[Dshield] Force Remote Windows User Lock-Out/Disable

Stasiniewicz, Adam stasinia at msoe.edu
Tue Feb 19 03:54:02 GMT 2008


Have you tried setting logon hours on the AD account (set on the "Account"
tab)?  If you combine setting logon hours with setting the "Network
security: Force logoff when logon hours expire" policy in the Default Domain
Policy, then once someone's logon hours expire they will be forcefully logged
off and unable to log in/authenticate until the logon hours setting says they
can.

Hope that helps,
Adam Stasiniewicz

-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of BGaudreault Brian
Sent: Friday, February 15, 2008 4:54 PM
To: list at lists.dshield.org
Subject: [Dshield] Force Remote Windows User Lock-Out/Disable

Hello,

Not sure if this question is appropriate for this group (the group says
it's good for IT Security discussions).

I'm trying to determine the best way to force a remote Windows user to
be locked out/disabled from their computer at a specific time.

Ideally the technique should work when they aren't connected to the
corporate network and it would have the immediate effect of preventing
the person from interacting with a logged-in session.  The computer does
not need to be turned off or rebooted, but the person should not be able
to log on again using a local account or cached account.  Any
suggestions?  I'd even take suggestions on special agents that require
you to be connected to the corporate network.

BTW, my best scenario so far is to schedule a registry change at the
time we need to lock out the cached user account on the computer.  But
for the registry value to take effect, you have to reboot the computer,
and the user could still log into a local user account if they had
one.  The registry value is HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\CachedLogonsCount (REG_SZ); set it to '0'.
We would of course then change their domain account password and/or
disable their account in case they tried to reconnect to the domain.

Brian
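The two techniques discussed in this thread, as an added PowerShell example (not code from either poster): Adam's logon-hours approach on the domain side, and Brian's CachedLogonsCount change on the endpoint. The logonHours attribute is a 21-byte octet string holding one bit per hour of the week, stored in UTC starting from Sunday 00:00 UTC, so the helper converts a local working window into that layout. The account name, the -6 UTC offset, and the function names are placeholders chosen for this example; Set-ADUser needs the ActiveDirectory (RSAT) module and domain admin rights.

```powershell
# Added example, not from the thread. Assumptions: ActiveDirectory module available,
# run as a domain admin; 'jdoe' and the -6 UTC offset are placeholders.

# logonHours: 21 bytes = 168 bits, one per hour of the week, in UTC.
# Bit index = dayUtc*24 + hourUtc, Sunday = 0; bit 0 is the LSB of byte 0.
function New-LogonHoursMask {
    param(
        [int[]]$Days = 1..5,      # local weekdays, 0 = Sunday .. 6 = Saturday
        [int]$StartHour = 8,      # first permitted local hour (inclusive)
        [int]$EndHour = 18,       # first local hour no longer permitted (exclusive)
        [int]$UtcOffsetHours = 0  # local time = UTC + offset, e.g. -6 for US Central Standard Time
    )
    $mask = New-Object byte[] 21
    foreach ($day in $Days) {
        for ($h = $StartHour; $h -lt $EndHour; $h++) {
            # Convert local day/hour to a UTC hour index 0..167, wrapping at the week boundary
            $index = (($day * 24 + $h - $UtcOffsetHours) % 168 + 168) % 168
            $byteIndex = [int][math]::Floor($index / 8)
            $mask[$byteIndex] = [byte]($mask[$byteIndex] -bor (1 -shl ($index % 8)))
        }
    }
    return ,$mask
}

# Check whether the mask permits a given UTC day/hour; useful before applying it,
# because ADUC displays logon hours in the admin's local time zone, not UTC.
function Test-LogonHourAllowed {
    param([byte[]]$Mask, [int]$DayUtc, [int]$HourUtc)
    $index = $DayUtc * 24 + $HourUtc
    return (($Mask[[int][math]::Floor($index / 8)] -shr ($index % 8)) -band 1) -eq 1
}

# Apply the mask. The DC then rejects logons outside the window; with "Network
# security: Force logoff when logon hours expire" set in the Default Domain Policy,
# sessions that are still open when the window closes are ended as well.
function Set-UserLogonWindow {
    param([string]$SamAccountName, [byte[]]$Mask)
    Import-Module ActiveDirectory
    Set-ADUser -Identity $SamAccountName -Replace @{ logonHours = $Mask }
}

# Endpoint side: the registry change from Brian's question. REG_SZ '0' stops Windows
# from caching domain credentials; as he notes, it needs a reboot to take effect and
# does nothing about local accounts, so the domain account should also be disabled.
function Disable-CachedDomainLogons {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    Set-ItemProperty -Path $key -Name 'CachedLogonsCount' -Value '0' -Type String
}

# Usage: Monday to Friday, 08:00-18:00 local, for a site at UTC-6.
$mask = New-LogonHoursMask -Days (1..5) -StartHour 8 -EndHour 18 -UtcOffsetHours -6
Test-LogonHourAllowed -Mask $mask -DayUtc 1 -HourUtc 14   # Monday 08:00 local as UTC
Test-LogonHourAllowed -Mask $mask -DayUtc 1 -HourUtc 13   # Monday 07:00 local as UTC
# Set-UserLogonWindow -SamAccountName 'jdoe' -Mask $mask
# net accounts /domain   # lists "Force user logoff how long after time expires?"
```

Verify the forced-logoff policy is actually in effect before relying on it: `net accounts /domain` reports it as "Force user logoff how long after time expires?", and a value of "Never" means expired logon hours only block new logons, leaving the existing session alone.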