Organizations deploying OS software often need a feature or tool that lets them define and enforce a limited number of concurrent logon sessions for a particular account. Often this is a must-have feature for highly privileged accounts such as the built-in Administrator account. Most organizations want to block concurrent Administrator logon sessions completely. If a user is logged on using the built-in Administrator account at multiple locations at the same time, he or she is much more likely to leave one of these sessions open—which creates security risks.
Limiting logon sessions for an account is supported natively in OSs such as Novell NetWare, but it's still missing from Windows. However, Microsoft does offer an add-on tool for Windows that you can use to limit concurrent Windows logon sessions. Let's look at how the LimitLogin tool operates and how to install and configure it to limit the number of Administrator logon sessions that are open at a given time.
Requirements and Components
LimitLogin is a revamped version of the Cconnect tool that Microsoft made available as part of the Microsoft Windows 2000 Server Resource Kit. Cconnect provides basic functionality to limit concurrent logon sessions in Windows 2000 and Windows NT 4.0 environments. LimitLogin provides better integration with Active Directory (AD) and AD administration tools. LimitLogin leverages AD for storing the connection-limit data; Cconnect requires a SQL Server database. Like Cconnect, LimitLogin can restrict only interactive and Windows Terminal Services logon sessions. Interactive logon sessions are sessions that users and administrators initiate from the console (by using Ctrl+Alt+Del or the Windows XP Welcome screen).
LimitLogin requires Windows Server 2003 AD and a Microsoft IIS 6.0 Web server that has ASP.NET support enabled. Both servers also must have .NET Framework 1.1 or later loaded.
LimitLogin runs on the following Windows client platforms: Windows 2003, XP Professional Service Pack 1 (SP1) and later, Win2K Professional SP4 and later, and Win2K Server SP4 and later. As is the case for other Windows add-on and resource kit tools, Microsoft Product Support Services (PSS) doesn't provide official support for LimitLogin. When using LimitLogin, you won't be able to trace logons on any workstations that aren't running one of the LimitLogin-supported OSs.
LimitLogin requires configuration changes and special components on the Windows clients, the IIS 6.0 Web server and the AD domain controllers (DCs). Most of these changes and components are created automatically when you install the Limit-Login software. The logon and logoff scripts that LimitLogin uses (llogin.vbs and llogoff.vbs) come with the software but must be copied manually to a share that all Windows clients can access. Also, the user logon/logoff script Group Policy Object (GPO) settings (located in the User Configuration/Windows Settings/Scripts (Logon/Logoff) GPO container) must be changed manually to reference these scripts. The scripts add the overhead of a normal logon script.
The client-side LimitLogin components consist of the Simple Object Access Protocol (SOAP) runtime and a set of LimitLogin-specific DLLs and executables. On the Web server, LimitLogin installs the LimitLogin Web service in the WSLimitLogin virtual directory. By default, WSLimitLogin is created in the Default Web site and the Web service can be accessed on port 80.
Even though the LimitLogin client doesn't submit user credentials to the Web service, Microsoft recommends that organizations with more stringent security requirements manually configure Secure Sockets Layer (SSL) for the WSLimitLogin virtual directory. LimitLogin doesn't automatically provide this SSL protection.
LimitLogin extends the AD schema and builds an application partition to host the LimitLogin configuration data—this is why LimitLogin requires Windows 2003 AD. Figure 1 shows the LimitLogin AD application partition as viewed from the Microsoft Management Console (MMC) ADSI Edit snap-in (which comes with the Windows Server 2003 Support Tools).
The AD application partition is named DC= limitlogin,dc=domainname,dc=domainname. The new object type LimitLogin uses to store a user's logon quota is called msLimitLoginUser. It has the following LimitLogin-specific attributes:
- msLimitLoginDenyLoginOnQuotaExceed—A user is enabled for LimitLogin if this attribute is set to true.
- msLimitLoginQuota—This attribute holds the LimitLogin logon quota.
- msLimitLoginInfo—This attribute holds the logons that are currently registered in AD. The data in this attribute is compared to the quota set in the previous attribute to decide whether a user can get another logon session.
- msLimitLoginUsername—This attribute holds the user's account name.
You configure the AD object and its attributes by using the LimitLogin extensions for the MMC Active Directory Users and Computers snap-in and the LimitLogin command line utilities, which I describe below.