Organisations spend a lot of time and effort protecting their networks from external attacks. However, it is insider threats that are viewed as one of the biggest risks to corporate data according to IT decision makers surveyed in the Cyber-Ark 2012 Trust, Security & Passwords report.

To efficiently mitigate insider threats and reduce the attack surface of an Information System, access to a network must be granted on a 'need-to-know' and 'need-to-use' basis.

In real terms, this means that IT departments must ensure that each user in their organisation can only log in within the bounds of the authorisation that has been granted to them. Unfortunately, this is usually not the case.

Uncontrolled User Access - The stadium metaphor

Imagine a football stadium. Once in possession of a ticket, you are able to enter the stadium at any time, through any entrance, watch every game and stay as long as you wish.

That is exactly what a Windows network looks like without an appropriate and enforced User Access Control Policy. Users are able to log in at any time, from any system or device and from several systems simultaneously, stay logged in for as long as they want and share their credentials with colleagues or even outsiders without their own access ever being affected as a consequence.

Access restrictions – The need to go granular

Logins are the first line of defence for a Windows network. Login rights must therefore be granted parsimoniously, based on business and security requirements and on the role of the user within the organisation.

This involves setting login restrictions according to various criteria. Such restrictions must take into consideration the session type (workstation, terminal, Internet Information Services, Wi-Fi/RADIUS or VPN/RAS) and their scope (applied on a 'per user', 'per user group' or Active Directory Organisational Unit basis) to create a comprehensive matrix of access rules.

  1. Different login limitations should be set to ensure that every user in the organisation has sufficient access rights to fully perform their tasks without restriction, but no more.
  2. Concurrent logins (the same credentials used in several sessions at once) should be banned or strictly limited to specific situations. Allowing simultaneous sessions means that several workstations can be tied up by one user, thus impeding resource sharing, and can easily result in corrupt roaming profiles and versioning conflicts for offline files.
  3. Logins from multiple systems should also be limited: users should be restricted to connecting to the network only from their own workstation or from a predetermined set of workstations (e.g. those in their department, their floor, their building, etc.).
  4. Time is another critical factor in Information Security. The average user should be able to log in only during business hours, with exceptions handled and controlled with care.
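The workstation and time restrictions in points 3 and 4 map directly onto two Active Directory user attributes, userWorkstations (exposed by the ActiveDirectory module as LogonWorkstations) and logonHours. The following PowerShell is an added example, not IS Decisions' code: it audits an OU for accounts with no restriction at all (the 'stadium' state), builds the 21-byte logonHours bitmask for a Monday-to-Friday, 08:00-18:00 UTC window, and applies both restrictions. The OU path, workstation names and hours are hypothetical. Note that Active Directory has no built-in per-user limit on concurrent logons (point 2), so that control needs a logon script or a third-party agent rather than an attribute.

```powershell
# Added example (not IS Decisions' code): enforce logon-hour and workstation
# restrictions on every user in an OU with the ActiveDirectory module.
# Assumptions: the OU, host names and the 08:00-18:00 window are hypothetical.
# logonHours is stored and evaluated in UTC, so build the mask in UTC.

Import-Module ActiveDirectory

function New-LogonHoursMask {
    # Builds the 21-byte logonHours attribute: 168 bits, one per hour of the
    # week, starting Sunday 00:00 UTC; bit 0 of byte 0 is Sunday 00:00-01:00.
    # A set bit permits logon during that hour.
    param(
        [int[]]$Days = 1..5,    # Monday..Friday (Sunday = 0, Saturday = 6)
        [int]$StartHour = 8,    # first permitted hour (UTC), inclusive
        [int]$EndHour = 18      # first denied hour (UTC), exclusive
    )
    $mask = New-Object byte[] 21
    foreach ($day in $Days) {
        for ($hour = $StartHour; $hour -lt $EndHour; $hour++) {
            $bit = $day * 24 + $hour                  # 0..167
            $byteIndex = [int][math]::Floor($bit / 8)
            $mask[$byteIndex] = [byte]($mask[$byteIndex] -bor (1 -shl ($bit % 8)))
        }
    }
    return $mask
}

function Test-LogonHoursMask {
    # Decodes a mask to check whether a given UTC time is a permitted hour;
    # handy for verifying what was written before rolling it out widely.
    param([byte[]]$Mask, [datetime]$WhenUtc)
    $bit = [int]$WhenUtc.DayOfWeek * 24 + $WhenUtc.Hour   # DayOfWeek: Sunday = 0
    return (($Mask[[int][math]::Floor($bit / 8)] -shr ($bit % 8)) -band 1) -eq 1
}

$ou           = 'OU=Finance,DC=corp,DC=example'   # assumption: hypothetical OU
$allowedHosts = 'WS-FIN-01,WS-FIN-02'             # assumption: hypothetical NetBIOS names
$mask         = New-LogonHoursMask

# Sanity-check the mask: Tuesday 09:00 UTC allowed, Tuesday 23:00 UTC denied.
if (-not (Test-LogonHoursMask -Mask $mask -WhenUtc ([datetime]'2012-10-02 09:00'))) { throw 'mask error' }
if (Test-LogonHoursMask -Mask $mask -WhenUtc ([datetime]'2012-10-02 23:00'))        { throw 'mask error' }

# Audit first: an unset logonHours means "any hour" and an empty
# LogonWorkstations means "any computer", i.e. the stadium metaphor.
$users = Get-ADUser -SearchBase $ou -Filter * -Properties logonHours, LogonWorkstations
$users | Where-Object { -not $_.logonHours -or -not $_.LogonWorkstations } |
    Select-Object SamAccountName, LogonWorkstations |
    Format-Table -AutoSize

# Enforce: restrict every user in the OU to the approved hosts and hours.
foreach ($u in $users) {
    Set-ADUser -Identity $u -LogonWorkstations $allowedHosts -Replace @{ logonHours = $mask }
}
```

Two caveats a practitioner should keep in mind. First, the ADUC GUI displays logon hours in the local time zone but the attribute itself is in UTC, so a mask computed for 08:00-18:00 in a non-UTC zone must be shifted accordingly. Second, logon hours are checked at authentication time; an already-established interactive session is not terminated when the window closes unless a separate policy ('Network security: Force logoff when logon hours expire', which only affects SMB server sessions) or an agent does it.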

Making legitimate users accountable for illegitimate actions

No set of security measures is 100% perfect and an incident can always happen. When one does, the session activity history of the Windows network must be collected and analysed.

This requires that all access events be recorded and that a comprehensive and detailed connection list (logon, lock, unlock and logoff events, with the user, domain and workstation involved in each) is always available to facilitate efficient forensic IT investigations.
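On a Windows host the events listed above are already in the Security log: 4624 (logon, with a LogonType field distinguishing interactive, RDP, network and unlock logons), 4634 and 4647 (logoff), 4800 (workstation locked) and 4801 (workstation unlocked). The PowerShell below is an added example, not IS Decisions' code: it reads those events, reconstructs per-user sessions by pairing each interactive logon with the logoff carrying the same logon ID, and flags the two policy violations discussed earlier, concurrent sessions on different computers and after-hours logons. The sample events embedded at the bottom are constructed for illustration; on a live system the same function is fed the output of Read-SecurityEvents. Events 4800/4801 are only written when the 'Audit Other Logon/Logoff Events' subcategory is enabled.

```powershell
# Added example (not IS Decisions' code): rebuild interactive session
# history from Windows Security events and flag concurrent and
# after-hours logons. Sample events below are constructed, not captured.

# Pull the fields this script needs out of live Security-log events.
# Field names (TargetUserName, TargetLogonId, ...) are those of the
# Windows Security event schema; 4800/4801 need the matching audit subcategory.
function Read-SecurityEvents {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4634, 4647, 4800, 4801; StartTime = $Since } |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Id        = $_.Id
                Computer  = $_.MachineName
                User      = $d['TargetUserName']
                Domain    = $d['TargetDomainName']
                LogonId   = $d['TargetLogonId']
                LogonType = if ($d['LogonType']) { [int]$d['LogonType'] } else { $null }
            }
        }
}

function Get-SessionTimeline {
    # Pairs each interactive (2) or RDP (10) logon with the first logoff
    # carrying the same TargetLogonId; type 7 (unlock) and 3 (network)
    # logons are deliberately ignored so they do not masquerade as sessions.
    param([object[]]$Events, [int]$StartHour = 8, [int]$EndHour = 18)
    $logons = $Events | Where-Object { $_.Id -eq 4624 -and $_.LogonType -in 2, 10 }
    $sessions = foreach ($l in $logons) {
        $end = $Events | Where-Object { $_.Id -in 4634, 4647 -and $_.LogonId -eq $l.LogonId -and $_.Time -ge $l.Time } |
               Sort-Object Time | Select-Object -First 1
        [pscustomobject]@{
            User       = "$($l.Domain)\$($l.User)"
            Computer   = $l.Computer
            Start      = $l.Time
            End        = if ($end) { $end.Time } else { $null }   # $null = still open
            Locks      = @($Events | Where-Object { $_.Id -eq 4800 -and $_.LogonId -eq $l.LogonId }).Count
            AfterHours = ($l.Time.Hour -lt $StartHour -or $l.Time.Hour -ge $EndHour)
        }
    }
    # Concurrent: the same account already holds an open session elsewhere
    # when this session starts (point 2 of the access-restriction list).
    foreach ($s in $sessions) {
        $overlap = $sessions | Where-Object {
            $_.User -eq $s.User -and $_.Computer -ne $s.Computer -and
            $_.Start -le $s.Start -and ($null -eq $_.End -or $_.End -gt $s.Start)
        }
        $s | Add-Member -NotePropertyName ConcurrentWith -NotePropertyValue (@($overlap.Computer | Sort-Object -Unique) -join ',')
    }
    $sessions | Sort-Object Start
}

# Constructed sample (hypothetical account CORP\jdoe): a normal day on
# WS-FIN-01 with a lunchtime lock/unlock, a second session opened on
# WS-HR-07 while the first is still live, and a late-night RDP logon.
$sample = @(
    [pscustomobject]@{ Time = [datetime]'2012-10-01 08:55'; Id = 4624; Computer = 'WS-FIN-01'; User = 'jdoe'; Domain = 'CORP'; LogonId = '0x3e7a1'; LogonType = 2 }
    [pscustomobject]@{ Time = [datetime]'2012-10-01 12:05'; Id = 4800; Computer = 'WS-FIN-01'; User = 'jdoe'; Domain = 'CORP'; LogonId = '0x3e7a1'; LogonType = $null }
    [pscustomobject]@{ Time = [datetime]'2012-10-01 12:50'; Id = 4801; Computer = 'WS-FIN-01'; User = 'jdoe'; Domain = 'CORP'; LogonId = '0x3e7a1'; LogonType = $null }
    [pscustomobject]@{ Time = [datetime]'2012-10-01 13:10'; Id = 4624; Computer = 'WS-HR-07';  User = 'jdoe'; Domain = 'CORP'; LogonId = '0x5b0c2'; LogonType = 2 }
    [pscustomobject]@{ Time = [datetime]'2012-10-01 17:30'; Id = 4647; Computer = 'WS-FIN-01'; User = 'jdoe'; Domain = 'CORP'; LogonId = '0x3e7a1'; LogonType = $null }
    [pscustomobject]@{ Time = [datetime]'2012-10-01 23:40'; Id = 4624; Computer = 'WS-FIN-02'; User = 'jdoe'; Domain = 'CORP'; LogonId = '0x7d410'; LogonType = 10 }
)

# Expected: WS-HR-07 session flagged ConcurrentWith WS-FIN-01; the 23:40
# WS-FIN-02 session flagged AfterHours and ConcurrentWith WS-HR-07 (never logged off).
Get-SessionTimeline -Events $sample | Format-Table User, Computer, Start, End, Locks, AfterHours, ConcurrentWith -AutoSize

# Live use: Get-SessionTimeline -Events (Read-SecurityEvents -Since (Get-Date).AddDays(-7))
```

Because logon IDs are only unique per machine and per boot, correlation across a whole network means gathering the Security logs of every workstation (via event forwarding or a SIEM) and keying on Computer together with LogonId; a domain controller's own log records authentications, not the lock, unlock and logoff activity that happens on the workstation.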

Organisations that have ensured that access to critical assets is attributed to individual employees are then able to enforce policies and procedures consistently to address violations that do occur.

  • François Amigorena is founder and CEO at IS Decisions a software vendor specializing in Security & Access Management for Microsoft Windows-based infrastructures.