Should I log off or disconnect remote desktop?
Hi, during my work I often find servers where technical staff that I work with have left their login sessions. I don't know what they are doing, i.e. just disconnecting or locking it and disconnecting or what. The ones that I log back into the session and check, there are invariably loads of open programs, windows and command prompts that they have obviously finished with (some have been sitting there for weeks or months) but have just left, this annoys the hell out of me. I'm sending an email round to everyone asking them to please log out when they are done but I would like to quote good reasons for staying logged out of servers. We are mainly talking about Windows Server 2008 and 2012 here, physical and virtual. I know MS advise to always stay logged out of Hyper-V hosts, which isn't generally a problem as once they are set up technical staff don't usually remote on to them but I would appreciate some advice on why it's best to stay logged out of servers generally. Thanks.
15 Replies· · ·
Jalapeno
OP
Blizz127
Sep 26, 2013 at 13:58 UTC
Security and resource availability are a couple of important ones.
10
· · ·
Jalapeno
OP
P.Chin
Sep 26, 2013 at 14:01 UTC
Sharing admin accounts??? awesome way to keep accountability... You now know who did what when shit happens.
5
· · ·
Thai Pepper
OP
lmaslany
What if there is a power failure? If they have unsaved work open it would be lost. Better that they log out to avoid the possibility.
2
· · ·
Mace
OP
Rockn
And why are they using their personal accounts to log into the servers? Create a generic service account for the admin staff with permissions needed to perform their duties. Leaving sessions open can cause unforeseen issues, lock files, it is not a secure way to leave a server. Unless they have a really good reason to be logging in there really is no reason to do it. Most generic management tasks can be performed via an MMC from their workstation.
1
· · ·
Sonora
OP
ShaggyMarrs
Sep 26, 2013 at 14:34 UTC
1st Post
Solutions@Work is an IT service provider. The couple other admins and I here all have our own admin logins and we RDP into the servers a great deal. If there are 2 accounts already logged in, nobody else can get in. Always log off.
2
· · ·
Poblano
OP
FrankP
Sep 26, 2013 at 14:41 UTC
Create a TS policy that limits disconnected sessions to X hours, where X is something reasonable to allow for long-running tasks, etc. Tell everyone that if they do not log out, they will lose all unsaved work.
5
· · ·
Thai Pepper
OP
lmaslany
@ShaggyMarrs: Connect using the -admin switch... That'll teach 'em! :)
0
· · ·
Habanero
OP
Matt_P
Sep 26, 2013 at 15:46 UTC
Because servers are not to be treated like a community coffee pot!
0
· · ·
Cayenne
OP
Best Answer
TXOgre
Sep 26, 2013 at 16:05 UTC
Just set a policy to log off disconnected remote sessions after X minutes. Problem solved. There are some security concerns if they have any open sessions to other network or internet servers. Applications and user run services can have memory leaks and otherwise tie up resources (especially mmc snap-ins).
Those two are good enough reasons. Like I said, though, just make a GPO and be done with it.
2
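
An added example (not part of TXOgre's post or any other reply in this thread): before enforcing the disconnected-session time limit suggested above, this PowerShell parses `quser` output to list disconnected sessions that have been idle longer than a threshold. The function names `ConvertTo-IdleMinutes` and `Get-StaleSession`, the user names and the sample output are constructed for illustration, and the parser assumes the English column layout of `quser`.

```powershell
# Added example. Function names and the sample quser text are constructed.
function ConvertTo-IdleMinutes {
    param([string]$Idle)
    # quser prints idle time as '.', 'none', 'M', 'H:MM' or 'D+HH:MM'
    if (@('.', 'none') -contains $Idle) { return 0 }
    $days = 0
    if ($Idle -match '^(\d+)\+(.+)$') { $days = [int]$Matches[1]; $Idle = $Matches[2] }
    if ($Idle -match '^(\d+):(\d+)$') {
        return $days * 1440 + [int]$Matches[1] * 60 + [int]$Matches[2]
    }
    return $days * 1440 + [int]$Idle
}

function Get-StaleSession {
    param([string[]]$QuserLines, [int]$MaxIdleMinutes = 120)
    # SESSIONNAME is blank for disconnected sessions, so that column is optional.
    $pattern = '^[ >]?(?<user>\S+)\s+(?:(?<session>\S+)\s+)?(?<id>\d+)\s+' +
               '(?<state>\S+)\s+(?<idle>\S+)\s+(?<logon>.+)$'
    foreach ($line in $QuserLines) {
        if ($line -notmatch $pattern) { continue }   # header and blank lines
        # Copy the captures before calling a function that also uses -match.
        $user, $id, $state = $Matches['user'], $Matches['id'], $Matches['state']
        $idleText, $logon = $Matches['idle'], $Matches['logon'].Trim()
        $idle = ConvertTo-IdleMinutes $idleText
        if ($state -eq 'Disc' -and $idle -ge $MaxIdleMinutes) {
            New-Object PSObject -Property @{
                User = $user; Id = [int]$id; IdleMinutes = $idle; Logon = $logon
            }
        }
    }
}

# Constructed sample; on a server use:  $lines = quser 2>$null
$lines = @'
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
>administrator         rdp-tcp#2           2  Active          .  9/26/2013 1:40 PM
 jsmith                                    3  Disc      21+04:12  9/5/2013 9:02 AM
 svc_backup                                4  Disc         1:35  9/26/2013 12:01 PM
 mjones                                    5  Disc           45  9/26/2013 3:10 PM
'@ -split "`r?`n"

# Report disconnected sessions idle for two hours or more.
Get-StaleSession -QuserLines $lines -MaxIdleMinutes 120 |
    Format-Table User, Id, IdleMinutes, Logon -AutoSize
```

The output is a report only; ending a listed session with `logoff.exe` and its session ID discards whatever unsaved work is open in it.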
· · ·
Mace
OP
Bryce Katz
Did you really just suggest that everyone use the same account? This is absolutely the wrong thing to do. Say Buh-bye to any hope of an audit trail or use accountability. Best practice says IT staff should have a standard-level account for their daily activities and a separate, unique admin-level account for admin tasks.
2
· · ·
Cayenne
OP
Bret Owen
Sep 27, 2013 at 15:03 UTC
You can use a scheduled task to run logoff.exe after X minutes of idle. This works regardless if they logged onto the local console or via RDP. Or you can provide slightly more delay/warning this is about to happen, as well as a reason code, if you use psshutdown.
If you want to call somebody out on it, why not run a .bat with a command-line email that will send you...
0
· · ·
Chipotle
OP
PPC
Sep 27, 2013 at 16:59 UTC
Blizz183, can you elaborate please? We don't generally share accounts, there are some generic service accounts for certain purposes where I find this, I also see their personal accounts still logged in when I query sessions. Anyway, got a lot of responses suggesting ways to stop this, issues around accountability, etc, don't know if my question wasn't clear but I'm not really looking for that, I'm looking for reasons why people shouldn't stay logged in (to servers, I don't care what they do to their machines). I do appreciate the advice on preventing this and I have and will follow it but I want to be able to explain to people, who clearly disregard the importance of logging off, good reasons why they should be logging off that will hopefully help them learn and build good habits for the future.
0
· · ·
Serrano
OP
Aryeh (ESET)
Sep 27, 2013 at 17:36 UTC
Brand Representative for ESET
Hello,
0
· · ·
Cayenne
OP
TXOgre
Sep 27, 2013 at 17:39 UTC
I'm not sure these apply to what he's talking about. I was under the impression that he was talking about disconnected sessions that were left logged in.
0
· · ·
Chipotle
OP
Robert4788
Nice sales pitch Aryeh, however bottom line if you can't figure out a reason for the PCs to stay logged on then log them off and set a pol of after 2 hours machine will disconnect and log out. If pol has to be used too many times their account will be locked out and they will need to see you for their new password "ImUsTrEMbErToLoGoUtwHeNIGoHoMeEvErYnIGhT!"
One or two of those and you should have them remembering....
0