Hi,
During my work I often find servers where the technical staff I work with have left their login sessions. I don't know what they are doing, i.e. just disconnecting, or locking it and disconnecting, or what. In the ones I log back into and check, there are invariably loads of open programs, windows and command prompts that they have obviously finished with (some have been sitting there for weeks or months) but have just left. This annoys the hell out of me.
I'm sending an email round to everyone asking them to please log out when they are done, but I would like to quote good reasons for staying logged out of servers. We are mainly talking about Windows Server 2008 and 2012 here, physical and virtual. I know MS advise always staying logged out of Hyper-V hosts, which isn't generally a problem, as once they are set up technical staff don't usually remote on to them, but I would appreciate some advice on why it's best to stay logged out of servers generally.
Thanks.
Just set a policy to log off disconnected remote sessions after X minutes. Problem solved.
There are some security concerns if they have any open sessions to other network or internet servers.
Applications and user-run services can have memory leaks and otherwise tie up resources (especially MMC snap-ins).
Those two are good enough reasons. Like I said, though, just make a GPO and be done with it.
https://technet.microsoft.com/en-us/library/cc753112(v=ws.10).aspx
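The GPO settings this post (and the later suggestion of a TS policy limiting disconnected sessions to X hours) refer to are backed by registry values under the Terminal Services policy key. The following PowerShell is an added example, not code from the thread or from Microsoft, that applies those limits on a single host and reads them back; it assumes an elevated PowerShell session on a Windows Server 2008/2012 box, and the hour values are hypothetical placeholders to be replaced with whatever allows your long-running tasks to finish.

```powershell
# Added example, not from the thread: apply and verify the Remote Desktop Services
# session time limits that the linked GPO settings control, via their registry-backed
# policy values. Assumes an elevated session on a Windows Server 2008/2012 host;
# the default hour values below are hypothetical.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Set-RdsSessionLimits {
    param(
        [int]    $DisconnectedHours = 2,      # "Set time limit for disconnected sessions"
        [int]    $IdleHours         = 4,      # "Set time limit for active but idle RDS sessions"
        [switch] $LogOffWhenLimitReached      # "End session when time limits are reached"
    )
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    # Values are REG_DWORD milliseconds; 0 means "never".
    Set-ItemProperty -Path $PolicyKey -Name MaxDisconnectionTime -Value ($DisconnectedHours * 3600000) -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name MaxIdleTime          -Value ($IdleHours * 3600000)         -Type DWord
    # fResetBroken = 1 logs the session off when a limit is hit instead of only disconnecting it.
    Set-ItemProperty -Path $PolicyKey -Name fResetBroken -Value ([int]$LogOffWhenLimitReached.IsPresent) -Type DWord
}

function Get-RdsSessionLimits {
    # Report the current limits in hours; a missing value means "not configured" (no limit).
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    foreach ($name in 'MaxDisconnectionTime', 'MaxIdleTime', 'fResetBroken') {
        $raw = if ($p -and $p.PSObject.Properties[$name]) { $p.$name } else { $null }
        $shown = if ($name -eq 'fResetBroken') {
            if ($raw -eq 1) { 'log off at limit' } else { 'disconnect only' }
        } elseif ($raw) {
            "$([math]::Round($raw / 3600000, 2)) h"
        } else {
            'never / not configured'
        }
        New-Object PSObject -Property @{ Setting = $name; Value = $shown }
    }
}

# Usage: apply a two-hour disconnected limit, four-hour idle limit, and force logoff.
Set-RdsSessionLimits -DisconnectedHours 2 -IdleHours 4 -LogOffWhenLimitReached
Get-RdsSessionLimits | Format-Table -AutoSize
```

Writing the values locally is convenient for a one-off host; for every server at once put the same three settings in a domain GPO under Computer Configuration, Administrative Templates, Windows Components, Remote Desktop Services (Terminal Services on 2008), Remote Desktop Session Host, Session Time Limits, and check the result on a member server with Get-RdsSessionLimits after a gpupdate.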
Security, Resource availability are a couple important ones.
Sharing admin accounts??? awesome way to keep accountability... You now know who did what when shit happens.
What if there is a power failure? If they have unsaved work open it would be lost. Better that they log out to avoid the possibility.
And why are they using their personal accounts to log into the servers? Create a generic service account for the admin staff with permissions needed to perform their duties.
Leaving sessions open can cause unforeseen issues (lock files, for example), and it is not a secure way to leave a server. Unless they have a really good reason to be logging in, there really is no reason to do it.
Most generic management tasks can be performed via an MMC from their workstation.
The couple of other admins and I here all have our own admin logins, and we RDP into the servers a great deal. If there are 2 accounts already logged in, nobody else can get in. Always log off.
Create a TS policy that limits disconnected sessions to X hours, where X is something reasonable to allow for long-running tasks, etc. Tell everyone that if they do not log out, they will lose all unsaved work.
@ShaggyMarrs: Connect using the -admin switch... That'll teach 'em! :)
Because servers are not to be treated like a community coffee pot!
Rockn wrote:
And why are they using their personal accounts to log into the servers? Create a generic service account for the admin staff with permissions needed to perform their duties.
Did you really just suggest that everyone use the same account?
This is absolutely the wrong thing to do. Say buh-bye to any hope of an audit trail or user accountability. Best practice says IT staff should have a standard-level account for their daily activities and a separate, unique admin-level account for admin tasks.
You can use a scheduled task to run logoff.exe after X minutes of idle. This works regardless if they logged onto the local console or via RDP.
Or you can provide slightly more delay/warning that this is about to happen, as well as a reason code, if you use psshutdown.
If you want to call somebody out on it, why not run a .bat with a command-line email that will send you...
" %username% did not logoff %computername% so script is logging them off now "
and then it runs logoff.exe
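The scheduled-task approach described in this post, and the session query the original poster mentions doing by hand, can be combined into one sweep. The PowerShell below is an added example, not code from the thread: it parses quser.exe output by column offset (disconnected sessions leave SESSIONNAME blank, so splitting on whitespace mis-aligns the columns), picks sessions that have sat in the Disconnected state longer than a threshold, writes an Application event log entry naming the user and session for accountability, and then calls logoff.exe with the session ID. It assumes PowerShell 2.0 or later running elevated on the server; the two-hour threshold, the event source name and the event ID are hypothetical values.

```powershell
# Added example, not from the thread: a scheduled-task-friendly sweep that logs off
# sessions left in the Disconnected state longer than a threshold, recording who was
# logged off. Assumes PowerShell 2.0+ in an elevated context on the server; the
# threshold, event source and event ID are hypothetical.
param(
    [int]    $MaxDisconnectedHours = 2,
    [string] $EventSource = 'StaleSessionSweep',
    [switch] $DryRun      # report what would be logged off without doing it
)

function Get-LoggedOnSession {
    # quser.exe prints fixed-width columns; disconnected rows have an empty SESSIONNAME,
    # so slice each row at the header's column offsets instead of splitting on spaces.
    $lines = @(quser 2>$null)
    if ($lines.Count -lt 2) { return }
    $header = $lines[0]
    $cols   = 'USERNAME', 'SESSIONNAME', 'ID', 'STATE', 'IDLE TIME', 'LOGON TIME'
    $starts = foreach ($c in $cols) { $header.IndexOf($c) }
    foreach ($line in $lines[1..($lines.Count - 1)]) {
        $row = New-Object PSObject
        for ($i = 0; $i -lt $cols.Count; $i++) {
            $start = $starts[$i]
            $end   = if ($i -lt $cols.Count - 1) { $starts[$i + 1] } else { $line.Length }
            $value = ''
            if ($start -lt $line.Length) {
                $value = $line.Substring($start, [Math]::Min($end, $line.Length) - $start).Trim()
            }
            $row | Add-Member -MemberType NoteProperty -Name $cols[$i] -Value $value
        }
        $row
    }
}

function ConvertTo-IdleTimeSpan([string] $Text) {
    # quser idle formats: "1+02:15" (days+hh:mm), "2:15" (h:mm), "33" (minutes), "." or "none".
    switch -Regex ($Text) {
        '^(\d+)\+(\d+):(\d+)$' { return New-TimeSpan -Days ([int]$matches[1]) -Hours ([int]$matches[2]) -Minutes ([int]$matches[3]) }
        '^(\d+):(\d+)$'        { return New-TimeSpan -Hours ([int]$matches[1]) -Minutes ([int]$matches[2]) }
        '^\d+$'                { return New-TimeSpan -Minutes ([int]$Text) }
    }
    return New-TimeSpan -Minutes 0
}

function Invoke-StaleSessionSweep {
    $stale = Get-LoggedOnSession | Where-Object {
        $_.STATE -eq 'Disc' -and
        (ConvertTo-IdleTimeSpan $_.'IDLE TIME').TotalHours -ge $MaxDisconnectedHours
    }
    foreach ($s in $stale) {
        $msg = "$($s.USERNAME) left session $($s.ID) on $env:COMPUTERNAME disconnected " +
               "(logged on $($s.'LOGON TIME'), idle $($s.'IDLE TIME')); logging it off."
        if ($DryRun) { Write-Output "DryRun: $msg"; continue }
        # Keep an audit trail of forced logoffs in the Application log.
        if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
            New-EventLog -LogName Application -Source $EventSource
        }
        Write-EventLog -LogName Application -Source $EventSource -EventId 1000 -EntryType Warning -Message $msg
        logoff $s.ID
    }
}

Invoke-StaleSessionSweep
```

Run it once with -DryRun to confirm the column parsing on your hosts (the header offsets differ between OS versions and locales, which is why the script reads them from the header rather than hard-coding them), then register it as a scheduled task running hourly as SYSTEM. Because it only touches sessions already in the Disc state, an admin still actively working is never logged off, and the event log entry gives you the name to quote when you send that email.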
Blizz183, can you elaborate please?
We don't generally share accounts; there are some generic service accounts for certain purposes where I find this, but I also see their personal accounts still logged in when I query sessions. Anyway, I got a lot of responses suggesting ways to stop this, issues around accountability, etc. I don't know if my question wasn't clear, but I'm not really looking for that; I'm looking for reasons why people shouldn't stay logged in (to servers; I don't care what they do to their machines). I do appreciate the advice on preventing this, and I have and will follow it, but I want to be able to explain to people who clearly disregard the importance of logging off the good reasons why they should be logging off, which will hopefully help them learn and build good habits for the future.
Brand Representative for ESET
Hello,
Perhaps the following blog posts from WeLiveSecurity will be of interest:
- Remote Desktop (RDP) Hacking 101: I can see your desktop from here
- Filecoder: Holding your data for ransom
Those should provide a couple of real-world examples of why it is a bad idea to indefinitely maintain RDP sessions.
Regards,
Aryeh Goretsky
Aryeh Goretsky [ESET] wrote:
Hello,
Perhaps the following blog posts from WeLiveSecurity will be of interest:
- Remote Desktop (RDP) Hacking 101: I can see your desktop from here
- Filecoder: Holding your data for ransom
Those should provide a couple of real-world examples of why it is a bad idea to indefinitely maintain RDP sessions.
Regards,
Aryeh Goretsky
I'm not sure these apply to what he's talking about. I was under the impression that he was talking about disconnected sessions that were left logged in.
Nice sales pitch, Aryeh. However, bottom line: if you can't figure out a reason for the PCs to stay logged on, then log them off and set a policy that after 2 hours the machine will disconnect and log out. If the policy has to be applied too many times, their account will be locked out and they will need to see you for their new password: "ImUsTrEMbErToLoGoUtwHeNIGoHoMeEvErYnIGhT!"
One or two of those and you should have them remembering....