(s), then type in your Email address. You can opt out whenever you want by clicking “Unfollow”.


Please check our online magazines out and let us know what you think. Thanks for your feedback!
5 months ago

Check the December issue of IS Decisions Wire

The December issue of IS Decisions Wire, our bimonthly E-newsletter is out.

Drawing inspiration from Microsoft’s Metro design language, IS Decisions Wire celebrates an elegant and clean look & feel that we hope you will find pleasant to look at and interesting to read.

IS Decisions Wire

Subscribe now to get the next issue: it’s free!

5 months ago

How to remotely deploy Internet Explorer 9 on your network

Simple and direct deployment

Easily deploy the new Internet Explorer 9 (IE9) browser on chosen computers by following these instructions.

  1. Download the four existing IE 9 packages from the Microsoft Web site
    - IE9-Windows7-x64-enu.exe
    - IE9-Windows7-x86-enu.exe
    - IE9-WindowsVista-x64-enu.exe
    - IE9-WindowsVista-x86-enu.exe

  2. Open RemoteExec and go to Remote Jobs/New Remote Job/Multiple actions through the Configuration tree.


  3. Click on Add Files to execute/deploy in the Quick access pane. A browser will open. Browse to the four downloaded IE 9 packages, select them and click on Open.

  4. Go to the Target Computers section and select the computers on which you want to deploy IE 9.

  5. You can now start your deployment by clicking on Launch

  6. The Progress window will open in a new tab to permit you to follow the remote operation process.



Advanced deployment

The simplified and direct deployment previously described shows the easiest path possible. This is the full scenario to follow if you want to deploy the required hotfix and Internet Explorer 9.

Requirements

Here is the list of requirements needed to deploy Internet Explorer 9:

  • Windows Vista, Seven, 2008 or 2008 R2 (You cannot install IE 9 on Windows XP or Windows 2003).
  • For Windows 7 and Windows 2008 R2, hotfix KB2454826 is required if you have not yet deployed Service Pack 1, released in February.
  • This deployment can require a system reboot.

In this article we describe how to build your deployment scenario automatically.

Create your scenario

  1. Download the four existing IE 9 packages from the Microsoft Web site and the two KB2454826 hotfix packages:
    - IE9-Windows7-x64-enu.exe
    - IE9-Windows7-x86-enu.exe
    - IE9-WindowsVista-x64-enu.exe
    - IE9-WindowsVista-x86-enu.exe
    - Windows6.1-KB2454826-v2-x64.msu
    - Windows6.1-KB2454826-v2-x86.msu

  2. Open RemoteExec and go to Remote Jobs/New Remote Job/Multiple actions through the Configuration tree.


  3. The Quick access pane allows you to add all Remote Actions needed for this deployment scenario. Click on Add a wake up. This System action will be added to the central window. As it is already pre-set, you have nothing else to do: RemoteExec will wake up the target computers (see note 1) and wait until an answer is received before performing the next action.

    Note 1: RemoteExec should have automatically scanned the MAC addresses and subnets of the target computers; it does so at each start-up. You can launch or schedule the scan of MAC addresses during working hours with the Get wake up info action. You can also check all previously scanned MAC addresses, or add MAC addresses and subnets manually, in the RemoteExec Options.

  4. Click on Add Files to execute/deploy in the Quick access pane. A browser will open. Browse to the two KB2454826 hotfix packages, select them and click on Open.

    RemoteExec will detect the package type as an Update installation action and will set all parameters automatically (see note 2).

    Note 2: If KB2454826 has already been installed, RemoteExec will display a warning message in the Execution Results window: Exit code not null (0x240006 The update to be installed is already installed on the system.). It will then launch the next action.

  5. Click on Add a reboot in the Quick access pane.

  6. As the reboot only needs to be done for the computers which just received the hotfix, double-click on the Reboot action in the list and check the option Reboot only if needed.

  7. Repeat step 4 to add the IE 9 installation files clicking on Add Files to execute/deploy in the Quick access pane.

  8. Add another Reboot action after the IE 9 installation actions. As in step 6, enable the Reboot only if needed check box: the IE 9 deployment requires a reboot to finalize its installation.

  9. To finish, click on Add a shutdown to power off your computers.

  10. Your whole IE 9 deployment scenario is now complete.

    You can select your Target computers in the third section as desired: only the machines which can accept the hotfix or this Internet Explorer version will be processed.

  11. Schedule your Job deployment as explained in a previous article
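To make the conditions in the scenario explicit (which systems are excluded, when the hotfix is needed, how the "already installed" exit code is treated), here is an added example that derives the per-computer action list from a constructed inventory. It is illustration only, not RemoteExec code: RemoteExec builds its own plan from its scan of the targets, and the inventory format, the action names and the mapping of Windows Server 2008 to the Vista package (and 2008 R2 to the Windows 7 package) are assumptions of this example; the package file names and the 0x240006 exit code are the ones quoted in the article.

```python
"""Derive the ordered action list of the IE 9 deployment scenario for each
computer in a constructed inventory (added illustration, not RemoteExec code)."""
from typing import Dict, List, Optional

# IE 9 setup packages named in the article, keyed by OS family and architecture.
IE9_PACKAGES = {
    ("win7", "x64"): "IE9-Windows7-x64-enu.exe",
    ("win7", "x86"): "IE9-Windows7-x86-enu.exe",
    ("vista", "x64"): "IE9-WindowsVista-x64-enu.exe",
    ("vista", "x86"): "IE9-WindowsVista-x86-enu.exe",
}
HOTFIX_PACKAGES = {
    "x64": "Windows6.1-KB2454826-v2-x64.msu",
    "x86": "Windows6.1-KB2454826-v2-x86.msu",
}
# Assumption: Server 2008 uses the Vista package, 2008 R2 the Windows 7 package.
# XP and 2003 are absent on purpose: IE 9 does not install there.
OS_FAMILY = {"vista": "vista", "2008": "vista", "win7": "win7", "2008r2": "win7"}
UPDATE_ALREADY_INSTALLED = 0x240006  # exit code quoted in the article

# Constructed inventory; "service_pack" is the installed SP level (0 = RTM).
INVENTORY = [
    {"name": "acct-xp-1", "os": "xp", "arch": "x86", "service_pack": 3},
    {"name": "acct-w7-1", "os": "win7", "arch": "x86", "service_pack": 0},
    {"name": "acct-w7sp1-1", "os": "win7", "arch": "x64", "service_pack": 1},
    {"name": "srv-2008-1", "os": "2008", "arch": "x64", "service_pack": 2},
]


def plan_for(computer: Dict) -> Optional[List[str]]:
    """Return the ordered actions for one computer, or None if it is not a valid target."""
    family = OS_FAMILY.get(computer["os"])
    if family is None:  # XP, 2003 or anything unknown
        return None
    arch = computer["arch"]
    actions = ["wake"]
    # KB2454826 is needed only on Windows 7 / 2008 R2 that are still at RTM.
    if family == "win7" and computer.get("service_pack", 0) < 1:
        actions += [f"install {HOTFIX_PACKAGES[arch]}", "reboot if needed"]
    actions += [f"install {IE9_PACKAGES[(family, arch)]}", "reboot if needed", "shutdown"]
    return actions


def build_plan(inventory: List[Dict]) -> Dict[str, Optional[List[str]]]:
    """Plan every computer; excluded machines map to None."""
    return {c["name"]: plan_for(c) for c in inventory}


def install_outcome(exit_code: int) -> str:
    """Decide what the scenario does after an installer returns, mirroring note 2."""
    if exit_code == 0:
        return "continue"
    if exit_code == UPDATE_ALREADY_INSTALLED:
        return "continue (warning: update already installed)"
    return "stop"


if __name__ == "__main__":
    for name, actions in build_plan(INVENTORY).items():
        print(name, "->", "excluded (unsupported OS)" if actions is None else " ; ".join(actions))
```

Running it shows the Windows 7 RTM machine getting the hotfix and the conditional reboot before IE 9, the SP1 machine skipping straight to IE 9, and the XP machine excluded, which is the filtering RemoteExec applies when only eligible targets are processed.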

Want more?

It can be useful to save this scenario deployment for re-use, when you add new computers to your network for example. Once you’ve finished your Multiple actions configuration, select it in the Configuration tree and then click on Save in my Remote Actions through the context menu or the Quick access pane.


Type a name for this Multiple actions in the pop-up and validate. You will be able to use it later in My Remote Actions menu through the Use action in a new remote job command.


5 months ago

Netware to Active Directory migration: what about limiting concurrent logins?

NDS and NetWare gave network administrators the ability to easily enforce certain restrictions on their network, in particular limiting a person’s ability to open simultaneous sessions with the same login.

As with most things in Netware Directory Services, restricting concurrent connections could be performed from the administrative workstation using the NetWare Administrator utility.




When migrating to Windows Server and Active Directory, former Netware network administrators are therefore surprised to discover that Windows offers no native feature to prevent or limit simultaneous logins to their new network.

That is where UserLock comes in handy, with concurrent logins limitation features even more powerful than Netware’s native features. UserLock allows you to limit or prevent simultaneous logins to a Microsoft Windows network, per user, user group or per session type (workstation, terminal, interactive or VPN/RAS).




Limitations can be set in a granular way and can vary from one user to another or from one group to another.


With UserLock you will be able to define and enforce:

  • the maximum number of concurrent workstations where a user can be logged on
  • the maximum number of terminal sessions that a user can open
  • the maximum number of simultaneous VPN/RAS sessions that a user can open
  • the maximum total number of sessions (all session types) that a user can open


You will also be able to:

  • define a maximum limit for combinations of several kinds of sessions.
    You can for example set a custom limit so that the number of workstation sessions plus the number of VPN/RAS sessions cannot exceed one.
  • allow users to remotely logoff an existing session if their number of allowed sessions has already been reached.
    A user will then be able to remotely close a previous session from the new workstation on which he is not allowed to log on due to his current UserLock restriction.
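The rules listed above, and the multi-criteria restriction described in the post on young workers (workstation scope, business hours, connection type), can be expressed as one decision function. The following is an added example of that logic, written for this page; it is not UserLock code, and the policy fields, the session type names ("workstation", "terminal", "vpn") and the sample policy are assumptions. It evaluates a logon request against the user's currently open sessions and returns the reason for a refusal, including the combined "workstation + VPN/RAS not greater than one" limit given as an example in the text.

```python
"""Evaluate a logon request against a per-user restriction policy:
workstation scope, business hours, denied connection types, per-session-type
concurrent limits, a total limit and combined limits across session types.
Added illustration of the logic described on this page, not UserLock code."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Tuple


@dataclass
class Policy:
    # Name prefixes of workstations the user may log on at; () means any.
    # Applied to "workstation" sessions only (assumption of this example).
    allowed_workstation_prefixes: Tuple[str, ...] = ()
    # Logons allowed from start hour (inclusive) to end hour (exclusive).
    business_hours: Tuple[int, int] = (8, 18)
    # Session types this user may never open, e.g. frozenset({"vpn"}).
    denied_session_types: frozenset = frozenset()
    # Maximum concurrent sessions per type, e.g. {"workstation": 1, "terminal": 2}.
    max_per_type: Dict[str, int] = field(default_factory=dict)
    # Maximum concurrent sessions across all types; None means no total limit.
    max_total: Optional[int] = None
    # Combined limits: (("workstation", "vpn"), 1) means workstation + vpn <= 1.
    combined_limits: Tuple[Tuple[Tuple[str, ...], int], ...] = ()


@dataclass
class Session:
    session_type: str  # "workstation", "terminal" or "vpn"
    origin: str        # workstation name, or the remote host for VPN/RAS


def evaluate_logon(policy: Policy, active: List[Session], session_type: str,
                   origin: str, when: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason) for a new session given the user's open sessions."""
    if session_type in policy.denied_session_types:
        return False, f"{session_type} sessions are not allowed for this user"
    if (session_type == "workstation" and policy.allowed_workstation_prefixes
            and not origin.startswith(policy.allowed_workstation_prefixes)):
        return False, f"{origin} is outside the allowed workstation scope"
    start, end = policy.business_hours
    if not start <= when.hour < end:
        return False, "outside business hours"

    # Count what would be open if this logon were accepted.
    counts: Dict[str, int] = {}
    for s in active:
        counts[s.session_type] = counts.get(s.session_type, 0) + 1
    counts[session_type] = counts.get(session_type, 0) + 1

    limit = policy.max_per_type.get(session_type)
    if limit is not None and counts[session_type] > limit:
        return False, f"{session_type} session limit of {limit} already reached"
    if policy.max_total is not None and sum(counts.values()) > policy.max_total:
        return False, f"total session limit of {policy.max_total} already reached"
    for types, combined in policy.combined_limits:
        if sum(counts.get(t, 0) for t in types) > combined:
            return False, f"combined limit of {combined} for {'+'.join(types)} reached"
    return True, "allowed"


# Sample policies (constructed): accounting staff may use accounting workstations
# during office hours, one workstation session at a time, and a VPN session only
# when no workstation session is open (the combined limit from the text).
ACCOUNTING_POLICY = Policy(
    allowed_workstation_prefixes=("WS-ACCT-",),
    max_per_type={"workstation": 1, "terminal": 2, "vpn": 1},
    combined_limits=((("workstation", "vpn"), 1),),
)
NO_VPN_POLICY = Policy(denied_session_types=frozenset({"vpn"}))


def office_time(hour: int, minute: int = 0) -> datetime:
    """Constructed reference time on a weekday, for the examples and tests."""
    return datetime(2012, 3, 5, hour, minute)


if __name__ == "__main__":
    open_sessions = [Session("workstation", "WS-ACCT-01")]
    for req in [("workstation", "WS-ACCT-02"), ("vpn", "HOME-PC"), ("terminal", "WS-ACCT-09")]:
        print(req, "->", evaluate_logon(ACCOUNTING_POLICY, open_sessions, *req, office_time(9, 30)))
```

With one workstation session already open, a second workstation logon is refused by the per-type limit, a VPN logon is refused by the combined limit even though the VPN limit itself is not exceeded, and a terminal session is still allowed. The refusal reason is what a user would need to see in order to close an earlier session remotely, as the last bullet above describes.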

Additional UserLock features

  • Workstation restriction
  • Time restriction
  • Real-time session monitoring and alerts
  • Reporting on session history and statistics
  • Remote session administration


More info

6 months ago

RemoteExec vs. PsExec: not in the same league

Interacting with remote Windows systems is a daily task for IT professionals.

Everyone will agree that application deployment, remote server reboots, emergency updates, user session locking, etc. are tedious, time consuming chores without the help provided by efficient tools.

IS Decisions prides itself on building top-notch solutions for IT pros. Our remote deployment and execution solution is called RemoteExec, and here is a comparison with Microsoft’s PsExec:

RemoteExec

RemoteExec is an agentless software solution that allows IT pros to execute predefined remote actions through a graphical interface.

RemoteExec remotely installs applications, executes programs/scripts and updates files and folders on Windows systems throughout the network.

RemoteExec logs execution history and results allowing administrators to reload remote actions and generate reports.

RemoteExec was created in 2000 by IS Decisions and is in its 5th major version.

PsExec

PsExec is a light-weight telnet-replacement freeware that lets IT pros execute processes on other Windows systems, complete with full interactivity for console applications, without having to manually install client software.

It was initially developed by Sysinternals, which is now owned by Microsoft.

The Sysinternals web site was created in 1996 by Mark Russinovich and Bryce Cogswell to host their system utilities and technical information.

GUI and command line vs command line only

RemoteExec has an intuitive, user-friendly GUI (tabbed interface, dockable windows) with predefined action types while PsExec is a command line tool only.

As an example, with RemoteExec, a Microsoft hotfix deployment will only require you to specify the hotfix path while PsExec will require determining every hotfix switch.

RemoteExec can also be used via the command line and be invoked by a script or any automation tool if needed.



RemoteExec Interface

Multithreading vs single-threading

RemoteExec uses fully multithreaded technology, while PsExec performs remote executions on one computer at a time.

This can be extremely frustrating especially on large networks or when remote computers are unavailable.


RemoteExec Multithreading example

Execution logging vs console output

RemoteExec comprehensively logs all remote executions (and their results) it performs and automatically generates graphical, printable reports, so you can relaunch them (or schedule a new try) if some of them happen to be unsuccessful.

PsExec only provides you with a console output and a return code.



RemoteExec report example

Integrated Scheduling vs nothing

The scheduler is integrated in RemoteExec. You can perform and manage remote executions and reports outside of business hours.

PsExec does not have any scheduling features. You will have to manually build and enter the command line expression into the Scheduler.



RemoteExec scheduler

Conditional execution vs nothing

RemoteExec comes with a mini scanner allowing remote systems configuration information to be collected and used for conditional updating: OS version, OS level (server/workstation), Service Pack, Internet Explorer version, customizable registry key/value, OS language, architecture, etc.

This makes it possible to execute a deployment on Windows 7 SP1 workstations only, without having to select them manually.

There is no such possibility in PsExec.



RemoteExec filter example

Full reusability vs saving script files

RemoteExec gives you the ability to save Remote Action configurations in a favorite folder (My Remote Actions) in order to use them again quickly on different target computers (for example to perform on demand deployment).

PsExec will only allow you to save your command lines as a script file.



RemoteExec “My Remote Actions” menu

Encryption vs insecurity

RemoteExec’s communications are encrypted. Unfortunately, when you use a specific user account, PsExec passes credentials in the clear to the remote workstation, thus exposing the credentials to anyone who happens to be «listening in».

Conclusion

PsExec is a smart unsupported utility that can be very useful if you are on a tight budget, manage a small-sized Windows network and have minimal feature and security requirements.

RemoteExec is a secure, feature-rich enterprise software solution that meets the performance and security requirements of savvy IT professionals managing small to very large (up to tens of thousands of endpoints) Windows networks.


IS Decisions now has an official page on Google+

At IS Decisions, we believe that customers, prospects, partners and more widely IT professionals in the field provide the best source of ideas for enhancing our software solutions and improving the quality of our service.






That is why we created IS Decisions’ official page on Google+ as another way to exchange with savvy IT pros worldwide.

Our aspiration is to get feedback, suggestions, share information and tips, and sometimes, well, just have some fun together!



Please let us know what kind of content you would like us to cover on Google+ and add us to your circles.


Check the September issue of IS Decisions Wire

The September issue of IS Decisions Wire, our bimonthly E-newsletter is out.


We designed it as a tribute to Windows 8 and the Metro UI and made sure you can read it from your desktop and/or your smartphone.

IS Decisions Wire

Subscribe now to get the next issue: it’s free!
