The best administrators in the world and the best managers still need tools to help them do their jobs and to enforce policies. My policy is to deny access to bad sites as best I can instead of allowing it and then terminating someone for breaking the rules by going somewhere they shouldn't have but were given the ability to. Warehouses don't set speed limits for forklifts and enforce them with radar guns; they put speed limiters on the forklifts that prevent speeding in the first place.

Windows domain controllers have policies that can prevent users from logging on to more than one computer at a time by choosing which machines users can log on to. Building on that, there should be a way to set ISA to ONLY use the machine's logged-in credentials, instead of trying them first as it does now and then popping up an authentication screen when the machine's user account failed to get access to the site. The bad thing about this possible solution is that companies that use thin clients and terminal services have many users logging in to the same machine (server) at the same time, so a terminal-services-client-aware solution would need to be developed.

It can be hard to fire someone for sharing an account/password when they can claim someone saw them log on, or that someone could have used an external key logger device without their knowledge. And if there is more than one person working at a time, then it would be hard to prove which person was the one using the shared/stolen password. I guess you could make passwords expire every day, but that would be a nightmare too.

If you put up a "bridge out" sign on the road, but the bridge is still there, drivers will soon find out and ignore the sign. If you tear down the bridge, they will turn around and go the other way.

My main point is this: Windows domains and ISA both know what machine the request is coming from. They both also know what user credentials are being used. Why can't something be written to take advantage of what is already known and control access to resources the way an administrator wishes? To make Jim happy, maybe it could also automatically email the logged-in user a notice to change their password and/or an employment termination warning too.

I'm not versed in scripting like Jim, but the best programming I ever did in the Air Force, using BASIC of all things, was when other computer guys told me it couldn't be done. I bet it can be accomplished in a script, or at least a patch, fix, feature enhancement, etc.

Jeff

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Wednesday, July 14, 2004 8:50 AM
To: ISALists
Subject: [isalist] Stupid users and weak policies

http://www.ISAserver.org

This isn't a problem for ISA; it's one for your company (school, hacker club, etc.). Your management needs to define and enforce a company security policy that creates new job openings when it's known that users are sharing passwords.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!

On Wed, 14 Jul 2004 11:59:29 +0500 <a_sidiqi@xxxxxxxxxx> wrote:

Hi Jim,

I am Anwar. I posted my query but didn't get any reply. What I need to know is whether it is possible to limit the session through ISA to one session only per user. Meaning that if a person has been authenticated by ISA server from one PC, the same user cannot be authenticated from some other PC at the same time. Actually we have given internet access to a limited # of staff. But some of the staff have given away their passwords to those who do not have access to the internet, and they connect using the authorized user's password. My manager needs to restrict the staff to a single session only. Please help me out.

Anwar Ahmed Siddiqui
Assistant Systems Officer
Information Technology Department
Pakistan Petroleum Limited
Tel: 111568568, Ext: 569
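The thread asks for a way to stop one account from being used from two PCs at once. ISA cannot enforce that on its own, but, as Jeff notes, the proxy already records both the client address and the authenticated user, so a shared password shows up in the log as one account coming from several client IPs within minutes of each other. The script below is an added example, not code from the list, from ISA Server or from any poster. It reads a constructed log sample in the W3C extended format ISA can write (the parser takes the column order from the #Fields line, so only the c-ip, cs-username, sc-authenticated, date and time fields need to exist; it assumes field values contain no spaces) and reports every account seen authenticated from two different addresses inside a configurable window.

```python
"""Detect one proxy account being used from several client addresses at
nearly the same time (added example; log data below is constructed)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log. Only the fields the check needs are included;
# a real ISA W3C log has many more columns, which is why the parser reads
# the #Fields directive instead of assuming positions.
SAMPLE_LOG = """\
#Software: Microsoft(R) Internet Security and Acceleration Server
#Version: 1.0
#Fields: c-ip cs-username sc-authenticated date time cs-uri sc-status
10.1.2.11 CORP\\asiddiqui Y 2004-07-14 08:01:10 http://example.com/ 200
10.1.2.11 CORP\\asiddiqui Y 2004-07-14 08:03:42 http://example.com/news 200
10.1.2.57 CORP\\asiddiqui Y 2004-07-14 08:04:05 http://example.net/ 200
10.1.2.80 CORP\\jdoe Y 2004-07-14 08:05:00 http://example.org/ 200
10.1.2.80 anonymous N 2004-07-14 08:05:01 http://example.org/ 407
10.1.2.99 CORP\\jdoe Y 2004-07-14 17:30:00 http://example.org/ 200
"""


def parse_w3c(text):
    """Turn W3C extended log text into a list of {field: value} dicts."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]       # column names follow the directive
            continue
        if line.startswith("#"):
            continue                        # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("data line appears before the #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue                        # skip a malformed line rather than misalign columns
        rows.append(dict(zip(fields, values)))
    return rows


def concurrent_use(rows, window_seconds=600):
    """Return {user: [(earlier_ip, later_ip, seconds_apart), ...]} for every
    pair of authenticated requests by the same account from different client
    addresses that fall within window_seconds of each other."""
    by_user = defaultdict(list)
    for r in rows:
        if r.get("sc-authenticated") != "Y":
            continue                        # unauthenticated/407 rows carry no identity
        ts = datetime.strptime(r["date"] + " " + r["time"], "%Y-%m-%d %H:%M:%S")
        by_user[r["cs-username"]].append((ts, r["c-ip"]))

    findings = {}
    for user, events in by_user.items():
        events.sort()                       # chronological order per account
        last_seen = {}                      # client ip -> most recent timestamp
        hits = []
        for ts, ip in events:
            for other_ip, other_ts in last_seen.items():
                gap = (ts - other_ts).total_seconds()
                if other_ip != ip and gap <= window_seconds:
                    hits.append((other_ip, ip, int(gap)))
            last_seen[ip] = ts
        if hits:
            findings[user] = hits
    return findings


if __name__ == "__main__":
    for user, hits in concurrent_use(parse_w3c(SAMPLE_LOG)).items():
        for earlier_ip, later_ip, secs in hits:
            print(f"{user}: seen from {earlier_ip} and {later_ip} {secs}s apart")
```

Run against the sample, only CORP\asiddiqui is reported: two workstations used the account 23 seconds apart, while CORP\jdoe's two addresses are hours apart and pass. Note the terminal-services caveat Jeff raises: a terminal server appears as a single c-ip shared by many accounts, which this check does not flag, but a user who legitimately works from both a terminal session and a desktop in the same ten minutes will be reported and needs an exception. The detection is after the fact, so it supports the management action Jim describes rather than blocking the second session.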