Also, just as important: Ctrl+Alt+Del and then Lock Workstation when not using it. Or, set up a policy to automatically lock the workstation after 10-15 minutes of inactivity, so someone doesn't use your terminal to send the boss a message.

Joseph

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Wednesday, July 14, 2004 8:55 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Stupid users and weak policies

http://www.ISAserver.org

Hey guys,

This is why two-factor authentication is so important -- so that users can't say "he told me" or "he looked at my monitor".

HTH,
Tom
www.isaserver.org/shinder
Get the book! Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Wednesday, July 14, 2004 10:42 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Stupid users and weak policies

http://www.ISAserver.org

While ISA scripting is extremely powerful, it's not the answer here. Overgeneralizing the question doesn't help, either. There is a distinct difference between a common password for "group resources" and users sharing their passwords so that they can circumvent existing policies.

There is NO WAY for ISA to know that multiple "sessions" from multiple computers represent a security violation. This is defined by the ISA admin and whatever policies they do or don't have / enforce.

Since "sessions" are seen in two places, the problem is (at least) two-fold:

- Firewall sessions - this requires a change to ISA core functionality, since there is no common "thread" between application filters
- Web Proxy sessions - direct web proxy sessions (CERN proxy requests to the Outgoing Web Requests listener) can compare credentials with client IP, but this goes to hell when the session comes from the HTTP Redirector. Those always come from 127.0.0.1.

Before you try to decide what's "easily coded" for ISA, you have to define the problem, product capabilities and the focus of the "answer". Clearly, what fits in your warehouse is unlikely to work in Anwar's site.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://www.microsoft.com/isaserver
http://isaserver.org/Jim_Harrison
http://isatools.org
Read the help, books and articles!

----- Original Message -----
From: "Jeff Sloan" <jsloan@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, July 14, 2004 08:25
Subject: [isalist] RE: Stupid users and weak policies

http://www.ISAserver.org

The best administrators in the world and the best managers still need tools to help them do their jobs and to enforce policies. My policy is to deny access to bad sites as best I can instead of allowing it and then terminating someone for breaking the rules by going somewhere they shouldn't have but were given the ability to. Warehouses don't have speed limits for forklifts and enforce them by using radar guns; they put speed limiters on the forklifts that prevent speeding in the first place.

Windows domain controllers have policies that can prevent users from logging on to more than one computer at a time by choosing which machines users can log on to. Building on that, there should be a way to set ISA to ONLY use the machine's logged-in credentials, instead of trying them first as it does, and then popping up an authentication screen when the machine's user account failed to get access to the site. The bad thing about this possible solution is that companies that use thin clients and Terminal Services have many users logging in to the same machine (server) at the same time, so a Terminal Services client-aware solution would need to be developed.

It can be hard to fire someone for sharing an account/password when they can claim someone saw them log on, or someone could have used an external keylogger device without their knowledge. And if there is more than one person working at a time, then it would be hard to prove which person was the one using the shared/stolen password. I guess you could make passwords expire every day, but that would be a nightmare too.

If you put up a "bridge out" sign on the road, but the bridge is still there, drivers will soon find out and ignore the sign. If you tear down the bridge, they will turn around and go the other way.

My main point is this: Windows domains and ISA both know what machine the request is coming from. They both also know what user credentials are being used. Why can't something be written to take advantage of what is already known and control access to resources the way an administrator wishes? To make Jim happy, maybe it could also automatically email the logged-in user a notice to change their password and/or an employment termination warning too.

I'm not versed in scripting like Jim, but the best programming I ever did in the Air Force, using BASIC of all things, was when other computer guys told me it couldn't be done. I bet it can be accomplished in a script or at least a patch, fix, feature enhancement, etc.

Jeff

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Wednesday, July 14, 2004 8:50 AM
To: ISALists
Subject: [isalist] Stupid users and weak policies

http://www.ISAserver.org

This isn't a problem for ISA; it's one for your company (school, hacker club, etc.). Your management needs to define and enforce a company security policy that creates new job openings when it's known that users are sharing passwords.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!

On Wed, 14 Jul 2004 11:59:29 +0500 <a_sidiqi@xxxxxxxxxx> wrote:

http://www.ISAserver.org

Hi Jim

I am Anwar, I posted my query but didn't get any reply. What I need to know is: is it possible that we can limit the session through ISA to one session only per user?
Meaning that if a person has been authenticated by ISA Server from one PC, the same cannot be authenticated from some other PC at the same time. Actually, we have given internet access to a limited # of staff. But some of the staff have given away their passwords to those who do not have access to the internet, and they connect using the authorized user's password. My manager needs to restrict the staff to a single session only.

Please help me out

Anwar Ahmed Siddiqui
Assistant Systems Officer
Information Technology Department
Pakistan Petroleum Limited
Tel: 111568568, Ext: 569

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
------------------------------------------------------
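The thread concludes that ISA cannot enforce a one-session-per-user rule, but Jim's note that direct Web Proxy sessions can compare credentials against the client IP, with the caveat that HTTP Redirector traffic always appears from 127.0.0.1, describes a detection that can run over the proxy logs after the fact. The script below is an added example, not code from the thread or from ISA Server; the log lines are constructed and use a simplified W3C-style field layout (date, time, client IP, username, URI), which is an assumption rather than ISA's exact log schema. It flags any account that authenticated from more than one distinct client IP inside a time window, and counts 127.0.0.1 requests separately because they cannot be attributed to a workstation.

```python
"""Flag accounts authenticating from several client IPs inside a time window.

Added example for the ISA password-sharing thread. SAMPLE_LOG is constructed
and its field layout is assumed (not ISA Server's real W3C schema).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Per the thread, requests relayed by the HTTP Redirector show this source IP,
# so they cannot be tied to a specific workstation and are counted separately.
REDIRECTOR_IP = "127.0.0.1"

# Constructed sample data: PPL\anwar appears from two PCs within two minutes.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-uri
2004-07-14 08:01:12 10.1.1.20 PPL\\anwar http://www.isaserver.org/
2004-07-14 08:02:40 10.1.1.20 PPL\\anwar http://www.microsoft.com/isaserver
2004-07-14 08:03:05 10.1.1.57 PPL\\anwar http://www.google.com/
2004-07-14 08:04:11 10.1.1.33 PPL\\jsloan http://www.msexchange.org/
2004-07-14 08:05:00 127.0.0.1 PPL\\jsloan http://www.windowsecurity.com/
2004-07-14 08:06:30 10.1.1.33 anonymous http://www.ntfaxfaq.com/
2004-07-14 09:30:00 10.1.1.91 PPL\\jsloan http://www.secinf.net/
"""


def parse_log(text):
    """Return (timestamp, client_ip, username) tuples, skipping directive lines."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        date, time, ip, user, _uri = line.split(None, 4)
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        records.append((ts, ip, user))
    return records


def find_shared_accounts(records, window=timedelta(minutes=15),
                         skip_users=("anonymous", "-")):
    """Return (findings, unattributable).

    findings: {user: sorted list of distinct client IPs seen within `window`}
    unattributable: {user: count of requests from REDIRECTOR_IP}, which the
    IP comparison cannot use and which a reviewer must check another way.
    """
    by_user = defaultdict(list)
    unattributable = defaultdict(int)
    for ts, ip, user in records:
        if user in skip_users:          # unauthenticated requests prove nothing
            continue
        if ip == REDIRECTOR_IP:         # redirector traffic: no workstation identity
            unattributable[user] += 1
            continue
        by_user[user].append((ts, ip))

    findings = {}
    for user, events in by_user.items():
        events.sort()
        for i, (ts, ip) in enumerate(events):
            ips = {ip}
            for later_ts, later_ip in events[i + 1:]:
                if later_ts - ts > window:   # events are sorted; stop at window edge
                    break
                ips.add(later_ip)
            if len(ips) > 1:
                findings[user] = sorted(ips)
                break
    return findings, dict(unattributable)


if __name__ == "__main__":
    found, unknown = find_shared_accounts(parse_log(SAMPLE_LOG))
    for user, ips in found.items():
        print(f"{user}: same account from {', '.join(ips)} within 15 minutes")
    for user, count in unknown.items():
        print(f"{user}: {count} request(s) via {REDIRECTOR_IP}, workstation unknown")
```

With the constructed sample, PPL\anwar is flagged (10.1.1.20 and 10.1.1.57 within two minutes), while PPL\jsloan is not: the two attributable requests are an hour and a half apart, and the 127.0.0.1 request is reported as unattributable rather than treated as a second workstation. Terminal Services farms, where many users legitimately share one server IP, would need the reverse tolerance (one IP, many users), which this check does not penalize.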