
Terminal Server user logins: disconnected session



We are planning a Terminal Server where there are a few buildings that will use only a single generic account to log in to it. My question is: how can I secure the Terminal Server login so that someone doesn't inadvertently step on the active session, since each generic account will have 3 users to it? Is there a way to lock the account while it is in use so that someone else can't inadvertently attempt a login with that account and knock off the current user?

Guest Vera Noest [MVP]
Posted

Re: Terminal Server user logins: disconnected session

 

You can allow multiple sessions per user account, which prevents users from disconnecting each other's sessions when they log on with the same account.

Security-wise, this is a nightmare, since the 3 users will be sharing the same profile. Also expect problems with printers changing every time a user logs in, documents being printed at unexpected printers, and profile corruption. In other words: go to any length to avoid this scenario!

 

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

 

Pearl <Pearl@discussions.microsoft.com> wrote on 19 nov 2007 in microsoft.public.windows.terminal_services:

> We are planning a Terminal Server where there are a few
> buildings that will use only a single generic account to log in
> to it. My question is: how can I secure the Terminal Server
> login so that someone doesn't inadvertently step on the active
> session, since each generic account will have 3 users to it? Is
> there a way to lock the account while it is in use so that someone
> else can't inadvertently attempt a login with that account and
> knock off the current user?

Guest Hank Arnold (MVP)
Posted

Re: Terminal Server user logins: disconnected session

 

Pearl wrote:

> We are planning a Terminal Server where there are a few buildings that will
> use only a single generic account to log in to it. My question is: how can I
> secure the Terminal Server login so that someone doesn't inadvertently step
> on the active session, since each generic account will have 3 users to it? Is
> there a way to lock the account while it is in use so that someone else can't
> inadvertently attempt a login with that account and knock off the current user?

 

I can tell you from bitter experience that this is a very bad idea. Not only is it a security nightmare, it's also an administration headache. How do you even start investigating problems? Where do you start if there is a virus or malware event? Who did it?

I spent 2 years convincing the Hospice I support. We have numerous volunteers that come and go. It was argued that requiring accounts for each and every volunteer would be confusing and delay getting them on-line. We finally succeeded and it's been no problem.

I urge you from the bottom of my soul to re-evaluate this strategy....

 

--

 

Regards,

Hank Arnold

Microsoft MVP

Windows Server - Directory Services
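
Added example (not part of the thread): with a shared account, session records name only the account, so the client address is the one remaining discriminator when asking "who did it". The Python sketch below flags an account that is in concurrent use from different clients; the record layout, account names and addresses are constructed for illustration and are not a real Windows log format.

```python
import csv
import io
from datetime import datetime
from itertools import combinations

# Constructed sample of remote-logon records (assumed layout, not a real
# Windows log format): account, client address, session start, session end.
SAMPLE = """\
account,client,start,end
bldg1,10.0.1.21,2007-11-19 08:02,2007-11-19 12:10
bldg1,10.0.1.34,2007-11-19 09:15,2007-11-19 09:50
bldg1,10.0.1.21,2007-11-19 13:00,2007-11-19 17:00
jsmith,10.0.2.8,2007-11-19 08:30,2007-11-19 16:45
jsmith,10.0.2.8,2007-11-19 17:00,2007-11-19 17:20
bldg2,10.0.3.5,2007-11-19 08:00,2007-11-19 10:00
bldg2,10.0.3.9,2007-11-19 10:00,2007-11-19 11:30
"""

FMT = "%Y-%m-%d %H:%M"


def load_sessions(text):
    """Parse the CSV into dicts with datetime start/end values."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["start"] = datetime.strptime(row["start"], FMT)
        row["end"] = datetime.strptime(row["end"], FMT)
        rows.append(row)
    return rows


def shared_account_overlaps(sessions):
    """Return (account, client_a, client_b) for sessions of one account that
    overlap in time but come from different client addresses."""
    by_account = {}
    for s in sessions:
        by_account.setdefault(s["account"], []).append(s)
    findings = []
    for account, group in sorted(by_account.items()):
        for a, b in combinations(group, 2):
            # Half-open intervals: back-to-back sessions do not overlap.
            overlap = a["start"] < b["end"] and b["start"] < a["end"]
            if overlap and a["client"] != b["client"]:
                findings.append((account, a["client"], b["client"]))
    return findings


if __name__ == "__main__":
    for account, c1, c2 in shared_account_overlaps(load_sessions(SAMPLE)):
        print(f"{account}: concurrent sessions from {c1} and {c2}")
```

A finding identifies two workstations, not two people, which is the limit of attribution once several users hold the same credentials.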

Posted

Re: Terminal Server user logins: disconnected session

 

Thanks Hank

We've semi-convinced them that a single generic account is not practical and they'll purchase individual Terminal Server user licenses. Also, access to the Terminal Server will only be granted from one workstation and our security will be based on IP Address access. However, this question still interests me...that is, in terms of ensuring that no one can inadvertently come from behind using someone's credentials to bump someone off of their session. My thoughts gravitate toward the fact that our users are not always careful securing their login and passwords. So, it would be useful to know if there is a way to prevent a second login while someone is either in a disconnected state or actively using Terminal Server. Is there a way to "lock" an active account from being knocked off by a second login....?

 

Thanks

 

"Hank Arnold (MVP)" wrote:

> Pearl wrote:
> > We are planning a Terminal Server where there are a few buildings that will
> > use only a single generic account to log in to it. My question is: how can I
> > secure the Terminal Server login so that someone doesn't inadvertently step
> > on the active session, since each generic account will have 3 users to it? Is
> > there a way to lock the account while it is in use so that someone else can't
> > inadvertently attempt a login with that account and knock off the current user?
>
> I can tell you from bitter experience that this is a very bad idea. Not
> only is it a security nightmare, it's also an administration headache.
> How do you even start investigating problems? Where do you start if
> there is a virus or malware event? Who did it?
>
> I spent 2 years convincing the Hospice I support. We have numerous
> volunteers that come and go. It was argued that requiring accounts for
> each and every volunteer would be confusing and delay getting them
> on-line. We finally succeeded and it's been no problem.
>
> I urge you from the bottom of my soul to re-evaluate this strategy....
>
> --
>
> Regards,
> Hank Arnold
> Microsoft MVP
> Windows Server - Directory Services
>

Guest Soo Kuan Teo [MSFT]
Posted

Re: Terminal Server user logins: disconnected session

 

From the Terminal Services point of view, it has no way of knowing who is actually using the user account. The information about the identical user account being used by different users is not available to Terminal Services. I haven't tried this to see if it actually works, but as a workaround, you can have a machine with 3 NICs, create 2 more rdp-tcp connections, assign each connection to a NIC, and ask your employee 1 to connect with the nic1 IP address with user account A, employee 2 to connect with the nic2 IP address with user account A, and employee 3 to connect with the nic3 IP address with user account A.

Thanks

Soo Kuan

 

 

--

This posting is provided "AS IS" with no warranties, and confers no rights.

 

"Pearl" <Pearl@discussions.microsoft.com> wrote in message
news:E7B1774B-BC99-417D-8CC0-BC93BCF023E6@microsoft.com...

> Thanks Hank
> We've semi-convinced them that a single generic account is not practical
> and they'll purchase individual Terminal Server user licenses. Also, access
> to the Terminal Server will only be granted from one workstation and our
> security will be based on IP Address access. However, this question still
> interests me...that is, in terms of ensuring that no one can inadvertently
> come from behind using someone's credentials to bump someone off of their
> session. My thoughts gravitate toward the fact that our users are not
> always careful securing their login and passwords. So, it would be useful to
> know if there is a way to prevent a second login while someone is either in a
> disconnected state or actively using Terminal Server. Is there a way to
> "lock" an active account from being knocked off by a second login....?
>
> Thanks
>
> "Hank Arnold (MVP)" wrote:
>
>> Pearl wrote:
>> > We are planning a Terminal Server where there are a few buildings that
>> > will use only a single generic account to log in to it. My question is: how
>> > can I secure the Terminal Server login so that someone doesn't inadvertently
>> > step on the active session, since each generic account will have 3 users to
>> > it? Is there a way to lock the account while it is in use so that someone else
>> > can't inadvertently attempt a login with that account and knock off the
>> > current user?
>>
>> I can tell you from bitter experience that this is a very bad idea. Not
>> only is it a security nightmare, it's also an administration headache.
>> How do you even start investigating problems? Where do you start if
>> there is a virus or malware event? Who did it?
>>
>> I spent 2 years convincing the Hospice I support. We have numerous
>> volunteers that come and go. It was argued that requiring accounts for
>> each and every volunteer would be confusing and delay getting them
>> on-line. We finally succeeded and it's been no problem.
>>
>> I urge you from the bottom of my soul to re-evaluate this strategy....
>>
>> --
>>
>> Regards,
>> Hank Arnold
>> Microsoft MVP
>> Windows Server - Directory Services
>>

