UserLock and FileAudit help guard against rogue sys admins

Back in September 2010, Network World published an insightful article by Carolyn Duffy Marsan, titled «6 tips for guarding against rogue sys admins».

In this article, Carolyn underlined the fact that «one of the biggest threats that organizations face is losing sensitive data […] to theft from their own employees. The threat is greatest from systems and network administrators, who have privileged access to vast amounts of corporate data and are responsible for most compromised records in insider cases.»

Carolyn then described several practical steps IT departments can take to minimize the insider threat, including:

«Restrict and monitor users with special privileges»

More easily said than done if you rely only on native Windows features. Windows lacks the fundamental and classic login session controls found in other environments such as mainframe and midrange systems, UNIX and Netware.

UserLock comes in handy here, as this software solution allows CIOs to:

  • limit or prevent concurrent logins to a Windows network, based on user, user groups or session types,
  • restrict user access to the network with multiple criteria: workstations, time, business hours, and connection type,
  • follow the session activity on the network in real-time and get detailed, graphical reporting,
  • automatically receive popup or email alerts for specific events such as denied logins, successful logins and logoffs.

«Keep user access and privileges current, particularly during times of job changes or layoffs»

Here again, native Windows features are not designed to provide this functionality easily.

Imagine the following example:
A Sys Admin (let us call him John) is fired and knows that his dismissal is coming. John is logged on at 04:00 pm and at 04:05 pm the CIO disables and/or deletes his account. Guess what happens? John is still logged on to a workstation and connected to some servers. All he has to do is unlock the workstation (typically, workstations do not check unlock requests with the domain controller). The result is that John is still able to work on his desktop and local drives, even though his account has been disabled and deleted.

With UserLock, a CIO can remotely lock, logoff and reset all sessions immediately, from potentially anywhere using the Web interface.

«Monitor employees found guilty of minor online misconduct»

When it comes to employees’ online behavior surveillance, two things are crucial:

To monitor logon sessions

Here again, native Windows features are not sufficient. System Admins are not able to answer the following questions in real time:

  • Who is logged on at which computers?
  • Which computers are being used by a given user?
  • Who are the users currently logged on at this particular computer?

UserLock allows real time session surveillance and monitoring; at all times a CIO knows who is connected, from what workstation(s), since when…

To monitor access to files and folders

To monitor access to an organization’s files and folders, standard Microsoft systems only offer event logs that must be reviewed manually. This leaves administrators with hundreds or even thousands of events to decipher and analyze to pinpoint the information of interest, which generates endless hours of unproductive and error-prone work.

FileAudit monitors, archives and reports on access (or access attempts) to sensitive files and folders stored on Microsoft Windows systems.

FileAudit instantly gives a comprehensive list of:

  • read/write accesses
  • file ownership changes (accepted or denied)
  • permission modifications (accepted or denied)

Each record details:

  • the user
  • the domain
  • the date and time of connection and disconnection

for:

  • a file
  • a selection of files
  • a folder and subfolder
  • a selection of folders and subfolders
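To show what deciphering the native audit events involves, here is an added example (not FileAudit code, and not from the original post) that reduces Windows object-access events to the categories listed above. The event IDs (4663, 4656) and access-mask bits are the standard Windows ones; the accounts, paths and records are constructed for illustration.

```python
# File rights as they appear in the AccessMask field of Windows
# object-access audit events.
RIGHTS = {
    0x1: "read",                    # ReadData
    0x2: "write", 0x4: "write",     # WriteData, AppendData
    0x10000: "delete",              # DELETE
    0x40000: "permission change",   # WRITE_DAC
    0x80000: "ownership change",    # WRITE_OWNER
}

# Constructed sample: (time, event ID, audit result, account, path, AccessMask)
EVENTS = [
    ("2011-03-01 09:12", 4663, "success", r"CORP\alice", r"D:\Finance\budget.xlsx", 0x1),
    ("2011-03-01 09:15", 4663, "success", r"CORP\alice", r"D:\Finance\budget.xlsx", 0x6),
    ("2011-03-01 09:20", 4656, "failure", r"CORP\john", r"D:\Finance\payroll.xlsx", 0x80000),
    ("2011-03-01 09:21", 4656, "success", r"CORP\alice", r"D:\Finance\budget.xlsx", 0x1),
    ("2011-03-01 09:30", 4663, "success", r"CORP\bob", r"D:\Public\menu.txt", 0x1),
    ("2011-03-01 09:40", 4663, "success", r"CORP\john", r"D:\Finance\payroll.xlsx", 0x40000),
]

def decode(mask):
    """Translate an access mask into the distinct actions it contains."""
    return sorted({name for bit, name in RIGHTS.items() if mask & bit})

def summarize(events, folder):
    """Return (time, account, path, action, status) rows for one folder tree."""
    rows = []
    for when, event_id, result, account, path, mask in events:
        if not path.lower().startswith(folder.lower()):
            continue
        # 4663 records access that took place; a refused request appears
        # as a 4656 failure audit. Granted 4656 handle requests are skipped
        # because the access itself is reported by 4663.
        if event_id == 4663:
            status = "accepted"
        elif event_id == 4656 and result == "failure":
            status = "denied"
        else:
            continue
        for action in decode(mask):
            rows.append((when, account, path, action, status))
    return rows

if __name__ == "__main__":
    for row in summarize(EVENTS, "D:\\Finance\\"):
        print(*row, sep=" | ")
```
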

«Educate your employees about insider threat»

Raising employees’ awareness about insider threat is a key component of an efficient IT security strategy. Regular training or offering a hotline so that employees can anonymously report fraud are part of the insightful measures that should be taken to mitigate insider threat. But one of the most efficient ways to make users security aware is to systematically remind them of their rights and duties each time they log on.

UserLock allows notifying all users prior to gaining access to a system with a tailor-made disclaimer. Users can for example be advised that system usage is monitored, recorded, subject to audit, and that unauthorized use is prohibited and subject to criminal and civil penalties.

Another efficient way is to provide users at each connection with detailed information about their previous logons, so they can easily detect if someone else has successfully logged on (or attempted to log on) as them and potentially impersonated them. This is missing from native Windows features.

At each logon, UserLock provides users with information such as:

  • last workstation logged on,
  • date and time of last successful logon,
  • history of all logons denied by UserLock and Windows since last successful logon,
  • number of logons denied by UserLock and Windows since last successful logon.

We look forward to your comments and concerns. Feel free to post your remarks hereunder or use Twitter or Facebook to exchange with us.

Download UserLock now

Download FileAudit now


How to remotely (and automatically) shutdown thousands of PCs at night with RemoteExec


The example below illustrates the use of a predefined System Action to ensure the automatic shutdown of all workstations. The time you choose for switching off your computer must coincide with your company business needs.

Take note that:

  • A user might be working on the target machine.
  • A session can be opened on the target machine without a user in front of it, but with documents opened or applications running.
  • A session can be locked on the target machine with some documents opened or applications running.


Our goal in this example is to shut down all computers, even those with documents unsaved or applications running. You should communicate this as part of your global Green Charter to your users.

How to shut down all computers

  1. Open RemoteExec and go to Remote Jobs/New Remote Job/System action through the Configuration tree.
  2. In the first section «Settings», choose the System action named Shutdown from the combo list.
  3. RemoteExec can check if a user is currently working on the target machine, and can process the System action differently in this case.

    Choosing the option Immediate execution, notify otherwise means:
    • If there is no user connected on the workstation, the shutdown will be initiated immediately.
    • If there is a user connected on the workstation, a Notification will be displayed to the connected user. The shutdown will be initiated depending on the mode defined in step 4 for this Notification.
  4. Notification mode
    Two options to define how the shutdown will be initiated:
    • Execute after showing notification during
      The shutdown will be executed after the message has been displayed for the number of minutes typed. Users can hide the Notification, but it regularly pops back to the foreground.
    • Indefinitely notify every
      The Notification is displayed indefinitely until users click on the button to initiate the shutdown. Users can hide the Notification, but it will pop again every number of minutes you’ve defined.

    As stated in the preamble, we want to shut down all workstations. We therefore choose to execute this System action after the Notification period, with a delay long enough to let users finish their current work.
  5. Leave the third combo list on the Don’t wait for the end of the execution option. (This option is pertinent in multi action mode, not in our example here).
  6. Check the Force applications to close option.

    This ensures that all sessions left open will be closed. Although users have been informed about this Green Charter action, some will always forget.
  7. Set your Notification message to explain the imminent shutdown and provide instructions to avoid losing recently modified documents or work.
  8. We want to power off all workstations on our network. That’s why we have selected the whole domain in the Target Computers section. As we don’t want servers to be affected by this Remote Action, we set the Filter section option named OS level to workstation only.
  9. The remote shutdown job is now ready and fully set.

    This is how the Notification will be displayed to users connected on the target machines:
  10. Click in Quick Access Pane on
  11. Enter a name on the Schedule Wizard for this new task.
  12. Once you have validated the new task name, the Windows scheduler pop-up will appear. Set the task to Daily and the hour settings according to your company hours. Validate by clicking OK. You will be prompted to set an administrative account for this task.

    In this example, setting 09h30 PM means that the computers will be powered off by 10:00 at the latest (9h30 + 30 minutes countdown).

    The RemoteExec Scheduler now displays our new scheduled Job.

Want more?

In this example, all computers have been shut down during the night. In the same way, you may decide to switch computers on automatically, allowing users to work immediately upon their arrival. This is also possible through the RemoteExec Wake up System action.

Computers that support Wake-on-LAN technology (available on most computers today) can be remotely powered on if this option is enabled. You first have to scan the MAC addresses and subnet of your network machines using the System action Get wake up info (which can also be scheduled). Then, using the same concept, you can choose to wake up users’ computers automatically.
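Why both the MAC address and the subnet are needed, as an added example (not RemoteExec code, and not from the original post): the standard Wake-on-LAN magic packet carries the target MAC, and because a powered-off machine has no IP address it is sent to the subnet's broadcast address. The function names, sample addresses and UDP port 9 (a common convention) are assumptions of this sketch.

```python
import ipaddress
import socket

def magic_packet(mac):
    """Wake-on-LAN payload: 6 bytes of 0xFF, then the target MAC 16 times."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 6 bytes: %r" % mac)
    return b"\xff" * 6 + raw * 16

def broadcast_address(ip, netmask):
    """Directed broadcast address of the subnet the sleeping machine sits on."""
    network = ipaddress.ip_network("%s/%s" % (ip, netmask), strict=False)
    return str(network.broadcast_address)

def wake(mac, ip, netmask, port=9):
    """Broadcast the magic packet on the target's subnet over UDP."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        sock.sendto(magic_packet(mac), (broadcast_address(ip, netmask), port))

if __name__ == "__main__":
    # Constructed values; nothing is sent unless wake() is called.
    packet = magic_packet("00:1A:2B:3C:4D:5E")
    print(len(packet), "bytes to", broadcast_address("192.168.10.37", "255.255.255.0"))
```
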

During your tests

If for any reason you remotely launch a shutdown that you want to abort, you can use the specific System action.


IS Decisions launches MVPtweets.com

As a contribution to the Microsoft 2011 MVP Global Summit, IS Decisions today launched MVPtweets.com, a website that displays in real time:



- tweets from more than 1,100 Microsoft Most Valuable Professionals (MVPs)
- tweets from Microsoft MVP Leads and Community Managers
- tweets with #MVP11 and #MVPbuzz hashtags



and allows instant visualization of what is going on in the Microsoft MVPs community.



If you are a Microsoft MVP and noticed that your Twitter profile is not on MVPtweets.com, please just tweet us and we will add you.



Visit MVPtweets.com

Follow IS Decisions on Twitter


Free eBook: Introducing Windows Server 2008 R2

Introducing Windows Server 2008 R2, by Charlie Russel and Craig Zacker with the Windows Server Team at Microsoft, can be downloaded here.



Here is the book’s Content at a Glance:


  • Introduction
  • Chapter 1: What’s New in Windows Server R2
  • Chapter 2: Installation and Configuration: Adding R2 to Your World
  • Chapter 3: Hyper-V: Scaling and Migrating Virtual Machines
  • Chapter 4: Remote Desktop Services and VDI: Centralizing Desktop and Application Management
  • Chapter 5: Active Directory: Improving and Automating Identity and Access
  • Chapter 6: The File Services Role
  • Chapter 7: IIS 7.5: Improving the Web Application Platform
  • Chapter 8: DirectAccess and Network Policy Server
  • Chapter 9: Other Features and Enhancements
  • Index


The Twitter List of Microsoft Technologies User Groups and Communities

Numerous Microsoft ITpros and developers around the world join User Groups and communities to meet their peers, share ideas and experiences, and improve their skills by learning from each other.

And a lot of these User Groups and communities now use Twitter to share information, advice, opinions, news, moods, concerns, facts, rumors, and everything else imaginable about Microsoft technologies.


That is why we began to compile what we hope will become the largest Twitter List of Microsoft Technologies User Groups and Communities.


So far, we identified and listed 117 Microsoft Technologies User Groups and Communities!


Please help us grow and maintain the most comprehensive and accurate Twitter list of Microsoft Technologies User Groups and Communities: if you curate such an account on Twitter or know one that we missed, just tweet us or leave a comment to this post!



And if you are interested in news, tips and analysis about IT Security and Microsoft technologies, please follow us too …


Windows networks: why should you monitor login sessions?

Logon session monitoring means being able to say, in real time, who is logged on at which computers, and to answer two questions:

- What are all the computers that a given user is currently logged on at?
- Who are the users currently logged on at this particular computer?


There is no way to do that with native Windows functionality, although that would empower System Administrators to efficiently mitigate insider threats.


Instead, what you have to do is figure that out one server at a time.

You can go to a given single Windows server, go to Computer Management > Shared Folders > Sessions, and you can look it up that way.


Think about how difficult that is if you have to check each server individually …
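The two questions above can be answered by correlating Security log events collected from every machine. The following added example (not UserLock code, and not from the original post) does so and also flags the case described earlier on this page, where John's sessions stay open after his account is disabled. Event IDs 4624 (logon), 4634/4647 (logoff) and 4725 (account disabled) are the standard Windows ones; the records and names are constructed.

```python
LOGON, LOGOFF, DISABLED = {4624}, {4634, 4647}, {4725}

# Constructed sample: (time, event ID, account, computer, logon ID).
# In real events the account is TargetUserName and the logon ID is
# TargetLogonId; 4725 is recorded on a domain controller.
EVENTS = [
    ("2011-03-01 15:50", 4624, "alice", "WKS-017", "0x2f001"),
    ("2011-03-01 15:58", 4647, "alice", "WKS-017", "0x2f001"),
    ("2011-03-01 16:00", 4624, "john", "WKS-017", "0x3e7a1"),
    ("2011-03-01 16:01", 4624, "john", "SRV-FILE1", "0x51c02"),
    ("2011-03-01 16:02", 4624, "bob", "SRV-FILE1", "0x51d10"),
    ("2011-03-01 16:05", 4725, "john", "DC01", None),
]

def correlate(events):
    """Replay events in time order; return (open sessions, disabled accounts)."""
    sessions, disabled = {}, {}
    for when, event_id, user, computer, logon_id in sorted(events, key=lambda e: e[0]):
        key = (computer, logon_id)      # a logon ID is unique per machine only
        if event_id in LOGON:
            sessions[key] = (user, when)
        elif event_id in LOGOFF:
            sessions.pop(key, None)     # logoff without a recorded logon: ignore
        elif event_id in DISABLED:
            disabled[user] = when
    return sessions, disabled

def computers_of(sessions, user):
    """All computers a given user is currently logged on at."""
    return sorted({c for (c, _), (u, _) in sessions.items() if u == user})

def users_on(sessions, computer):
    """All users currently logged on at a given computer."""
    return sorted({u for (c, _), (u, _) in sessions.items() if c == computer})

def orphaned(sessions, disabled):
    """Sessions still open for accounts disabled after the session began."""
    return sorted((u, c, start) for (c, _), (u, start) in sessions.items()
                  if u in disabled and start <= disabled[u])

if __name__ == "__main__":
    open_sessions, disabled_accounts = correlate(EVENTS)
    print(computers_of(open_sessions, "john"), users_on(open_sessions, "SRV-FILE1"))
    print(orphaned(open_sessions, disabled_accounts))
```
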



Read more about login sessions monitoring


The largest Twitter List of Official Microsoft Accounts

IS Decisions is a Microsoft Partner Silver Independent Software Vendor and develops Infrastructure and Security Management solutions for Microsoft Windows.

We therefore are interested in all things Microsoft and assume our customers, partners and followers on Twitter are too.
That is why we thoroughly compiled what we believe to be the largest Twitter list of Official Microsoft Accounts.


To the best of our knowledge, Microsoft indeed created more than 320 Twitter accounts, ranging from the @Microsoft flagship to more niche-oriented ones including @MSFT_IT, @OutlookWebApp, or @MicrosoftDCU.


So far, we identified and listed 325 Microsoft Official Accounts on Twitter!


Please help us maintain the most comprehensive and accurate Twitter list of Official Microsoft Accounts: if you curate an Official Microsoft Account or know one that we missed, just tweet us or leave a comment to this post!



And if you are interested in news, tips and analysis about IT Security and Microsoft technologies, please follow us too


Classification for files and stored data is now built into Windows Server 2008 R2.

Learn about all the file classification, file management and data management features this built-in technology provides at no additional cost.



More about File Classification Infrastructure in Windows Server 2008 R2


The most comprehensive Twitter list of Microsoft MVPs

At IS Decisions, we recognize the contribution that Microsoft MVPs (Most Valuable Professionals) make to the ITpro community.

Moreover, MVPs’ tweets are usually extremely valuable as they reflect their expertise in Microsoft technologies.

We therefore decided to track MVPs on Twitter and to create a Twitter list of them.


As each Twitter list is currently limited to 500 people, we had to create 3 lists so far, and you should follow them:

@is_decisions/MVPs (500 members)

@is_decisions/MVPs2 (500 members)

@is_decisions/MVPs3 (180 members and counting)



Please help us maintain the most comprehensive and accurate Twitter list(s) of MVPs: if you are an MVP or know an MVP with a Twitter account, just tweet us!


IS Decisions retains Microsoft Certified Partner status

We just renewed our certified status in Microsoft’s Certified Partner Program (ISV/Software Solutions Competency) which represents our commitment to developing the latest technology for Windows-based infrastructure.


As a Microsoft Certified Partner, we have demonstrated expertise with Microsoft technologies and proven our ability to meet customer needs.

The certification process indeed required:

  • comprehensive 3rd party testing of our software solutions that included such areas as integration capabilities to Microsoft platforms, coding specifications and security,
  • references from clients using our software,
  • competency requirements specific to our software in relation to Microsoft technology.
