Local Session Authentication Cache


chuck.meredith

Hi,
Here's my puzzle:
I have a secure, hidden server separated from our AD domain in a
workgroup. Select domain users need to access hidden shares on this
server via statically mapped drives and local (non-domain) accounts.
When they connect, they are forced to authenticate. But, once
authenticated, the session is cached until the user either logs off or
shuts down. The problem is a security concern because the mapped
connection is left wide open without any timeouts. If the PC is left
unlocked by the user, a malicious or curious user could hit the mapped
drive without a challenge. I would like to prevent this.

I'm looking to enable an idle session timeout, disconnecting the user
after a period of inactivity.

I've already tried editing the local user account\sessions settings but
although it did disconnect the drive, the credentials were still cached
(no challenge.)

Thanks in advance!
Chuck M.
 
Probably the best approach would be to configure the user's computer so that
their desktop locks after a period of inactivity. A malicious user can do
much more than just access shares. You can use Group Policy to configure it if
you want to, though make sure that the user's computer is configured to use a
screen saver instead of "none", which you also can do via Group Policy. Look
under user configuration/administrative templates/control panel/display for
the options to enforce that the computer locks after a period of inactivity.
You also have a training issue with users that walk away from their
computers without logging off or locking the desktop. Also note that hidden
shares are not hidden from command line tools - only My Network Places. ---
Steve
 
Hi Steve,
Our users have been instructed to lock their PCs when they are
unattended and we do have the locked screensavers enabled. But as an
added layer of security, I wanted to be able to disconnect the session
and force them to authenticate when they access the share again. We
have auditing turned up on those particular shares, so we want to log
all session attempts.

And I know that the share and server are visible through the CL, but
unless someone is using a ping sweep on our network or other
enumeration tool, no one will know it's out there (another layer of
security.) Also, being separate from the domain (in a Workgroup) means
that any and all domain accounts do not apply. So an intruder would 1)
have to get access to the network, 2) enumerate and 'find' this
particular server, 3) try to brute force it, and 4) have to avoid being
detected by the IDS and audit logs.

I'm not trying to be overly confident; I'm really interested in anyone
that could see potential problems with this setup. The goal is to have
the shares as secure as possible (even from domain/enterprise admins).

I appreciate your reply Steve and welcome any other insight you might
have.
Regards,
Chuck
 
There is certainly nothing wrong with defense in depth. Since you enforce
that the screen saver is locked after a period of inactivity you already
have a mechanism in place to prevent access to the share from unauthorized
users, and maybe you need to tweak those settings to use less idle time
before locking the desktop, though I can imagine that users will resist that.
Having said that, and to answer your direct question, I don't know of a way to
do what you want. What you might try is to create a Scheduled Task on the
user's computer that is activated after a period of idle time to run a batch
file that uses something like the net use * /delete command to disconnect
all sessions or you can configure it to delete a specific session to see if
that does what you want or not. Schtasks can create Scheduled Tasks via the
command line. Also keep in mind that XP users may be using "stored
credentials" to access the shares that can make the connection seamless
which can be disabled via Group Policy.

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/schtasks.mspx
--- schtasks.

http://www.microsoft.com/resources/...Windows/XP/all/reskit/en-us/prdp_log_vkxx.asp
--- stored credentials
 
My thoughts are that this needs a small program which runs as a background
process, to monitor the share. Perhaps every 15min it would then send a
disconnect command if there had been no activity on it.

In fact, a periodic NET USE <share> /d command should work OK, as this will
refuse anyway if there are files still open on the share.
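The two suggestions above (an idle-triggered Scheduled Task that runs `net use /delete`, and a periodic `NET USE <share> /d`) can be combined into one small batch file plus one `schtasks` command. The following is an added example, not code from any poster in this thread. The server name `HIDDENSRV`, the share `data$`, the drive letter `Z:` and the script path are placeholders. It assumes `schtasks` with the `/sc ONIDLE /i <minutes>` schedule as documented in the linked XP reference, and that `cmdkey` is available on the client (it ships with Windows Server 2003 and Vista and later, not with a stock XP install) for clearing a stored credential, which is the usual reason a reconnect comes back without a challenge.

```batch
@echo off
rem disconnect_hidden.cmd (hypothetical name) - drop the mapping to the
rem hidden workgroup server so the next access has to re-authenticate.
rem Placeholders: HIDDENSRV, data$, Z: - replace with your own values.

set "HIDDEN_SERVER=HIDDENSRV"
set "HIDDEN_DRIVE=Z:"

rem 1) Disconnect the statically mapped drive. /y answers the "open files"
rem    prompt; without it net use refuses to drop a connection with open
rem    handles, which is the behaviour the last post relies on. Remove /y
rem    if you prefer the disconnect to be skipped while files are in use.
net use %HIDDEN_DRIVE% /delete /y >nul 2>&1

rem 2) Also drop any non-drive connection to the same server (for example
rem    IPC$), otherwise the SMB session can survive the drive deletion.
net use \\%HIDDEN_SERVER%\IPC$ /delete /y >nul 2>&1

rem 3) Clear a stored credential for the server, if one exists. Stored
rem    credentials are what make the reconnect seamless (no challenge).
rem    cmdkey is an assumption for this client OS; on XP manage stored
rem    credentials through Group Policy as the earlier reply describes.
cmdkey /delete:%HIDDEN_SERVER% >nul 2>&1

rem 4) Verify: no line for the server should remain in the connection list.
net use | findstr /i "\\\\%HIDDEN_SERVER%\\" >nul
if errorlevel 1 (
    echo %DATE% %TIME% disconnected from %HIDDEN_SERVER%>>"%TEMP%\disconnect_hidden.log"
) else (
    echo %DATE% %TIME% WARNING: connection to %HIDDEN_SERVER% still present>>"%TEMP%\disconnect_hidden.log"
)
exit /b 0

rem ---------------------------------------------------------------------
rem One-time setup, run once per client from an elevated prompt
rem (not part of the script body above). Creates a task that fires after
rem 15 minutes of user idle time and runs the script in the user's context:
rem
rem   schtasks /create /tn "Disconnect hidden share on idle" ^
rem       /tr "%SystemRoot%\disconnect_hidden.cmd" /sc ONIDLE /i 15
rem
rem Check it with:  schtasks /query /tn "Disconnect hidden share on idle"
rem ---------------------------------------------------------------------
```

Two things to confirm on a test client before rolling this out: after the task has fired, `net use` should list no connection to the server, and opening the mapped path again should produce a credential prompt; and the server-side audit log for the share should show a fresh logon event for that reconnect, which is the evidence the thread starter wants to capture.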
 