UserLock and FileAudit help guard against rogue sys admins

Back in September 2010, Network World published an insightful article by Carolyn Duffy Marsan, titled «6 tips for guarding against rogue sys admins».

In this article, Carolyn underlined the fact that «one of the biggest threats that organizations face is losing sensitive data […] to theft from their own employees. The threat is greatest from systems and network administrators, who have privileged access to vast amounts of corporate data and are responsible for most compromised records in insider cases.»

Carolyn then described several practical steps IT departments can take to minimize the insider threat, including:

«Restrict and monitor users with special privileges»

Easier said than done if you rely only on native Windows features. Windows lacks the fundamental, classic login session controls found in other environments such as mainframe and midrange systems, UNIX and Netware.

UserLock comes in handy here, as this software solution allows CIOs to:

  • limit or prevent concurrent logins to a Windows network, based on user, user groups or session types,
  • restrict user access to the network with multiple criteria: workstations, time, business hours, and connection type,
  • follow the session activity on the network in real-time and get detailed, graphical reporting,
  • automatically receive popup or email alerts for specific events such as denied logins, successful logins and logoffs.

«Keep user access and privileges current, particularly during times of job changes or layoffs»

Here again, native Windows features are not designed to provide this functionality easily.

Imagine the following example:
A sys admin (let us call him John) is being fired and knows that his dismissal is coming. John is logged on at 04:00 pm, and at 04:05 pm the CIO disables and/or deletes his account. Guess what happens? John is still logged on to a workstation and connected to some servers. All he has to do is unlock the workstation (typically, workstations do not check unlock requests with the domain controller). The result is that John is still able to work on his desktop and local drives, even though his account has been disabled and deleted.

With UserLock, a CIO can remotely lock, logoff and reset all sessions immediately, from potentially anywhere using the Web interface.

«Monitor employees found guilty of minor online misconduct»

When it comes to employees’ online behavior surveillance, two things are crucial:

To monitor logon sessions

Here again, native Windows features are not sufficient. System Admins are not able to answer the following questions in real time:

  • Who is logged on at which computers?
  • Which computers are being used by a given user?
  • Who are the users currently logged on at this particular computer?

UserLock allows real time session surveillance and monitoring; at all times a CIO knows who is connected, from what workstation(s), since when…

To monitor access to files and folders

To monitor access to an organization’s files and folders, standard Microsoft systems offer only event logs that must be reviewed manually. This leaves administrators with hundreds or even thousands of events to decipher and analyze in order to pinpoint the information of interest, which generates endless hours of unproductive and error-prone work.

FileAudit monitors, archives and reports on access (or access attempts) to sensitive files and folders stored on Microsoft Windows systems.

FileAudit instantly gives a comprehensive list of:

  • read/write accesses
  • file ownership changes (accepted or denied)
  • permission modifications (accepted or denied)

Each record details:

  • the user
  • the domain
  • the date and time of connection and disconnection

for:

  • a file
  • a selection of files
  • a folder and subfolder
  • a selection of folders and subfolders

«Educate your employees about insider threat»

Raising employees’ awareness about insider threat is a key component of an efficient IT security strategy. Regular training or offering a hotline so that employees can anonymously report fraud are part of the insightful measures that should be taken to mitigate insider threat. But one of the most efficient ways to make users security aware is to systematically remind them of their rights and duties each time they log on.

UserLock allows notifying all users prior to gaining access to a system with a tailor-made disclaimer. Users can for example be advised that system usage is monitored, recorded, subject to audit, and that unauthorized use is prohibited and subject to criminal and civil penalties.

Another efficient way is to provide users, at each connection, with detailed information about their previous logons, so they can easily detect whether someone else has successfully logged on (or attempted to log on) as them and potentially impersonated them. This is missing from native Windows features.

At each logon, UserLock provides users with information such as:

  • last workstation logged on,
  • date and time of last successful logon,
  • history of all logons denied by UserLock and Windows since last successful logon,
  • number of logons denied by UserLock and Windows since last successful logon.

We look forward to your comments and concerns. Feel free to post your remarks hereunder or use Twitter or Facebook to exchange with us.


Protect Windows networks from careless and fraudulent users

According to several recent studies, the most costly or damaging attacks against information systems are more often caused by insiders (employees or contractors with authorized access).


Taking this fact into account, we developed an enterprise software solution named UserLock, whose main goal is to protect Windows networks from careless and/or fraudulent users, thus efficiently mitigating insider threat.


UserLock allows IT security teams to:


- prevent or limit simultaneous logon (same ID, same password), per user or user group
- record all session logging and locking events in an ODBC database (Access, SQL Server, Oracle, MySQL,…) for future reference
- monitor user sessions in realtime (who is connected, from which workstation(s), for how long…)
- remotely lock, logoff and reset all interactive sessions
- define working hours and/or maximum session time for protected users and disconnect users with prior warning outside of the defined timeframe(s) and/or when time is up
- restrict user group’s network access per workstation or IP range
- notify all users prior to gaining access to a system with a tailor-made warning message (legal disclaimer, etc.)
- …


More than 750,000 UserLock licenses are already in use by worldwide security-demanding organizations including:
BAE Systems, Banco de Costa Rica, Barclays Bank, BMW, Computer Sciences Corporation, Frito-Lay, Lockheed Martin, Mitsubishi, National Bank of Kuwait, South Wales Police, Telcel, United Nations Organization, US Department of Justice, US Department of Veterans Affairs, US Navy Marine Corps, TimeWarner, …


You will find information about UserLock on our website and this whitepaper will provide you with further details about holes in Windows native login controls and how UserLock fills them in and helps organizations to comply with major regulatory constraints (HIPAA, SOX, PCI, NISPOM, DCID 6/3 - ICD 503, GLBA, US Patriot Act, FISMA…).



Get your free, fully-functional, 180-day copy of UserLock



CERT Best Practices for Protecting Against Insider Threat and How UserLock Can Help

CERT, Carnegie Mellon University Software Engineering Institute’s center for conducting and coordinating information security research, has released the Common Sense Guide to Prevention and Detection of Insider Threats, Version 3.1.



This valuable, insightful document (PDF - 88 pages) provides a comprehensive range of best practices to mitigate insider threat. UserLock, our software solution to secure access to Microsoft Windows-based networks, can greatly help in implementing a large part of them.

 

CERT BEST PRACTICE 2: Clearly document and consistently enforce policies and controls
“A consistent, clear message on organizational policies and controls will help reduce the chance that employees will inadvertently commit a crime or lash out at the organization for a perceived injustice.”

 
UserLock allows notifying all users prior to gaining access to a system with a tailor-made warning message.

These messages can for example include:
- a tailor-made legal disclaimer, including acceptable use of organization’s systems, information, and resources
- last workstation logged on
- date and time of last successful logon
- history of all logons denied by UserLock and Windows since last successful logon
- number of logons denied by UserLock and Windows since last successful logon.


CERT BEST PRACTICE 4: Monitor and respond to suspicious or disruptive behavior
“One method of reducing the threat of malicious insiders is to proactively deal with suspicious or disruptive employees.”

 
UserLock allows real time session surveillance and monitoring; at all times, a system administrator knows who is connected, from what workstation(s), since when… and can remotely lock, logoff and reset all sessions, either from the administration console or the Web interface.


CERT BEST PRACTICE 7: Implement strict password and account management policies and practices.
“If the organization’s computer accounts can be compromised, insiders can circumvent manual and automated control mechanisms.”

 
UserLock allows:
- simultaneous logon (same ID, same password) limitation or prohibition, per user or user group, thus reducing the ability of users to share their credentials and preventing accountability and non-repudiation issues.
- defining working hours and/or maximum session time for protected users. Outside of this (these) timeframe(s) and/or when time is up, users will be disconnected with prior warning.
- user group’s network access restriction per workstation or IP range. By doing this, users can be limited to their own workstation, department, floor, building…


CERT BEST PRACTICE 12: Log, monitor, and audit employee online actions
“Logging, monitoring, and auditing can lead to early discovery and investigation of suspicious insider actions.”

 
As seen here above, UserLock allows real time session surveillance and monitoring, but it also records all session logging and locking events in an ODBC database (Access, SQL Server, Oracle, MySQL …) for future reference.
Reports can be generated automatically at regular intervals, in order to update an Intranet Web site or to be sent by email.
UserLock provides predefined reports, including:
- Session History: Comprehensive session list (logon, lock, logoff instances, users, domains, workstations…)
- Session Statistics: Displays for a given user and period, total sessions, total connection time, average time per session, per worked day or per week.
- User Sessions: Instantaneous view of all user sessions at display time.


CERT BEST PRACTICE 14: Deactivate computer access following termination
“It is important to follow rigorous procedures that disable all access paths into the organization’s networks and systems for terminated employees.”

With UserLock, an administrator can within seconds remotely lock, logoff and reset all sessions, either from the administration console or the Web interface.
Windows native features will indeed not prevent an employee from logging onto his/her workstation even if his/her account has been disabled and deleted…



In-depth information in our whitepaper “Eight Holes in Windows Login Controls”

 
Detailed information about UserLock and free, fully-functional 180-day trial version


Protect your Windows network from careless and fraudulent users

IS Decisions developed a software solution named UserLock, whose main goal is to protect Windows networks from careless and/or fraudulent users, thus mitigating insider threat.


More than 700,000 UserLock licenses are already in use by worldwide security-demanding organizations including:
BAE Systems, Banco de Costa Rica, Barclays Bank, BMW, Computer Sciences Corporation, Frito-Lay, Lockheed Martin, Mitsubishi, National Bank of Kuwait, South Wales Police, Telcel, United Nations Organization, US Department of Justice, US Department of Veterans Affairs, US Navy Marine Corps, TimeWarner, …



UserLock indeed allows IT Security teams to:

- prevent or limit simultaneous logon (same ID, same password), per user or user group

- record all session logging and locking events in an ODBC database (Access, SQL Server, Oracle, MySQL,…) for future reference

- monitor user sessions in realtime (who is connected, from which workstation(s), for how long…)

- remotely lock, unlock, logoff and reset all interactive sessions

- define working hours and/or maximum session time for protected users and automatically disconnect users with prior warning outside of the defined timeframe(s) and/or when time is up

- restrict user group’s network access per workstation or IP range

- notify all users prior to gaining access to a system with a tailor-made warning message (legal disclaimer, etc.)

- …


You will find detailed information about UserLock on our website (as well as a free, 180-day fully-functional trial version), and this whitepaper will provide you with further details about holes in Windows native login controls and how UserLock fills them in and helps organizations to comply with major regulatory constraints (HIPAA, SOX, PCI, NISPOM, DCID 6/3 - ICD 503, GLBA, US Patriot Act, FISMA …).


Windows networks: why should you monitor login sessions?

Logon session monitoring means being able to say, in real time, who is logged on at which computers, and to answer two questions:

- What are all the computers that a given user is currently logged on at?
- Who are the users currently logged on at this particular computer?


There is no way to do that with native Windows functionality, although being able to do so would empower System Administrators to efficiently mitigate insider threats.


Instead, what you have to do is figure that out one server at a time.

You can go to a given single Windows server, go to Computer Management > Shared Folders > Sessions, and you can look it up that way.


Think about how difficult that is if you have to check each server individually …
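
The two questions above, and the case of a disabled account that still holds sessions, can be answered from one merged stream of logon and logoff events. This is an added example, not UserLock code or anything from the original post. It assumes the events have already been collected from every machine into one list; the sample events, account names and computer names are constructed.

```python
from collections import defaultdict

# Constructed sample events (time, event_id, user, computer), assumed to be
# already merged from every machine. Windows Security log IDs: 4624 = logon,
# 4634 / 4647 = logoff. Simplification: one session per (user, computer).
EVENTS = [
    ("2010-09-20T08:55", 4624, "CORP\\alice", "WKS-012"),
    ("2010-09-20T09:02", 4624, "CORP\\john", "WKS-007"),
    ("2010-09-20T09:10", 4624, "CORP\\john", "SRV-FILE01"),
    ("2010-09-20T12:30", 4634, "CORP\\alice", "WKS-012"),
    ("2010-09-20T13:15", 4624, "CORP\\alice", "WKS-007"),
    ("2010-09-20T16:00", 4624, "CORP\\john", "SRV-SQL02"),
    ("2010-09-20T16:20", 4647, "CORP\\john", "SRV-FILE01"),
]
LOGON, LOGOFF = {4624}, {4634, 4647}

def open_sessions(events):
    """Replay events in time order and return {(user, computer): logon_time}."""
    sessions = {}
    for when, event_id, user, computer in sorted(events):
        key = (user.lower(), computer.upper())   # names are case-insensitive
        if event_id in LOGON:
            sessions.setdefault(key, when)       # keep the earliest open logon
        elif event_id in LOGOFF:
            sessions.pop(key, None)              # logoff without a known logon
    return sessions

def computers_of(sessions, user):
    """Which computers is this user currently logged on at?"""
    return sorted(c for (u, c) in sessions if u == user.lower())

def users_on(sessions, computer):
    """Who is currently logged on at this computer?"""
    return sorted(u for (u, c) in sessions if c == computer.upper())

def concurrent_users(sessions, limit=1):
    """Users holding more open sessions than the allowed limit."""
    per_user = defaultdict(list)
    for (u, c) in sorted(sessions):
        per_user[u].append(c)
    return {u: cs for u, cs in per_user.items() if len(cs) > limit}

def still_connected(sessions, disabled_accounts):
    """Open sessions of disabled accounts: candidates for a forced logoff."""
    disabled = {a.lower() for a in disabled_accounts}
    return sorted((u, c, t) for (u, c), t in sessions.items() if u in disabled)

if __name__ == "__main__":
    live = open_sessions(EVENTS)
    print(computers_of(live, "CORP\\john"), users_on(live, "WKS-007"))
    print(concurrent_users(live), still_connected(live, {"CORP\\john"}))
```

A real Security log records several 4624 events per interactive logon and identifies each session by a logon ID, so a production version would key sessions on that ID and filter by logon type.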



Read more about login sessions monitoring

"I once had to deal with a chief executive who shared his access credentials with his secretary despite this being a dismissible offence."

— This anecdote, reported by John Mitchell (Managing Director of LHS Business Control) in the article “IT systems: the insider threat”, could not have happened if this company had used UserLock.
