9

Quick background: we are a smaller-sized team, meaning that we perform multi-function roles. Thus a developer is typically a DBA as well, and some developers do have domain admin access. As a rule our team does not use the admin accounts (there are no anonymous admin accounts; each administrator has a designated admin account) during normal operations, only when needed to make a change, perform maintenance, etc., and for off-site support we have two-factor authentication. Small companies where you have to be multi-talented, overworked and underpaid is what I am getting at :)

We recently went through an audit where there was a request for us to limit/disable the concurrent logins for admin accounts. The general idea is: how do we make it hard for a rogue admin to be malicious, and also how do we know that the logged in admin accounts are not compromised (hacker logged in with admin).

From my research, there is no way to limit the concurrent logins for an account on a Windows domain out of the box? Does it require third-party software?

S.L. Barth
Namphibian
  • Hi! Just a clarification - I assume this is about RDP logins by a single account to multiple machines at the same time? – Milen Jul 28 '15 at 11:56
  • No, this is really limiting the amount of concurrent logins. Essentially they have stated no concurrent logins for admin accounts. While the practical side of it is still up for debate, I wanted to check technical feasibility. – Namphibian Jul 28 '15 at 12:00
  • I think we're talking about the same thing, but using a different language. Let's first establish if we are talking about both remote desktop and local interactive logins? – Milen Jul 28 '15 at 12:02
  • @Milen I clarified this with the auditors (non-technical people) and they want me to disable concurrent logins for admin accounts, thus no more than one connection ever, regardless of type. I know this does not make sense at all, but I need to get back to them regarding feasibility. – Namphibian Jul 28 '15 at 21:09
  • 2
    It seems that the auditors must have a clue for how to do this, if they are suggesting impossible things then what is the value of their services? They might as well suggest having your datacentre guarded by unicorns. – Gaius Oct 29 '19 at 18:50
  • A slight aside but current thinking is that _no_ accounts should be permanently privileged and that admin should be granted [just in time](https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/privileged-identity-management-for-active-directory-domain-services) and for no longer than necessary. So I would skip over this suggestion and go straight to JIT and JEA. It’s a better way to reach your desired outcome than this idea about concurrency. – Gaius Oct 29 '19 at 18:55

2 Answers

3

So I don't think this is going to be 100% possible.

What you can do is limit your servers to a single RDP session: https://support.managed.com/kb/a1816/how-to-enable-disable-multiple-rdp-sessions-in-windows-2012.aspx

What you won't be able to prevent (I don't think) is someone using a console session at the same time (so MSTSC /admin) and the equivalent physical-access console session.

Patrick
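The single-RDP-session setting from the linked article can be checked and, where you decide to, enforced across a set of servers from one place. The PowerShell below is an added example, not code from the answer or from the linked article; it reads the local `fSingleSessionPerUser` value under the Terminal Server key (the value the "Restrict Remote Desktop Services users to a single Remote Desktop Services session" policy controls, 1 = single session) on each server and reports whether it is set. The server names are constructed, `$Enforce` is a switch introduced here, and the script assumes WinRM access to the servers. As the answer says, this only caps sessions per server and does not touch console or `/admin` sessions, so it is a per-host limit, not a domain-wide concurrency control.

```powershell
# Added example (not from the original answer). Checks whether each server
# restricts a user to one RDP session and optionally enforces it.
# Assumed: constructed server names; WinRM reachable; run as a local admin
# on the targets. A domain GPO for the same setting (written under the
# HKLM\SOFTWARE\Policies hive) overrides the local value read here.

$servers = @('SRV-APP01', 'SRV-DB01')   # constructed names, replace with your own
$Enforce = $false                        # $true writes the value instead of only reporting it

$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$valueName = 'fSingleSessionPerUser'

$results = Invoke-Command -ComputerName $servers -ArgumentList $regPath, $valueName, $Enforce -ScriptBlock {
    param($path, $name, $enforce)

    # Read the current value; $null means the value has never been set locally.
    $current = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name

    if ($enforce -and $current -ne 1) {
        # 1 = one RDP session per user on this host
        Set-ItemProperty -Path $path -Name $name -Value 1 -Type DWord
        $current = 1
    }

    [pscustomobject]@{
        Server        = $env:COMPUTERNAME
        SingleSession = ($current -eq 1)
        RawValue      = $current
    }
}

# One row per server; SingleSession = $false is a host to follow up on.
$results | Sort-Object Server | Format-Table Server, SingleSession, RawValue -AutoSize
```

Run it first with `$Enforce = $false` to get an inventory, and change the value through Group Policy rather than this script if the servers are already policy-managed, so the local write is not silently overridden at the next refresh.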
1

As far as my experience goes, this is not possible in a pure Windows environment.

You can work around this, however, by using a credential vault like Thycotic Secret Server or a competitor. Have all admin credentials inside the vault, with random passwords so the real person doesn't know the password and therefore has to use the credential vault to initiate the RDP session. Additionally, have the credential set to require "check out", so it can only be used once.

This gives you the benefit of having all your connection attempts audited (which IMHO is worth much more than a technical usage limit), and of having the password reset each time the credential is used.

This is still not "limiting concurrent logins" on a technical basis, but it should come pretty close in real life.

Robert R
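The audit trail this answer values is also what lets you answer the question's second concern, whether an admin account is being used from somewhere it should not be. The PowerShell below is an added example, not part of either answer or of any vault product; it pulls successful logon events (ID 4624) from the Security log of each listed server and reports admin accounts that logged on from more than one source address, or to more than one server, inside the window. The server names, the `*-adm` naming pattern for admin accounts and the one-hour window are constructed assumptions. Overlap in time is approximated by the window rather than by matching logoff events, so a hit is a lead to review against the vault's check-out records, not proof of a concurrent session.

```powershell
# Added example, not code from the original answers. Flags privileged accounts
# with logons from more than one source (or onto more than one server) within
# a window. Assumed/constructed: server names, the "*-adm" admin naming
# convention, the window length, and remote event-log read access.

$servers      = @('SRV-APP01', 'SRV-DB01')   # constructed names
$adminPattern = '*-adm'                       # constructed naming convention for admin accounts
$since        = (Get-Date).AddHours(-1)

$filter = @{ LogName = 'Security'; Id = 4624; StartTime = $since }

$logons = foreach ($srv in $servers) {
    Get-WinEvent -ComputerName $srv -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read the event's data fields by name from its XML rather than by position.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Server    = $srv
                User      = $d['TargetUserName']
                Domain    = $d['TargetDomainName']
                LogonType = [int]$d['LogonType']
                Source    = $d['IpAddress']
                Station   = $d['WorkstationName']
            }
        }
}

# Interactive (2) and RemoteInteractive/RDP (10) logons by admin accounts;
# add 3 (network) if share/WinRM use should count too. Machine accounts end in '$'.
$candidates = $logons | Where-Object {
    $_.User -like $adminPattern -and $_.User -notlike '*$' -and $_.LogonType -in 2, 10
}

$findings = $candidates | Group-Object User | ForEach-Object {
    $sources = @($_.Group | Select-Object -ExpandProperty Source -Unique | Where-Object { $_ -and $_ -ne '-' })
    $hosts   = @($_.Group | Select-Object -ExpandProperty Server -Unique)

    if ($sources.Count -gt 1 -or $hosts.Count -gt 1) {
        [pscustomobject]@{
            User      = $_.Name
            Sources   = ($sources -join ', ')
            Servers   = ($hosts -join ', ')
            Logons    = $_.Count
            FirstSeen = ($_.Group | Measure-Object Time -Minimum).Minimum
            LastSeen  = ($_.Group | Measure-Object Time -Maximum).Maximum
        }
    }
}

# Empty output means no admin account was seen from more than one place in the window.
$findings | Format-Table -AutoSize
```

If the servers forward their Security logs to a collector, point the loop at the collector's ForwardedEvents log instead of each host; the field parsing stays the same, and you avoid needing remote event-log rights on every server.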